Help Configuring ASA 5505 Port Forwarding

Hello guys, I have a Cisco home rack lab which is behind my ASA 5505. I use my ASA to connect to the internet. My situation is I travel a lot for work, and I am unable to do my labbing practice. I am pretty new to ASA and would like to do a port forwarding to access my access server which is connected to my Cisco routers and switches. My network topology is this: (internet)-------(ASA 5505)----------(3550)-------(CM32 Access Server)----------(Cisco Rack)

This is how I set up my remote access:


ssh outside


!object network CM32host service CM32PFservice tcp source eq 
nat (inside,outside) source static CM32 interface service  CM32PF CM32PF

I can't connect to my CM32 access server at all. On my SecureCRT, I get 'Broken pipe'. I am not sure if I am configuring this correctly. I have 15 ports that need to be forwarded to my CM32 access server.

I can establish SSH connection to my ASA, but not to my CM32.

Any help would be appreciated. Thanks

Jouni Forss


I think you might run into problems if you try to forward the SSH (TCP/22) port using the ASA "outside" interface to the "inside" host port TCP/22. Reason being that the ASA is using that port for its management. So you might map the TCP/22 port to something else.

I generally use the Network Object NAT to configure Port Forwarding in the following way

object network CM32-SSH


nat (inside,outside) static interface service tcp 22 222

access-list OUTSIDE-IN permit tcp any object CM32-SSH eq 22

access-group OUTSIDE-IN in interface outside

Where the port TCP/222 is the mapped port visible to the public network.

You could also configure a VPN Client on the ASA and that way allow connection directly to the LAN server without any Port Forward configurations.

- Jouni

Hello JouniForss,

It seems like the VPN path is the safest/secure way to take.

What type of VPN do I need to set up on my ASA? I am assuming it will be the remote access VPN.

Would I need a VPN client installed on my laptop? I am using OSX 10.8.3.

I could set up a site-to-site VPN on Cisco routers, but have no idea how to do this on ASA 5505, especially remote access VPN or Web-based SSL VPN.


I think your ASA should by default already be capable of doing any type of VPN that they support in general.

What I am wondering is if you have the necessary image file on the ASA Flash memory to support your OS. I have only handled Cisco AnyConnect VPN Client with Windows using PCs.

If you can share the output of the CLI command

dir flash:

Then I could check if you have the image file necessary for the AnyConnect VPN.

Using the browser based Clientless SSL VPN is a bit harder and more complicated to configure.

Provided you have the necessary image file on the Flash to support your OS then I imagine it wouldn't be that hard to get the VPN working. You could either use the AnyConnect VPN wizard directly through the ASDM, the ASA's graphical user interface.

Or if I saw the CLI format configuration of the ASA I might be able to provide you with the needed configurations to get it running.

- Jouni

Hello, Jouni,

This is the output when I used dir flash:


Directory of disk0:/

103    -rwx  25159680     22:39:40 Dec 09 2011  asa842-k8.bin

104    -rwx  17232256     22:45:44 Dec 09 2011  asdm-645-206.bin

3      drwx  2048         22:49:32 Dec 09 2011  log

6      drwx  2048         22:49:46 Dec 09 2011  crypto_archive

88     -rwx  0            22:50:00 Dec 09 2011  nat_ident_migrate

106    -rwx  2369         23:42:16 Dec 09 2011  8_0_4_0_startup_cfg.sav

14     drwx  2048         22:50:06 Dec 09 2011  coredumpinfo

107    -rwx  260          10:16:40 Oct 13 2012  upgrade_startup_errors_201210131516.log

108    -rwx  3191813      22:52:26 Dec 09 2011  anyconnect-win-2.4.0202-k9.pkg

109    -rwx  260          03:15:06 Oct 30 2012  upgrade_startup_errors_201210300815.log

110    -rwx  260          22:14:22 Nov 17 2012  upgrade_startup_errors_201211180314.log

111    -rwx  260          13:15:06 Dec 03 2012  upgrade_startup_errors_201212031815.log

112    -rwx  260          10:55:28 Dec 10 2012  upgrade_startup_errors_201212101555.log

113    -rwx  260          08:54:14 Jan 08 2013  upgrade_startup_errors_201301081354.log

114    -rwx  260          08:59:46 Jan 08 2013  upgrade_startup_errors_201301081359.log



Seems you only have an image file of AnyConnect for Windows

108    -rwx  3191813      22:52:26 Dec 09 2011  anyconnect-win-2.4.0202-k9.pkg

So unless you have some smartnet contract with Cisco you can't download the software for your OS.

I guess you could use the OSX own VPN client and configure the ASA with IPsec VPN client and see if that works

Here is some document related to that

Let me know if you need configuration help with that. Though for that I would have to see the current configuration of the ASA.

- Jouni

I configured an IPSec VPN on my ASA. I am able to connect to my VPN and received an IP address. I am using Apple's built-in VPN. Now, I can't seem to ping my CM32 IP address. I checked my laptop's IP and found this:

utun0: flags=8051 mtu 1280

        inet --> netmask 0xffffff00

I have NAT configured (see attached screenshots)

I don't personally use the ASDM to configure the ASA.

Can you perhaps share the ASA configurations in CLI format and I can check them through.

- Jouni

Hi Jouni,

I think I got it working now. What happened is I misconfigured my VPN pool. I entered an IP address that I already have on my 3550. And that is the reason why I can't reach my access server.

Thanks for all the help. Also, thanks for providing that link about VPN, it helps a lot.
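
The root cause reported in the last post (a VPN pool containing an address already configured on the 3550) can be caught before deployment by comparing `ip local pool` ranges against configured interface addresses. The following is an added example, not part of the original thread; the sample configs, addresses, pool names and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configs; the addresses are placeholders, not from the thread.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool VPNPOOL 192.168.1.200-192.168.1.210 mask 255.255.255.0
ip local pool LABPOOL 192.168.50.10-192.168.50.20 mask 255.255.255.0
"""
SWITCH_CONFIG = """\
interface Vlan1
 ip address 192.168.1.205 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(rf"^ip local pool (\S+) {IP}-{IP}", re.M)
ADDR_RE = re.compile(rf"^[ \t]*ip address {IP} {IP}", re.M)

def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    return {name: (ipaddress.ip_address(first), ipaddress.ip_address(last))
            for name, first, last in POOL_RE.findall(config)}

def parse_interfaces(config):
    """Return configured 'ip address' entries as ip_interface objects."""
    return [ipaddress.ip_interface(f"{addr}/{mask}")
            for addr, mask in ADDR_RE.findall(config)]

def pool_conflicts(pools, interfaces):
    """Return (pool_name, interface) pairs where a configured address
    falls inside a VPN pool range, so a client could be handed an
    address that is already in use on the LAN."""
    findings = []
    for name, (first, last) in pools.items():
        for iface in interfaces:
            if first <= iface.ip <= last:
                findings.append((name, str(iface)))
    return findings

def check(asa_config, *other_configs):
    """Check the ASA's pools against addresses in all supplied configs."""
    interfaces = parse_interfaces(asa_config)
    for cfg in other_configs:
        interfaces += parse_interfaces(cfg)
    return pool_conflicts(parse_pools(asa_config), interfaces)

if __name__ == "__main__":
    for pool, iface in check(ASA_CONFIG, SWITCH_CONFIG):
        print(f"pool {pool} overlaps configured address {iface}")
```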