10-19-2011 02:10 PM - edited 03-11-2019 02:40 PM
Hello everyone, n00b here.
As the title reads, I need help to allow ports 18082 and 18086 inbound to one of my internal servers.
I pretty much know how to create a static NAT rule but I don't know how to only allow those two ports. I don't want to open the server to all ports.
This is what I am doing via ASDM v6.1:
Configuration-NAT Rule-Add=Add Static NAT Rule
Original
Interface: inside
Source: my internal IP address
Translated
Interface: outside
Use IP Address: my available external IP address
Now under PAT I assume that's where I put the ports, so I place a checkbox on Enable and select TCP. Then I enter 18082 on both the Original and Translated Port boxes. I tried adding 18086 by entering 18082-18086 or with a comma as a separator but it doesn't allow it and spits an error saying that the format is incorrect.
click [OK]
Now is that how I add a single port to forward to my internal server? Do I need to create another Static NAT Rule including the second port of 18086?
Thanks for the help!
10-19-2011 02:29 PM
Hello Cesar,
Yes, you will need to do it and afterwards you will need to open those ports on the ACL applied to the outside interface (inbound direction).
Regards,
Julio
10-20-2011 11:56 AM
Thanks for the reply, jcarvaja.
To clarify - I will have TWO NAT rules under my NAT Rules section, one for each port configured as stated above.
Then I will go to my Access Rules and apply those two ports to that outside IP address?
I currently have an access rule with that outside IP address for an old website address no longer being used, it's configured as follows:
==========================
Interface: outside
Action: permit
Source: any
Destination: my outside ip address
Service: tcp/http <- more on this at the end
Enable Logging - Checked
Logging Level: Default
More Actions:
Enable Rules - Checked
===========================
In regards to the service, I can click on the ellipsis button [...] - go to add - TCP service group - give it a group name and description and on the bottom box Port/Range enter the needed ports and [Add >>], am I correct? How can I add two ports on this same service group? Separate them with a "," or a ";"? ie: 18082,18086 or 18082;18086?
Thank you once again.
10-20-2011 12:39 PM
Hello Cesar,
That is correct, let's add them and this setup is going to work.
Hope you have a great day,
Julio
10-20-2011 02:36 PM
It worked, I am good to go!
Thank you for your help!!!
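
For reference, the setup agreed on in this thread written as ASA CLI. This is an added example, not part of the original posts. It assumes pre-8.3 ASA syntax (inferred from the ASDM 6.1 mentioned in the question); the addresses 203.0.113.10 (outside) and 192.168.1.10 (inside), the group name SRV-APP-PORTS, the ACL name outside_access_in and the test source 198.51.100.25 are constructed placeholders.

```cisco
! Constructed placeholders: 203.0.113.10 = outside IP, 192.168.1.10 = internal server.

! One static PAT entry per port, so only these two ports are translated
! instead of the whole host.
static (inside,outside) tcp 203.0.113.10 18082 192.168.1.10 18082 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 18086 192.168.1.10 18086 netmask 255.255.255.255

! TCP service group: each port is its own port-object line.
! A range (port-object range 18082 18086) would also admit 18083-18085.
object-group service SRV-APP-PORTS tcp
 description Inbound application ports for the internal server
 port-object eq 18082
 port-object eq 18086

! Inbound ACL on the outside interface. Before 8.3 the destination is the
! translated (outside) address, matching the access rule shown in the thread.
access-list outside_access_in extended permit tcp any host 203.0.113.10 object-group SRV-APP-PORTS log
access-group outside_access_in in interface outside

! Verification from the ASA prompt:
!   show running-config static
!   show access-list outside_access_in
!   packet-tracer input outside tcp 198.51.100.25 12345 203.0.113.10 18082
!   packet-tracer input outside tcp 198.51.100.25 12345 203.0.113.10 18083
! The 18082 trace should end in "allow"; the 18083 trace should be dropped,
! confirming that nothing beyond the two intended ports is exposed.
```

If the old website rule for tcp/http on the same outside address is no longer needed, removing it keeps the exposed surface limited to the two ports above.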