Nat from Public IP to Internal Server using Custom TCP Port

sulaimangd
Level 1

Hi,

I need some advice on configuring an ASA firewall (version 8.2). I'm really new to ASA (I've done switching so far, so this is my first task with ASA).

My task is simple.

I have an ASA firewall that has a public IP address used to publish some services. My task is to configure NAT port forwarding for a new server on a custom port, say tcp/50443.

This is how I visualize the configuration.

Define a service object:

object service $SERVICE_NAME
 service $TCP/UDP destination $PORT_Number

Define a network object for the internal server:

object network $OBJECT_NAME
 host $HOST_IP

Then create a NAT rule:

nat (outside,inside) static $HOST_IP service tcp $SERVICE_NAME

Create an ACL to allow access from outside to the inside server:

access-list outside-inside-serv extended permit tcp any object $HOST_IP eq $PORT_Number

Apply this rule to the outside interface inbound:

access-group outside-inside-serv in interface outside

If we assume the public IP is 2.2.2.1, the internal host is 192.168.250.10 and the port is 50443, then my configuration should be like this:

object service port-number
 service tcp destination 50443
object network internal-host
 host 192.168.250.10
nat (outside,inside) static internal-host service tcp port-number
access-list outside-inside-serv extended permit tcp any object internal-host eq port-number
access-group outside-inside-serv in interface outside

I hope this is the correct way to configure such a requirement.

Kindly advise if this is the correct way to do it.

Thanks in advance


6 Replies

You are using the new (ASA 8.3+) syntax here. You have to decide to either update the ASA (better as 8.2 is EOL and doesn't get any security fixes) or use the legacy syntax.

Thanks for the reply.

Well, the firewall is not managed by us, so I don't have control over whether to upgrade or not. This config is required to test a specific app, that's all, and was requested by our apps team, who will deploy the application at the client's infra.

Is there a way to get the syntax for this specific image?

Thanks again for the reply.

On the legacy ASA it's the static-command to do the NAT. The ACL has to reference the translated (public) IP and not the real IP.

Check this link out:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

In the pre-8.3 section, the first two options are what you should be checking: Static NAT and Static PAT.

Regards,

Pulkit

Wow, that's great, thanks a lot.

Ajay Saini
Level 7

If it's 8.2, it should be pretty simple:

static (inside,outside) tcp x.x.x.x 80 y.y.y.y 80

where x.x.x.x is the mapped public IP address. Per your example, it's 2.2.2.1.

y.y.y.y is the real IP address of the server. Per your example, it's 192.168.250.10.

I have taken example port 80; you can change it.

access-list outside-inside-serv extended permit tcp any host x.x.x.x eq 80

HTH-

AJ
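The following is a complete worked configuration for the values in the original question, added here as an editor's example; it was not posted by anyone in the thread. It assumes the ASA runs 8.2, that 2.2.2.1 is a spare public address routed to the ASA rather than the outside interface's own address (the `interface` form is shown in a comment), and that no ACL is already bound inbound on the outside interface. The source address 203.0.113.5 used in the packet-tracer check is a documentation-range address picked for the test. The second half shows the equivalent on 8.3 and later, which the first reply refers to, so the two NAT generations can be compared side by side.

```cisco
! ASA 8.2 (pre-8.3 NAT syntax): publish 192.168.250.10 tcp/50443 as 2.2.2.1 tcp/50443.
! Static PAT translates exactly one public port to one real host/port; no other
! port on 2.2.2.1 is exposed by this line.
static (inside,outside) tcp 2.2.2.1 50443 192.168.250.10 50443 netmask 255.255.255.255
! If 2.2.2.1 were the outside interface's own address, use the interface keyword instead:
!   static (inside,outside) tcp interface 50443 192.168.250.10 50443 netmask 255.255.255.255

! Pre-8.3, the inbound ACL on outside matches the MAPPED (public) address, not the real one.
! Replace "any" with the tester's source range if it is known; this ACE is the only
! thing limiting who can reach the service from the Internet.
access-list outside-inside-serv extended permit tcp any host 2.2.2.1 eq 50443
! access-group binds ONE ACL per interface and direction. If outside already has an
! inbound ACL, add the ACE above to that ACL instead of running this line, otherwise
! the existing permits are replaced by the new ACL.
access-group outside-inside-serv in interface outside

! Checks (all available on 8.2):
! packet-tracer walks the translation and the ACL for a simulated inbound SYN
! (203.0.113.5 is a documentation address chosen as the test source).
packet-tracer input outside tcp 203.0.113.5 40000 2.2.2.1 50443
! The translation should be listed as a static PAT entry for the real host.
show xlate | include 192.168.250.10
! Hit counts on the ACE should climb once the app team starts testing.
show access-list outside-inside-serv

! ----- Equivalent on ASA 8.3 and later (object NAT), for comparison -----
! The nat statement lives under the network object, the service ports are given
! as "real mapped", and the outside ACL now references the REAL address.
object network internal-host
 host 192.168.250.10
 nat (inside,outside) static 2.2.2.1 service tcp 50443 50443
access-list outside-inside-serv extended permit tcp any object internal-host eq 50443
access-group outside-inside-serv in interface outside
```

Run the packet-tracer line before handing the box back: its output shows each phase (route lookup, ACL, NAT) with an explicit allow or drop, so a wrong ACL address or a missing static is caught without waiting for the application team to report a failed connection.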
