09-24-2013 05:23 AM - edited 03-11-2019 07:42 PM
Hi
I have problems figuring out how to make a simple port translation/forwarding on an ASA 5505 firewall running 8.2.
The firewall has several inside networks and an outside IP which it source-NATs traffic through.
The goal is that when ANY outside IP reaches the firewall outside IP, let's say 123.123.123.1, on port 10000 for example, then it should be forwarded to an inside IP address, let's say 10.10.10.2 port 80.
How is this done in the ASDM GUI? How is it done in the CLI?
Should be simple, but I just can't figure it out.
Simon
09-24-2013 05:28 AM
You can find this in the config guide:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html#wp1071777
First you just need a static command:
static (inside,outside) tcp 123.123.123.123 10000 10.10.10.2 80 netmask 255.255.255.255
And of course the traffic has to be allowed by the interface ACL.
It can also be configured in ASDM, which is a little bit harder to explain. The ASDM guide is here:
http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/nat.html
Or you configure it on the CLI and later look at the ASDM for the results.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
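The complete ASA 8.2 configuration for what the reply above describes, as an added example and not text from the original post: the static PAT entry, the interface ACL that must permit the mapped port, the access-group binding, and the verification commands. It assumes the mapped address 123.123.123.123 used in the reply, the interface names inside/outside, and a constructed ACL name `outside_in`; the packet-tracer source 1.2.3.4:1234 is also constructed.

```cisco
! Static PAT (8.2 syntax): outside 123.123.123.123 tcp/10000 -> inside 10.10.10.2 tcp/80
static (inside,outside) tcp 123.123.123.123 10000 10.10.10.2 80 netmask 255.255.255.255
! If the mapped address is the outside interface's own IP, use the interface keyword instead:
! static (inside,outside) tcp interface 10000 10.10.10.2 80 netmask 255.255.255.255

! Interface ACL: on 8.2 the ACL matches the MAPPED (outside) address and port, not the real server.
! Permit only the published port; everything else stays denied by the implicit deny.
access-list outside_in extended permit tcp any host 123.123.123.123 eq 10000
access-group outside_in in interface outside

! Verification: simulate an inbound SYN from a constructed outside host 1.2.3.4
packet-tracer input outside tcp 1.2.3.4 1234 123.123.123.123 10000

! Confirm the static translation is installed and check for competing NAT rules
show xlate | include 10.10.10.2
show running-config static
show running-config nat
```

The `show running-config nat` line is there because of the failure reported later in the thread: on 8.2, NAT exemption (`nat (inside) 0 access-list ...`) is evaluated before static NAT, so an exemption ACL that also covers 10.10.10.2 can cause packet-tracer to drop the inbound flow at the NAT rpf-check phase. If that is the case, narrow the exemption ACL so it no longer matches the server's traffic to outside hosts, or the static entry never takes effect for the reverse flow.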
09-24-2013 08:39 AM
In your static statement the "inside" is referring to the "external" interface and vice versa, right?
09-24-2013 09:42 AM
"inside" is the interface where your internal server 10.10.10.2 is located. "outside" is the interface where you connect to the internet.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-24-2013 10:34 AM
I'm sorry. Of course it's the internal (real_interface). The GUI isn't very helpful; I had to try several, in my eyes, wrong configurations to get the correct result CLI-wise.
Anyway, it is still not working.
I gave any outside connection permit to the outside IP interface port 10000. Do I need more ACLs since the final destination is the internal interface?
The internal interface isn't terminated on the ASA firewall. It is learned by OSPF. Could this be a problem?
Simon
09-24-2013 10:51 AM
> I gave any outside connection permit to the outside IP interface port 10000. Do I need more ACLs since the final destination is the internal interface?
No, a statement like
permit tcp any host 123.123.123.123 eq 10000
is enough.
> The internal interface isn't terminated on the ASA firewall. It is learned by OSPF. Could this be a problem?
you only need reachability from the ASA to the server. And if the ASA reaches the server through interface inside, the answers from that server also have to come back through this interface.
try the packet-tracer and post the result:
packet-tracer input outside tcp 1.2.3.4 1234 123.123.123.123 10000
> The GUI isn't very helpful; I had to try several, in my eyes, wrong configurations to get the correct result CLI-wise.
Yes, the GUI for NAT is really bad, even on the newer versions. On the CLI things are much clearer if you know the syntax.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-27-2013 12:00 AM
Hello
I found out why it didn't work.
The packet trace failed on the reverse path check, but it doesn't give very detailed information on why.
It was a mix of multiple internal interfaces and a NAT exempt rule to the same internal network.
Thank you for your help!