Need Help With ASA Rule

townofnewmarket
Level 1

ASA running 8.3(2)

Want to be able to hit an internal IP addy from the outside. Only need access to port 5001.

Generally, I would do something like this (assume internal is 10.0.0.1, external is 74.75.76.77 and port is 5001)

access-list inbound permit tcp any host 74.75.76.77 eq 5001
static (inside,outside) tcp interface 5001 10.0.0.1 5001 netmask 255.255.255.255 0 0

With the second command I get an error about "This syntax of nat command has been deprecated".

So I have tried this:

object network remote-test
 host 10.0.0.1
 nat (inside,outside) static 74.75.76.77 service tcp 5001 5001

But I am not getting there.  Am I missing anything else I need to add (maybe an acl list)?

Appreciate any help!

Thanks

4 Replies

joseoroz
Cisco Employee

The configuration that you are using is for code <8.2; there was a major change in the syntax on code 8.3 and above:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Please keep in mind that on the access-list we now permit the traffic to the private IP of the server instead of the public one.

The configuration will look something like this:

object network Public_server
 host 74.75.76.77
object network Private_server
 host 10.0.0.1
object service 5001
 service tcp source 5001
nat (inside,outside) source static Private_server Public_server service 5001 5001

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_rules.html#wp1101985

Hope you find this information helpful.

Jose, that looks awesome.  Is there any command I can issue inside the ASA that would show me if this connection is in fact being "hit"?  I am wondering if I don't have something else in between me and the ASA. 

I say this because, from the top of "sho run":

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.20 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!

You may run the packet-tracer command. This will tell you whether the traffic can be permitted. Other than that, you can set up a packet capture on the inbound and outbound interfaces to confirm the traffic is actually permitted.

packet-tracer input outside tcp (source ip from the internet) 1025 (public destination) 5001

packet-tracer input outside tcp 4.2.2.2 1025 74.75.76.77 5001

This is the example access-list that I missed earlier.

access-list inbound permit tcp any host 10.0.0.1 eq 5001

These are the instructions for packet capturing:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

"show conn" and "show xlate" will let you verify if connection is in the table and if NAT is taking place. 
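As an added example (not from the thread or from Cisco), a small Python checker for the point made above about the access-list: it reads the object NAT statements out of an 8.3-style config and flags any inbound ACE that still permits to the mapped public address, which is the pre-8.3 habit that leaves the port forward silently blocked. The sample config and the function names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample of a post-8.3 ASA config in the style of the thread:
# object NAT for 10.0.0.1 mapped to 74.75.76.77 on tcp/5001. The second
# ACE still references the public address (pre-8.3 style) and never matches.
SAMPLE_CONFIG = """\
object network remote-test
 host 10.0.0.1
 nat (inside,outside) static 74.75.76.77 service tcp 5001 5001
access-list inbound permit tcp any host 10.0.0.1 eq 5001
access-list inbound permit tcp any host 74.75.76.77 eq 5001
access-group inbound in interface outside
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^ host (\S+)$")
NAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) static (\S+)(?: service tcp (\S+) (\S+))?$")
ACE_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?$")


def parse_static_nats(config: str) -> Dict[str, str]:
    """Map each mapped (public) address to the real address of its object NAT."""
    mapped_to_real: Dict[str, str] = {}
    real = None
    for line in config.splitlines():
        if OBJ_RE.match(line):
            real = None  # new object: forget the previous object's host
        elif (m := HOST_RE.match(line)):
            real = m.group(1)
        elif (m := NAT_RE.match(line)) and real:
            mapped_to_real[m.group(3)] = real
    return mapped_to_real


def find_mapped_ip_aces(config: str) -> List[str]:
    """Return ACEs written against a mapped address instead of the real one.

    From 8.3 on, the interface ACL is checked against the real (untranslated)
    address, so such an entry never matches and the inbound connection drops.
    """
    mapped_to_real = parse_static_nats(config)
    findings = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(3) in mapped_to_real:
            findings.append(f"{line}  -> use host {mapped_to_real[m.group(3)]}")
    return findings


if __name__ == "__main__":
    for finding in find_mapped_ip_aces(SAMPLE_CONFIG):
        print(finding)
```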
