04-24-2014 09:44 AM - edited 03-11-2019 09:07 PM
ASA running 8.3(2)
Want to be able to hit an internal IP addy from the outside. Only need access to port 5001.
Generally, I would do something like this (assume internal is 10.0.0.1, external is 74.75.76.77 and port is 5001)
access-list inbound permit tcp any host 74.75.76.77 eq 5001
static (inside,outside) tcp interface 5001 10.0.0.1 5001 netmask 255.255.255.255 0 0
With the second command I get an error about "This syntax of nat command has been deprecated".
So I have tried this:
object network remote-test
host 10.0.0.1
nat (inside,outside) static 74.75.76.77 service tcp 5001 5001
But I am not getting there. Am I missing anything else I need to add (maybe an acl list)?
Appreciate any help!
Thanks
04-24-2014 10:19 AM
The configuration that you are using is for code <8.2; there was a major change in the syntax on code 8.3 and above:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
Please keep in mind that on the access-list we now permit the traffic to the private IP of the server instead of the public one.
The configuration will look something like this:
object network Public_server
host 74.75.76.77
object network Private_server
host 10.0.0.1
object service 5001
service tcp source 5001
nat (inside,outside) source static Private_server Public_server service 5001 5001
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_rules.html#wp1101985
Hope you find this information helpful.
04-24-2014 10:45 AM
Jose, that looks awesome. Is there any command I can issue inside the ASA that would show me if this connection is in fact being "hit"? I am wondering if I don't have something else in between me and the ASA.
I say this because, from the top of "sho run":
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.20 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
04-24-2014 02:49 PM
You may run the packet-tracer command. This will tell you whether the traffic is permitted. Other than that, you can set up a packet capture on the inbound and outbound interfaces to confirm the traffic is actually permitted.
packet-tracer input outside tcp (source ip from the internet) 1025 (Public destination) 5001
packet-tracer input outside tcp 4.2.2.2 1025 74.75.76.77 5001
This is the example of access list that I missed earlier.
access-list inbound permit tcp any host 10.0.0.1 eq 5001
These are the instructions for packet capturing:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html
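As an added illustration of Jose's point that on 8.3+ the access-list must reference the private (real) address rather than the public (mapped) one, here is a small Python lint written for this thread (not code from the thread or from Cisco). It reads a constructed config fragment with hypothetical object names, learns the mapped-to-real pairs from both the twice NAT form and the OP's auto NAT form, and flags ACL entries that still point at the mapped address.

```python
import re

# Constructed ASA 8.3+ fragment in the style of the thread (hypothetical object
# names, not a real device). The ACL deliberately repeats the pre-8.3 mistake of
# pointing at the public (mapped) address, which 8.3+ will never match.
CONFIG = """\
object network Private_server
 host 10.0.0.1
object network Public_server
 host 74.75.76.77
object service svc_5001
 service tcp source 5001
nat (inside,outside) source static Private_server Public_server service svc_5001 svc_5001
access-list inbound permit tcp any host 74.75.76.77 eq 5001
access-group inbound in interface outside
"""

def nat_mappings(config):
    """Return {mapped_ip: real_ip} from twice NAT ('nat ... source static REAL MAPPED')
    and from auto NAT ('nat (...) static MAPPED' inside an object network block)."""
    hosts, mappings, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+host (\S+)", line):
            hosts[current] = m.group(1)
        elif m := re.match(r"\s+nat \(\S+\) static (\S+)", line):      # auto NAT (OP's form)
            mappings[m.group(1)] = hosts[current]
        elif m := re.match(r"nat \(\S+\) source static (\S+) (\S+)", line):  # twice NAT
            real, mapped = m.group(1), m.group(2)
            mappings[hosts[mapped]] = hosts[real]
    return mappings

def acl_lines_using_mapped_ip(config):
    """ACL entries whose destination host is a mapped (public) address. On 8.3+ the
    ACL is evaluated against the real address, so these entries silently never match."""
    mappings = nat_mappings(config)
    findings = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (?:extended )?permit \S+ \S+ host (\S+)", line)
        if m and m.group(2) in mappings:
            findings.append((line, f"use host {mappings[m.group(2)]} instead"))
    return findings

if __name__ == "__main__":
    for line, fix in acl_lines_using_mapped_ip(CONFIG):
        print(f"{line}\n  -> {fix}")
```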
04-25-2014 05:03 AM
"show conn" and "show xlate" will let you verify if the connection is in the table and if NAT is taking place.