
Need help with port forwarding on ASA

Amit V
Level 1

 

Guys,

 

How do I achieve this port forwarding on an ASA 5505? Here is the situation:

I have one host on inside lan

Host IP: 10.0.0.9

Outside ip: 65.65.65.100 (just an example)

 

So if a user from outside ssh into port 65.65.65.100:557, I want that traffic to go to 10.0.0.9:22 

and if another user from outside ssh into port 65.65.65.100:7111, I want that traffic to go to 10.0.0.9:22 

 

So basically, when outside users connect to an IP on two different ports, I want that traffic to go to the same host on the same port number.

 

Here is what I tried. I get a "duplicate entry" error and it won't let me enter the second line:

 

static (inside,outside) tcp 65.65.65.100 557 10.0.0.9 22

static (inside,outside) tcp 65.65.65.100 7111 10.0.0.9 22 <---This line fails

 

Please help

3 Replies 3

rvarelac
Level 7

Hi

What comes to my mind right now is: what if you upgrade to 8.3 or up and try port forwarding with objects (object network and object service)?

I haven't tried this in my lab yet, so it may or may not work...

Example of the config:

 

object service telnet

service tcp destination eq telnet

object service portx

service tcp destination eq 9999

nat (out,DMZ) source static any any destination static interface dmzserver service portx telnet

 

Hope this helps.

8.3 or a higher version supports this. I was able to achieve it by upgrading to 8.3 or a higher version. Sorry about posting this late.
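
Added example, not part of the thread: one way to write the original poster's two forwards (outside ports 557 and 7111 to 10.0.0.9:22) in the 8.3+ object syntax that the replies above refer to. Object and ACL names are hypothetical, and 198.51.100.0/24 is a constructed placeholder for the source range allowed to reach SSH.

```cisco
! Added example for ASA 8.3+ (not from the thread). Object names are hypothetical.
object network OBJ-SSH-REAL
 host 10.0.0.9
object network OBJ-SSH-MAPPED
 host 65.65.65.100
!
! Services are written from the real host's side, so the port is a source port.
object service SVC-REAL-22
 service tcp source eq 22
object service SVC-MAPPED-557
 service tcp source eq 557
object service SVC-MAPPED-7111
 service tcp source eq 7111
!
! Two static rules: same real host and port, two different mapped ports.
nat (inside,outside) source static OBJ-SSH-REAL OBJ-SSH-MAPPED service SVC-REAL-22 SVC-MAPPED-557
nat (inside,outside) source static OBJ-SSH-REAL OBJ-SSH-MAPPED service SVC-REAL-22 SVC-MAPPED-7111
!
! From 8.3 on, the interface ACL matches the real address and real port,
! not the mapped 65.65.65.100:557 / :7111.
! 198.51.100.0/24 is a constructed placeholder for the permitted source range.
access-list OUTSIDE-IN extended permit tcp 198.51.100.0 255.255.255.0 host 10.0.0.9 eq 22
!
! If an ACL is already applied inbound on outside, add the permit line to that
! ACL instead of applying a new access-group.
access-group OUTSIDE-IN in interface outside
```

If 65.65.65.100 is the outside interface's own address, use the keyword "interface" in place of OBJ-SSH-MAPPED in both nat lines. Because the ACL matches the real port 22, one entry governs both forwarded ports.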

jumora
Level 7

Here is the configuration that you need:

 

access-list ssh_557 permit tcp host 10.0.0.9 eq 22 any

access-list ssh_7111 permit tcp host 10.0.0.9 eq 22 any

 

static (inside,outside) tcp 65.65.65.100 557 access-list ssh_557

static (inside,outside) tcp 65.65.65.100 7111 access-list ssh_7111

 

ciscoasa(config)# show xlate detail

2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static

TCP PAT from inside:10.0.0.9/22 to outside(ssh_557):65.65.65.100/557 flags sr

TCP PAT from inside:10.0.0.9/22 to outside(ssh_7111):65.65.65.100/7111 flags sr

Value our effort and rate the assistance!