Port forwarding ASDM

Izac ICT
Level 1

Hi,

I have ASA 5510, FW:8.4 and ASDM 6.4.

I'm trying to forward port 2222 to my Synology NAS but have not been successful. I added an access rule and created a NAT, but no success. Please check the attached file to see how I created them. Should I add a static route, too?

I also want to map an outside port to a different inside port. I tried but couldn't manage it. Please help. You can send me screenshots or commands; both are good for me.

 

Thank you very much in advance.

11 Replies

Jouni Forss
VIP Alumni

Hi,

I pretty much only use the CLI so I might miss something.

It looks strange to me that the ACL rules section "Service" only lists "2222" instead of "tcp/2222". Though I would imagine that the ASDM should not accept that rule if it wasn't specified as TCP or UDP.

Also, what I am wondering is: does your device really listen on port TCP/2222 in the local subnet, or are we talking perhaps about TCP/22 (SSH) listening on the local NAS and you want to access it with mapped port TCP/2222? In that case I would change the "Real Port" section to "22".

Notice that this would also mean that you would have to allow the traffic to the local/real port TCP/22 (instead of TCP/2222). This is because the newer software versions require you to always permit (or deny) the connections towards the local/real IP and local/real port.

Notice that for connections incoming from the external networks you WON'T have to add a rule to the internal interface's ACL, as the ASA has already allowed the connection and the return traffic will be allowed on the basis of connection information already present on the ASA.

Hope this helps :)

- Jouni

Hi Jouni,

Thanks for the comment. I changed the port from 22 to 2222 on the NAS device. You see "2222" on the ASA rather than "tcp" since I created a TCP 2222 service named "2222". You can also see from the NAT configuration that it is TCP 2222.

I can also use the CLI since I'm an old CCNA R&S.

Thanks again.

Hi,

I guess from the CLI you could list the following:

show run access-group
show run object id <nat object name>
show run nat
show run access-list

Naturally, if the configuration isn't large you can share the whole configuration. In either case remember to remove any references to actual public IP addresses or other sensitive information.

- Jouni

Thanks for the prompt answer.

Please see the responses to the commands in the attached file.

All Running Config

Hi,

I can't see any rule that would allow the traffic.

You would need to add

access-list Outside_access_in line 1 remark NAS
access-list Outside_access_in line 2 permit tcp any object Syno-192.168.144.81 eq 2222

These should add the "remark" line and the actual ACL rule to the top of the current ACL.

If you were planning on using the "object service 2222" in the ACL rules then that probably won't work. You have specified inside the "object" both the "source" and "destination" as TCP/2222. This will mean that only a connection sourced from port TCP/2222 and heading to port TCP/2222 will be allowed, and that is probably not the case, as the client's source port for the TCP connection is typically a totally random port.

Hope this helps :)

- Jouni

Thanks, I entered these two lines but I think I'm making a mistake while configuring NAT. Could you please also send me NAT examples for those two lines? (For example, outside port is 222, LAN port is 22.)

Thanks again.

I forwarded ports before via ASDM but now I cannot forward any port; it always gives a NAT error. Please see the packet tracer error in the attached file. What am I doing wrong?

Thanks again.

I managed to redirect port 8000 with the settings below, but I still cannot redirect any other port. There is no problem with the access rules; there is a problem with NAT.

object network CCTV
host 192.168.144.80
nat (inside,outside) static interface service tcp 8000 8000

access-list Outside_access_in line 1 remark CCTV
access-list Outside_access_in line 2 permit tcp any object CCTV eq 8000

Please help!


Hi,

I think the easiest way to find the issue with the configuration would be to use Packet Tracer:

Refer:

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Paste the outputs for the ports which are not working.

Take the trace from any outside internet IP to the NATted global IP on that specific port which you have forwarded.

Thanks and Regards,

Vibhor Amrodia

Thanks for the advice. I used Packet Tracer; the result is attached. I checked the ports with canyouseeme.org or yougetsignal.com but the result is negative.

I use the commands below:

object network 9100Alrm
host 192.168.144.80
nat (inside,outside) static interface service tcp 9500 9500

access-list Outside_access_in line 1 remark NAS
access-list Outside_access_in line 2 permit tcp any object 9100Alrm eq 9100


object network PC01(webservices)
 nat (Inside,Outside) static interface service tcp 789 789 
object network PC02(imap)
 nat (Inside,Outside) static interface service tcp imap4 imap4 
object network PC02(POP)
 nat (Inside,Outside) static interface service tcp pop3 pop3 
object network PC01(webservices)(udp)
 nat (Inside,Outside) static interface service udp 789 789 
object network https
 nat (Inside,Outside) static interface service tcp https https 
object network exchange_smtp
 nat (Inside,Outside) static interface service tcp smtp smtp 
object network 873
 nat (Inside,Outside) static interface service tcp 873 873 
object network CCTVGr-8000
 nat (Inside,Outside) static interface service tcp 8000 8000 
object network CCTVGr554
 nat (any,Outside) static interface service tcp rtsp rtsp 
object network 9100Alrm
 nat (Inside,Outside) static interface service tcp 9100 9100 
!
nat (WLAN,Outside) after-auto source dynamic any interface
nat (Inside,Outside) after-auto source dynamic any interface
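Jouni's point earlier in the thread is that on ASA 8.3+ the inbound ACL must permit the real (un-NATted) port, and the last post shows a NAT rule for TCP 9500 next to an ACL entry for TCP 9100. The following is an added example, not the thread's own config or a Cisco tool: a small Python checker that parses "show run" style output and flags every object whose static PAT rule has no ACL permit on its real port. Object names, hosts and the config fragment are constructed for the example.

```python
import re

# Constructed ASA 8.3+ config fragment (assumed names and hosts, not the
# poster's own): one correct rule, one ACL that permits the mapped port
# instead of the real port, and one where the NAT and ACL ports disagree.
SAMPLE_CONFIG = """\
object network CCTV
 nat (inside,outside) static interface service tcp 8000 8000
object network NAS
 nat (inside,outside) static interface service tcp 22 2222
object network ALRM
 nat (inside,outside) static interface service tcp 9500 9500
access-list Outside_access_in line 1 permit tcp any object CCTV eq 8000
access-list Outside_access_in line 2 permit tcp any object NAS eq 2222
access-list Outside_access_in line 3 permit tcp any object ALRM eq 9100
"""

# nat (real_if,mapped_if) static interface service <proto> <real_port> <mapped_port>
NAT_RE = re.compile(r"^\s*nat \(\S+\) static interface service (tcp|udp) (\S+) (\S+)")
# access-list <name> [line N] permit <proto> any object <obj> eq <port>
ACL_RE = re.compile(r"^access-list \S+ (?:line \d+ )?permit (tcp|udp) any object (\S+) eq (\S+)")

def parse_static_pat(config):
    """Map each network object to its (proto, real_port, mapped_port) NAT rule."""
    rules, current = {}, None
    for line in config.splitlines():
        obj = re.match(r"^object network (\S+)", line)
        if obj:
            current = obj.group(1)
            continue
        nat = NAT_RE.match(line)
        if nat and current:
            rules[current] = nat.groups()
    return rules

def parse_acl_permits(config):
    """Collect (proto, object, port) tuples from the inbound permit entries."""
    return {m.groups() for m in map(ACL_RE.match, config.splitlines()) if m}

def find_mismatches(config):
    """Objects whose NAT rule has no ACL permit on the REAL port; on ASA 8.3+
    the inbound ACL is matched against the real (un-NATted) IP and port, so a
    permit on the mapped port alone lets nothing through."""
    permits = parse_acl_permits(config)
    problems = []
    for name, (proto, real, mapped) in parse_static_pat(config).items():
        if (proto, name, real) not in permits:
            allowed = sorted(p for pr, obj, p in permits if obj == name and pr == proto)
            problems.append((name, real, mapped, allowed))
    return problems
```

Each reported tuple lists the object, its real and mapped ports, and the ports the ACL actually permits for that object, which is exactly the 9500-vs-9100 kind of disagreement to look for before running packet-tracer.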