Port forwarding on ASA 5510

neillradford
Level 1

Hi all

Have run into an issue on my ASA 5510.

I have recently added a web server directly into Ethernet port 2 on the ASA. It will be accessed from the internet, so as a result it is on its own dedicated interface, separate from the internal network. I need this web server to listen on ports 2008-2011 and 1957-1960 to pull down feeds from a remote server configured to send on the same ports. I then need my ASA to be clever enough to forward this particular traffic onto the internal web server. Sounds simple enough, but I'm running into a brick wall with the NAT statements and Access Rules! If anyone can help, I will post selected config and the results of the packet trace (which show it's almost there!).

Thanks :)


10 Replies

Pranay Prasoon
Level 3

NAT and access-list on ASA depend on the software version. Please post the software version.

Hi Pranay,

Thanks for the quick reply.

asdm-731-101
asa 9.1(5)

See attached for selected config. I've tried so many variants of NAT, so I doubt this current config is correct.

Thanks

N

You have the access-list at ingress direction on "outside" and "egress" on HeadEnd.

You need to allow traffic on both of them to 10.10.100.0/24 from the outside address. Have you verified if the correct access-list is configured?

Hi Pranay

I have changed it around but still the packet trace fails at the same point?

Thanks

N

Please add these two lines and let me know:

access-list outside_access_in line 1 permit ip any 10.10.100.0 255.255.255.0

access-list HeadEnd line 1 permit ip any 10.10.100.0 255.255.255.0

If it doesn't work, please send me the packet-tracer output again with the command.

That worked! Just need to add the rest of the NAT statements.

Many thanks

I think, looking at your configuration, the ACLs applied to the HeadEnd interface are the wrong way round.

So the inbound ACL on that interface is traffic coming from the web server.

The outbound ACL on that interface is traffic going to the web server.

So your source and destination IPs are the wrong way round as far as I can tell.

Whether you actually need either of the ACLs is debatable.

The inbound ACL would be needed if you either -

1) wanted to allow the web server access to higher security interfaces, e.g. your inside interface

or

2) wanted to restrict what connections can be initiated from the web server to the outside

and the outbound ACL would be needed if you wanted to limit what traffic is allowed to the web server from interfaces other than the outside, because you already have an ACL on the outside interface.

So I'm not sure you need either, although it's difficult to say.

Most common are inbound ACLs, which you may need depending on the above.

Jon

Hi Jon

Thanks for taking the time to read my config and reply.

I had intended to restrict access to the web server to only permit access from the outside to 6 ports, so maybe I am going overboard with the ACLs. I have an access group applied to the interface as well.

This interface doesn't need access to the inside network at all, just internet access outbound.

The packet trace does indicate an ACL issue, so I will swap the source & destination round as suggested.

Thanks

Neill

Swapped the source and destination around but still no luck :(
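As an added example (not the poster's config or the accepted answer), here is the same port-forward written the way a practitioner would tighten it: object NAT per forwarded port, the outside ACL scoped to the feed server and the feed ports instead of "permit ip any 10.10.100.0/24", and an inbound ACL on HeadEnd following Jon's point that "in" on that interface means traffic from the web server. Assumed values: web server 10.10.100.10, feed server 203.0.113.10 and ASA public address 198.51.100.1 (RFC 5737 placeholders); interface and ACL names come from the thread.

```cisco
! Added example, not from the thread. Assumed addresses: web server
! 10.10.100.10 on HeadEnd, remote feed server 203.0.113.10, ASA outside
! interface 198.51.100.1 (all placeholders).
object network FEED-SERVER
 host 203.0.113.10
object network WEBSRV
 host 10.10.100.10
!
! Object NAT carries one port per object, so one object per forwarded
! port; 1958-1960 and 2009-2011 follow the same pattern.
object network WEBSRV-1957
 host 10.10.100.10
 nat (HeadEnd,outside) static interface service tcp 1957 1957
object network WEBSRV-2008
 host 10.10.100.10
 nat (HeadEnd,outside) static interface service tcp 2008 2008
!
! Inbound on outside. ASA 8.3+ matches ACLs on the real (untranslated)
! destination, so the rule names 10.10.100.10, not the public address.
! Only the feed server, only the feed ports.
access-list outside_access_in extended permit tcp object FEED-SERVER object WEBSRV range 1957 1960
access-list outside_access_in extended permit tcp object FEED-SERVER object WEBSRV range 2008 2011
access-group outside_access_in in interface outside
!
! Inbound on HeadEnd is traffic FROM the web server. It needs internet
! access outbound only, so deny private address space first, then permit
! DNS and web outbound. Return traffic for the forwarded sessions is
! stateful and is not subject to this ACL.
access-list HeadEnd_access_in extended deny ip object WEBSRV 10.0.0.0 255.0.0.0
access-list HeadEnd_access_in extended deny ip object WEBSRV 172.16.0.0 255.240.0.0
access-list HeadEnd_access_in extended deny ip object WEBSRV 192.168.0.0 255.255.0.0
access-list HeadEnd_access_in extended permit udp object WEBSRV any eq 53
access-list HeadEnd_access_in extended permit tcp object WEBSRV any eq 80
access-list HeadEnd_access_in extended permit tcp object WEBSRV any eq 443
access-group HeadEnd_access_in in interface HeadEnd
!
! Re-run the check the thread was debugging: feed server to the public
! address on a forwarded port should show NAT and ACL phases as ALLOW.
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.1 2008
```

If the thread's existing "HeadEnd" ACL is applied in the out direction, remove that access-group before applying the inbound one above, otherwise both are evaluated.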