Port Forwarding on cisco asa5505

Roberto Kippins
Level 1

Hi, I need help with doing a port forward for Remote Desktop with ASA5505 9.1.1 and ASDM 7.1.1. I could have done this with the previous versions of ASDM, but now it is even more confusing.


Jouni Forss
VIP Alumni

Hi,

Basic command format (that you can also insert through the ASDM toolbar -> Command Line Interface)

object network STATIC-PAT
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 3389 3389
access-list OUTSIDE-IN permit tcp any object STATIC-PAT eq 3389

Where

  • STATIC-PAT = name of the object that holds the source host IP and the actual NAT command
  • host 10.10.10.10 = example LAN host IP to be Static PATed
  • nat (inside,outside) static interface service tcp 3389 3389 = does nat between "inside" and "outside" interface and uses the "outside" interface IP address. Forwards port TCP/3389 to port TCP/3389 of the LAN host IP
  • access-list OUTSIDE-IN permit tcp any object STATIC-PAT eq 3389
    • access-list is attached to interface with command "access-group"
    • access-group OUTSIDE-IN in interface outside

What was your last firewall version? Was it perhaps even below 8.3?

- Jouni

My last version was 8.4 with ASDM 6.1.3, and I could have done it in the blink of an eye with that ASDM, but now it is just confusing.

I'm new to Cisco and the CLI. Are there any GUI examples with the new ASDM?

Hi,

Are you saying the NAT configuration has somehow changed? I haven't tested 9.x software yet myself. Only 8.4(x)

What's different from the below configuration windows? (using my own ASA's interface names)

Configuration -> Firewall -> NAT Rules -> Add Network Object

LAN = "inside"

WAN = "outside"

Advanced

- Jouni

OK, I got this piece. What about the access rule?

Hi,

Configuration -> Firewall -> Access Rules ->

Right Click on the Interface/ACL for your "outside" interface in the list you see and choose "Add Access Rule"

STATIC-PAT = name of the object created in the NAT configuration

Please rate if you found the information was helpful. Also mark the question as answered (if it was).

- Jouni

OK, thanks for your help, bro, but here is what mine looks like.

Hi,

The first picture seems to me to be the configuration for a different type of NAT rule, not the "Network Object" type of NAT.

When you have gone to Configuration -> Firewall -> NAT Rules -> Then Right Click and the below options should be visible (This unless there has been some change from 8.4 -> 9.x)

The middle one highlighted for me gives the configuration window desired.

I guess if the ACL portion of the ASDM has changed because of some change in 9.x

I assume you can just add the rules by filling the above fields which are needed (source, destination, service)

To be honest, I don't personally use the ASDM for ACL and NAT, so I'm a bit (if not a lot) rusty with it.

- Jouni

Someone help please.

I need to do port forwarding for 2 LAN IPs NATed to a single public IP.

The 2 LAN IPs and their ports:

1) LAN A, port 443 (HTTPS)

2) LAN B, ports 8080 and 80 (HTTP)

Please help, guys.

Hi.

syslog

Teardown TCP connection 5735645 for outside:83.220.238.182/54731 to inside:10.2.150.5/3389 duration 0:00:30 bytes 0 SYN Timeout

What's the problem?

Hi,

The host 10.2.150.5 on the "inside" is not replying to the TCP Connection forming.

You should check that no local firewall on the host is blocking the connection and also check that the host is configured otherwise to allow RDP sessions to it.

Also, if those are OK, you should confirm that the host on the "inside" has the default route back to the Internet through the ASA.

- Jouni
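
An added example, not part of the thread or any Cisco tooling: a small Python parser for the "Teardown TCP connection" message quoted above. It lists forwarded hosts whose inbound connections only ever ended in a 0-byte SYN Timeout, which is the "inside host never replied" case described in this answer. The function names are hypothetical, and every sample log line except the first is constructed.

```python
import re
from collections import defaultdict

# Body of the ASA "Teardown TCP connection" message, as quoted in the thread.
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

def parse_teardown(line):
    """Return the fields of one teardown message, or None for any other message."""
    m = TEARDOWN.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["reason"] = rec["reason"] or ""
    return rec

def silent_targets(lines):
    """Map (ifname, ip, port) -> distinct client IPs for forwarded targets that
    only ever ended in a 0-byte SYN Timeout, i.e. the host never answered."""
    timeouts, answered = defaultdict(set), set()
    for rec in filter(None, map(parse_teardown, lines)):
        target = (rec["dst_if"], rec["dst_ip"], rec["dst_port"])
        if rec["reason"].startswith("SYN Timeout") and rec["bytes"] == 0:
            timeouts[target].add(rec["src_ip"])
        elif rec["bytes"] > 0:
            answered.add(target)  # at least one session carried data
    return {t: srcs for t, srcs in timeouts.items() if t not in answered}

# First line is the one quoted in the thread; the others are constructed samples.
SAMPLE_LOG = [
    "Teardown TCP connection 5735645 for outside:83.220.238.182/54731 to inside:10.2.150.5/3389 duration 0:00:30 bytes 0 SYN Timeout",
    "Teardown TCP connection 5735650 for outside:203.0.113.7/40112 to inside:10.2.150.5/3389 duration 0:00:30 bytes 0 SYN Timeout",
    "Teardown TCP connection 5735700 for outside:203.0.113.7/40200 to inside:10.2.150.9/443 duration 0:00:30 bytes 0 SYN Timeout",
    "Teardown TCP connection 5735701 for outside:198.51.100.4/51000 to inside:10.2.150.9/443 duration 0:01:12 bytes 48213 TCP FINs",
    "Built inbound TCP connection 5735702 for outside:198.51.100.4/51001 (198.51.100.4/51001) to inside:10.2.150.9/443 (192.0.2.1/443)",
]

if __name__ == "__main__":
    for (ifname, ip, port), clients in silent_targets(SAMPLE_LOG).items():
        print(f"{ifname}:{ip}/{port} never answered; {len(clients)} client(s) timed out")
```

A target that shows up here has NAT and the ACL passing traffic but no reply from the host, so the checks move to the host firewall, the RDP setting and the return route rather than the ASA rules.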

Is 1.1.1.1 here the WAN IP address?

object network PORT-FORWARD
 host 1.1.1.1
 nat (lan,wan) static interface service tcp 3389 3389
access-list wan_access_in extended permit tcp any object PORT-FORWARD eq 3389

Hi,

The IP address under the "object network" should be the local IP address of the host/server

The parameter "interface" in the "nat" configuration line specifies that the IP address of the interface "wan" will be used as the NAT IP address.

object network

host

nat (lan,wan) static interface service tcp

Remember to rate helpful answers.

- Jouni

I wrote:

object network TEST

host

nat (LAN,WAN) static interface service tcp 3389 3389

access-list WAN_access_in extended permit tcp any object TEST eq 3389

It doesn't work.

Syslog

Teardown TCP connection 6306058 for disbacak:83.220.236.74/29128 to icbacak:10.2.150.5/3389 duration 0:00:30 bytes 0 SYN Timeout

What is the problem?

?
