cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

79807
Views
56
Helpful
24
Replies
Highlighted

Port Forwarding on cisco asa5505

Hi I need help with doing a port forward for remote desktop with asa5505 9.1.1 and asdm 7.1.1 i could have done this with the previous versions of asdm but now it even more confusing

24 REPLIES 24
Highlighted

Hi,

The format for configuring Static PAT is pretty simple

You configure an "object network", for example

object network SERVER-RDP

host x.x.x.x

nat (lan,wan) static interface service tcp 3389 3389

The above "lan" and "wan" are interface names. If your interfaces are named different like they seem to be looking at the log message then you naturally use those.

The x.x.x.x means the local ip address configured on the actual host on your LAN network. Its not the public IP address.

- Jouni

Highlighted

I still did.

But when asked to external ip address in the logs an error

Teardown TCP connection 6306058 for disbacak:83.220.236.74/29128 to icbacak:10.2.150.5/3389 duration 0:00:30 bytes 0 SYN Timeout

What had I done?

Highlighted

Hi,

Seems to me that there is some translation already for IP address 10.2.150.5 local IP address and the connection that is taken through the firewall is allowed.

The actual target machine doesnt respond to the connection attempt.

This doesnt seem to be a problem with the firewall. It seems to be a problem with the PC you are trying to connect to.

- Jouni

Highlighted

If connected to the LAN by 10.2.150.5 RDP, the connection is established.

When you connect the external IP an error.

Highlighted

Hi,

Its impossible for me to tell you the reason with this information.

I would suggest checking that the actual host is not blocking the connection from the Internet.

It could be some Windows related setting or software firewall or perhaps there is problem with the default gateway configuration of the host (though I would doubt it since it couldnt access Internet through the ASA if this was the case)

- Jouni

Highlighted

The problem is solved.

The fact was that, as is the gateway ip address of the proxy server.

If you register ip address tsistso then everything works.

Thanks for the advice and help.

Highlighted

I following your suggestion to the T and I cannot get my IIS server to come up.  i have disabled FW, NO AV, no matter what I try I cannot get to the server.  I can post the config if you have the time to tell me wtf I am doing wrong.

Thanks

Highlighted
Beginner

Hi Roberto,

Are you done with the configuration? its successfull or not? because i have this problem either.

- Bara

Highlighted

Hi,

I went as far as changing my own ASA software from 8.4(5) to 9.1(1) and ASDM 7.1(1)52. I use the other software as there are some bugs related to NAT on the 9.1(1) software

I dont personally ever use ASDM for NAT and ACL configurations but here is how I would configure Port Forward / Static PAT through the ASDM

Go to Configuration -> Firewall -> NAT Rules -> Right Mouse Click to open the menu -> Choose Add "Network Object" NAT Rule

It will open the following window which you can configure in the following way

Where

  • PORT-FORWARD = Is the name of the Object that will contain the Real IP address of the host and the actual NAT configuration
  • 10.0.0.100 = Is a example Real IP address
  • WAN = Is the "nameif" of my "outside" interface

Next click Advanced on the window, it will open the following window, where you can fill the port and interface information

Where

  • LAN = Is my "inside" interface
  • WAN = Is my "outside" interface
  • tcp = Is the protocol used (can be udp if you want/need)
  • 1111 = Is the actual port on the LAN host
  • 2222 = is the mapped port that is visible to the WAN

Finally Click Ok on all windows and then Apply

The ASDM will insert the configurations in CLI format to the ASA

      object network PORT-FORWARD

        host 10.0.0.100

        nat (LAN,WAN) static interface service tcp 1111 2222

As you can see pretty simple configurations on the CLI instead of jumping between different windows and options on the ASDM.

Naturally you will need an ACL allowing this traffic also from the "outside" or "WAN" interface, whatever you are using.

You will need to open the traffic by using the REAL IP and REAL PORT

So for example the ACL rule allowing this traffic from Internet could look like this

access-list WAN-IN extended permit tcp host 1.1.1.1 object PORT-FORWARD eq 1111

Please rate if the information has been helpfull

- Jouni

Highlighted

Long dead thread, but this saved my assignment tonight.

thanks! 

Content for Community-Ad