Solved: Syntax looks ok to me. You

chevymannie · ‎12-30-2016

Wanted to make sure I had my syntax right for this. I'm trying to forward a port say 8030 from my outside interface to a host on the inside on 3389.

Here's what I have so far

object network 1.1.1.1

host 1.1.1.1

nat (inside,outside) static interface service tcp 3389 8030

access-list outside_in extended permit tcp any host 1.1.1.1 eq 8030

Trying to get this to work and I'm not seeing any hits on my outside ACL.

Karsten Iwen · ‎12-30-2016

1.1.1.1 is your internal IP in this scenario?
In the ACL you have to use the real port, same as you use the real IP (1.1.1.1):

access-list outside_in extended permit tcp any host 1.1.1.1 eq 3389

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

Karsten Iwen · ‎12-30-2016

1.1.1.1 is your internal IP in this scenario?
In the ACL you have to use the real port, same as you use the real IP (1.1.1.1):

access-list outside_in extended permit tcp any host 1.1.1.1 eq 3389

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

chevymannie · ‎01-10-2017

Worked like a charm once I put the real port in the outside ACL. Thanks Karsten.

Rahul Govindan · ‎12-30-2016

NAT Syntax looks ok to me, just need to check the ACL port to . You can use this guide as reference:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli#NETWORK-OBJECT-NAT

Can you run a packet-tracer from outside to inside to see what happens to the packet?

packet-tracer input outside tcp 4.2.2.2 12345 <public interface ip> 8030 detailed

Port Forwarding Outside Interface