
Port forwarding

JonRM1970
Level 1

I have an easy question for someone. I am used to the pre-8.3 IOS version of nat'ing and am having some trouble on a newer version nat.

What I am wanting to do is port inbound http/https traffic from the outside in and send it to port 5081 on the inside address of 10.10.10.104. Can someone give me a hand on getting the ACL and nat statement for this?

 

What I have tried is this and it does not work:

  access-list Outside_in extended permit tcp any any eq http

  access-list Outside_in extended permit tcp any any eq https

 

  nat (inside,outside) static outside 5081 10.10.10.104 5081 eq http

  nat (inside,outside) static outside 5081 10.10.10.104 5081 eq http

 

Any help would be appreciated.

-Jon

 

 

 

1 Reply

Akshay Rastogi
Cisco Employee

Hi Jon,

When you say version pre-8.3, I am expecting you are mentioning version 8.2 (just to say). In that case, this nat would not work as the syntax is incorrect.

 

As per the description, here is my understanding :

Real Address : 10.10.10.104, Real Port 5081

Mapped Address : Outside interface IP address, mapped port 443 or 80

 

Suggested configuration:

static (inside,outside) tcp <outside-int-ip> <mapped-port> 10.10.10.104 5081

- In case of https, you might get an error that 443 cannot be reserved. This comes when you have enabled 'http server enable'. By default this uses '443' for ASDM traffic. Configure something like 'http server enable 4443'. Then you need to access ASDM on port 4443 instead of 443, and this time the ASA would take the nat statement.

- You cannot redirect 80 and 443 traffic to the same IP and port of the inside server through the same mapped address.

Access-list looks fine:

access-list Outside_in extended permit tcp any any eq https

Do not forget to attach it to the interface:

access-group Outside_in in interface outside

 

Access the link below to understand and configure the same:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_staticpat.html#wp1071777

 

Let me know if you have any query on this.

Thanks and Regards,

Akshay Rastogi
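
For ASA software 8.3 and later, which the question asks about, the static PAT above is written as network object NAT instead of the 8.2 `static` command. The following is an added example, not part of either post; the object name `WEB-SRV-5081` is hypothetical, the interface and ACL names follow the thread, and only the HTTPS mapping is shown.

```cisco
! Added example for ASA 8.3+ (not from the thread).
! Object name WEB-SRV-5081 is hypothetical.
!
! Free TCP/443 on the outside interface if ASDM is enabled,
! as described in the reply above.
http server enable 4443
!
! Static PAT: outside interface IP, mapped port 443 -> 10.10.10.104, real port 5081.
! Order in the service clause is <real-port> <mapped-port>.
object network WEB-SRV-5081
 host 10.10.10.104
 nat (inside,outside) static interface service tcp 5081 443
!
! From 8.3 on, the interface ACL is matched against the REAL address and
! real port, not the mapped ones. Permit only the one host and port
! instead of "any any".
access-list Outside_in extended permit tcp any host 10.10.10.104 eq 5081
access-group Outside_in in interface outside
!
! Verification from the ASA CLI:
!   show nat detail
!   show xlate
!   show access-list Outside_in
```

An ACL entry written against the mapped port (`eq https`) does not match this flow on 8.3+, because the ASA un-translates the destination before the ACL check; the hit counters in `show access-list Outside_in` show which entry the traffic actually matched.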
