01-06-2019 12:28 AM - edited 02-21-2020 08:38 AM
Hi,
I want to configure port forwarding on the firewall: for all traffic coming in on the inside interface and going to the internet with destination port 5222, I want to forward it to port 443 instead. What would be the syntax on the ASA firewall for any source IP on the inside to any destination on the outside?
01-06-2019 12:41 AM
These are high ports; in most cases a user is not going to type http or ftp with that port, as far as I know.
Can you explain the use case here in more detail?
Below document reference:
01-06-2019 03:46 AM
Do I understand you right that you want the following:
Whenever a client on the inside network accesses any IP on the outside network with the port TCP/5222, then the destination port has to be changed to TCP/443?
then you need to configure manual or twice NAT:
object service TCP-5222
 service tcp destination eq 5222
object service TCP-443
 service tcp destination eq https
object network ANY
 subnet 0.0.0.0 0.0.0.0
!
nat (inside,outside) after-auto source dynamic any interface destination static ANY any service TCP-5222 TCP-443
Here the source IP is changed to the ASA interface IP as the client typically has a private IP and for any destination the port is changed from 5222 to 443.
01-07-2019 12:53 AM
Thanks Bajaji and Karsten. I can be more specific. I would like all traffic reaching the firewall's inside interface with destination port 5222 to be forwarded immediately to port 443, because port 5222 is blocked on the ISP side and the application takes a long time to connect since it tries to initiate the connection on port 5222 first.
01-07-2019 01:00 AM
OK, the NAT solution will work, but it is not the best way to solve this problem. Better configure your firewall to deny this port. The ASA will send a TCP reset and the client will/should try the alternate port directly after that.
01-07-2019 02:16 AM - edited 01-07-2019 02:17 AM
@Karsten Iwen will this rule not end up in section 1 instead of section 3? Also, if Adnan already has a rule in section 3, then he has to define this one on top of that rule, where the 1 gives it priority over the other rules in section 3 or in section 1.
I understand that section 3 is the last one to be checked.
nat (inside,outside) after-auto 1 source dynamic any interface destination static ANY any service TCP-5222 TCP-443
01-07-2019 02:21 AM
As always: it depends ... ;-)
Putting this rule in section three gives an easy way to override this behaviour for clients with "normal" NAT needs.
In section three it has to sit above the general PAT rule, which is done with the number "1" in the nat statement. But it all depends on the rest of the NAT config and has to be evaluated accordingly.
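The two approaches discussed in this thread (Karsten's twice-NAT port rewrite, the ordering point about placing it above the generic PAT rule in section 3, and his alternative of simply denying TCP/5222 so the client falls back to 443) side by side in one ASA configuration. This is an added illustration, not configuration posted by anyone in the thread; the generic PAT rule, the inside ACL name INSIDE_IN, and the client/server addresses used in packet-tracer are assumptions for the example, and the `service resetoutbound` default should be confirmed on your own software version with `show running-config all service`.

```cisco
! ===== Option A: twice NAT that rewrites destination port 5222 -> 443 =====
object service TCP-5222
 service tcp destination eq 5222
object service TCP-443
 service tcp destination eq https
object network ANY
 subnet 0.0.0.0 0.0.0.0
!
! Assumed pre-existing generic PAT rule in section 3 (after-auto).
! Without a line number, new after-auto rules are appended BELOW it and
! would never be hit for port 5222 because this rule already matches.
nat (inside,outside) after-auto source dynamic any interface
!
! Line number 1 forces the port-rewrite rule ABOVE the generic PAT rule
! within section 3. Section 1 rules (manual NAT without after-auto) and
! section 2 (object/auto NAT) are still evaluated first, so check those too.
nat (inside,outside) after-auto 1 source dynamic any interface destination static ANY any service TCP-5222 TCP-443
!
! Verification: confirm the order and the translation for a sample flow.
! (192.168.1.10 and 203.0.113.5 are assumed example addresses.)
show nat detail
packet-tracer input inside tcp 192.168.1.10 54321 203.0.113.5 5222
! Expect the NAT phase to show the rule above and the destination port
! rewritten to 443 in the resulting flow.

! ===== Option B: deny TCP/5222 outbound and let the client fall back =====
! Assumed inside ACL; if an ACL is already applied to inside, add the deny
! line above its permit statements instead of creating a new ACL.
access-list INSIDE_IN extended deny tcp any any eq 5222
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Makes the ASA answer ACL-denied outbound TCP SYNs with a RST instead of
! silently dropping them, so the client gives up on 5222 at once rather
! than waiting for its own connect timeout. Enabled by default on the ASA;
! shown here explicitly so the dependency is visible.
service resetoutbound
!
! Verification: the same flow should now be dropped by the ACL phase.
packet-tracer input inside tcp 192.168.1.10 54321 203.0.113.5 5222
```

Option A keeps the application working on 5222 from the client's point of view while the ISP only ever sees 443; Option B leaves the packets untouched and relies on the application honouring the reset and retrying on 443, which is the behaviour the original poster said it has. Whichever is chosen, run the packet-tracer with a real inside source and a real outside destination after the change, because the result depends on every NAT and ACL rule already present on the box.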
01-07-2019 02:28 AM
Cheers Karsten. Appreciated, thanks for the quick reply.