Setup Port Forwarding Cisco ASA

khoirul.iman
Level 1

Hi All,

I want to set up port forwarding in Cisco ASA (5512-x/ASDM 7.4).

The scenario: the outside interface is directly connected to the Internet, and the inside interface is directly connected to the web server. NAT and ACL are already set up, but when I try to telnet to the web server using port 80, the web server can't be accessed.


carlguer
Level 1

Hi khoirul.iman,

Port-forwarding in your ASA depends on the version that you are currently running.

Here's a link to configure port-forwarding in version 8.2:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html

Here's a link to configure port-forwarding in version 8.4 and later:

https://supportforums.cisco.com/discussion/11596996/simple-port-forwarding-asa-84

Example:

  • Port Forward

object network PORT-FORWARD
  host 192.168.1.100
  nat (inside,outside) static interface service tcp

Hi carlguer,

The version of my device is 9.4. Do you have a reference?

Hi khoirul.iman,

The configuration for the NAT should be the same in 8.4 and in 9.4.

This is how it should look:

  • Port Forward

object network PORT-FORWARD
  host 192.168.1.100
  nat (inside,outside) static interface service tcp

You can take a look at this link if you need additional information:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_objects.html

Hi carlguer,

My problem has been solved.

Thank you for your help.

Khoirul

Shivapramod M
Level 1

Hi,

Can you share the NAT and ACL configuration (show run nat, show run access-list)?

Can you run the packet tracer on the ASA and check if the firewall is dropping due to a configuration error?

packet-tracer in outside tcp <source IP, any internet IP> 12345 <server public IP> 80 detail

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi Shivapramod,

I have attached my device's show run.

Hi,

The NAT configuration has not changed in versions above 8.4, and it looks like the configuration is correct.

I can see you are doing a PAT of 80 to 8080.

The first thing I can see in your configuration is that the IP address is 10.0.3.0, which looks like a broadcast IP address. Is it possible to change the IP address?

The second thing is:

As per your configuration, if the firewall gets a TCP packet with the destination IP 10.0.3.0 and destination port 8080, then it will translate it to port 80. If you are accessing the server from outside using destination port 80, then it will not work. You need to access it on destination port 8080.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
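
The port mix-up described in the reply above can be checked offline from a saved configuration. The following is an added example, not code from the thread or from Cisco: it lists each object-NAT static port forward and the port outside clients must use, relying on the ASA object NAT syntax in which the real (inside) port comes first and the mapped (outside-facing) port second. The sample configuration is constructed from the thread's description, and the object name WEB-SERVER is hypothetical.

```python
import re

# Port names ASA accepts in place of numbers (small subset).
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "telnet": 23}

# Object NAT syntax: the REAL (inside) port comes first, the MAPPED
# (outside-facing) port second.
NAT_RE = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static (?P<mapped>\S+)"
    r" service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)$")

# Constructed sample based on the thread's description (PAT of 80 to 8080,
# server 10.0.3.0); the object name WEB-SERVER is hypothetical.
SAMPLE = """\
object network WEB-SERVER
 host 10.0.3.0
!
object network WEB-SERVER
 nat (inside,outside) static interface service tcp 80 8080
"""

def port(token):
    """Convert a port token (number or known ASA port name) to an int."""
    return PORT_NAMES.get(token) or int(token)

def port_forwards(config):
    """List every object-NAT static port forward found in an ASA config."""
    hosts, rules, obj = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # top-level command: enter/leave object mode
            parts = line.split()
            is_obj = parts[:2] == ["object", "network"] and len(parts) == 3
            obj = parts[2] if is_obj else None
        elif obj and line.startswith("host "):
            hosts[obj] = line.split()[1]
        elif obj and (m := NAT_RE.match(line)):
            rules.append((obj, m))
    return [{"object": o, "proto": m["proto"], "real_host": hosts.get(o),
             "real_port": port(m["real_port"]), "mapped_if": m["mapped_if"],
             "mapped_port": port(m["mapped_port"])} for o, m in rules]

def describe(r):
    return (f"{r['object']}: connect to {r['mapped_if']} "
            f"{r['proto']}/{r['mapped_port']} -> {r['real_host']}:{r['real_port']}")

if __name__ == "__main__":
    for rule in port_forwards(SAMPLE):
        print(describe(rule))
```

Run against the output of show run, the listing doubles as an inventory of which inside services are published on the outside interface.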

Hi Shivapramod,

My problem is already solved. I tried deleting all the NAT configuration and reconfigured the NAT. I think there was something that was forgotten.

Thanks

Khoirul
