Simple asa 5505 firewall NAT question

robbhanMid (Level 1)

Hi,

I want to allow incoming traffic on port 444 to be NATed to an internal host. I also want to allow this traffic using an ACL. Seems fairly simple but I can't figure it out.

The important part of my config:

xxx.xxx.xxx.xxx is my external IP address.

: Saved
:
ASA Version 7.2(3)
!
hostname x
domain-name x
enable password x
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.xxx 444 192.168.100.16 444 netmask 255.255.255.255
access-group outside_access_in in interface outside

6 Replies

Jon Marshall (Hall of Fame)

Traffic coming from outside will not have both the src and dst port set to 444 so your acl will not work -

access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444

Assuming you are talking about traffic coming in with a destination port of 444, which you then want to send to your internal server 192.168.100.16, change the ACL line to -

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

Jon

andrew.prince (Level 10)

Your ACL is wrong, you are using a source port of 444 - it will be anything from 1024-65535.

Change the acl to:-

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

HTH>

And I always find it useful, when I am using the IP address of the outside interface, to configure the ACL & NAT to use it, like:-

access-list outside_access_in extended permit tcp any interface outside eq telnet

static (inside,outside) tcp interface 23 192.168.100.16 23 netmask 255.255.255.255

HTH>
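Both replies above make the same point: a client opening a TCP connection to port 444 picks an ephemeral source port, so an ACE that also pins the source port to 444 never matches and the inbound packet falls through to the implicit deny. The following small evaluator is an added example (not Cisco's code and not from any poster in this thread) that implements just the ASA 7.2 extended-ACL subset used here: `permit|deny` with `ip|tcp|udp|icmp`, addresses given as `any`, `host A.B.C.D`, `A.B.C.D MASK` or `interface outside`, and optional `eq PORT` after each address. It substitutes the placeholder public address 203.0.113.10 for the masked xxx.xxx.xxx.xxx, and uses constructed sample packets.

```python
"""Evaluate ASA 7.2-style extended ACL lines against sample packets.

Added example, not Cisco code. Covers only the syntax used in this thread:
  access-list NAME extended ACTION PROTO SRC [eq PORT] DST [eq PORT]
SRC/DST: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' | 'interface NAMEIF'
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed values: the real outside address is masked as xxx.xxx.xxx.xxx
# in the post, so a documentation-range placeholder stands in for it.
OUTSIDE_IP = "203.0.113.10"
INTERFACE_IPS = {"outside": OUTSIDE_IP, "inside": "192.168.100.1"}
# Named ports the ASA accepts in place of numbers (subset).
NAMED_PORTS = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _port(token: str) -> int:
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t == "interface":  # resolve to that interface's own address
        return ipaddress.ip_network(INTERFACE_IPS[tokens[i + 1]] + "/32"), i + 2
    # 'A.B.C.D MASK' form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int):
    """Consume an optional 'eq PORT'; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line}")
    action, proto = tokens[3], tokens[4]
    src, i = _parse_addr(tokens, 5)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return Ace(action, proto, src, sport, dst, dport)


def matches(ace: Ace, proto: str, src_ip: str, sport: Optional[int],
            dst_ip: str, dport: Optional[int]) -> bool:
    if ace.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src_ip) not in ace.src:
        return False
    if ipaddress.ip_address(dst_ip) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl_lines: List[str], proto: str, src_ip: str, sport: Optional[int],
             dst_ip: str, dport: Optional[int]) -> str:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, proto, src_ip, sport, dst_ip, dport):
            return ace.action
    return "deny"


# The poster's original ACE versus the corrected one from the replies.
ORIGINAL_ACE = (f"access-list outside_access_in extended permit tcp "
                f"any eq 444 host {OUTSIDE_IP} eq 444")
CORRECTED_ACE = (f"access-list outside_access_in extended permit tcp "
                 f"any host {OUTSIDE_IP} eq 444")
INTERFACE_ACE = ("access-list outside_access_in extended permit tcp "
                 "any interface outside eq telnet")

if __name__ == "__main__":
    # Constructed client: ephemeral source port 51515, destination port 444.
    pkt = ("tcp", "198.51.100.7", 51515, OUTSIDE_IP, 444)
    print("original ACE :", evaluate([ORIGINAL_ACE], *pkt))   # deny
    print("corrected ACE:", evaluate([CORRECTED_ACE], *pkt))  # permit
```

The corrected line is not just "looser": it is the only form that matches real client traffic, while the `host ... eq 444` destination still limits exposure to the single service the static NAT publishes. Note that on this 7.2 code the outside ACL is evaluated against the mapped (public) address, which is why the destination in the ACE is the external IP, or `interface outside`, rather than 192.168.100.16.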

I changed the ACL to:

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

But the problem still remains. Is there something wrong with my NAT rule perhaps?

post your current nat rule.

also try a clear xlate then re-test

Forget my last post. I got it.
