11-03-2017 11:01 AM - edited 02-21-2020 06:38 AM
I am trying to port forward 80 and 443 to host a website. An ASA 5506-X is used as the firewall. I was able to configure this in ASDM in previous versions, but I am unable to do the same in the new 6.2.2 FTD image. The traffic doesn't seem to flow. I have created a static NAT from the outside to the inside interface with the outside interface IP as source and the server IP from the internal network as destination with the http-8080 port. Can someone suggest what is wrong with my configuration?
(www.piems4u.com, a personal income and expense management system)
11-05-2017 03:30 AM - edited 11-05-2017 03:33 AM
Your ACL is not correct. You are specifying that the source port should also be tcp/8080. The source port is almost always a random high number unless it is manually manipulated by the source user. So your ACL should look like this:
outside_zone Any Any Inside_zone Management_S... http-8080 Any Any Any
This is assuming that the server on the inside is listening on port tcp/8080 as it suggests in your NAT statement. If the server is listening on port tcp/80 and you want to access it using port tcp/8080 then you need to change both NAT and ACL.
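The rule the accepted answer describes, written out in ASA-style CLI as an added example (this is not configuration posted in the thread, and on FTD the access rule is authored in the FMC Access Control Policy rather than typed in; the lines below are the equivalent of what FTD renders). The server address 192.168.1.10, the interface names inside/outside, the object name WEB_SERVER and the ACL name OUTSIDE_IN are assumptions. The first ACL line reproduces the mistake (source port pinned to 8080); the second is the corrected rule:

```cisco
! Real server on the inside; it listens on tcp/8080, so no port translation is needed.
object network WEB_SERVER
 host 192.168.1.10
 ! Static PAT: outside interface IP, tcp/8080 -> 192.168.1.10, tcp/8080.
 ! The reverse (inside->outside) translation is implied by this one rule;
 ! a second "reverse" NAT rule is not required.
 nat (inside,outside) static interface service tcp 8080 8080

! WRONG: "any eq 8080" constrains the CLIENT's source port to 8080.
! A browser uses an ephemeral source port (e.g. 40000-65535), so this never matches.
! access-list OUTSIDE_IN extended permit tcp any eq 8080 object WEB_SERVER eq 8080

! CORRECT: any source address, any source port, destination = real server IP, dst port 8080.
! Since ASA 8.3 the ACL references the real (untranslated) address, not the outside IP.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 8080
access-group OUTSIDE_IN in interface outside

! Verification from the FTD/ASA CLI: simulate a client at 203.0.113.10 (source port 40000)
! hitting the outside interface IP (assumed 198.51.100.1) on tcp/8080.
! Both the NAT and ACCESS-LIST phases should show ALLOW and the result "ALLOW".
! packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.1 8080
! show nat detail
! show access-list OUTSIDE_IN
```

The packet-tracer line is the quickest way to tell a NAT problem from an ACL problem: with the source-port-constrained rule it stops at the ACCESS-LIST phase with DROP, and once the rule is fixed it walks through NAT and ACCESS-LIST to ALLOW. Restrict the access rule to tcp/8080 only; leaving it as "Any" service would also expose anything else the host listens on.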
11-03-2017 01:24 PM
Hello @jeba1521
Original Packet should come with Any IP address and Any port as source.
Destination address Outside-interface and Destination port 80.
Translated Packet should be Management as source address and Source port as 80.
Destination address the Web server and destination port 8080.
-If I helped you somehow, please, rate it as useful.-
11-05-2017 02:58 AM - edited 11-05-2017 03:12 AM
Hi Flavio Miranda,
This is a test server and the URL for the request will be http://www.piems4u.com:8080/mfa/faces/index.xhtml. Hence port translation from 80 to 8080 is not required. I have recreated it as an automatic static NAT and I have attached the screenshot. Still it's not working.
In older ASDM, the reverse NAT was automatically created. But in the new FTD image, as it was not created, I have created one as well. Still it's not working.
Thanks and Regards
Jeba J
11-04-2017 04:17 PM
First off I would suggest doing static NAT with the source being inside and the destination outside. Not that what you are doing won't work, it will, it's just easier to read and a better practice.
Have you created an ACP entry for the NAT rule? Could you post the configuration?
11-05-2017 02:57 AM