How does one open a port in a cisco ASA 5505 series?

reginoletellis
Level 1

Hello;

I am stumped here. I need to open ports 9080 and 5280 on my Cisco ASA 5505 firewall and despite doing everything I THINK I needed to do...when I run the utility to check from outside; it is NOT open....I utilize a website called http://www.yougetsignal.com/tools/open-ports/ (very good for these kinds of things). I have added the specific port(s) to my services so that I can CHOOSE them; added an ACE/ACL to; added incoming/outgoing rules to accommodate traffic to those ports....NOTHING.....what am I missing here?


John Blakley
VIP Alumni

What version of IOS are you using?

HTH,
John

*** Please rate all useful posts ***


Version 8.2

Okay. It may be easier if you could post what you have, but you'll need to map the IP/port that you want and then allow it through the ASA via an access-list. Say you wanted to allow port 80 into public address 1.1.1.1. You want to map the public address 1.1.1.1 to 192.168.1.1 on your LAN. You'd do something like the following:

access-list OUTSIDE permit tcp any host 1.1.1.1 eq 80

static (inside, outside) tcp 1.1.1.1 80 192.168.1.1 80 netmask 255.255.255.255

access-group OUTSIDE in interface outside

If you only want to map the address that the provider assigns you (a single address), you can do that with the interface command:

static (inside,outside) tcp interface 80 192.168.1.1 80 netmask 255.255.255.255

with an access-list:

access-list OUTSIDE permit tcp any interface eq 80

If this doesn't help, you'll need to post your config.

HTH,
John

*** Please rate all useful posts ***


Hello John;

Thanks for responding. It is helpful.

I guess it would be better if I more clearly illustrate what I am trying to do.

Basically; we have a personal fax solution from our VOIP vendor which requires ports 9080 and 5280 open in order for the client-based software to contact THEIR server. So I need my internal network 192.168.x.x to be able to communicate through my external interface 209.125.x.x on ports 9080 and 5280 and vice versa...now as this fax client can be installed on multiple machines inside the network; it makes sense to allow those ports to communicate from any machine on the inside...right? Particularly since I don't have a specific IP or IPs that the external VOIP servers will be trying to come in FROM....

If your clients are initiating the connection, you can define it in a class map and then add that to the policy map and inspect it. Otherwise, you'll need to allow those ports back in. Post your config please...

HTH,
John

*** Please rate all useful posts ***

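The two answers above describe the ASA 8.2 inbound path in prose: an access-group bound inbound on the outside interface, an ACE in that ACL that permits the port to the public address (the ACL on 8.2 is evaluated against the pre-NAT destination), and a static that publishes the port to an inside host; if the inside clients initiate the connection instead, no inbound rule is needed at all. The following checker is an added example written for this page, not code from the thread or from Cisco. It parses only the 8.2 syntax that appears in this discussion (object-group service / port-object, access-list ... permit|deny, static (real,mapped) tcp ..., access-group ... in interface ...), and both sample configs are constructed here: the first mirrors the shape of John's port-80 example, the second an ACE that names the wrong interface and has no static behind it.

```python
"""Static check of an ASA 8.2-style config: is TCP port N reachable from the outside?

Added example (not Cisco's code). Understands only the 8.2 syntax seen in this thread.
"""
import re
from typing import Optional

# Service names the ASA may print instead of a number (small subset, constructed here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}

# static (real_if,mapped_if) tcp GLOBAL GPORT LOCAL LPORT ...   (a space after the comma is tolerated)
STATIC_RE = re.compile(
    r"^static\s+\(\s*(\w+)\s*,\s*(\w+)\s*\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def port_num(tok: str) -> Optional[int]:
    """'80' -> 80, 'www' -> 80, unknown service name -> None."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def _addr(toks, i):
    """Parse one ACE address operand: any | host X | interface IF | NET MASK."""
    if toks[i] == "any":
        return ("any", None), i + 1
    if toks[i] in ("host", "interface"):
        return (toks[i], toks[i + 1]), i + 2
    return ("net", (toks[i], toks[i + 1])), i + 2


def parse_config(text: str) -> dict:
    """Collect port object-groups, ACEs, statics and inbound access-group bindings."""
    cfg = {"aces": [], "statics": [], "access_groups": {}, "port_groups": {}}
    group = None  # service object-group currently being filled by port-object lines
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "object-group" and len(toks) >= 3:
            group = toks[2] if toks[1] == "service" else None
            if group:
                cfg["port_groups"][group] = set()
        elif toks[0] == "port-object" and group and len(toks) >= 3 and toks[1] == "eq":
            cfg["port_groups"][group].add(port_num(toks[2]))
        elif toks[0] == "access-list" and len(toks) >= 5:
            i = 3 if toks[2] == "extended" else 2
            action, proto = toks[i], toks[i + 1]
            if action not in ("permit", "deny"):
                continue  # remarks, standard ACLs, etc.
            try:
                src, i = _addr(toks, i + 2)
                dst, i = _addr(toks, i)
            except IndexError:
                continue
            ports = None  # None = any port (e.g. 'permit ip any any')
            if i + 1 < len(toks) and toks[i] == "eq":
                ports = {port_num(toks[i + 1])}
            elif i + 1 < len(toks) and toks[i] == "object-group":
                ports = cfg["port_groups"].get(toks[i + 1], set())
            cfg["aces"].append({"acl": toks[1], "action": action, "proto": proto,
                                "src": src, "dst": dst, "ports": ports, "line": raw.strip()})
        elif toks[0] == "static":
            m = STATIC_RE.match(raw.strip())
            if m:
                real_if, mapped_if, proto, g_addr, g_port, l_addr, l_port = m.groups()
                cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if, "proto": proto,
                                       "global": g_addr, "global_port": port_num(g_port),
                                       "local": l_addr, "local_port": port_num(l_port)})
        elif toks[0] == "access-group" and len(toks) >= 5 and toks[2] == "in":
            cfg["access_groups"][toks[4]] = toks[1]  # interface -> ACL applied inbound
    return cfg


def check_inbound_tcp(text: str, port: int, outside_if: str = "outside") -> dict:
    """Walk the 8.2 inbound path: access-group on the outside interface -> first matching ACE
    (checked against the pre-NAT public destination) -> static that publishes the port."""
    cfg = parse_config(text)
    out = {"port": port, "acl": cfg["access_groups"].get(outside_if),
           "ace": None, "static": None, "reachable": False, "notes": []}
    if out["acl"] is None:
        out["notes"].append(f"no access-group applied inbound on interface {outside_if}")
    out["static"] = next((s for s in cfg["statics"] if s["mapped_if"] == outside_if
                          and s["proto"] == "tcp" and s["global_port"] == port), None)
    if out["static"] is None:
        out["notes"].append(f"no 'static (x,{outside_if}) tcp' line publishes port {port}")
    for ace in cfg["aces"]:
        if ace["acl"] != out["acl"] or ace["proto"] not in ("tcp", "ip"):
            continue
        if ace["ports"] is not None and port not in ace["ports"]:
            continue
        kind, value = ace["dst"]
        if kind == "interface" and value != outside_if:
            out["notes"].append(f"ACE matches traffic addressed to interface {value!r}, but packets "
                                f"arriving on {outside_if} carry the public address, so it cannot match: {ace['line']}")
            continue
        if kind == "host" and out["static"] and value != out["static"]["global"]:
            continue  # permits some other public address
        out["ace"] = ace  # ACLs are evaluated top-down; first match decides
        break
    if out["ace"] is None:
        out["notes"].append(f"no ACE in {out['acl']} permits tcp port {port} to the public address")
    elif out["ace"]["action"] != "permit":
        out["notes"].append("first matching ACE is a deny")
    out["reachable"] = bool(out["acl"] and out["static"] and out["ace"] and out["ace"]["action"] == "permit")
    return out


# Constructed sample 1: the shape of the port-80 example (public 1.1.1.1:80 -> 192.168.1.1:80).
SAMPLE_MAPPED = """
access-list OUTSIDE permit tcp any host 1.1.1.1 eq 80
static (inside, outside) tcp 1.1.1.1 80 192.168.1.1 80 netmask 255.255.255.255
access-group OUTSIDE in interface outside
"""

# Constructed sample 2: ACE names the inside interface as destination and no static publishes the port.
SAMPLE_NOT_PUBLISHED = """
object-group service Star2Star tcp
 port-object eq 9080
 port-object eq 5280
access-list outside_access_in extended permit tcp any interface inside object-group Star2Star
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for name, cfg, port in (("mapped", SAMPLE_MAPPED, 80), ("not published", SAMPLE_NOT_PUBLISHED, 9080)):
        r = check_inbound_tcp(cfg, port)
        print(f"{name}: port {port} reachable from outside = {r['reachable']}")
        for n in r["notes"]:
            print("  -", n)
```

The checker reads statics and object-groups in file order, as the ASA prints them, and it does not know the 8.3+ object NAT syntax, which replaced `static`. Its notes are the defender's side of the question asked in this thread: an ACE whose destination is `interface inside` on the outside ACL never matches Internet traffic, and without a `static` no public port is published, so an external port scanner correctly reports it closed. If the fax clients only ever dial out to the vendor, that closed result is the desired state and the outbound `permit ip any any` already covers them.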

Okay...here is the most important part...

: Saved
:
ASA Version 8.2(5)
!
hostname ASA-Test
domain-name domain.local
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
name 12.208.xx.xxx Test_Firewall
name 192.168.x.0 Test_Subnet
name 192.168.xxx.0 Test2_Subnet
name 192.168.x.0 Test_Remote_VPN_Network
name 50.197.xxx.xx FTP
name 192.168.xxx.xx TST-APP01
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 speed 100
 duplex full
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.xxx.x 255.255.255.0
!
interface Vlan2
 description Outside Interface
 nameif outside
 security-level 0
 ip address 50.197.xxx.xx 255.255.255.248
!
interface Vlan3
 description Public (DMZ)
 no forward interface Vlan1
 nameif Public
 security-level 50
 ip address 192.168.21x.x 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.xxx.20
 domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RemoteDesktop tcp
 description Terminal Server port
 port-object eq 3389
object-group network PUBLIC_outside
object-group network public_outside
object-group network DM_INLINE_NETWORK_1
 network-object Test_Subnet 255.255.255.0
 network-object Test_Remote_VPN_Network 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object Test_Subnet 255.255.255.0
 network-object Test_Remote_VPN_Network 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object host xxx-APP01
 network-object host FTP
object-group service Star2Star tcp
 description Port used for Star2Star fax connections
 port-object eq 9080
 port-object eq 5280
access-list outside_1_cryptomap extended permit ip Test2_Subnet 255.255.255.0 Test_Subnet 255.255.255.0
access-list outside_1_cryptomap extended permit ip Test2_Subnet 255.255.255.0 Test_Remote_VPN_Network 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any interface outside object-group Star2Star
access-list inside_nat0_outbound extended permit ip Test2_Subnet 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip Test2_Subnet 255.255.255.0 Test_Remote_VPN_Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 Test2_Subnet 255.255.255.0
access-list outside_access_in extended permit tcp any host FTP eq ftp
access-list outside_access_in extended permit icmp any host FTP
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq ftp
access-list outside_access_in extended permit tcp any interface inside object-group Star2Star
access-list Public_access_in extended permit ip any any
access-list Public_access_in extended permit tcp any any object-group Star2Star
pager lines 24
logging enable
logging asdm informational

Can you post:

show run access-group

show run policy-map

show run class-map

HTH,
John

*** Please rate all useful posts ***
