Port Forward with Cisco ASA 5505

plaethos75
Level 1

I am feeling frustrated and yet, I feel lame...  I am trying to set up a general access-list allowance on my ASA.  I would like to set a permit via the GUI for now where

 

source = any

port allowed is tcp/udp 15488

 

As for the destination, do I set it to INSIDE, the inside IP of my ASA, or do I set it to the inside IP of my next hop that's off the inside interface?

 

permit tcp any eq 15488 host 192.168.250.2 eq 15488 log informational
permit udp any eq 15488 host 192.168.250.2 eq 15488 log informational

 

 

192.168.250.2 is the IP of the device I have connected to my ASA on the inside.

 

Thanks in Advance!

3 Replies

Reza Sharifi
Hall of Fame

Not sure about using the GUI, but here is an example of access-list configuration using the CLI.

The access-list should be applied to the outside interface, assuming that is the interface that connects to the Internet.

See link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/nwaccess.html

HTH

Thank you for the info.  I still am missing something, as I did what this said and still nothing.  In order to allow, say, web traffic through my ASA... questions come to mind...

Where do I put the ACL?

Do I place the ACL on my outside interface or my inside?  And with that, do I place "ANY" as source and my destination as my outside interface on my outside interface, or do I place "ANY" as my source and my destination as an internal route on my outside interface?

 

Logic would say, place the ACL on my outside interface as: any Outside eq www (to keep it simple), so no matter where it comes from, if it hits my outside address, it will accept all traffic from anywhere going to the VIP of my outside interface going to a destination port of 80.

The above is all under the presumption that port 80 isn't being blocked by my ISP.  I'm doing some searches on it and I'm not finding what I'm looking for.  Of course, I could also be looking up the wrong keywords too...  Regardless, thank you -- I've uncovered other steps which I missed or overlooked.

 

Still no resolution.

These are the configs for everything:

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
boot system disk0:/asa841-k8.bin
!
object service sec-cam
 service tcp source eq 15488 destination eq 15488
!
access-list outside_access_in_1 extended permit object sec-cam any any log debugging
!
nat (outside,inside) source dynamic any interface destination static interface 192.168.250.2 service sec-cam sec-cam

I think this is all I need to include.  Here are some main points.

The only time I see hits against my ACL is if I am running the ingress packet capture.

The packet capture shows my hits match my acl.

My NAT is based on several YouTube videos showing how to config it, and also includes static and PAT mappings from related Cisco docs.

 

I've enclosed a pic of my network layout as well in hopes it helps.

I have EIGRP running and my routes are fine as I can navigate throughout my network from any point.
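An added example, not from the thread, of how a tcp/udp 15488 forward to 192.168.250.2 is normally written on ASA 8.4 (the asa841 image in the post) with network-object NAT instead of the twice-NAT rule above. Interface names and the inside host come from the post; the object names, the OUTSIDE_IP placeholder and the test client address 203.0.113.10 are assumptions. It matches on the destination port only, because an Internet client's source port is ephemeral and will not be 15488, and it binds the ACL to the outside interface with access-group.

```cisco
! Added example (not from the thread): forward tcp/udp 15488 from the
! outside interface address to the inside camera using network-object NAT.
! Object NAT allows one "nat" line per object, so TCP and UDP each get an
! object for the same host.
object network cam-tcp
 host 192.168.250.2
 nat (inside,outside) static interface service tcp 15488 15488
!
object network cam-udp
 host 192.168.250.2
 nat (inside,outside) static interface service udp 15488 15488
!
! Since 8.3 the inbound ACL matches the REAL (untranslated) destination,
! i.e. the inside host, not the outside interface address. Only the
! destination port is matched: client source ports are ephemeral, so a
! service object with "source eq 15488" never matches real traffic.
access-list outside_access_in extended permit tcp any object cam-tcp eq 15488 log
access-list outside_access_in extended permit udp any object cam-udp eq 15488 log
!
! An ACL has no effect until it is bound to an interface.
access-group outside_access_in in interface outside
!
! Verification from the ASA CLI (OUTSIDE_IP is a placeholder for the DHCP
! address on Vlan2; 203.0.113.10 stands in for an Internet client):
! packet-tracer input outside tcp 203.0.113.10 40000 OUTSIDE_IP 15488
!   -> every phase should report ALLOW, with the NAT phase untranslating
!      to 192.168.250.2/15488
! show nat detail                      (translate_hits / untranslate_hits)
! show access-list outside_access_in   (hitcnt per ACE)
```

The hitcnt and untranslate_hits counters should increase without a packet capture running; if they stay at zero while the capture still shows the packets arriving, the ACL or NAT rule is not the one the traffic is matching.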

 
