01-22-2014 09:29 AM - edited 03-07-2019 05:43 PM
hi all ,
i have cisco asa 8.4 with asdm and want to make a port forward
my simple topology is as below :
inside---------------------ASA-------------outside-------------------------------------internet
inside with security 100
outside with security level 0
the outside interface has an ip public assume it is 1.1.1.1
and in my lan i have 3 private ips :
192.168.1.2
192.168.1.3
192.168.1.4
i want to open rdp for 192.168.1.2 by port forward from the asa
also i want to open http for 192.168.1.3
also https for 192.168.1.4
as an example
if somebody from the internet needs to access the host 192.168.1.2 via rdp, he has to use the ip 1.1.1.1 with the rdp port
and whoever wants to access the web on 192.168.1.3 ========> 1.1.1.1:80
and whoever wants to access https on 192.168.1.4 ========> 1.1.1.1:443
i read a lot, and googled a lot, i don't have a clear solution about how to do my objective above
can anyone give me brief steps?
i'm using asdm but no luck, it always fails!
i know that i need to do nat and allow access rules but still no luck
wish to help
regards
01-22-2014 09:47 AM
Hello.
Could you please show:
NAT should be like:
object network MY_RDP
host 192.168.1.2
nat (inside,outside) static interface service tcp 3389 3389
PS: on the outside ACL (in) you need to allow access to 192.168.1.2:3389, 192.168.1.3:80 and 192.168.1.4:443
01-22-2014 09:47 AM
object network RDP_Server
host 192.168.1.2
nat (inside,outside) static 1.1.1.1 service tcp rdp rdp
!
object network HTTP_Server
host 192.168.1.3
nat (inside,outside) static 1.1.1.1 service tcp http http
!
object network HTTPS_Server
host 192.168.1.4
nat (inside,outside) static 1.1.1.1 service tcp https https
Also ensure your rules allow the connections.
01-22-2014 10:15 AM
hi all ,
thanks a lot,
but i'm fond of doing it via ASDM
i'm not good with the cli, i'm still a beginner
should i make a print screen for you for my issue??
i will send some print screens for you
01-22-2014 10:28 AM
hi ,
mr jami ,
here is my lab asdm image :
here is sh run :
ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif UP
security-level 30
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet1
nameif DOWN
security-level 50
ip address 50.60.70.1 255.255.255.0
!
interface GigabitEthernet2
nameif LEFT
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet3
nameif RIGHT
security-level 0
ip address 12.13.14.1 255.255.255.0
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network gpohost
host 192.168.1.50
object service 8090
service tcp destination eq 8090
object service telnet
service tcp destination eq telnet
object network xp10
subnet 12.0.0.0 255.0.0.0
object network gogogogo
host 12.13.14.1
object network virus
range 16.16.16.1 16.16.16.255
object network nat_192
host 192.168.1.50
object network pool
range 4.4.4.4 4.4.4.10
object network 809055
subnet 12.0.0.0 255.255.255.0
object network nattt
host 192.168.1.50
description kkkkk
object network iiiiii
host 192.168.1.50
description hhhhhhhhhhh
object network jjjj
host 1.1.1.1
object network pppppppp
host 192.168.1.50
description ooooooooo
object network kkkkk
host 192.168.1.5
description iiiii
object network ll
host 192.168.50.1
object network portforwarddddd
host 192.168.1.50
object network RDP_Server
host 192.168.1.50
access-list RIGHT_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu UP 1500
mtu LEFT 1500
mtu DOWN 1500
mtu RIGHT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-204.bin
no asdm history enable
arp timeout 14400
access-group RIGHT_access_in in interface RIGHT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.10.0 255.255.255.0 UP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.10.10.0 255.255.255.0 UP
telnet 12.0.0.0 255.0.0.0 RIGHT
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 DOWN
ssh timeout 5
console timeout 0
dhcpd auto_config UP
dhcpd update dns override
!
dhcpd address 192.168.1.50-192.168.1.60 LEFT
dhcpd dns 8.8.8.8 interface LEFT
dhcpd enable LEFT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username virus password 8GQz2i.ViIn9Z/x8 encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:bdd486511991a5b7be4dd6a2daac1a55
: end
===================================
here is topology :
quick trial :
from asa console
object network RDP_Server
host 192.168.1.50
ciscoasa(config-network-object)#
nat (LEFT,RIGHT) static 12.13.14.1 service tcp rdp rdp
ERROR: Address 12.13.14.1 overlaps with RIGHT interface address.
ERROR: NAT Policy is not downloaded
why did it fail???
it gives me the same error when i try from asdm??
it says
ERROR: Address 12.13.14.1 overlaps with RIGHT interface address.
ERROR: NAT Policy is not downloaded
why ?
01-22-2014 11:50 AM
Use Mikhail's NAT statements, i.e. instead of using the public IP address use the "interface" keyword instead.
Jon
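An added example, not code from any of the posters or from Cisco: a small Python check that reads the interface and NAT lines of an ASA config (a constructed sample built from the sh run above) and flags a static PAT whose mapped address is the egress interface's own IP, which is what produces the "overlaps with RIGHT interface address" error. For each such line it returns the same statement rewritten with the interface keyword, as Jon and Mikhail suggest.

```python
import re

# Constructed sample: the relevant interface blocks from the poster's sh run
# plus the NAT line that the ASA rejected.
SAMPLE_CONFIG = """
interface GigabitEthernet2
 nameif LEFT
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet3
 nameif RIGHT
 security-level 0
 ip address 12.13.14.1 255.255.255.0
!
object network RDP_Server
 host 192.168.1.50
 nat (LEFT,RIGHT) static 12.13.14.1 service tcp 3389 3389
"""

def interface_addresses(config):
    """Map nameif -> interface IP by walking each 'interface' block."""
    addrs, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None                      # new block, reset context
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addrs[nameif] = line.split()[2]
    return addrs

# Matches the 8.3+ object-NAT static PAT form: nat (real,mapped) static <ip> service ...
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+) service \S+ \S+ \S+")

def check_static_pat(config):
    """Return (offending line, corrected line) pairs.

    A mapped address equal to the mapped-side interface's own IP is rejected
    by the ASA; 'static interface' borrows that IP without the overlap."""
    addrs = interface_addresses(config)
    findings = []
    for m in NAT_RE.finditer(config):
        _real_if, mapped_if, mapped_ip = m.group(1), m.group(2), m.group(3)
        if mapped_ip == addrs.get(mapped_if):
            fixed = m.group(0).replace(f"static {mapped_ip}", "static interface")
            findings.append((m.group(0), fixed))
    return findings

if __name__ == "__main__":
    for bad, good in check_static_pat(SAMPLE_CONFIG):
        print(f"rejected: {bad}\nuse:      {good}")
```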