toddjustice
How do I configure a simple port forward using the ASDM on the ASA 5510?

My goal is extremely simple.  I am trying to configure a port forward on a Cisco ASA 5510.  I have been told to use the ASDM on this device to save myself some headache.  I am running ASDM v5.1 with an ASA 5510 v7.1(2).  I have run through the initial configuration wizard, which suggested PAT (as we only have one public IP).  I need to forward port 3389 TCP (RDP) to an internal server.  For example, we will use public IP 5.5.5.5 and internal IP 192.168.1.10.  I have read other posts which explain that not only do we need an ACL configured, but also an additional NAT policy.  I have tried it numerous ways and just can't seem to get it to float... any help is appreciated!
ryansoto

static (inside,outside) tcp interface 3389 192.168.1.X 3389 netmask 255.255.255.255 0 0
access-list XXX permit tcp any host externalipaddress eq 3389

Of course, change the values to your needs.  I believe this should fix you up.

toddjustice (ASKER)

Can this be done through the ASDM? - I would really like to understand the ASDM.
Honestly, most hard-core Cisco gurus will tell you that if you need it done right, use the command line.  The ASDM doesn't always write the correct command and things get fouled up.  I had that happen, and from then on I learned the command line.
Go to Configuration - NAT.  Click the "Add" button and choose "Add Static NAT rule".  Put in the following information in the various fields:

Under "Real Address"
Interface : inside
IP Address : 192.168.1.10
Netmask : 255.255.255.255

Under "Static Translation"
Interface : outside
IP Address : <click on the drop down arrow pick list and choose (interface IP)>

Check the box named "Enable Port Address Translation (PAT)"
Protocol : TCP
Original Port : 3389
Translated Port : 3389

Click "OK"

Now, do the above procedure again, filling in all fields with the same info, except choose "UDP" for the protocol when modifying the PAT configuration.

Next, you need to allow the traffic you just specified in your port forwarding rules.  Here's how:

Go to Configuration - Security Policy.  Click "Add".

Under "Interface and Action"
Interface : outside
Direction : incoming
Action : permit

Under "Source"
Type : any

Under "Destination"
Type : <click on the drop down arrow pick list and choose (interface IP)>
Interface : outside

Under "Protocol and Service"
Protocol : tcp

Under "Source Port", leave all defaults

Under "Destination Port"
Leave "Service" radio button enabled, and where it says "any", type over this and put in 3389

Click "OK".

Click "Apply".

That should do it.  That will port forward any traffic received on the outside interface on destination port TCP 3389 and forward it to port TCP 3389 on internal host 192.168.1.10 from any Internet host.
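As an added example (not from this thread, and not Cisco's tooling), here is a small Python audit of the CLI equivalent of the ASDM steps above: each static PAT entry needs an access-list entry that permits it and an access-group that actually binds that ACL to the outside interface, and an entry permitting "any" source is worth flagging when the forwarded service is RDP. The sample config is constructed; the ACL names, the second host 192.168.1.20 and the 5060 forward are assumptions.

```python
import re
from typing import Dict, List

# ASA 7.x syntax: static PAT, extended ACL entry, and the access-group that applies it
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended )?permit (?P<proto>tcp|udp) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>interface \S+|host \S+) eq (?P<port>\S+)")
ACG_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")

# Constructed sample config (not from the thread): the TCP 3389 forward from the
# question, the UDP twin the answer suggests, and a 5060 forward with no ACL at all.
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5060 192.168.1.20 5060 netmask 255.255.255.255 0 0
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in_udp extended permit udp any interface outside eq 3389
access-group outside_in in interface outside
"""

def audit_port_forwards(config: str) -> List[Dict[str, object]]:
    statics, acls, applied = [], [], {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.append(m.groupdict())
        elif m := ACG_RE.match(line):
            applied[m["iface"]] = m["name"]          # interface -> ACL bound inbound
    report = []
    for s in statics:
        mapped_if, port = s["mapped_if"], s["mapped_port"]
        # An ACL entry covers this forward when proto and mapped port match and its
        # destination is the mapped interface (ASDM's "interface IP" pick list) or IP.
        matching = [a for a in acls if a["proto"] == s["proto"] and a["port"] == port
                    and a["dst"] in (f"interface {mapped_if}", f"host {s['mapped_ip']}")]
        effective = [a for a in matching if a["name"] == applied.get(mapped_if)]
        findings = []
        if not matching:
            findings.append("no access-list entry permits this forward")
        elif not effective:
            names = ", ".join(sorted({a["name"] for a in matching}))
            findings.append(f"access-list {names} is not applied to {mapped_if} with access-group")
        if any(a["src"] == "any" for a in effective):
            findings.append("permitted from any source")   # e.g. RDP reachable Internet-wide
        report.append({"forward": f"{s['proto']}/{port} -> {s['real_ip']}:{s['real_port']}",
                       "findings": findings})
    return report
```

Run against the output of `show running-config` on the ASA, the report pairs every forward with the gap that would stop it working (or the exposure worth tightening with a narrower source).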
Ryansoto: I agree, every other piece of Cisco equipment I have ever worked on I have used the CLI.  I would just like to understand more about the ASDM...

Batry_Boy: I had already read that solution in another post, but my ASDM doesn't show most of the fields that you were referencing.  I don't see a field for "Real Address" or "Enable PAT".  Also, under my Security Policy screen, if I choose the Outside interface as the destination it errors out stating that the destination interface can't be the same as the source interface.
ASKER CERTIFIED SOLUTION
batry_boy
Awesome - I will try this in the morning and let you know...
That worked - the only thing that was different that may help someone else is that under the Security Policy window, under the source section I had to choose "Outside" with 0.0.0.0 0.0.0.0 and the Destination I had to choose "Inside" with the Public IP/255.255.255.255.

Thanks a bunch!
Thanks again!
Can you open traffic for a port to come into your entire network?  (i.e. I need to allow port 5060 to come into my network for all my users)
You can, but you would need to provide NAT for your entire inside network to public addresses...that would be a lot of public addresses if you have a large internal network.