Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 260
  • Last Modified:

How do I forward a port on an ASA 5505

We have a client that has an ASA 5505 and I need to add a line (or lines) to the firewall config that forwards all incoming traffic directed at a specific port to a user's internal static IP address.  I'm still learning PIX/ASA, can anyone offer advice on how to do this?  Thanks,

James
0
james_axton
Asked:
james_axton
  • 3
  • 2
  • 2
  • +1
3 Solutions
 
sstone55423Commented:
Here is a good reference  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10
And one of the examples:
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3   ftp netmask 255.255.255.255 0 0
 
0
 
rsivanandanCommented:
I assume you want to forward traffic that comes on the ip address assigned to the outside interface? If so, this is what you do, assume the port is tcp/80 (Change it to the port you want). x.x.x.x is the internal static ip address.

static (inside,outside) tcp interface 80 x.x.x.x 80 netmask 255.255.255.255

Now along with this you need an access list to allow this traffic to go in;

access-list <Name> permit tcp any interface outside eq 80

access-group <Name> in interface outside

You need the above 3 statements. If this is not clear, provide more information.

Cheers,
Rajesh
0
 
PugglewuggleCommented:
Yes those commands will do it, but here's an example of a working port forwarding setup in an ASA forwarding port 80 (HTTP) requests to inside server 192.168.1.10.

access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
If this doesn't work for you or if you have other commands, just post your config and I'll give you the right commands to give the job done.
Cheers!
0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

 
james_axtonAuthor Commented:
Thanks to the three of you for your replies and my apologies for the lack of follow-up.  I have a better understanding now of how to bring the traffic in and route it, I just have two subsequent questions about these changes:

1) Can I add these entries on the fly without rebooting the ASA?
2) Does it matter where in the configuration file I place these entries?

Thanks for your continued assistance.

James
0
 
sstone55423Commented:
Of course, changing anything does risk impacting the PIX negatively.  You can add the above commands without a reboot of the router, and it should not impact users --  but there is a chance.  Choosing a time when it is lower risk is always a better choice.
When you go into config mode and add the commands, it will put them in the proper place.
0
 
rsivanandanCommented:
It should not affect any normal operation.

Cheers,
Rajesh
0
 
PugglewuggleCommented:
The ASA is a wonderful device - it is designed to run for years without stopping.
The ONLY time you will need to reboot an ASA is when upgrading the software. EVERYTHING else can be done on the fly.
But still take care and only make major changes after business hours. If it's just a minor change that you know will work and are familiar with then it's probably fine to do it whenever.
Cheers!  Let me know if you have any questions!
0
 
sstone55423Commented:
Save a copy of your configuration file before you make any changes.  Just in case.
0
 
james_axtonAuthor Commented:
Thank you all very much!

James
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now