Solved

How do I forward a port on an ASA 5505

Posted on 2008-10-06
9
208 Views
Last Modified: 2010-04-09
We have a client that has an ASA 5505 and I need to add a line (or lines) to the firewall config that forwards all incoming traffic directed at a specific port to a user's internal static IP address.  I'm still learning PIX/ASA, can anyone offer advice on how to do this?  Thanks,

James
0
Comment
Question by:james_axton
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 8

Accepted Solution

by:
sstone55423 earned 125 total points
ID: 22656024
Here is a good reference  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10
And one of the examples:
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3   ftp netmask 255.255.255.255 0 0
 
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 125 total points
ID: 22656190
I assume you want to forward traffic that comes on the ip address assigned to the outside interface? If so, this is what you do, assume the port is tcp/80 (Change it to the port you want). x.x.x.x is the internal static ip address.

static (inside,outside) tcp interface 80 x.x.x.x 80 netmask 255.255.255.255

Now along with this you need an access list to allow this traffic to go in;

access-list <Name> permit tcp any interface outside eq 80

access-group <Name> in interface outside

You need the above 3 statements. If this is not clear, provide more information.

Cheers,
Rajesh
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 125 total points
ID: 22665863
Yes those commands will do it, but here's an example of a working port forwarding setup in an ASA forwarding port 80 (HTTP) requests to inside server 192.168.1.10.

access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
If this doesn't work for you or if you have other commands, just post your config and I'll give you the right commands to give the job done.
Cheers!
0
 

Author Comment

by:james_axton
ID: 22711694
Thanks to the three of you for your replies and my apologies for the lack of follow-up.  I have a better understanding now of how to bring the traffic in and route it, I just have two subsequent questions about these changes:

1) Can I add these entries on the fly without rebooting the ASA?
2) Does it matter where in the configuration file I place these entries?

Thanks for your continued assistance.

James
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 8

Expert Comment

by:sstone55423
ID: 22711780
Of course, changing anything does risk impacting the PIX negatively.  You can add the above commands without a reboot of the router, and it should not impact users --  but there is a chance.  Choosing a time when it is lower risk is always a better choice.
When you go into config mode and add the commands, it will put them in the proper place.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22711844
It should not affect any normal operation.

Cheers,
Rajesh
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22713487
The ASA is a wonderful device - it is designed to run for years without stopping.
The ONLY time you will need to reboot an ASA is when upgrading the software. EVERYTHING else can be done on the fly.
But still take care and only make major changes after business hours. If it's just a minor change that you know will work and are familiar with then it's probably fine to do it whenever.
Cheers!  Let me know if you have any questions!
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22713498
Save a copy of your configuration file before you make any changes.  Just in case.
0
 

Author Comment

by:james_axton
ID: 22717494
Thank you all very much!

James
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now