Solved

How do I forward a port on an ASA 5505

Posted on 2008-10-06
9
228 Views
Last Modified: 2010-04-09
We have a client that has an ASA 5505 and I need to add a line (or lines) to the firewall config that forwards all incoming traffic directed at a specific port to a user's internal static IP address.  I'm still learning PIX/ASA, can anyone offer advice on how to do this?  Thanks,

James
0
Comment
Question by:james_axton
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 8

Accepted Solution

by:
sstone55423 earned 125 total points
ID: 22656024
Here is a good reference  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10
And one of the examples:
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3   ftp netmask 255.255.255.255 0 0
 
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 125 total points
ID: 22656190
I assume you want to forward traffic that comes on the ip address assigned to the outside interface? If so, this is what you do, assume the port is tcp/80 (Change it to the port you want). x.x.x.x is the internal static ip address.

static (inside,outside) tcp interface 80 x.x.x.x 80 netmask 255.255.255.255

Now along with this you need an access list to allow this traffic to go in;

access-list <Name> permit tcp any interface outside eq 80

access-group <Name> in interface outside

You need the above 3 statements. If this is not clear, provide more information.

Cheers,
Rajesh
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 125 total points
ID: 22665863
Yes those commands will do it, but here's an example of a working port forwarding setup in an ASA forwarding port 80 (HTTP) requests to inside server 192.168.1.10.

access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
If this doesn't work for you or if you have other commands, just post your config and I'll give you the right commands to give the job done.
Cheers!
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:james_axton
ID: 22711694
Thanks to the three of you for your replies and my apologies for the lack of follow-up.  I have a better understanding now of how to bring the traffic in and route it, I just have two subsequent questions about these changes:

1) Can I add these entries on the fly without rebooting the ASA?
2) Does it matter where in the configuration file I place these entries?

Thanks for your continued assistance.

James
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22711780
Of course, changing anything does risk impacting the PIX negatively.  You can add the above commands without a reboot of the router, and it should not impact users --  but there is a chance.  Choosing a time when it is lower risk is always a better choice.
When you go into config mode and add the commands, it will put them in the proper place.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22711844
It should not affect any normal operation.

Cheers,
Rajesh
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22713487
The ASA is a wonderful device - it is designed to run for years without stopping.
The ONLY time you will need to reboot an ASA is when upgrading the software. EVERYTHING else can be done on the fly.
But still take care and only make major changes after business hours. If it's just a minor change that you know will work and are familiar with then it's probably fine to do it whenever.
Cheers!  Let me know if you have any questions!
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22713498
Save a copy of your configuration file before you make any changes.  Just in case.
0
 

Author Comment

by:james_axton
ID: 22717494
Thank you all very much!

James
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question