Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I forward a port on an ASA 5505

Posted on 2008-10-06
9
Medium Priority
?
254 Views
Last Modified: 2010-04-09
We have a client that has an ASA 5505 and I need to add a line (or lines) to the firewall config that forwards all incoming traffic directed at a specific port to a user's internal static IP address.  I'm still learning PIX/ASA, can anyone offer advice on how to do this?  Thanks,

James
0
Comment
Question by:james_axton
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 8

Accepted Solution

by:
sstone55423 earned 500 total points
ID: 22656024
Here is a good reference  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t10
And one of the examples:
static (inside,outside) tcp 172.18.124.99 ftp 10.1.1.3   ftp netmask 255.255.255.255 0 0
 
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 500 total points
ID: 22656190
I assume you want to forward traffic that comes on the ip address assigned to the outside interface? If so, this is what you do, assume the port is tcp/80 (Change it to the port you want). x.x.x.x is the internal static ip address.

static (inside,outside) tcp interface 80 x.x.x.x 80 netmask 255.255.255.255

Now along with this you need an access list to allow this traffic to go in;

access-list <Name> permit tcp any interface outside eq 80

access-group <Name> in interface outside

You need the above 3 statements. If this is not clear, provide more information.

Cheers,
Rajesh
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 500 total points
ID: 22665863
Yes those commands will do it, but here's an example of a working port forwarding setup in an ASA forwarding port 80 (HTTP) requests to inside server 192.168.1.10.

access-list outside_access_in permit tcp any interface outside eq 80
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255
If this doesn't work for you or if you have other commands, just post your config and I'll give you the right commands to give the job done.
Cheers!
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:james_axton
ID: 22711694
Thanks to the three of you for your replies and my apologies for the lack of follow-up.  I have a better understanding now of how to bring the traffic in and route it, I just have two subsequent questions about these changes:

1) Can I add these entries on the fly without rebooting the ASA?
2) Does it matter where in the configuration file I place these entries?

Thanks for your continued assistance.

James
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22711780
Of course, changing anything does risk impacting the PIX negatively.  You can add the above commands without a reboot of the router, and it should not impact users --  but there is a chance.  Choosing a time when it is lower risk is always a better choice.
When you go into config mode and add the commands, it will put them in the proper place.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22711844
It should not affect any normal operation.

Cheers,
Rajesh
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22713487
The ASA is a wonderful device - it is designed to run for years without stopping.
The ONLY time you will need to reboot an ASA is when upgrading the software. EVERYTHING else can be done on the fly.
But still take care and only make major changes after business hours. If it's just a minor change that you know will work and are familiar with then it's probably fine to do it whenever.
Cheers!  Let me know if you have any questions!
0
 
LVL 8

Expert Comment

by:sstone55423
ID: 22713498
Save a copy of your configuration file before you make any changes.  Just in case.
0
 

Author Comment

by:james_axton
ID: 22717494
Thank you all very much!

James
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question