
Cisco ASA5505 port forwarding

I am trying to open port 44111 and have a Cisco ASA5505 which sits behind a BT ADSL router.

On the Cisco I have an inside address of and an outside address of

I am configuring through ASDM 6.3 and cannot work out how to set up the correct forwarding/translation rule.

I have set up the forwarding on the ADSL router (  to allow 44111 traffic to the Cisco ( but with no success.

Any help would be appreciated. Thanks
1 Solution
Are you seeing the port 44111 traffic on the outside interface of your ASA?

If you do not know, this would be handy information to find out first. If you setup the firewall to syslog to somewhere, you could look at the logs. Or you could just setup a packet capture on the outside interface and see if you're getting that traffic.

Example for packet capture:
access-list cap permit ip any any eq 44111
capture out access-list cap buffer 1000000 interface outside pac 1500

Then if you want to view the packet capture, you would run a "show cap out" on the CLI. I'm sure there is a way to do it within the ASDM, but I use that thing as little as possible so I couldn't tell you where to look in that thing.

If you're getting the packets at the ASA, then the problem is with the ASA config. If not, the problem is with the router's port forwarding.

If problem with the ASA, can you post the config?
There is an answered question on how to port forward traffic using ASDM:


It is much faster and simpler to do it via the console. Here is an example (also from Experts Exchange):



jerryhatt (Author) commented:
Thanks for the responses, although I am having trouble configuring it, perhaps because the ASA is behind an ADSL router with a 192 address.

I cannot run the packet capture command as it errors:
Result of the command: "access-list cap permit ip any any eq 44111"
access-list cap permit ip any any eq 44111
ERROR: % Invalid input detected at '^' marker.

I have set up 44111 forwarding from the ADSL router ( to the external interface IP address of the Cisco box -

When I look at the pasted examples above, they relate to an older version of ASDM which has different syntax.

I will attach an image of the Add NAT Rule screen as this is puzzling me.


Sorry - typo. Try access-list cap permit tcp any any eq 44111

Note you also have to be in config terminal mode.

Yeah, I'm not familiar with the ASDM. But the packet capture will tell you if the packets are making it to the firewall. This tells you where you need to focus your attention: the router or the firewall. If you see the packets in the capture, the router is good and you can focus on the firewall. If it's not getting to the firewall, then we have to look at the router first.

If the cap shows it's the firewall, a config post would help tremendously.
jerryhatt (Author) commented:
Thanks guitar7man, I have captured the packets that are arriving at the Cisco, so ADSL forwarding is correct.

All I need to do now is to add the correct NAT rule and forward it. I will attempt this now and report back.

How do I stop it capturing the port data btw?
To stop:
no cap out
clear conf access-l cap

To create the NAT, you could do it a couple ways, but on the CLI you could try:

static (inside,outside) tcp 44111 a.b.c.d X netmask

Where equals the destination IP (assuming and a.b.c.d is the NAT'd destination IP, and X is the intended port. If you don't need to PAT (port translation), you could skip that part and just do something like:

static (inside,outside) a.b.c.d netmask
jerryhatt (Author) commented:
Thanks, tried this:

static (inside,outside) netmask

where is the IP of the Cisco and is the PC behind the Cisco.

It says syntax is deprecated however. I had a look at help nat and got this:

  [no] nat [(real_ifc,mapped_ifc)]
         [<line>| {after-auto [<line>]}]
         source {static|dynamic} {<src-obj-or-grp>| any} {{any| <m-src-or-grp>} [interface]}| interface
         [destination static {<m-dst-obj-or-grp> [interface]}| interface {<dst-obj-or-grp>| any}
         [service {<src-dst-svc-obj>| any>} <m-src-dst-svc-obj>]
         [dns] [unidirectional] [inactive] [description <desc>]

  show nat [interface <real_ifc>] [<real_ip> <real_mask>|
           object <real-obj-name>| object-group <real-obj-grp-name>]
           [translated [interface <mapped_ifc>]
           [<mapped_ip> <mapped_mask>| object <mapped-obj-name>|
           object-group <mapped-obj-grp-name>]]

  clear nat counters [interface <real_ifc>] [<real_ip> <real_mask>|
            object <real-obj-name>| object-group <real-obj-grp-name>]
            [translated [interface <mapped_ifc>]
            [<mapped_ip> <mapped_mask>| object <mapped-obj-name>|
            object-group <mapped-obj-grp-name>]]


nat      Configure, display or clear NAT policy counters


<line>                       Position of the rule to be added within section-1
after-auto <line>            Position of the rule to be added within section-3
source                       Beginning of source specific parameters
static | dynamic             Source NAT translation mode
service                      Beginning of service parameters
destination                  Beginning of destination specific parameters
static                       Destination NAT translation mode
<src-obj-or-grp>             Real source network object or object-group name
<msrc-obj-or-grp>            Mapped source network object or object-group name
<dst-src-or-grp>             Real destination network object or object-group name
<mdst-src-or-grp>            Mapped destination network object or object-group name
any                          Keyword to match any, wildcard
<src-dst-svc-obj>            Real singleton service object names,
                             includes both source & destination ports
<m-src-dst-svc-obj>          Mapped singleton service object names,
                             includes both source & destination ports
dns                          Overwrite embedded addresses in DNS reply
unidirectional               Configure per-session static NAT
inactive                     Disable a rule
description <desc>           Short comment to describe the rule
interface                    Keyword to specify interface
object                       Keyword to specify a network/service object
object-group                 Keyword to specify a network object-group
translated                   Keyword to specify mapped parameters
pool                         Keyword to display NAT/ PAT pool usage
real_ifc                   Specify real interface to filter
real_ip                         Specify real IP address to filter
real_mask                   Specify mask for real IP address
real-obj-name                Specifiy the real object name to filter
real-obj-grp-name            Specify the real object-group name to filter
mapped_ifc                   Specify destination interface to filter
mapped_ip                   Specify destination IP address to filter
mapped_mask                   Specify mask for destination IP address
mapped-obj-name              Specifiy the mapped object name to filter
mapped-obj-grp-name          Specify the mapped object-group name to filter

1. Old NAT commands - static, global, alias, nat-control have been deprecated
   and the functionality may be achieved by using the new 'nat' command.
   Please refer to documentation for more details.
2. The interface fallback is supported only for dynamic NAT.
3. The unidirectional option is supported only for static NAT.
4. Service objects having protocols other than TCP or UDP are not supported.

see also:   object, object-group
It says it's deprecated on the ASA? Maybe that's just for the lower-end models? I use that command all the time on my company's ASAs without a problem. Weird. Did it still take the command, though, if you do a "show run static"?

Here's a Cisco ASDM walkthrough I found for NAT - http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/dmz.html. You'll need to adjust for what you're trying to do obviously.

Also, you'll want to make sure your rules allow for port 44111 inbound.
jerryhatt (Author) commented:

This is one of the captured packets if that helps:

24: 09:22:55.098414 802.1Q vlan#2 P0 > S 1151194551:1151194551(0) win 5840 <mss 1460,sackOK,timestamp 262096470 0,nop,wscale 7>

My (incorrect) NAT configuration is:

nat (outside,inside) source static any any service 44111 44111

44111 is what I called the service I added in the services section. I am not sure where to put the IPs, which I probably need instead of any any.
jerryhatt (Author) commented:
My confusion is regarding the description of where things are going.

By 'destination' I am assuming the inside network address of the PC?

I do not know where the 'source' is. Is this the outside interface of the Cisco or the ADSL router?

Apologies for all the questions.
I'm not sure man... can you post the config? "Show run"

I still don't get why you can't run that static command.
jerryhatt (Author) commented:
This is a brand new asa and apparently the syntax has changed and you have to enter something like: nat (inside,outside) source static etc.

Perhaps you could answer a couple of questions that might help me understand how to format the command.

From your previous post:
static (inside,outside) tcp 44111 a.b.c.d X netmask
Where equals the destination IP (assuming and a.b.c.d is the NAT'd destination IP, and X is the intended port. If you don't need to PAT (port translation), you could skip that part and just do something like:

What is meant by DESTINATION IP? Is this the final destination, i.e. my PC's IP address on the network, or the outside interface of the Cisco that is receiving the packet?

What is the NAT'd destination IP? I thought this would be my computers IP address?

Where X is the intended port - I need to have port 44111 open and forwarded to my PC so could X be anything other than 44111?

Thanks again. I will post the config but have removed the NAT entries I have tried as they were complete rubbish.
jerryhatt (Author) commented:
Here's the config. I have opened the firewall to everything for troubleshooting and the NAT rule works for browsing.

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
object network obj_any
object network PC
object service 44111TCP
 service tcp source eq 44111 destination eq 44111
object service 44111UDP
 service udp source eq 44111 destination eq 44111
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Port44111 tcp-udp
 port-object eq 44111
access-list global_access extended permit ip any any
access-list cap extended permit tcp any any eq 44111
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group global_access global
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
: end
no asdm history enable
Traffic starts from the Internet, sourced from an unknown, destined for your public address. The router then has to NAT that destination to so it knows to get to the firewall. That is happening according to your packet capture.

24: 09:22:55.098414 802.1Q vlan#2 P0 > S 1151194551:1151194551(0) win 5840 <mss 1460,sackOK,timestamp 262096470 0,nop,wscale 7>

So the firewall then has to take that and NAT it to which you know. The flow would look something like this:

Public IP
|      Router      |
         |
|     Firewall     |
         |
|    Host          |

Typically, on ASAs you do that with a static command. That command would look like this:

static (inside,outside) tcp 44111 44111 netmask

But your device is saying that the command is deprecated. I don't get it! I use it all the time. Must be something with version 8.3 code? But if we go by your output above that you pasted in for nat syntax, then that would mean it might take something like this:

nat (inside,outside) source static service 44111 44111


Does that get you there? If not, the above link shows something like this too:

object network obj-44111
   nat (inside,outside) static service tcp 44111 44111
jerryhatt (Author) commented:
Thanks for the excellent explanation.

Unfortunately none of the commands work. I have done lots more reading about the new format commands and it seems everything is moving to object/group based commands. I have found lots of forums with people having the same issues but no real resolutions.

If I create a network object called outside, with as the member, an object called MyPC with as the member and a TCP group called 44111TCP, the command as I understand it should go:

nat (inside,outside) source static outside outside destination MyPC MyPC service 4411TCP 4411TCP

This does not work and, believe me, I have tried every permutation and swap around I can muster.
The double entry for each object is apparently pre- and post-NAT.

When testing I can see the request coming in on the correct port and ASA translates it to a random port, telling me it is not picking up the rule. gah. At least I'm not the only one. About to start on process to downgrade the asa.
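For comparison, here is how a single-host port forward is normally written on ASA 8.3 and later code, as an added example that is not from any poster in this thread and not the asker's configuration. It uses object NAT (the `nat` statement nested inside the network object), which is the simpler form for forwarding one port to one host; the twice-NAT form with `source static ... destination ... service ...` that was tried above is intended for translations that depend on both endpoints. The host address 192.168.1.10 and the Internet source 203.0.113.5 are constructed placeholders, `<outside-ip>` stands for the ASA's outside address that the page does not show, and the interface names inside/outside are taken from the posted config.

```cisco
! Added example (not from the thread): ASA 8.3+ static PAT for tcp/44111 to one inside host.
! Assumptions: inside host is 192.168.1.10 (constructed), interfaces are named
! inside/outside as in the posted config, and the ADSL router forwards to the ASA's
! outside interface address, so the "interface" keyword is used rather than that address.

! 1. Network object for the real (inside) host. On 8.3+ the translation is attached to
!    the object; this replaces the deprecated "static (inside,outside) ..." command.
object network MyPC
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 44111 44111

! 2. Inbound ACL. Since 8.3 an ACL matches the REAL (untranslated) destination, so the
!    rule names the inside object, not the outside address. Only tcp/44111 is permitted,
!    in place of the troubleshooting "permit ip any any" global rule in the posted config.
access-list outside_access_in extended permit tcp any object MyPC eq 44111
access-group outside_access_in in interface outside

! 3. Verify without waiting for live traffic: packet-tracer walks a synthetic packet
!    through the NAT and ACL phases and reports whether it would be allowed or dropped.
!    Replace <outside-ip> with the ASA's outside interface address.
packet-tracer input outside tcp 203.0.113.5 40000 <outside-ip> 44111

! 4. Confirm the rule is installed and, once a client has connected, that it is being hit
!    (translate_hits / untranslate_hits counters).
show nat
show xlate
```

The `interface` keyword in the object NAT line is what allows the forward to work when the outside address is assigned by the upstream router, and `packet-tracer` shows which phase (NAT, ACL, routing) rejects a packet, which is the quickest way to tell a NAT problem from an ACL problem once the capture has already proved the traffic reaches the outside interface.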
jerryhatt (Author) commented:
Downgraded to 8.22, ran:

static (inside,outside) tcp interface 44111 44111 netmask

and the port is open. 2 mins flat. Thanks for all your help!