cisco asa 5505 port forwarding help

cymrich
I have servers hosted at a colo and I am trying to allow printing from the app on the servers to the office.  I am having trouble figuring out how exactly to do this.

So basically... the outside IP of the office router is 172.31.1.1 and I need anything sent to port 9100 to be forwarded to 192.168.1.30.

172.31.1.1 is attached to interface vlan2... When I try to add a static map it won't allow me to specify that IP address and gives some error about using PAT and having to use interface instead of the IP. So it ends up being something like:

static (inside,outside) tcp interface 9100 192.168.1.30 9100 netmask 255.255.255.255

Where it says interface it won't allow me to use the IP or vlan2 or even outside... anything besides interface gives me an error. I added a line to the access list to allow port 9100 also (and also cleared the translation tables) and it doesn't work. Any idea what I'm doing wrong here?
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
Well, I would like to have a closer look at your configuration and the errors you get.
So could you post a sanitized configuration over here, along with the errors you get?

Author

Commented:
I've removed the crypto stuff and a few other things to make it shorter as I don't think they are related to this... and I spaced out the access list to make it easier to see the related line and added both of the different access lines I tried (not at the same time).


ASA Version 8.0(4)
!
hostname XXXXX
domain-name XXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
no names
name XX.XXX.XXX.XXX XXXXXXXXXX
name XX.XXX.XXX.XXX XXXXXXXXXX
name XX.XXX.XXX.XXX XXXXXXXXXX
name XXX.XXX.XXX.XXX XXXXXXXXXX
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.31.1.1 255.255.255.0
!
interface Vlan5
 nameif XXXXX
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan15
 nameif XXXXXXXXX
 security-level 50
 ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 15
 speed 100
 duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns server-group DefaultDNS
 domain-name XXXXXXXXXXXXX
object-group service XXXXXXXXXXXXXXX tcp
 port-object eq www
object-group service XXXXXXXXXXXXXXX tcp
 port-object eq 3389
 port-object eq https
object-group service XXXXXXXXXXXXXXX tcp
 port-object eq 993
 port-object eq https
 port-object eq smtp
object-group service XXXXXXXXXXXXXXX tcp-udp
 port-object eq 9100
 port-object eq www
access-list outside_access_in extended permit ip any XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
access-list outside_access_in extended permit icmp 172.31.XXX.XXX 255.255.252.0 any echo-reply
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group XXXXXXXXXXXXXXX
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group XXXXXXXXXXXXXXX
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group XXXXXXXXXXXXXXX
access-list outside_access_in extended permit ip host XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX 255.255.255.252



access-list outside_access_in extended permit tcp any eq 9100 host 172.31.1.1 eq 9100


access-list outside_access_in extended permit tcp host 172.31.1.1 eq 9100 host 192.168.1.30 eq 9100



access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list VTC-DMZ_nat0_outbound remark VTC
access-list VTC-DMZ_nat0_outbound extended permit ip XXX.XXX.XXX.XXX 255.255.255.252 any
access-list VTC-DMZ_access_in extended permit ip any any
no pager
logging enable
logging monitor debugging
logging buffered emergencies
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu VTC-DMZ 1500
ip local pool VPN-Pool 192.168.2.10-192.168.2.100 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (VTC-DMZ) 0 access-list VTC-DMZ_nat0_outbound
static (inside,outside) XXX.XXX.XXX.XXX 192.168.1.3 netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.XXX 192.168.1.2 netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.XXX 192.168.1.102 netmask 255.255.255.255
static (inside,outside) tcp interface 192.168.1.30 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group VTC-DMZ_access_in in interface VTC-DMZ
route outside 0.0.0.0 0.0.0.0 172.31.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy XXXXXXXXXXXXXXXX internal
group-policy XXXXXXXXXXXXXXXX attributes
 dns-server value 192.168.1.1
 vpn-tunnel-protocol IPSec
 default-domain value XXXXXXXXXXXXXXX
username XXXXXXXXX password XXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXXXX password XXXXXXXXXXXX encrypted
tunnel-group XXXXXXXXXXXXXXX type remote-access
tunnel-group XXXXXXXXXXXXXXX general-attributes
 address-pool VPN-Pool
 default-group-policy XXXXXXXXXXXXXXXXXX
tunnel-group XXXXXXXXXXXXXXXXX ipsec-attributes
 pre-shared-key *
Sr. Systems Engineer
Top Expert 2008
Commented:
Try this combination:

static (inside,outside) tcp interface 9100 192.168.1.30 9100 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 9100
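As an added example (not code from the thread or from Cisco): a small Python checker for the point the thread circles around, namely that on ASA 8.0 the ACL applied to the outside interface is evaluated against the mapped address (here the interface IP), not the real inside host, and must not restrict the client's source port. It parses static PAT and ACL lines from a constructed config modelled on the posted one and classifies each ACL candidate; the 8.3+ behaviour (ACLs match real addresses) is deliberately not modelled.

```python
import re

# Constructed sample mirroring the thread (not the asker's real config): one static PAT,
# the two ACL lines the asker tried, and the one the expert suggested.
OUTSIDE_IP = "172.31.1.1"
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 9100 192.168.1.30 9100 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any eq 9100 host 172.31.1.1 eq 9100
access-list outside_access_in extended permit tcp host 172.31.1.1 eq 9100 host 192.168.1.30 eq 9100
access-list outside_access_in extended permit tcp any interface outside eq 9100
"""

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) interface (\d+) (\S+) (\d+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) (.+)$")


def parse_endpoint(tokens):
    """Consume one ACL endpoint (any | host A | interface IF | NET MASK) plus an optional 'eq PORT'."""
    kw = tokens.pop(0)
    if kw == "any":
        addr = "any"
    elif kw == "host":
        addr = tokens.pop(0)
    elif kw == "interface":
        tokens.pop(0)                      # interface name; mapped address is that interface's IP
        addr = "interface"
    else:
        tokens.pop(0)                      # subnet mask following a network address
        addr = kw
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
    return addr, port


def classify_acl(acl, pat, outside_ip):
    """Judge one outside ACL entry against one static PAT under pre-8.3 semantics (ACL sees mapped address)."""
    proto, src, sport, dst, dport = acl
    pat_proto, mport, real_ip, _ = pat
    if proto != pat_proto or dport != mport:
        return "unrelated"
    if dst == real_ip:
        return "destination is the real inside IP; pre-8.3 outside ACL must name the mapped address"
    if sport is not None:
        return "source port restricted; clients connect from ephemeral ports"
    if dst in ("interface", outside_ip, "any"):
        return "ok"
    return "destination does not match the mapped address"


def check_pat(config, outside_ip, acl_name="outside_access_in"):
    """Return {mapped_port: [verdict per ACL line]} for every static PAT in the config."""
    pats, acls = [], []
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            pats.append(m.groups())                      # (proto, mapped_port, real_ip, real_port)
        elif (m := ACL_RE.match(line)) and m.group(1) == acl_name:
            toks = m.group(3).split()
            src, sport = parse_endpoint(toks)
            dst, dport = parse_endpoint(toks)
            acls.append((m.group(2), src, sport, dst, dport))
    return {p[1]: [classify_acl(a, p, outside_ip) for a in acls] for p in pats}
```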

Author

Commented:
Irmoore, those lines didn't do it... I made sure to clear xlate after adding them but it seems to have had no effect.
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
You said "I removed the crypto stuff".

So there are vpn's? And is the colo perhaps connected through a vpn?

Author

Commented:
There is a VPN set up, however nobody is using it... it predates me. I think it may have been used before a dedicated circuit was added connecting the office and colo.
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
Ok, a dedicated circuit...

I feel a need to try and visualize this, where does this link fit in to the picture?

Author

Commented:
While on the phone with my ISP I described this issue hoping to find out if there was anything on their end that was somehow interfering... as we started looking into it I happened to check the port settings... it turns out I typo'd the IP address in the printer settings on the server I was trying to print from, and it was actually working the entire time.
