Cisco ASA 5510 Port Forwarding ASDM

Hi everyone, I'm using the Cisco ASDM GUI interface to put a quick port forwarding rule in.

Basically I have an application on our network that needs to be accessed via the web, which requires a few ports forwarded.

I followed these two guides located here:



Everything is going great besides one small problem. Being a little bit of a newbie, I want to ask your advice on what I should do.

I put the NAT static rule in for port 22 for example and it worked just fine...

However, when I put the NAT static rule in for 443, it states it will not let me do this because the static rule has already been applied somewhere else... which shows me there is indeed a rule already in place, but it's pointing towards our small business server.

I need this port forwarded also to point to this other application server I have.

How do I go about this without screwing up the config for the small business server?
Jan Springer commented:
You probably ought to consider just using a dedicated IP and not mess with port forwarding.

That IP will either get routed individually or as part of a subnet, or it's part of the subnet of the outside interface. When you create your static NAT entry, all that's left is to update the outside access list to allow that traffic into the firewall.
Jan Springer commented:
If you are port forwarding 443 to one server you cannot also forward it to another server.

Should you need 443 on two internal servers, you need additional public IPs and should ask your ISP for a /29 (check to see if they charge) and have it routed to your outside IP.

If this is incorrect, please post your nat statements and the inside IP of this new web server.
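To make the two options above concrete, here is an added ASA configuration example (not config from the original thread, and not the poster's actual config). It assumes ASA 8.3 or later object NAT syntax, two hypothetical public addresses 203.0.113.10 and 203.0.113.11, an inside subnet 192.168.1.0/24, and the interface and object names shown; all of those are assumptions, not values from the thread. Two inside servers each receive TCP/443, so each one needs its own mapped public IP, because the ASA rejects a second static translation of the same (public IP, protocol, port) triple:

```cisco
! --- Interfaces (outside defaults to security-level 0 when named "outside")
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! --- Existing small business server: public 203.0.113.10:443 -> inside 192.168.1.10:443
object network sbs-server
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10 service tcp https https

! --- New application server: a SECOND public IP so that 443 does not collide
object network app-server
 host 192.168.1.20
 nat (inside,outside) static 203.0.113.11 service tcp https https
 nat (inside,outside) static 203.0.113.11 service tcp ssh ssh

! --- Alternative if only one public IP is available: change the OUTSIDE port.
!     Clients connect to 203.0.113.10:8443 and the ASA rewrites it to 192.168.1.20:443.
!     (Uncomment this instead of the 203.0.113.11 https line above.)
! object network app-server-alt
!  host 192.168.1.20
!  nat (inside,outside) static 203.0.113.10 service tcp https 8443

! --- Inbound ACL: from 8.3 on, the ACL references the REAL (inside) address,
!     not the mapped public address. Without this the NAT rule alone forwards nothing.
access-list outside_access_in extended permit tcp any object sbs-server eq https
access-list outside_access_in extended permit tcp any object app-server eq https
access-list outside_access_in extended permit tcp any object app-server eq ssh
access-group outside_access_in in interface outside
```

On ASA versions before 8.3 the equivalent translation is written as `static (inside,outside) tcp 203.0.113.11 443 192.168.1.20 443 netmask 255.255.255.255`, and the inbound ACL there references the mapped (public) address instead of the real one. The additional public IPs do not need their own interface: as long as they are in the outside interface's subnet or are routed to it by the ISP, the static NAT entry makes the ASA answer for them (proxy ARP) and only the NAT and ACL lines are required. Verify the result with `show nat detail` and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.11 443`.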
Pancake_Effect (Author) commented:
That makes sense, and I called them and we do have 3 extra available to us; one is already in use for another application at for example.

Would we need an interface dedicated for each IP address? I see for example on our main outside address it states:

interface Ethernet0/0
 nameif outside
 security-level 100
 ip address

However, for the other one in use already at ( I don't see an interface created for it; it looks like it's just defined in the NAT and access rules.

Will that be all that I have to do?
pgstephan commented:
If your internet provider is saying you have another 3 extra IP addresses, then you have been allocated a total of 4 public IP addresses (a /30 public range).

I would recommend you use as few public IP addresses as possible and leverage port forwarding on your firewalls to forward the inbound traffic to the relevant server.

Make sure you check first the ports required for your applications and that they don't share the same ports (or whether they all use SSL (443)). If they don't, then continue with your port forwarding, but please know that the ASA will accept a single port forwarding rule per port.
A good way of looking at this would be to get your IP address and go on a BGP public looking glass for any of the Tier-1 Internet carriers (Level3, Verizon or AT&T), put your IP address in, and then you'll know your total public range if it's a /30, and you'll know the rest of the information about your specific route.

Please let me know if that helps.

Pancake_Effect (Author) commented:
Thanks everyone, that was very helpful. I ended up using another IP just because we had one not in use, and I figured I would change the ports for any other application if they have to use the same ports in the future. It's nice to know I can do that though.

Everything is working great now, thanks!