NAT (port forward)

Hi all,


  I am having a really hard time configuring "Port Forward" on my Cisco ASA5505; can someone help me?

I need to access my NAS outside my network so I have:

Cisco ASA5505(pppoe) ------> QNAP Server(192.168.1.20) (port 1443)



Here is what I did:

1 - NAT Rule (picture 1)
2 - Add Access Rule to the port 1443 (picture 2)



Thank you!
Richard
1.png
2.png
rwcsAsked:

Henk van AchterbergSr. Technical ConsultantCommented:
In your NAT picture you should change the destination address to the outside interface, and the translated destination address should be the QNAP. The direction should be unidirectional.
Proxy ARP can be disabled.

In the access list please use the QNAP as destination address.
Fred MarshallPrincipalCommented:
The general concept is this:
Packets arrive at the public interface directed to a port such as:
99.99.99.99:80
The router will direct packets to a local address through port forwarding to an internal address like 192.168.1.22 AND to a particular port number which is specified.

So 99.99.99.99:80 may be translated to 192.168.1.22:50 according to the router port forwarding setup.

And, often, the port number in and out may remain the same, as in this case, 80.
So: 99.99.99.99:80 would be translated to 192.168.1.22:80
Again, in accordance with what you set it up to do.
rwcsAuthor Commented:
Hi Guys,

  I tried all the suggestions and it is still not working..... I attached the screens of the NAT and the Access Rules. I have done NAT on many systems; Cisco is the first one... I think I am missing some concept.... I ordered a book to learn more, but I need to get this done first.



Thank you!
NAT1.png
AcessRules1.png
NAT2.png
AcessRules2.png

Henk van AchterbergSr. Technical ConsultantCommented:
In nat1.jpg the destination interface must be INSIDE!
rwcsAuthor Commented:
Hi all,

  Maybe the graphical interface has some bugs... I really don't know, but it works for me using the console and running the commands below:


object network Qnap_TS269Pro
host 192.168.1.8

object service Qnap_1443
service tcp source eq 1443

nat (inside,outside) 1 source static Qnap_TS269Pro service Qnap_1443 Qnap_1443
access-list outside_in permit tcp any host 192.168.1.8 eq 1443
access-group outside_in in interface outside


Please check out the screens after I ran those lines in the console....

I use the version below (Mac OS X):

Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(1)52
Nat1.png
AccessRules.png
Nat-Rules.png
Henk van AchterbergSr. Technical ConsultantCommented:
Now you have a rule with the direction "both"; that is why it works.

When you use the unidirectional direction you have only configured inbound NAT; now it is also outbound. It works, but it ain't pretty.

Your NAT rule was almost perfect, you only had to change the interface to inside as I said earlier.

Glad this worked out though.
rwcsAuthor Commented:
Hi henkva,

  I searched and finally found something that makes a little more sense to me. :) I have long experience with Linux firewalls, but I don't know why Cisco doesn't make things easy... :)

Here are the commands that work well for me now.

conf t
object network Outside_to_Inside_NAS
host 192.168.1.8
nat (inside,outside) static interface service tcp 1443 1443
access-list OutsideToNAS permit tcp any host 192.168.1.8 eq 1443
access-group OutsideToNAS in interface outside


Please, guys, let me know if those are ok, or point out some good documentation about it; from Cisco I really didn't find something that explains these things together...

Does someone have the book below?
The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide



Thank you all!
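The object-NAT commands posted above are what the following script checks. It is an added example, not code from the thread or from Cisco, and it assumes ASA 8.3+ semantics, where the inbound access list must name the real inside address (192.168.1.8), not the public one, as Henk's first reply says. The public address 203.0.113.10 in the "bad" variant is a constructed placeholder.

```python
import re

# Constructed from the object-NAT commands posted in the thread.
OBJECT_NAT_CFG = """
object network Outside_to_Inside_NAS
 host 192.168.1.8
 nat (inside,outside) static interface service tcp 1443 1443
access-list OutsideToNAS permit tcp any host 192.168.1.8 eq 1443
access-group OutsideToNAS in interface outside
"""

# Constructed mistake: the ACL names the public (mapped) address, the pre-8.3
# habit, so the packet is dropped after the ASA un-NATs it to 192.168.1.8.
BAD_CFG = OBJECT_NAT_CFG.replace("host 192.168.1.8 eq 1443", "host 203.0.113.10 eq 1443")

def parse(cfg):
    """Pull hosts, object-NAT port forwards, ACL entries and outside bindings."""
    hosts, nat_ports, acls, bound, cur = {}, [], [], set(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)", line):
            cur = m.group(1)
        elif (m := re.match(r"host (\S+)", line)) and cur:
            hosts[cur] = m.group(1)
        elif (m := re.match(r"nat \((\w+),(\w+)\) static interface service tcp (\d+) (\d+)", line)) and cur:
            nat_ports.append((cur, m.group(1), m.group(3), m.group(4)))  # (object, real_if, real_port, mapped_port)
        elif m := re.match(r"access-list (\S+) (?:extended )?permit tcp any host (\S+) eq (\d+)", line):
            acls.append(m.groups())  # (acl_name, dst_host, dst_port)
        elif m := re.match(r"access-group (\S+) in interface outside", line):
            bound.add(m.group(1))
    return hosts, nat_ports, acls, bound

def check_port_forward(cfg):
    """Return findings for an inbound port forward; an empty list means it is consistent."""
    hosts, nat_ports, acls, bound = parse(cfg)
    findings = []
    for obj, real_if, real_port, _mapped_port in nat_ports:
        real_ip = hosts.get(obj)
        if real_if != "inside":
            findings.append(f"{obj}: real interface should be inside, got {real_if}")
        # Post-8.3 the ACL is evaluated against the real address and real port.
        matched = [a for a in acls if a[1] == real_ip and a[2] == real_port]
        if not matched:
            findings.append(f"{obj}: no ACL permits tcp/{real_port} to real address {real_ip}")
        for name, _, _ in matched:
            if name not in bound:
                findings.append(f"{name}: not applied inbound on the outside interface")
    return findings
```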
Henk van AchterbergSr. Technical ConsultantCommented:
To be honest, I would go for this configuration:

object network Qnap_TS269Pro
 host 192.168.1.8

object service Qnap_1443
 service tcp destination eq 1443

nat (outside,inside) source static any any destination static interface Qnap_TS269Pro service Qnap_1443 Qnap_1443 unidirectional no-proxy-arp

access-list outside_access_in extended permit object Qnap_1443 any object Qnap_TS269Pro

access-group outside_access_in in interface outside

The logic is as follows:

nat (outside,inside) source static <original source address> <translated source address> destination static <original destination address> <translated destination address> <original service> <translated service> unidirectional no-proxy-arp

Unidirectional is only one way, only from outside to inside, just what we want.
rwcsAuthor Commented:
Thank you @henkva, actually bidirectional is not so bad :) because from inside my network I can access it by the hostname that points to my Internet IP.


I'm still getting used to the Cisco world; I use Linux massively for pretty much everything....


Thank you!