NAT (port forward)

Hi all,

I am having a really hard time configuring "Port Forward" on my Cisco ASA5505. Can someone help me?

I need to access my NAS outside my network so I have:

Cisco ASA5505 (pppoe) ------> QNAP Server (port 1443)

Here is what I did:

1 - NAT Rule (picture 1)
2 - Add Access Rule to the port 1443 (picture 2)

Thank you!

Henk van Achterberg (Sr. Technical Consultant) commented:
To be honest, I would go for this configuration:

object network Qnap_TS269Pro

object service Qnap_1443
 service tcp destination eq 1443

nat (outside,inside) source static any any destination static interface Qnap_TS269Pro service Qnap_1443 Qnap_1443 unidirectional no-proxy-arp

access-list outside_access_in extended permit object Qnap_1443 any object Qnap_TS269Pro

access-group outside_access_in in interface outside

The logic is like this:

nat (outside,inside) source static <original source address> <translated source address> destination static <original destination address> <translated destination address> <original service> <translated service> unidirectional no-proxy-arp

unidirectional is only one way, only from outside to inside, just what we want.

Henk van Achterberg (Sr. Technical Consultant) commented:
In your NAT picture you should change the destination address to the outside interface, and the translated destination address should be the QNAP. The direction should be unidirectional.
Proxy ARP can be disabled.

In the access list please use the QNAP as destination address.

Fred Marshall (Principal) commented:
The general concept is this:
Packets arrive at the public interface which are directed to a port such as:
The router will direct packets to a local address through port forwarding to an internal address like AND to a particular port number which is specified.

So may be translated to according to the router port forwarding setup.

And, often, the port number in and out may remain the same as in this case, 80.
So: would be translated to
Again, in accordance with what you set it up to do.

rwcs (Author) commented:
Hi Guys,

I tried all the suggestions and it is still not working. I attach the screens showing the NAT and the Access Rules. I have done NAT on many systems; Cisco is the first one... I think I am missing some concept. I ordered a book to learn more, but I need to get this done first.

Thank you!

Henk van Achterberg (Sr. Technical Consultant) commented:
In nat1.jpg the destination interface must be INSIDE!

rwcs (Author) commented:
Hi all,

Maybe the graphical interface has some bugs... I really don't know, but it works for me using the console and running the commands below:

object network Qnap_TS269Pro

object service Qnap_1443
service tcp source eq 1443

nat (inside,outside) 1 source static Qnap_TS269Pro service Qnap_1443 Qnap_1443
access-list outside_in permit tcp any host eq 1443
access-group outside_in in interface outside

Please check out the screens taken after I ran those lines in the console.

I use the below version: (Mac OS X)

Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(1)52

Henk van Achterberg (Sr. Technical Consultant) commented:
Now you have a rule with the direction "both"; that is why it works.

When you use the unidirectional direction you only have configured inbound NAT; now it is also outbound. It works but it ain't pretty.

Your NAT rule was almost perfect, you only had to change the interface to inside as I said earlier.

Glad this worked out though.

rwcs (Author) commented:
Hi henkva,

I searched and finally found something that makes a little more sense to me. :) I have long experience with Linux firewalls, but I don't know why Cisco doesn't make things easy... :)

Here are the commands that work well for me now.

conf t
object network Outside_to_Inside_NAS
nat (inside,outside) static interface service tcp 1443 1443
access-list OutsideToNAS permit tcp any host eq 1443
access-group OutsideToNAS in interface outside

Please, guys, let me know if those are OK, or please point me to some good documentation about it; from Cisco I really didn't find anything that explains those things together...

Does anyone have the book below?
The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide

Thank you all!

rwcs (Author) commented:
Thank you @henkva, actually bidirectional is not so bad :) because from inside my network I can access it by the hostname that points to my Internet IP.

I'm still getting used to the Cisco world; I use Linux massively for pretty much everything....

Thank you!
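
For reference, the object-NAT port forward discussed in this thread written out in full, followed by the checks that show whether a packet is translated and permitted. This is an added example, not part of the original thread; the addresses 192.168.1.50 (NAS), 203.0.113.5 (outside interface) and 198.51.100.10 (test client) are constructed placeholders, and the object and ACL names are the ones used in the last configuration above.

```cisco
! Constructed addresses (assumptions, replace with your own):
!   192.168.1.50  = real (inside) address of the QNAP
!   203.0.113.5   = current address of the outside (PPPoE) interface
!   198.51.100.10 = an Internet host used only as a test source
configure terminal
!
! Object NAT: the nat statement lives inside the network object,
! which also has to define the real host it translates.
object network Outside_to_Inside_NAS
 host 192.168.1.50
 nat (inside,outside) static interface service tcp 1443 1443
!
! On ASA 8.3 and later the interface ACL is evaluated against the
! real (inside) address, so the permit names the NAS object and
! not the outside interface address.
access-list OutsideToNAS extended permit tcp any object Outside_to_Inside_NAS eq 1443
access-group OutsideToNAS in interface outside
!
! Narrower alternative to "any": permit only a known source network
! (constructed example range), which limits who can reach the NAS.
! access-list OutsideToNAS extended permit tcp 198.51.100.0 255.255.255.0 object Outside_to_Inside_NAS eq 1443
end
!
! Verification.
! 1. Confirm the address the PPPoE session currently holds.
show interface ip brief
! 2. Confirm the NAT rule exists and see its hit counters.
show nat detail
! 3. Confirm the ACL entry and watch its hit count while testing.
show access-list OutsideToNAS
! 4. Simulate an inbound connection to the forwarded port. In the
!    output, look for the UN-NAT phase, the ACCESS-LIST phase and
!    the final action.
packet-tracer input outside tcp 198.51.100.10 40000 203.0.113.5 1443
! 5. After a real connection attempt, list the active translations.
show xlate
```

If the packet-tracer run is dropped at the ACCESS-LIST phase, the ACL destination is the usual cause; if no UN-NAT phase appears, the NAT rule or its interface pair is not matching.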
Question has a verified solution.
