Solved

CISCO ASA 5505 8.2 port forwarding from Inside to outside

Posted on 2014-02-14
Last Modified: 2014-02-17
Hi, I have the below requirement, which may have been answered earlier, but I could not find anything.

Device : ASA 5505
IOS : 8.2

inside IP : 10.1.1.1
NAT IP : 192.168.1.1 ( not interface IP, one of the IP from pool)

Traffic from 10.1.1.1 on port 25 from inside should be sent out on port 547 after NATting to 192.168.1.1.
How do I configure port redirection/forwarding from inside to outside?
I have ACLs configured on inside and outside to allow the respective IPs for all ports.

global (outside) 3 192.168.1.1
nat (inside) 3 10.1.1.1 255.255.255.255

I am not sure how to configure the "static" command for this requirement.

Regards,
Amar
Question by:Amar_1984

Expert Comment

by:ffleisma
ID: 39860776
Are you doing this via CLI or ASDM?

CLI:
static (Inside,Outside) tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

ASDM
Static NAT Rule

Another way is to do a Static Policy NAT

CLI:
access-list Inside_nat_static line 1 extended permit tcp host 10.1.1.1 eq smtp any

static (Inside,Outside) tcp 192.168.1.1 547 access-list Inside_nat_static

ASDM:
Static Policy NAT
Hope this helps and let us know if you have any further questions.

Author Comment

by:Amar_1984
ID: 39860811
Will this be bi-directional or only from Inside to Outside?

If traffic from outside comes in on port 547, will it be forwarded to port 25 on the internal IP?

Expert Comment

by:ffleisma
ID: 39860830
Yes, it would be both ways.

static (Inside,Outside) tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

I've tested on GNS3 as follows:

packet-tracer input inside tcp 10.1.1.1 25 192.168.1.1 25


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.1.1.1/25 to 192.168.1.1/547 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 0, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa#


packet-tracer input outside tcp 2.2.2.2 547 192.168.1.1 547

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.1/547 to 10.1.1.1/25 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ciscoasa#

Accepted Solution

by:ffleisma (earned 500 total points)
ID: 39860834
Oh, by the way, the key difference between the two configurations I've shown is this:

for the second item (Static Policy NAT), if you have two different destination IP addresses and you want to have different port translations,

ex:
source: 10.1.1.1
destination 1.1.1.1

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 547

source: 10.1.1.1
destination 2.2.2.2

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 8888

access-list Inside_nat_static_1 line 1 extended permit tcp host 10.1.1.1 eq smtp host 1.1.1.1
access-list Inside_nat_static_2 line 1 extended permit tcp host 10.1.1.1 eq smtp host 2.2.2.2

static (Inside,Outside) tcp 192.168.1.1 547 access-list Inside_nat_static_1
static (Inside,Outside) tcp 192.168.1.1 8888 access-list Inside_nat_static_2

See the difference? Let me know if you have any further questions, and I'd be glad to help out. Hope this helps!
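The behaviour ffleisma's two packet-tracer runs show (the static rule translating 10.1.1.1/25 to 192.168.1.1/547 on the way out, and untranslating 192.168.1.1/547 back to 10.1.1.1/25 on the way in) and the way the policy form picks a rule by destination, as an added Python model. This is not part of the thread and not ASA code: it parses only the two command forms posted above (plain `static ... netmask` and `static ... access-list` with a single-ACE policy list), and the config strings are constructed from the commands in the answers.

```python
"""Toy model of ASA 8.2 static PAT (added example, not ASA code).

A 'static (inside,outside) tcp MAPPED MPORT REAL RPORT' rule is bidirectional:
inside->outside the source is rewritten to MAPPED:MPORT, outside->inside a packet
for MAPPED:MPORT is delivered to REAL:RPORT. The policy form attaches an ACL that
restricts which destination (outside host) the rule applies to.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Service names the thread uses; everything else is taken as a numeric port.
PORT_NAMES = {"smtp": 25}


def port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    mapped_ip: str          # global address on outside, e.g. 192.168.1.1
    mapped_port: int
    real_ip: str            # inside host, e.g. 10.1.1.1
    real_port: int
    dst_match: str = "0.0.0.0/0"   # policy ACL destination; "any" for a plain static

    def dst_ok(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.dst_match)


def parse_ace(line: str) -> Tuple[str, int, str]:
    """Parse 'access-list NAME [line N] extended permit tcp host REAL eq PORT DEST',
    where DEST is 'any', 'host IP' or 'IP MASK'. Returns (real_ip, real_port, dst_net)."""
    tok = line.split()
    i = tok.index("permit")
    assert tok[i + 1] == "tcp" and tok[i + 2] == "host" and tok[i + 4] == "eq"
    real_ip, real_port = tok[i + 3], port(tok[i + 5])
    rest = tok[i + 6:]
    if rest[0] == "any":
        dst = "0.0.0.0/0"
    elif rest[0] == "host":
        dst = rest[1] + "/32"
    else:
        dst = str(ip_network(f"{rest[0]}/{rest[1]}", strict=False))
    return real_ip, real_port, dst


def parse_config(text: str) -> List[StaticPat]:
    """Build rules from 'access-list' and 'static' lines, keeping the statics' order."""
    acls: Dict[str, Tuple[str, int, str]] = {}
    rules: List[StaticPat] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            acls[tok[1]] = parse_ace(line)
        elif tok[0] == "static":
            # static (inside,outside) tcp MAPPED MPORT (REAL RPORT netmask M | access-list NAME)
            mapped_ip, mapped_port = tok[3], port(tok[4])
            if tok[5] == "access-list":
                real_ip, real_port, dst = acls[tok[6]]
                rules.append(StaticPat(mapped_ip, mapped_port, real_ip, real_port, dst))
            else:
                rules.append(StaticPat(mapped_ip, mapped_port, tok[5], port(tok[6])))
    return rules


def translate(rules: List[StaticPat], flow: Flow) -> Optional[Flow]:
    """Inside -> outside (packet-tracer phase NAT): first matching rule rewrites the source."""
    for r in rules:
        if (flow.src_ip, flow.src_port) == (r.real_ip, r.real_port) and r.dst_ok(flow.dst_ip):
            return Flow(r.mapped_ip, r.mapped_port, flow.dst_ip, flow.dst_port)
    return None


def untranslate(rules: List[StaticPat], flow: Flow) -> Optional[Flow]:
    """Outside -> inside (phase UN-NAT): a packet for MAPPED:MPORT goes to REAL:RPORT,
    provided the outside source is a destination the rule's ACL covers."""
    for r in rules:
        if (flow.dst_ip, flow.dst_port) == (r.mapped_ip, r.mapped_port) and r.dst_ok(flow.src_ip):
            return Flow(flow.src_ip, flow.src_port, r.real_ip, r.real_port)
    return None


# Constructed from the plain static in the first answer.
PLAIN_CONFIG = """
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255
"""

# Constructed from the policy statics in the accepted solution.
POLICY_CONFIG = """
access-list Inside_nat_static_1 line 1 extended permit tcp host 10.1.1.1 eq smtp host 1.1.1.1
access-list Inside_nat_static_2 line 1 extended permit tcp host 10.1.1.1 eq smtp host 2.2.2.2
static (inside,outside) tcp 192.168.1.1 547 access-list Inside_nat_static_1
static (inside,outside) tcp 192.168.1.1 8888 access-list Inside_nat_static_2
"""

if __name__ == "__main__":
    plain = parse_config(PLAIN_CONFIG)
    print(translate(plain, Flow("10.1.1.1", 25, "2.2.2.2", 25)))      # source becomes 192.168.1.1:547
    print(untranslate(plain, Flow("2.2.2.2", 547, "192.168.1.1", 547)))  # delivered to 10.1.1.1:25
    policy = parse_config(POLICY_CONFIG)
    for dst in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
        print(dst, translate(policy, Flow("10.1.1.1", 25, dst, 25)))   # 547, 8888, no rule
```

The untranslate path is the point a defender should note: with the plain static, any outside host that sends to 192.168.1.1:547 reaches 10.1.1.1:25, and in the tracer above the outside interface ACL is `permit ip any any`, so the ACL does nothing to narrow that. Either the policy form (which in this model only untranslates for the hosts named in the ACL) or a tighter `outside_access_in` limits the exposure to the peers that actually need the port.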

Author Comment

by:Amar_1984
ID: 39864191
Thanks,

I had the exact same configuration, but somehow it didn't work. Probably some other ACL getting in the way. Wanted an expert second opinion.

Thanks for your inputs, I am accepting this as a solution.