CISCO ASA 5505 8.2 port forwarding from Inside to outside

Hi, I have the below requirement, which may have been answered earlier, but I could not find anything.

Device: ASA 5505
IOS: 8.2

Inside IP: 10.1.1.1
NAT IP: 192.168.1.1 (not the interface IP, one of the IPs from the pool)

Traffic from 10.1.1.1 on port 25 from inside should be sent out on port 547 after NATting to 192.168.1.1.
How do I configure port redirection/forwarding from inside to outside?
I have ACLs configured on inside and outside to allow the respective IP for all ports.

global (outside) 3 192.168.1.1
nat (inside) 3 10.1.1.1 255.255.255.255

I am not sure how to configure the "static" command for this requirement.

Regards,
Amar
ffleisma commented:
Are you doing this via CLI or ASDM?

CLI:
static (Inside,Outside) tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

ASDM
Static NAT Rule

Another way is to do a Static Policy NAT

CLI:
access-list Inside_nat_static line 1 extended permit tcp host 10.1.1.1 eq smtp any
        
static (Inside,Outside) tcp 192.168.1.1 547 access-list Inside_nat_static

ASDM:
Static Policy NAT
Hope this helps and let us know if you have any further questions.
Amar_1984 (Author) commented:
Will this be bi-directional, or only from Inside to Outside?

If the traffic from outside comes in on port 547, will it be forwarded to port 25 on the internal IP?
ffleisma commented:
Yes, it would be both ways.

static (Inside,Outside) tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

I've tested on GNS3 as follows:

packet-tracer input inside tcp 10.1.1.1 25 192.168.1.1 25


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.1.1.1/25 to 192.168.1.1/547 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 0, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa#


packet-tracer input outside tcp 2.2.2.2 547 192.168.1.1 547

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.1/547 to 10.1.1.1/25 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ciscoasa#
ffleisma commented:
Oh, by the way, the key difference between the two configurations I've shown is this:

for the second item (Static Policy NAT), if you have two different destination IP addresses and you want to have different port translations,

ex:
source: 10.1.1.1
destination: 1.1.1.1

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 547

source: 10.1.1.1
destination: 2.2.2.2

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 8888

access-list Inside_nat_static_1 line 1 extended permit tcp host 10.1.1.1 eq smtp 1.1.1.1
access-list Inside_nat_static_2 line 1 extended permit tcp host 10.1.1.1 eq smtp 2.2.2.2

static (Inside,Outside) tcp 192.168.1.1 547 access-list Inside_nat_static_1
static (Inside,Outside) tcp 192.168.1.1 8888 access-list Inside_nat_static_2

See the difference? Let me know if you have any further questions, and I'd be glad to help out. Hope this helps!
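To make the two replies above concrete (the plain static PAT from the accepted answer and the destination-keyed policy form from the follow-up), here is an added Python model; it is not code from the thread or from Cisco. It assumes first-match rule order and leaves out the ACL, host-limits and rpf-check phases that packet-tracer shows.

```python
# Added example (not from the thread): a small model of how an ASA 8.2
# "static (inside,outside) tcp ..." rule rewrites traffic in both directions,
# and how the access-list (policy NAT) form keys the outside port on the destination.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticPat:
    global_ip: str      # mapped address on the outside (192.168.1.1)
    global_port: int    # mapped port on the outside (547 / 8888)
    real_ip: str        # inside host (10.1.1.1)
    real_port: int      # inside port (25)
    policy_dst: Optional[str] = None  # only set for the access-list form

    def translate(self, src, dst_ip):
        """inside -> outside (NAT phase): rewrite the source endpoint."""
        if src != (self.real_ip, self.real_port):
            return None
        if self.policy_dst is not None and dst_ip != self.policy_dst:
            return None
        return (self.global_ip, self.global_port)

    def untranslate(self, dst, src_ip):
        """outside -> inside (UN-NAT phase): rewrite the destination endpoint."""
        if dst != (self.global_ip, self.global_port):
            return None
        if self.policy_dst is not None and src_ip != self.policy_dst:
            return None
        return (self.real_ip, self.real_port)

def outbound(rules, src, dst_ip):
    """First matching static rule wins; None means no static rule applies."""
    for rule in rules:
        hit = rule.translate(src, dst_ip)
        if hit:
            return hit
    return None

def inbound(rules, dst, src_ip):
    for rule in rules:
        hit = rule.untranslate(dst, src_ip)
        if hit:
            return hit
    return None

# Rules from the thread: the plain static PAT, and the destination-keyed policy pair.
PLAIN = [StaticPat("192.168.1.1", 547, "10.1.1.1", 25)]
POLICY = [StaticPat("192.168.1.1", 547, "10.1.1.1", 25, policy_dst="1.1.1.1"),
          StaticPat("192.168.1.1", 8888, "10.1.1.1", 25, policy_dst="2.2.2.2")]
```

With PLAIN, any outside host reaching 192.168.1.1:547 is untranslated to 10.1.1.1:25, which is the bidirectional behaviour the thread confirms; with POLICY, a destination not listed in either access-list gets no static translation at all.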
Amar_1984 (Author) commented:
Thanks,

I had the exact same configuration, but somehow it didn't work. Probably some other ACL getting in the way. I wanted an expert second opinion.

Thanks for your inputs, I am accepting this as the solution.