Solved

CISCO ASA 5505 8.2 port forwarding from Inside to outside

Posted on 2014-02-14
Last Modified: 2014-02-17
Hi, I have the below requirement, which may have been answered earlier, but I could not find anything.

Device : ASA 5505
IOS : 8.2

inside IP : 10.1.1.1
NAT IP : 192.168.1.1 ( not interface IP, one of the IP from pool)

traffic from 10.1.1.1 on port 25 from inside should be sent out on port 547 after natting to 192.168.1.1
How do I configure port redirection/forwarding from inside to outside?
I have ACLs configured on inside and outside to allow the respective IPs for all ports.

global (outside) 3 192.168.1.1
nat (inside) 3 10.1.1.1 255.255.255.255

I am not sure how to configure the "static" command for this requirement.

Regards,
Amar
Question by:Amar_1984

Expert Comment

by:ffleisma
ID: 39860776
Are you doing this via CLI or ASDM?

CLI:
static (Inside,Outside)  tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

ASDM
Static NAT Rule

Another way is to do a Static Policy NAT

CLI:
access-list Inside_nat_static line 1 extended permit tcp host 10.1.1.1 eq smtp any

static (Inside,Outside) tcp 192.168.1.1 547 access-list Inside_nat_static

ASDM:
Static Policy NAT
Hope this helps and let us know if you have any further questions.

Author Comment

by:Amar_1984
ID: 39860811
Will this be bi-directional or only from Inside to Outside?

If the traffic from outside comes in on port 547, will it be forwarded to port 25 on the internal IP?

Expert Comment

by:ffleisma
ID: 39860830
Yes, it would be both ways.

static (Inside,Outside)  tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

I've tested on GNS3 as follows:

packet-tracer input inside tcp 10.1.1.1 25 192.168.1.1 25


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.1.1.1/25 to 192.168.1.1/547 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 0, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa#


packet-tracer input outside tcp 2.2.2.2 547 192.168.1.1 547

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.1/547 to 10.1.1.1/25 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ciscoasa#

Accepted Solution

by:ffleisma
ID: 39860834
Oh, by the way, the key difference between the two configurations I've shown is this:

For the second item (Static Policy NAT), if you have two different destination IP addresses and you want to have different port translations:

ex:
source: 10.1.1.1
destination: 1.1.1.1

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 547

source: 10.1.1.1
destination: 2.2.2.2

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 8888

access-list Inside_nat_static_1 line 1 extended permit tcp host 10.1.1.1 eq smtp host 1.1.1.1
access-list Inside_nat_static_2 line 1 extended permit tcp host 10.1.1.1 eq smtp host 2.2.2.2

static (Inside,Outside) tcp 192.168.1.1 547 access-list Inside_nat_static_1
static (Inside,Outside) tcp 192.168.1.1 8888 access-list Inside_nat_static_2

See the difference? Let me know if you have any further questions, and I'd be glad to help out. Hope this helps!
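
Putting the two forms together (the plain static PAT from ffleisma's first reply and the policy static NAT from the accepted solution) as a complete ASA 8.2 fragment, with the interface ACLs and the verification steps a deployment also needs. This is an added example, not configuration posted in the thread. It assumes the interface nameifs inside and outside and the ACL names inside_access_in and outside_access_in seen in the packet-tracer output above, uses 1.1.1.1 and 2.2.2.2 from the accepted solution as the outside mail peers, and picks 203.0.113.9 as an arbitrary outside host that should be refused; everything else is as in the question.

```cisco
! Added example, not configuration from the thread. Assumes nameifs "inside"
! and "outside", the outside segment 192.168.1.0/24, and mail peers 1.1.1.1 and
! 2.2.2.2. ASA 8.2 syntax only: 8.3 and later replaced static/nat/global with
! object NAT and match interface ACLs on real (untranslated) addresses.

! --- Option A: plain static PAT --------------------------------------------
! Real 10.1.1.1:25 <-> mapped 192.168.1.1:547, in both directions.
! Static entries are evaluated before nat/global, so this wins over the
! existing "nat (inside) 3 10.1.1.1" / "global (outside) 3" pair for TCP/25.
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

! --- Option B: policy static NAT, mapped port chosen by destination ---------
! Use instead of Option A (the ASA rejects a second static on the same
! mapped 192.168.1.1:547). The ACL carries the real port (smtp), the static
! carries the mapped port; note the "host" keyword before the destination.
! access-list inside_nat_static_1 extended permit tcp host 10.1.1.1 eq smtp host 1.1.1.1
! access-list inside_nat_static_2 extended permit tcp host 10.1.1.1 eq smtp host 2.2.2.2
! static (inside,outside) tcp 192.168.1.1 547  access-list inside_nat_static_1
! static (inside,outside) tcp 192.168.1.1 8888 access-list inside_nat_static_2

! --- Interface ACLs ---------------------------------------------------------
! Outbound: the flow from the question, 10.1.1.1 sending from port 25.
access-list inside_access_in extended permit tcp host 10.1.1.1 eq 25 any
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside

! Inbound: the static is bidirectional, so this ACL is what stands between
! the outside world and 10.1.1.1:25. In 8.2 it is matched on the MAPPED
! address and port (192.168.1.1:547). "permit ip any any" here, as in the
! GNS3 test, would publish the mail server to every outside host.
access-list outside_access_in extended permit tcp host 1.1.1.1 host 192.168.1.1 eq 547
! With Option B, 2.2.2.2 reaches the server on mapped port 8888 instead:
! access-list outside_access_in extended permit tcp host 2.2.2.2 host 192.168.1.1 eq 8888
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside

! --- Apply and verify -------------------------------------------------------
! An existing xlate for 10.1.1.1 keeps its old mapping until cleared.
clear xlate local 10.1.1.1

! Outbound: expect the NAT phase to report
! "Static translate 10.1.1.1/25 to 192.168.1.1/547" and Action: allow.
packet-tracer input inside tcp 10.1.1.1 25 1.1.1.1 40000

! Inbound from the permitted peer: expect an UN-NAT phase that untranslates
! 192.168.1.1/547 to 10.1.1.1/25, then the outside ACL, then Action: allow.
packet-tracer input outside tcp 1.1.1.1 40000 192.168.1.1 547

! Inbound from anyone else: same UN-NAT, then the ACCESS-LIST phase should
! report Result: DROP against outside_access_in.
packet-tracer input outside tcp 203.0.113.9 40000 192.168.1.1 547

! Confirm the translation actually in use.
show xlate | include 10.1.1.1
```

Two points the thread leaves implicit. First, because the static is bidirectional, whoever the outside ACL permits to 192.168.1.1:547 reaches 10.1.1.1:25, and on 8.2 that ACL is written against the mapped address, so the lab's permit ip any any on outside is not something to carry into production. Second, a translation that already exists for 10.1.1.1 (for example from the nat/global pair) is not rewritten when a static is added; until clear xlate runs, the new static appears not to work, which is worth ruling out alongside a conflicting ACL.
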

Author Comment

by:Amar_1984
ID: 39864191
Thanks,

I had the exact same configuration, but somehow it didn't work. Probably some other ACL getting in the way. I wanted an expert second opinion.

Thanks for your inputs, i am accepting this as a solution.