CISCO ASA 5505 8.2 port forwarding from Inside to outside

Posted on 2014-02-14
Last Modified: 2014-02-17
Hi, I have the requirement below, which may have been answered earlier, but I could not find anything.

Device : ASA 5505
IOS : 8.2

inside IP : 10.1.1.1
NAT IP : 192.168.1.1 (not the interface IP, one of the IPs from the pool)

Traffic from 10.1.1.1 on port 25 from inside should be sent out on port 547 after NATting to 192.168.1.1.
How do I configure port redirection/forwarding from inside to outside?
I have ACL configured on inside and outside to allow respective IP for all ports.

global (outside) 3 192.168.1.1
nat (inside) 3 10.1.1.1 255.255.255.255

I am not sure how to configure the "static" command for this requirement.

Regards,
Amar
Question by:Amar_1984
5 Comments

Expert Comment

by:ffleisma
ID: 39860776
Are you doing this via CLI or ASDM?

CLI:
static (Inside,Outside)  tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

ASDM
Static NAT Rule

Another way is to do a Static Policy NAT

CLI:
access-list Inside_nat_static line 1 extended permit tcp host 10.1.1.1 eq smtp any
        
static (Inside,Outside)  tcp 192.168.1.1 547 access-list Inside_nat_static

ASDM:
Static Policy NAT
Hope this helps and let us know if you have any further questions.

Author Comment

by:Amar_1984
ID: 39860811
Will this be bi-directional or only from Inside to Outside?

If the traffic from outside comes in on port 547, will it be forwarded to port 25 on the internal IP?
Expert Comment

by:ffleisma
ID: 39860830
Yes, it would be both ways.

static (Inside,Outside)  tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

I've tested on GNS3 as follows:

packet-tracer input inside tcp 10.1.1.1 25 192.168.1.1 25


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.1.1.1/25 to 192.168.1.1/547 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 0, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa#


packet-tracer input outside tcp 2.2.2.2 547 192.168.1.1 547

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.1/547 to 10.1.1.1/25 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ciscoasa#
Accepted Solution

by: ffleisma (earned 2000 total points)
ID: 39860834
Oh, by the way, the key difference between the two configurations I've shown is that,

for the second item (Static Policy NAT), if you have two different destination IP addresses and you want different port translations:

ex:
source: 10.1.1.1
destination: 1.1.1.1

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 547

source: 10.1.1.1
destination: 2.2.2.2

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 8888

access-list Inside_nat_static_1 line 1 extended permit tcp host 10.1.1.1 eq smtp host 1.1.1.1
access-list Inside_nat_static_2 line 1 extended permit tcp host 10.1.1.1 eq smtp host 2.2.2.2

static (Inside,Outside) tcp 192.168.1.1 547 access-list Inside_nat_static_1
static (Inside,Outside) tcp 192.168.1.1 8888 access-list Inside_nat_static_2

See the difference? Let me know if you have any further questions, and I'd be glad to help out. Hope this helps!
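To make the two answers above concrete, here is an added Python model of how an ASA 8.2 `static` (plain form and policy form) rewrites a packet in each direction. It is not code from the thread or from Cisco. It parses the exact `static` and `access-list` lines quoted in the answers, with the constructed peers 1.1.1.1 and 2.2.2.2 from the accepted solution, and rewrites only the source on the way out (packet-tracer's `translate_hits`) and only the destination on the way in (`untranslate_hits`), which is the bidirectionality the trace showed. Two assumptions are built in: for a policy static the ACL destination scopes the rule in both directions (outbound by destination, inbound by source), and no dynamic `nat`/`global` rules are modelled.

```python
"""Added model of ASA 8.2 'static' PAT (plain and policy form); not code from the thread."""
import re
from dataclasses import dataclass, replace
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


def port_num(token: str) -> int:
    """Accept a numeric port or an ASA port keyword such as 'smtp'."""
    return PORT_NAMES.get(token.lower()) or int(token)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    real_if: str          # interface the real host is behind, e.g. 'inside'
    mapped_if: str        # interface where the mapped address is visible, e.g. 'outside'
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int
    peer: Optional[str]   # policy NAT: the one far-end host this rule applies to; None = any


STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+"
    r"(?:(\S+)\s+(\S+)\s+netmask\s+\S+|access-list\s+(\S+))\s*$", re.I)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?extended\s+permit\s+(tcp|udp)\s+"
    r"host\s+(\S+)\s+eq\s+(\S+)\s+(?:host\s+(\S+)|any)\s*$", re.I)


def parse_config(text: str) -> list[StaticPat]:
    """Parse policy-NAT 'access-list' lines and 'static' lines (ACLs must come first)."""
    acls: dict[str, tuple[str, int, Optional[str]]] = {}
    rules: list[StaticPat] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if m:
            name, _proto, src, sport, dst = m.groups()
            acls[name] = (src, port_num(sport), dst)  # dst is None for 'any'
            continue
        m = STATIC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line}")
        real_if, mapped_if, proto, mip, mport, rip, rport, acl = m.groups()
        if acl:  # policy form: real host, real port and peer all come from the ACL
            rip, rport_n, peer = acls[acl]
        else:
            rport_n, peer = port_num(rport), None
        rules.append(StaticPat(real_if.lower(), mapped_if.lower(), proto.lower(),
                               mip, port_num(mport), rip, rport_n, peer))
    return rules


def translate(rules: list[StaticPat], ingress: str, pkt: Flow) -> Optional[Flow]:
    """Return the packet as it leaves the ASA, or None if no static applies (statics only)."""
    ingress = ingress.lower()
    for r in rules:
        if pkt.proto != r.proto:
            continue
        # Real -> mapped: rewrite the source (packet-tracer's translate_hits).
        if (ingress == r.real_if and (pkt.src_ip, pkt.src_port) == (r.real_ip, r.real_port)
                and r.peer in (None, pkt.dst_ip)):
            return replace(pkt, src_ip=r.mapped_ip, src_port=r.mapped_port)
        # Mapped -> real: the same rule, other way round; rewrite the destination (untranslate_hits).
        if (ingress == r.mapped_if and (pkt.dst_ip, pkt.dst_port) == (r.mapped_ip, r.mapped_port)
                and r.peer in (None, pkt.src_ip)):
            return replace(pkt, dst_ip=r.real_ip, dst_port=r.real_port)
    return None


# Constructed configs: the two alternatives given in the answers.
PLAIN_CONFIG = """
static (Inside,Outside) tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255
"""
POLICY_CONFIG = """
access-list Inside_nat_static_1 extended permit tcp host 10.1.1.1 eq smtp host 1.1.1.1
access-list Inside_nat_static_2 extended permit tcp host 10.1.1.1 eq smtp host 2.2.2.2
static (Inside,Outside) tcp 192.168.1.1 547 access-list Inside_nat_static_1
static (Inside,Outside) tcp 192.168.1.1 8888 access-list Inside_nat_static_2
"""

if __name__ == "__main__":
    plain = parse_config(PLAIN_CONFIG)
    print(translate(plain, "inside", Flow("tcp", "10.1.1.1", 25, "2.2.2.2", 25)))
    print(translate(plain, "outside", Flow("tcp", "2.2.2.2", 547, "192.168.1.1", 547)))
    policy = parse_config(POLICY_CONFIG)
    for dst in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
        print(dst, translate(policy, "inside", Flow("tcp", "10.1.1.1", 25, dst, 25)))
```

The inbound case is the one to check before deploying: because the static is bidirectional, anything that reaches 192.168.1.1:547 on the outside is delivered to 10.1.1.1:25 subject only to the outside ACL, and in the trace above `outside_access_in` is `permit ip any any`. Either tighten that ACL to the expected peers or use the policy form, which in this model answers only the hosts named in the ACL. Confirm the real box with `packet-tracer input outside tcp <peer> <port> 192.168.1.1 547` rather than relying on the model.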

Author Comment

by:Amar_1984
ID: 39864191
Thanks,

I had the exact same configuration, but somehow it didn't work. Probably some other ACL is getting in the way. I wanted an expert second opinion.

Thanks for your inputs, I am accepting this as a solution.