Solved

CISCO ASA 5505 8.2 port forwarding from Inside to outside

Posted on 2014-02-14
Last Modified: 2014-02-17
Hi, I have the below requirement, which may have been answered earlier, but I could not find anything.

Device : ASA 5505
IOS : 8.2

inside IP : 10.1.1.1
NAT IP : 192.168.1.1 ( not interface IP, one of the IP from pool)

Traffic from 10.1.1.1 on port 25 from inside should be sent out on port 547 after NATting to 192.168.1.1.
How do I configure port redirection/forwarding from inside to outside?
I have ACLs configured on inside and outside to allow the respective IPs for all ports.

global (outside) 3 192.168.1.1
nat (inside) 3 10.1.1.1 255.255.255.255

I am not sure how to configure the "static" command for this requirement.

Regards,
Amar
Question by:Amar_1984
5 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 39860776
Are you doing this via CLI or ASDM?

CLI:
static (Inside,Outside)  tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

ASDM
Static NAT Rule

Another way is to do a Static Policy NAT

CLI:
access-list Inside_nat_static line 1 extended permit tcp host 10.1.1.1 eq smtp any
        
static (Inside,Outside)  tcp 192.168.1.1 547 access-list Inside_nat_static

ASDM:
Static Policy NAT
Hope this helps and let us know if you have any further questions.

Author Comment

by:Amar_1984
ID: 39860811
Will this be bi-directional or only from Inside to Outside?

If traffic from outside comes in on port 547, will it be forwarded to port 25 on the internal IP?
LVL 9

Expert Comment

by:ffleisma
ID: 39860830
Yes, it would be both ways.

static (Inside,Outside)  tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255

I've tested on GNS3 as follows:

packet-tracer input inside tcp 10.1.1.1 25 192.168.1.1 25


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.1.1.1/25 to 192.168.1.1/547 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 0, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa#


packet-tracer input outside tcp 2.2.2.2 547 192.168.1.1 547

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.1/547 to 10.1.1.1/25 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.1.1 547 10.1.1.1 smtp netmask 255.255.255.255
  match tcp inside host 10.1.1.1 eq 25 outside any
    static translation to 192.168.1.1/547
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ciscoasa#
LVL 9

Accepted Solution

by:
ffleisma earned 2000 total points
ID: 39860834
Oh, by the way, the key difference between the two configurations I've shown is that,

for the second item (Static Policy NAT), if you have two different destination IP addresses and you want to have different port translations:

ex:
source: 10.1.1.1
destination: 1.1.1.1

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 547

source: 10.1.1.1
destination: 2.2.2.2

NAT source: 192.168.1.1
NAT destination: same
NAT port destination: 8888

access-list Inside_nat_static_1 line 1 extended permit tcp host 10.1.1.1 eq smtp host 1.1.1.1
access-list Inside_nat_static_2 line 1 extended permit tcp host 10.1.1.1 eq smtp host 2.2.2.2

static (Inside,Outside) tcp 192.168.1.1 547 access-list Inside_nat_static_1
static (Inside,Outside) tcp 192.168.1.1 8888 access-list Inside_nat_static_2

See the difference? Let me know if you have any further questions, and I'd be glad to help out. Hope this helps!
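A small Python model, added here and not part of the thread or of Cisco's software, of the xlate lookup behind both answers: the plain static PAT from the first comment and the two ACL-based statics in the accepted answer. The class and function names (Asa82Nat, StaticPat, plain_static, policy_static) are made up for the example; the sample flows are the ones packet-tracer ran above.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class StaticPat:
    """One 'static (inside,outside) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT'.
    A non-empty dest turns it into a static policy NAT keyed on the outside IP."""
    mapped: Endpoint
    real: Endpoint
    dest: Optional[str] = None   # None = plain static, matches any destination
    translate_hits: int = 0
    untranslate_hits: int = 0


class Asa82Nat:
    """Toy model (constructed for this example) of the 8.2 static lookup."""
    def __init__(self, rules):
        # 8.2 evaluates policy statics before regular statics, so order them first
        self.rules = sorted(rules, key=lambda r: r.dest is None)

    def translate(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """inside -> outside: rewrite the real source to the mapped source."""
        for r in self.rules:
            if src == r.real and (r.dest is None or r.dest == dst[0]):
                r.translate_hits += 1
                return r.mapped
        return None   # no static matched; 8.2 would try nat/global dynamic PAT next

    def untranslate(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """outside -> inside: a packet to the mapped endpoint reaches the real host.
        This reverse lookup is why the static works both ways."""
        for r in self.rules:
            if dst == r.mapped and (r.dest is None or r.dest == src[0]):
                r.untranslate_hits += 1
                return r.real
        return None   # nothing to un-NAT: the inbound packet is not forwarded


def plain_static() -> Asa82Nat:
    # static (Inside,Outside) tcp 192.168.1.1 547 10.1.1.1 25 netmask 255.255.255.255
    return Asa82Nat([StaticPat(("192.168.1.1", 547), ("10.1.1.1", 25))])


def policy_static() -> Asa82Nat:
    # the two ACL-based statics from the accepted answer: dest 1.1.1.1 -> 547, 2.2.2.2 -> 8888
    return Asa82Nat([StaticPat(("192.168.1.1", 547), ("10.1.1.1", 25), dest="1.1.1.1"),
                     StaticPat(("192.168.1.1", 8888), ("10.1.1.1", 25), dest="2.2.2.2")])
```

Because the reverse lookup succeeds for any outside source in the plain static case, whatever the outside interface ACL permits to 192.168.1.1 port 547 lands on the mail server's port 25; the lab output above permits ip any any, so scope outside_access_in accordingly in production.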

Author Comment

by:Amar_1984
ID: 39864191
Thanks,

I had the exact same configuration, but somehow it didn't work. Probably some other ACL getting in the way. I wanted an expert second opinion.

Thanks for your inputs, I am accepting this as a solution.
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question