[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 802
  • Last Modified:

port forwarding on cisco asa 5510

Hi guys,

I have an internal site here on my lan it is http://192.168.20.211/zetta2go and i want to forward it from the outside I have tried adding the rule 79.140.211.194 but i cant get it to work?

Any ideas?

I have posted the config here

 Saved
:
ASA Version 8.0(4) 
!
hostname test
domain-name default.domain.invalid
names
name 192.168.20.90 Cam
name 192.168.20.116 up1
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 95.x.x.82 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.20.254 255.255.255.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif OutsideNew
 security-level 0
 ip address 79.x.x.206 255.255.255.240 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
!
time-range inter
 periodic daily 19:12 to 19:14
!
time-range li
 periodic daily 19:26 to 19:29
!
time-range newstime
 periodic daily 16:50 to 16:58
 periodic weekdays 7:50 to 7:58
 periodic daily 13:50 to 13:58
 periodic daily 14:50 to 14:58
 periodic daily 15:50 to 15:58
 periodic daily 9:50 to 9:58
 periodic daily 11:50 to 23:58
 periodic daily 8:50 to 8:58
 periodic daily 10:50 to 10:58
 periodic daily 20:12 to 20:15
 periodic daily 17:50 to 17:58
 periodic daily 12:50 to 12:58
 periodic daily 18:50 to 18:58
!
time-range test
 periodic daily 18:32 to 18:35
!
time-range uy
 periodic daily 18:40 to 18:43
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network mailserver
 network-object host 192.168.20.1
object-group service SERVICES tcp
 port-object eq www
 port-object eq smtp
 port-object eq pop3
 port-object eq 3000
 port-object eq 3389
 port-object eq imap4
 port-object eq 587
 port-object eq 161
 port-object eq 162
 port-object eq 165
 port-object eq 166
object-group service UDPSERVICES udp
 port-object eq 3389
object-group network LAN
 network-object 192.168.20.0 255.255.255.0
object-group service WWW tcp
 port-object eq www
object-group service TIELINE tcp-udp
 port-object eq 9000
 port-object eq 9002
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object host 192.168.20.189
object-group service cam tcp
 port-object eq 8081
object-group protocol port1
 protocol-object 165
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service up1
 service-object udp eq snmp 
 service-object udp eq snmptrap 
access-list WAN_LAN extended permit tcp any host 95.x.x.84 object-group SERVICES log 
access-list WAN_LAN extended permit udp any host 95.x.x.84 object-group UDPSERVICES log 
access-list WAN_LAN extended permit tcp any host 95.x.x.85 object-group WWW log 
access-list WAN_LAN extended permit tcp any host 95.x.x.86 object-group TIELINE log 
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 172.16.8.0 255.255.255.0 
access-list LAN-WAN extended permit tcp object-group LAN any object-group SERVICES 
access-list LAN-WAN extended permit ip object-group mailserver any 
access-list split standard permit 192.168.20.0 255.255.255.0 
access-list OutsideNew_access_in extended permit tcp any host 79.x.x.194 object-group SERVICES 
access-list OutsideNew_access_in extended permit udp any host 79.x.x.194 object-group UDPSERVICES 
access-list OutsideNew_access_in extended permit tcp any host 79.x.x.195 object-group WWW 
access-list OutsideNew_access_in extended permit tcp any host 79.x.x.197 object-group TIELINE 
access-list OutsideNew_access_in extended permit tcp 62.x.x.32 255.255.255.224 host 79.x.x.195 eq 3389 
access-list OutsideNew_access_in remark telnet
access-list OutsideNew_access_in extended permit tcp any host 79.x.x.194 eq telnet 
access-list OutsideNew_access_in extended permit tcp any host 79.x.x.194 object-group cam 
access-list OutsideNew_access_in extended permit object-group up1 any host 79.x.x.194 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 95.x.x.85 object-group WWW 
access-list inside_access_in extended deny tcp host 192.168.20.231 any object-group WWW time-range newstime inactive 
pager lines 24
logging enable
logging timestamp
logging history informational
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu OutsideNew 1500
mtu management 1500
ip local pool vpnpool 172.16.8.2-172.16.8.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (OutsideNew) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) 95.x.x.85 192.168.20.2 netmask 255.255.255.255 
static (inside,outside) 95.x.x.86 192.168.20.52 netmask 255.255.255.255 
static (inside,outside) 95.x.x.84 192.168.20.1 netmask 255.255.255.255 dns 
static (inside,OutsideNew) 79.x.x.194 192.168.20.1 netmask 255.255.255.255 
static (inside,OutsideNew) 79.x.x.195 192.168.20.2 netmask 255.255.255.255 
static (inside,OutsideNew) 79.x.x.197 192.168.20.52 netmask 255.255.255.255 
static (inside,OutsideNew) 79.x.x.196 192.168.20.53 netmask 255.255.255.255 
static (inside,OutsideNew) 79.x.x.198 192.168.20.60 netmask 255.255.255.255 
static (inside,OutsideNew) 79.x.x.199 192.168.20.61 netmask 255.255.255.255 
static (inside,OutsideNew) 79.x.x.200 192.168.20.62 netmask 255.255.255.255 
access-group WAN_LAN in interface outside
access-group inside_access_in in interface inside
access-group OutsideNew_access_in in interface OutsideNew
route outside 0.0.0.0 0.0.0.0 95.x.x.81 1
route OutsideNew 0.0.0.0 0.0.0.0 79.x.x.193 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authorization command LOCAL 
aaa authorization exec authentication-server
http server enable
http 62.x.x.32 255.255.255.224 OutsideNew
http 192.168.1.0 255.255.255.0 management
http 192.168.20.0 255.255.255.0 inside
http 213.x.x.97 255.255.255.255 outside
snmp-server location Athlone
snmp-server contact Jonathan Duane
snmp-server enable traps syslog
snmp-server enable traps ipsec start
crypto ipsec transform-set vpnsettings esp-3des esp-md5-hmac 
crypto ipsec transform-set remotesettings esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map remoteclient 20 set transform-set remotesettings
crypto dynamic-map remoteclient 20 set security-association lifetime seconds 28800
crypto dynamic-map remoteclient 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map OutsideNew_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideNew_map interface OutsideNew
crypto isakmp identity address 
crypto isakmp enable OutsideNew
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5

ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.20.100-192.168.20.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn3000 internal
group-policy vpn3000 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split

tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group vpn3000 type remote-access
tunnel-group vpn3000 general-attributes
 address-pool vpnpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
 isakmp ikev1-user-authentication none
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e1cfd11a919f8a7ff9c0621f42b23cb0
: end

Open in new window

0
jonathanduane2010
Asked:
jonathanduane2010
1 Solution
 
AkinsdNetwork AdministratorCommented:
You need 2 things
- Permitting traffic through the outside interface to 192.168.20.211 on port 80
- Static NAT translating 79.140.211.194:80 to 192.168.20.211

Example
access-list OutsideNew_access_in extended permit tcp any host 79.140.211.194 eq www

object network obj-192.168.20.211
host 192.168.20.211

object network obj-79.140.211.194
host 79.140.211.194

nat (inside,outside) source static obj-192.168.20.211 obj-79.140.211.194 dns
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now