Port Forwarding Multiple Ports to Single IP Address

Posted on 2014-08-25
Medium Priority
Last Modified: 2014-08-30
I have been given the task of moving a Cisco PIX 525 to a Cisco ASA 5515-X. The PIX is running 6.3(5), the ASA 9.1(1). I'm plodding along, but now I am stuck. I would like to port forward multiple ports to a single internal IP address. The code on the PIX looks like this:

access-list outside_access_in permit tcp any host eq https
access-list outside_access_in permit tcp any host eq 5704
static (inside,outside) netmask 0 0

How does one go about doing this on the ASA 9.1?

This is my first time working with these new ASA devices.
Question by:OmniSystems
Accepted Solution

rauenpc earned 2000 total points
ID: 40284048
Create a network object with nat, access list almost like normal... the big difference is that ACLs are all "real IP" access lists, so the outside_access_in ACL will reference private IPs, not public. I like to go all object based whenever possible.

access-list outside_access_in permit tcp any host eq https
access-list outside_access_in permit tcp any host eq 5704
static (inside,outside) netmask 0 0

will become

! mapped (public) address object
object net EXTHOST-

! real (inside) host object; the static NAT is configured on the real object
object net HOST-
 nat (inside,outside) static EXTHOST-

! one service object per port to be forwarded
object service SERVICE-HTTPS
 service tcp destination eq https
 description HTTPS port 443

object service SERVICE-TCP-5704
 service tcp destination eq 5704

! group the service objects so the ACL needs only one entry
object-group service EXTSERVICES-HOST-
 service-object object SERVICE-HTTPS
 service-object object SERVICE-TCP-5704

! ACL matches the real (inside) address, not the public one
access-list outside_access_in permit object-group EXTSERVICES-HOST- any object HOST-

I realize that my example makes it seem like 9.1 requires a TON of extra work... yes and no. There are ways to make 9.1 pretty much as short as 8.2.5 and below, but in the long run going object based for everything will end up making life pretty awesome when it comes to making changes. For example, if you needed to open port 80 to the server, you only need to add the service-object to EXTSERVICES-HOST- and it will take effect on all references with no need to touch all the ACLs.

Author Comment

ID: 40286289
Thanks for this information. I will be working with it today. Question.

Would the command - "access-group outside_access_in in interface outside" still be needed?

Author Comment

ID: 40286291
BTW, the object oriented approach makes a lot of sense in the long run.
Expert Comment

ID: 40286364
Yes, attaching the ACL to the interface is required for the inbound functions that you want. You can name the ACL whatever you want of course, but it must be applied to the interface in the direction you need it applied.
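Putting the accepted answer and this follow-up together, here is a complete ASA 9.1 configuration for forwarding two TCP ports to one inside host, including the access-group line asked about. This is an added example, not configuration from the question or from rauenpc's post; the object names, the RFC 5737 addresses (203.0.113.10 as the public address, 192.168.1.10 as the inside host) and the interface names inside/outside are constructed for illustration.

```cisco
! --- constructed example, addresses are documentation ranges (RFC 5737) ---

! Mapped (public) address that outside clients connect to
object network EXTHOST-WEB
 host 203.0.113.10

! Real (inside) server; the static NAT lives on the real object and
! points at the mapped object. This is a full one-to-one translation,
! so the ACL below is what limits exposure to the two ports.
object network HOST-WEB
 host 192.168.1.10
 nat (inside,outside) static EXTHOST-WEB

! One service object per forwarded port
object service SERVICE-HTTPS
 service tcp destination eq https
 description HTTPS port 443

object service SERVICE-TCP-5704
 service tcp destination eq 5704
 description application port 5704

! Group the ports so the ACL has a single entry; adding a port later
! means adding one service-object here, with no ACL change.
object-group service EXTSERVICES-HOST-WEB
 service-object object SERVICE-HTTPS
 service-object object SERVICE-TCP-5704

! 8.3+ ACLs match the real (untranslated) address, hence "object HOST-WEB"
access-list outside_access_in extended permit object-group EXTSERVICES-HOST-WEB any object HOST-WEB

! Without this line the ACL exists but is not enforced on any interface
access-group outside_access_in in interface outside
```

To confirm both pieces are in place before moving traffic, run `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443` on the ASA: the output should show the UN-NAT phase translating to 192.168.1.10 and the ACCESS-LIST phase hitting outside_access_in with ALLOW. Repeating it with a port that is not in the group, for example 22, should end in DROP at the ACCESS-LIST phase, which is the check that the one-to-one static NAT has not silently exposed the whole host.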

Author Closing Comment

ID: 40294755
Great help and example given was clearly explained.
