Port forwarding on a Cisco ASA 5512

Hi, we have a Cisco 5512x firewall. We only have one single static IP from the ISP.
We now need to forward ports 443, 25 and 389 to a server, 10.1.3.10 for example. 443 will be open to everyone, and 25 and 389 to a limited number of IP addresses.
Using a static NAT entry I can forward these, but only one port at a time it would seem. For example, if I forward 25 using nat (outside,inside) static interface service tcp smtp smtp (configuring within the object already created), this will work. But if I repeat the command using ldap rather than smtp, although it works, smtp then stops working. I am sure I am missing something silly.
Can anyone assist with the correct commands?
Samantha Smith asked:

ffleisma (Senior Network Engineer) commented:
Which software version do you have? (show ver).

Assuming 8.3 or higher (and that the ports mentioned are all TCP), here is a sample configuration for port forwarding.
object service PORTFORWARD_TCP389
 service tcp destination eq 389
!
object service PORTFORWARD_TCP25
 service tcp destination eq 25
!
object service PORTFORWARD_TCP443
 service tcp destination eq 443

!
!
object network OBJECT_INTERNAL_IP
 host 10.1.3.10
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_INTERNAL_IP service PORTFORWARD_TCP389 PORTFORWARD_TCP389 unidirectional
nat (outside,inside) 2 source static any any destination static interface OBJECT_INTERNAL_IP service PORTFORWARD_TCP25 PORTFORWARD_TCP25 unidirectional
nat (outside,inside) 3 source static any any destination static interface OBJECT_INTERNAL_IP service PORTFORWARD_TCP443 PORTFORWARD_TCP443 unidirectional
!
!
access-list outside_access_in line 1 extended permit tcp Y.Y.Y.Y m.m.m.m object OBJECT_INTERNAL_IP eq 389 
access-list outside_access_in line 2 extended permit tcp Y.Y.Y.Y m.m.m.m object OBJECT_INTERNAL_IP eq 25 
access-list outside_access_in line 3 extended permit tcp any object OBJECT_INTERNAL_IP eq 443
!
access-group outside_access_in in interface outside

This configuration uses your outside interface public IP for the port forwarding. If you are using a public IP which is different from your outside interface IP, it would look similar but with small changes, as follows:
object network OBJECT_EXTERNAL_IP
 host x.x.x.x
!
object network OBJECT_INTERNAL_IP
 host 10.1.3.10
!
!
nat (outside,inside) 1 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP389 PORTFORWARD_TCP389 unidirectional
nat (outside,inside) 2 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP25 PORTFORWARD_TCP25 unidirectional
nat (outside,inside) 3 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP443 PORTFORWARD_TCP443 unidirectional

Also you'll probably need to remove the existing static NAT you have once you convert to port forwarding.

Hope this helps; if you have further questions, I'd be glad to help you out.

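As an added example (not part of ffleisma's answer or the asker's configuration), here is the object-NAT form that matches the approach the asker started with. A network object can hold only one nat statement, so entering a second `nat ... service tcp ldap ldap` on the same object replaces the earlier smtp rule; giving each forwarded port its own network object for the same host avoids that. The object names, the source addresses 203.0.113.5 and 198.51.100.0/24, and the OUTSIDE_IP placeholder are constructed for this example.

```cisco
! One network object per forwarded port, all pointing at the same host,
! because each object may carry only a single nat statement.
object network SRV_10_1_3_10_HTTPS
 host 10.1.3.10
 nat (inside,outside) static interface service tcp 443 443
!
object network SRV_10_1_3_10_SMTP
 host 10.1.3.10
 nat (inside,outside) static interface service tcp 25 25
!
object network SRV_10_1_3_10_LDAP
 host 10.1.3.10
 nat (inside,outside) static interface service tcp 389 389
!
! Constructed placeholder for the limited set of sources allowed to reach 25 and 389
object-group network SMTP_LDAP_SOURCES
 network-object host 203.0.113.5
 network-object 198.51.100.0 255.255.255.0
!
! On 8.3+ the interface ACL matches the real (inside) address, not the translated one.
access-list outside_access_in extended permit tcp any host 10.1.3.10 eq 443
access-list outside_access_in extended permit tcp object-group SMTP_LDAP_SOURCES host 10.1.3.10 eq 25
access-list outside_access_in extended permit tcp object-group SMTP_LDAP_SOURCES host 10.1.3.10 eq 389
access-group outside_access_in in interface outside
!
! Verification (OUTSIDE_IP = the address of the outside interface):
! all three translations should be listed, and a simulated packet from an
! allowed source should end with "Action: allow", while one from an address
! outside the group should be dropped by the ACL.
! show nat detail
! packet-tracer input outside tcp 203.0.113.5 1025 OUTSIDE_IP 25
! packet-tracer input outside tcp 192.0.2.7 1025 OUTSIDE_IP 25
```

Either this object-NAT form or ffleisma's twice-NAT form works; what matters is that each port gets its own NAT rule and that the ACL, rather than the NAT, is what limits which sources can reach 25 and 389.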
arnold commented:
You are looking at a PAT configuration:
Nat (inside,outside) any any host internal_IP eq portnumber
Repeat the same for the other ports.

There you would need to add access lists to match the incoming ports you want to allow.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15243-19.html