Port forwarding on a Cisco ASA 5512

Hi,  we have a cisco 5512x firewall.  We only have one single static IP from the ISP.
We now need to forward ports 443, 25 and 389 to a server.  10.1.3.10 for example.  443 will be open to everyone, and 25 and 389 to a limited amount of IP addresses.
Using a static NAT entry I can forward these, but only one port at a time, it would seem.  For example, if I forward 25 using nat (outside,inside) static interface service tcp smtp smtp (configuring within the object already created), this will work.  But if I repeat the command using ldap rather than smtp, although that works, smtp then stops working.  I am sure I am missing something silly.
Can anyone assist with the correct commands?
Samantha Smith asked:
arnold commented:
You are looking at a PAT configuration.
Nat (inside,outside) any any host internal_IP eq portnumber
repeat the same for other ports.

There you would need to add access lists to match the incoming ports you want to allow.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15243-19.html
ffleisma (Senior Network Engineer) commented:
Which software version do you have? (show ver)

Assuming 8.3 or higher (and that the ports mentioned are all TCP), here is a sample configuration for port forwarding.
object service PORTFORWARD_TCP389
 service tcp destination eq 389
!
object service PORTFORWARD_TCP25
 service tcp destination eq 25
!
object service PORTFORWARD_TCP443
 service tcp destination eq 443
!
object network OBJECT_INTERNAL_IP
 host 10.1.3.10
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_INTERNAL_IP service PORTFORWARD_TCP389 PORTFORWARD_TCP389 unidirectional
nat (outside,inside) 2 source static any any destination static interface OBJECT_INTERNAL_IP service PORTFORWARD_TCP25 PORTFORWARD_TCP25 unidirectional
nat (outside,inside) 3 source static any any destination static interface OBJECT_INTERNAL_IP service PORTFORWARD_TCP443 PORTFORWARD_TCP443 unidirectional
!
access-list outside_access_in line 1 extended permit tcp Y.Y.Y.Y m.m.m.m object OBJECT_INTERNAL_IP eq 389
access-list outside_access_in line 2 extended permit tcp Y.Y.Y.Y m.m.m.m object OBJECT_INTERNAL_IP eq 25
access-list outside_access_in line 3 extended permit tcp any object OBJECT_INTERNAL_IP eq 443
!
access-group outside_access_in in interface outside

This configuration uses your outside interface's public IP for the port forwarding. If you are using a public IP that is different from your outside interface IP, it would look similar but with a few changes, as follows:
object network OBJECT_EXTERNAL_IP
 host x.x.x.x
!
object network OBJECT_INTERNAL_IP
 host 10.1.3.10
!
nat (outside,inside) 1 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP389 PORTFORWARD_TCP389 unidirectional
nat (outside,inside) 2 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP25 PORTFORWARD_TCP25 unidirectional
nat (outside,inside) 3 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP443 PORTFORWARD_TCP443 unidirectional

Also, you'll probably need to remove the existing static NAT you have once you convert to port forwarding.

Hope this helps; if you have further questions, I'd be glad to help you out.
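As an added check that is not part of this thread's answers: a small Python script that parses an 8.3+ twice-NAT snippet in the form shown above and confirms that every forwarded port also has an outside_access_in entry naming the real (inside) object, flagging restricted ports whose ACL source is any. The sample config is constructed from the answer's snippet with the port 25 ACL line deliberately left out, and 203.0.113.0/24 stands in for the questioner's permitted source range.

```python
import re

# Constructed sample modelled on the 8.3+ snippet above; the ACL line for port 25 is
# deliberately left out so the check has something to flag. 203.0.113.0/24 is a placeholder.
SAMPLE_CONFIG = """\
object service PORTFORWARD_TCP389
 service tcp destination eq 389
object service PORTFORWARD_TCP25
 service tcp destination eq 25
object service PORTFORWARD_TCP443
 service tcp destination eq 443
object network OBJECT_INTERNAL_IP
 host 10.1.3.10
nat (outside,inside) 1 source static any any destination static interface OBJECT_INTERNAL_IP service PORTFORWARD_TCP389 PORTFORWARD_TCP389 unidirectional
nat (outside,inside) 2 source static any any destination static interface OBJECT_INTERNAL_IP service PORTFORWARD_TCP25 PORTFORWARD_TCP25 unidirectional
nat (outside,inside) 3 source static any any destination static interface OBJECT_INTERNAL_IP service PORTFORWARD_TCP443 PORTFORWARD_TCP443 unidirectional
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 object OBJECT_INTERNAL_IP eq 389
access-list outside_access_in extended permit tcp any object OBJECT_INTERNAL_IP eq 443
"""

SVC_RE = re.compile(r"^object service (\S+)\n service tcp destination eq (\d+)", re.M)
NAT_RE = re.compile(r"^nat \(outside,inside\) \d+ source static any any destination static "
                    r"\S+ (\S+) service (\S+) \2\b", re.M)
# On 8.3+ the ACL names the real inside object, not the mapped public IP.
ACL_RE = re.compile(r"^access-list \S+ extended permit tcp (any|\S+ \S+) object (\S+) eq (\d+)", re.M)

def audit_port_forwards(config, restricted_ports=()):
    """Map each NAT-forwarded TCP port to 'ok', 'no-acl' (translated, then dropped
    because no ACL permits it) or 'open-to-any' (a restricted port whose ACL
    source is any)."""
    svc_port = {name: int(port) for name, port in SVC_RE.findall(config)}
    forwards = {(real, svc_port[svc]) for real, svc in NAT_RE.findall(config)}
    permits = {}  # (real object, port) -> list of ACL source specs
    for src, dst, port in ACL_RE.findall(config):
        permits.setdefault((dst, int(port)), []).append(src)
    result = {}
    for real, port in sorted(forwards, key=lambda f: f[1]):
        sources = permits.get((real, port), [])
        if not sources:
            result[port] = "no-acl"
        elif port in restricted_ports and "any" in sources:
            result[port] = "open-to-any"
        else:
            result[port] = "ok"
    return result

if __name__ == "__main__":
    for port, finding in audit_port_forwards(SAMPLE_CONFIG, restricted_ports=(25, 389)).items():
        print(f"tcp/{port}: {finding}")
```

Run against the sample it reports tcp/25 as no-acl, which is exactly the silent failure mode when a NAT rule is added without its matching access-list line.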