ASA 5505 running 9.2(1) Port Forwarding

A question that's been asked millions of times, and all my Google searches and YouTube videos still don't get me to where I need to be. The site has a single outside IP.

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 32123, untranslate_hits = 4385

Manual NAT Policies (Section 3)
1 (dmz) to (outside) source dynamic obj_any interface
    translate_hits = 45677, untranslate_hits = 5205

I need to forward 80 and 443 to an inside IP of 10.10.1.246.
I need to forward 8080 to inside IP 172.16.10.100.
I also need corresponding access-list entries. None of mine seem to be working (I can't even get the hitcnt to show the attempt), so I'm leaving them out of this post.

There is a layer 3 switch doing routing of several subnets behind the inside interface.

Thanks for the help!
newimagentAsked:

vallegdCommented:
You need a PUBLIC IP for doing that port translation.

To be secure, I would define the PAT with a PUBLIC IP, the one that you have assigned to your dynamic interface, so whenever someone is hitting 216.X.X.10 the path would work, translating the PUBLIC IP to the INTERNAL IP on the CORRESPONDING PORTS.

I'm supposing that your PUBLIC IP is 216.x.x.10 (you need to replace it with your real public IP).


--Configuring the public IP with a name to be used in the PAT

name 216.x.x.10 PUBLIC_IP

static (inside,outside) tcp PUBLIC_IP 80 10.10.1.246 80 netmask 255.255.255.255
static (inside,outside) tcp PUBLIC_IP 443 10.10.1.246 443 netmask 255.255.255.255

access-list out_in extended permit tcp any any eq 80
access-list out_in extended permit tcp any any eq 443

access-group out_in in interface outside
-----------------------------------------------------------------------------------------------------------------------------------

static (dmz,outside) tcp PUBLIC_IP 80 172.16.10.100 80 netmask 255.255.255.255
static (dmz,outside) tcp PUBLIC_IP 8080 172.16.10.100 8080 netmask 255.255.255.255

access-list dmz_in extended permit tcp any any eq 80
access-list dmz_in extended permit tcp any any eq 8080

access-group dmz_in in interface dmz

Let me know your comments, or if you need me to fix it for you, you will need to send me your configuration.

Let me know..
newimagentAuthor Commented:
ciscoasa(config)# static (inside,outside) tcp PUBLIC_IP 80 10.10.1.246 80 netmask 255.255.255.255
ERROR: This syntax of nat command has been deprecated.


It looks like I need some newer syntax.
vallegdCommented:
FOR VERSION 9.1

object network PUBLIC-IP
 host 216.X.X.10  <- REPLACE THIS WITH YOUR ACTUAL PUBLIC IP

object network obj-10.10.1.246
 host 10.10.1.246

object network obj-172.16.10.100
 host 172.16.10.100


nat (inside,outside) source static obj-10.10.1.246 PUBLIC-IP
nat (inside,outside) source static obj-10.10.1.246 PUBLIC-IP

access-list out_in extended permit tcp any any eq 80
access-list out_in extended permit tcp any any eq 443

access-group out_in in interface outside

------------------------------------------------------------------------------------------------------------------------------------------------

nat (dmz,outside) source static obj-172.16.10.100 PUBLIC-IP
nat (dmz,outside) source static obj-172.16.10.100 PUBLIC-IP

access-list dmz_in extended permit tcp any any eq 80
access-list dmz_in extended permit tcp any any eq 8080

access-group dmz_in in interface dmz

Let me know your comments

newimagentAuthor Commented:
ciscoasa(config-network-object)# nat (inside,outside) source static KenH-mgmt $
ERROR: Address PUBLIC-IP overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
vallegdCommented:
Try in this way ...

object network obj-10.10.1.246
 host 10.10.1.246
nat (inside,outside) dynamic interface

object network obj-172.16.10.100
 host 172.16.10.100
nat (dmz,outside) dynamic interface


access-list out_in extended permit tcp any any eq 80
access-list out_in extended permit tcp any any eq 443

access-list dmz_in extended permit tcp any any eq 80
access-list dmz_in extended permit tcp any any eq 8080


access-group dmz_in in interface dmz
access-group out_in in interface outside
newimagentAuthor Commented:
This was a real pain in the ass to figure out. I really dislike the way configuring Cisco PIX/ASA is like a big guessing game. You clued me in with the object-based config in the last post.

object network KenH-mgmt
host 10.10.1.246
nat (inside,outside) static interface service tcp 80 80

I used the ASDM source any, destination KenH-mgmt, service www for the access list.

Thanks for the help!
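The accepted answer shows the ASA 9.x object NAT line for a single port. Below is an added example (not posted by anyone in this thread) that generalizes it to all three forwards from the question, using the outside interface address as the mapped IP, and adds the inbound ACL that goes with it. Object names, the ACL name `outside_access_in`, the placeholder addresses in the verification lines, and the choice of the `inside` interface for 172.16.10.100 (the question says it is an inside IP routed by the L3 switch; the other answers put it on `dmz`) are assumptions.

```cisco
! Added example, not from this thread: ASA 9.x (post-8.3 NAT) port forwards
! to the outside interface address. Object and ACL names are assumptions.
! One network object per forwarded port: an object can carry only one nat line.
object network SRV-10.10.1.246-HTTP
 host 10.10.1.246
 nat (inside,outside) static interface service tcp 80 80
!
object network SRV-10.10.1.246-HTTPS
 host 10.10.1.246
 nat (inside,outside) static interface service tcp 443 443
!
! 172.16.10.100 is treated as behind "inside" per the question; change the
! interface pair to (dmz,outside) if the host actually sits on the dmz.
object network SRV-172.16.10.100-8080
 host 172.16.10.100
 nat (inside,outside) static interface service tcp 8080 8080
!
! Since ASA 8.3 the inbound ACL is evaluated against the REAL (untranslated)
! destination, so reference the inside host objects and permit only the
! forwarded ports instead of "permit tcp any any eq 80".
access-list outside_access_in extended permit tcp any object SRV-10.10.1.246-HTTP eq 80
access-list outside_access_in extended permit tcp any object SRV-10.10.1.246-HTTPS eq 443
access-list outside_access_in extended permit tcp any object SRV-172.16.10.100-8080 eq 8080
access-group outside_access_in in interface outside
!
! Verification from exec mode. 203.0.113.5 is a placeholder for the outside
! interface address; 198.51.100.7 is a constructed Internet client.
! show nat detail                      -> translate_hits / untranslate_hits
! show access-list outside_access_in   -> hitcnt per ACE
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.5 80
```

These static object NAT rules land in Section 2 ahead of the existing `obj_any` dynamic interface PAT (static rules are ordered before dynamic ones within the section), so the outbound PAT for everything else keeps working. `packet-tracer` walks the packet through untranslate, the ACL and routing and reports the phase that drops it, which is the quickest way to see why an ACE never shows a hitcnt.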

newimagentAuthor Commented:
My comment is a template for the exact syntax necessary to use the interface IP with port forwarding to pass traffic from the Internet into your network.