snifflepuff

Distinguished
Mar 16, 2011
1
0
18,510
Hi all, we have an ASA 5505 and I need to set up port forwarding for an unusual port number which will be used for FTP on an IIS server.

It's a bit complex as there are 3 VLANs: these are called ISP, Server and LAN-side VPN. We need to add a TCP port 8521 forward from the server's IP in the Server WAN to the ISP WAN VLAN with a public IP address.

As far as I'm aware, normally for simple port forwarding on a 5505 I can do the following:

Code:
configure terminal
object network FTP_Server
host [IP address of the destination server]
nat (inside,outside) static interface service tcp 8521 8521 
exit
access-list inbound permit tcp any object FTP_Server eq 8521
access-group inbound in interface outside
write memory

However, will this work given that we want to forward the port from the IP address of the server in the Server WAN VLAN to a public IP address in the ISP VLAN?

Also, when I try to add a new host IP address for port forwarding on a Cisco ASA 5505:

Code:
conf t
object network FTPServer

(Then I try doing this)

host 192.168.3.211

But it says the syntax is wrong? I don't understand, as I should be able to add the IP address for the new object?

Also I notice at the command prompt I have asa(config-network) as the prompt text, whereas I should have asa(config-network-object) - anyone know why this is happening?

Please let me know?


Brian_tii

Distinguished
Feb 9, 2010
292
0
18,810
What version of the ASA software are you using? <= 8.2 is a lot different than >= 8.3. Ultimately your nat statements will vary with the version of the ASA software. I'm also not 100% clear what you're trying to accomplish. Ultimately you'll need 2 things with NAT with port address translation:

1) You'll need the nat statement to translate the IP / Port

2) You'll need to add an access list and assign it via the access-group command to the interface to allow the traffic from a low security interface to a high security interface.

If you can give some quick examples of exactly what you're trying to accomplish that may make it easier. The vlans aren't so much a concern as all of the 5505 interfaces are ultimately assigned to and designated in terms of vlans. Also I just ran the commands you discussed regarding creating network objects on my home asa 5505 and it worked:

config t
object network blah-deleteme
host 192.168.1.87

Seemed to work fine... I'm running ASA 8.4(1).
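As an added worked example (not code from either post above), here is the complete 8.3+ configuration for the scenario in the question: the server on the Server VLAN reached on TCP 8521 via the public address of the ISP interface, tying together Brian_tii's two pieces (the NAT statement and the ACL plus access-group). The interface names `Server` and `ISP`, the object and ACL names, and the 192.168.3.211 host (taken from the second snippet in the question) are assumptions; substitute the real `nameif` values from `show nameif`. The class-map at the end is a caveat for running FTP on a non-standard port: the default global policy only applies `inspect ftp` to TCP 21, so without it the data connection of an FTP session on 8521 is not tracked or translated.

```cisco
! Added example, not from the thread. Assumes nameif "Server" (higher security level)
! and "ISP" (lower security level, holds the public address). Confirm with: show nameif
configure terminal
!
! 1) Object with the real (private) address and the static PAT to the ISP interface IP.
!    "interface" uses the mapped interface's own address; "service tcp 8521 8521" is
!    real-port mapped-port, so the external port is also 8521.
object network FTP_Server
 host 192.168.3.211
 nat (Server,ISP) static interface service tcp 8521 8521
!
! 2) Inbound ACL on the low-security interface. On 8.3+ the ACL matches the REAL
!    (untranslated) address, which is why it references the object, not the public IP.
access-list ISP_in extended permit tcp any object FTP_Server eq 8521
access-group ISP_in in interface ISP
!
! 3) FTP on a non-standard port: add an inspection class for 8521 to the global policy,
!    otherwise passive/active data channels will be dropped by the firewall.
class-map FTP_8521
 match port tcp eq 8521
policy-map global_policy
 class FTP_8521
  inspect ftp
exit
!
! Verification
show nat
show run object network FTP_Server
packet-tracer input ISP tcp 203.0.113.10 40000 [public IP of ISP interface] 8521
write memory
```

Two things to check if the `host` line is rejected as in the question: `host` is only accepted under `object network` (prompt `(config-network-object)`), whereas a prompt of `(config-network)` is what `object-group network` gives, and that mode expects `network-object host ...` instead. Also, this whole syntax exists only from 8.3 onward; on 8.2 and earlier the equivalent is a `static (Server,ISP) tcp interface 8521 192.168.3.211 8521 netmask 255.255.255.255` line and an ACL written against the public address, so confirm the version with `show version` before pasting either form.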