Sign-in / Sign-up
Your question

Adding port forwarding on Cisco ASA

Tags:
  • Routers
  • Port Forwarding
  • Internet Service Providers
  • Servers
  • Networking
Last response: in Networking
March 16, 2011 3:52:12 PM

Hi all, we have an ASA 5505 and I need to set up port forwarding for an unusual

port number which will be used for FTP on an IIS server.

It's a bit complex as there are 3 VLANs: these are called ISP, Server and LAN-

side VPN. We need to add a TCP port 8521 forward from the server's IP in Server

WAN to ISP WAN VLAN with public IP address.

As far as I'm aware, normally for simple port forwarding on a 5505 I can do the

following:

  1. configure terminal
  2. object network FTP_Server
  3. host [IP address of the destination server]
  4. nat (inside,outside) static interface service tcp 8521 8521
  5. exit
  6. access-list inbound permit tcp any object FTP_Server eq 8521
  7. access-group inbound in interface outside
  8. write memory


However, will this work given that we want to forward the port from the IP

address of the server in the Server WAN VLAN, to a public IP address in the ISP

VLAN?

Also when I try to add a new host IP address for port forwarding on a Cisco ASA

5505:

  1. conf t
  2. object network FTPServer


(Then I try doing this)

host 192.168.3.211

But it says the syntax is wrong? I don't understand as I should be able to add

the IP address for the new object?

Also I notice at the command prompt I have asa (config-network) as the prompt

text, whereas I should have asa (config-network-object) - anyone know why this

is happening?

Please let me know?


More about : adding port forwarding cisco asa

March 20, 2011 2:36:40 AM

What version of the ASA software are you using? <= 8.2 is a lot different than >= 8.3. Ultimately your nat statements will vary with the version of the ASA software. I'm also not 100% clear what you're trying to accomplish. Ultimately you'll need 2 things with NAT with port address translation:

1) You'll need the nat statement to translate the IP / Port

2) You'll need to add an access list and assign it via the access-group command to the interface to allow the traffic from a low security interface to a high security interface.

If you can give some quick examples of exactly what you're trying to accomplish that may make it easier. The vlans aren't so much a concern as all of the 5505 interfaces are ultimately assigned to and designated in terms of vlans. Also I just ran the commands you discussed regarding creating network objects on my home asa 5505 and it worked:

config t
object network blah-deleteme
host 192.168.1.87

Seemed to work fine... I'm running ASA 8.4(1).