Forwarding Ports through a Cisco ASA 5505

Discussion in 'Cisco' started by logicalrich@hotmail.com, Jan 31, 2007.

  1. Guest

    Hi There,

    If someone could help me that would be great. I have a Cisco ASA 5505
    that I'm trying to configure to allow any Internet IP Address to come
    through port 3206 and get to a workstation on the Internal network on
    the same port.

    I've changed my Outside IP in the following information for security
    sake. Also, I've typically been using the Cisco ASDM utility to
    perform the configuration as I'm not familiar with many of the command
    line commands (but feel free to help me via command line instructions
    if that's what you know).

    My setup is like this:
    Outside IP = 1.2.3.4
    Inside IP = 192.168.0.254
    I'm using PAT for my address translation as my client only has one
    Internet IP address.

    We need to initiate a connection from the Internet to port 3206 at IP
    192.168.0.206.


    I've created a static NAT rule as follows:

    Real Address:
    Interface: inside IP Address: 192.168.0.206 Netmask:
    255.255.255.255

    Static Translation:
    Interface: outside IP Address: 1.2.3.4

    Enable Port Address Translation (PAT):
    Protocol: tcp Original Port: 3206 Translated Port: 3206

    I think this NAT rule is configured OK (please confirm) and I'm pretty
    sure that I'm just running into problems with my Access Rules in the
    Security Policy area.

    I've tried creating all kinds of incoming rules on the Outside
    Interface (have also tried quite a few on the inside interface) but
    nothing seems to work and I can never make a connection from an
    external Internet IP Address.

    Would it be possible for one of you gurus to give me a detailed
    description on what security rules I need to create to get this to
    work? And/or let me know what's wrong with my NAT rule? It seems like
    no matter what rules I create it just won't work. In part of my
    testing I've even created incoming rules that permit any source
    address to any destination address and have applied this to both the
    IP protocol as well as to tcp port 3206. That still didn't work and I
    still couldn't get in.

    I'm also going to need to map external port 25 to go to 192.168.0.30,
    but I haven't even tried working on that yet as the mail server is not
    online yet and so therefore I can't test it very well. But I assume
    that if I can figure out the forwarding of port 3206 then forwarding
    port 25 should be a snap.


    If someone can give me some instructions on what I need to do to get
    this working then I'll take you out for some beers (if you live in
    Vancouver or the surrounding areas) and I'd be eternally thankful.

    Let me know if you need more information regarding the setup, etc.
    This is the first time I've been trying to set up a Cisco device and
    so I'm not 100% sure what type of information you'll need.

    Thanks,

    Rich
     
    , Jan 31, 2007
    #1

  2. In article <>,
    <> wrote:

    >If someone could help me that would be great. I have a Cisco ASA 5505
    >that I'm trying to configure to allow any Internet IP Address to come
    >through port 3206 and get to a workstation on the Internal network on
    >the same port.


    >My setup is like this:
    >Outside IP = 1.2.3.4
    >Inside IP = 192.168.0.254
    >I'm using PAT for my address translation as my client only has one
    >Internet IP address.


    >We need to initiate a connection from the Internet to port 3206 at IP
    >192.168.0.206.


    [Note: there are some details here that would be different on
    a PIX 6 setup.]

    I think this should work:

    static (inside,outside) tcp 1.2.3.4 3206 192.168.0.206 3206 netmask 255.255.255.255
    access-list out2in extended permit tcp any host 1.2.3.4 eq 3206
    access-group out2in in interface outside

    For your smtp system, duplicate the static, changing the port 3206 to 25
    in both places, and changing the internal IP if necessary, and
    add another line to out2in duplicating the one shown above but
    changing the 3206 to 25.
     
    Walter Roberson, Feb 1, 2007
    #2
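The three lines above have to agree with each other: the static defines the mapped address and port, the access-list must permit exactly that mapped address and port, and the access-group must bind that list inbound on the mapped interface. The checker below is an added example (not from the thread or from Cisco); it parses pre-8.3 `static` / `access-list` / `access-group` lines in the syntax Walter posted and reports the mismatches that most often leave a forward dead, including an ACL written against the real inside address instead of the mapped one.

```python
import re
# Constructed sample: the three lines Walter posted in this thread (pre-8.3 ASA syntax).
SAMPLE_CONFIG = """
static (inside,outside) tcp 1.2.3.4 3206 192.168.0.206 3206 netmask 255.255.255.255
access-list out2in extended permit tcp any host 1.2.3.4 eq 3206
access-group out2in in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>[\d.]+) (?P<mapped_port>\d+) (?P<real_ip>[\d.]+) (?P<real_port>\d+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) any "
    r"host (?P<dst>[\d.]+) eq (?P<port>\d+)"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")

def parse(config):
    """Split a config fragment into statics, ACL entries and per-interface ACL bindings."""
    statics, acls, groups = [], [], {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
    return statics, acls, groups

def check_port_forward(config):
    """Return a list of problems; empty means every static is reachable through its inbound ACL."""
    statics, acls, groups = parse(config)
    problems = []
    for s in statics:
        acl_name = groups.get(s["mapped_if"])
        if acl_name is None:
            problems.append(f"no access-group applied inbound on {s['mapped_if']}")
            continue
        entries = [a for a in acls if a["name"] == acl_name]
        if not any(a["proto"] == s["proto"] and a["dst"] == s["mapped_ip"]
                   and a["port"] == s["mapped_port"] for a in entries):
            problems.append(f"ACL {acl_name} has no permit for {s['proto']} {s['mapped_ip']}:{s['mapped_port']}")
        # Pre-8.3 ASA checks the inbound ACL against the mapped (public) address, not the real host.
        if any(a["dst"] == s["real_ip"] for a in entries):
            problems.append(f"ACL {acl_name} names the real address {s['real_ip']}; use the mapped address {s['mapped_ip']}")
    return problems
```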

  3. Rich Guest

    On Feb 1, 9:37 am, (Walter Roberson) wrote:
    > In article <>,
    >
    > <> wrote:
    > >If someone could help me that would be great. I have a Cisco ASA 5505
    > >that I'm trying to configure to allow any Internet IP Address to come
    > >through port 3206 and get to a workstation on the Internal network on
    > >the same port.
    > >My setup is like this:
    > >Outside IP = 1.2.3.4
    > >Inside IP = 192.168.0.254
    > >I'm using PAT for my address translation as my client only has one
    > >Internet IP address.
    > >We need to initiate a connection from the Internet to port 3206 at IP
    > >192.168.0.206.

    >
    > [Note: there are some details here that would be different on
    > a PIX 6 setup.]
    >
    > I think this should work:
    >
    > static (inside,outside) tcp 1.2.3.4 3206 192.168.0.206 3206 netmask 255.255.255.255
    > access-list out2in extended permit tcp any host 1.2.3.4 eq 3206
    > access-group out2in in interface outside
    >
    > For your smtp system, duplicate the static, changing the port 3206 to 25
    > in both places, and changing the internal IP if necessary, and
    > add another line to out2in duplicating the one shown above but
    > changing the 3206 to 25.


    Hey Walter,

    Thanks for your time and advice. I've entered those commands and the
    ASA took them OK and I can see the Outside policy in the Security
    Policy of the ASDM utility. However, I still can't connect to port
    3206.

    I'm pretty stumped here...

    Can you give me the appropriate NAT command as well and I'll try re-
    inputting that?

    I don't know what else to do other than buying a Cisco support
    contract...


    Thanks,

    Rich
     
    Rich, Feb 2, 2007
    #3
  4. In article <>,
    Rich <> wrote:
    >On Feb 1, 9:37 am, (Walter Roberson) wrote:
    >> In article <>,
    >> <> wrote:
    >> >If someone could help me that would be great. I have a Cisco ASA 5505
    >> >that I'm trying to configure to allow any Internet IP Address to come
    >> >through port 3206 and get to a workstation on the Internal network on
    >> >the same port.


    >> I think this should work:


    >Thanks for your time and advice. I've entered those commands and the
    >ASA took them OK and I can see the Outside policy in the Security
    >Policy of the ASDM utility. However, I still can't connect to port
    >3206.


    >Can you give me the appropriate NAT command as well and I'll try re-
    >inputting that?


    There is no 'nat' command applicable to the situation. When you
    want to permit connections inward, you must use 'static'. The
    only exception to the rule (other than for VPNs) is if you
    are using identical public and internal addresses and tell the ASA
    to turn off Network Address Translation for the address by using
    nat (inside) 0 access-list . But that doesn't apply to you, as you
    have indicated that you are using private IP addresses internally.


    We might be able to see something if you post at least the following
    kinds of lines from your configuration (obfuscated if you prefer):

    - access-group, nat, static, any crypto map 'match address'
    - any access-list mentioned in any of the above lines
    - ip address
    - ip route


    When you encounter the problem, what do you see in your syslog when
    you make a connection attempt? Push your 'logging trap' settings up
    to at least 'informational' (level 6) to get the whole story.
     
    Walter Roberson, Feb 2, 2007
    #4
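Once logging is at level 6 the ASA itself says which stage dropped the attempt: a 305005 means no static matched the destination, a 106023 means the ACL dropped it, and a 302013 means both passed and the connection was built. The triage script below is an added example (not from the thread); the syslog lines in it are constructed samples in the standard ASA message format, and the message IDs are the stock ASA syslog IDs for those events.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread) showing the outcomes a
# connection attempt to the forwarded port can produce on an ASA at logging level 6.
SAMPLE_SYSLOG = """
%ASA-3-305005: No translation group found for tcp src outside:203.0.113.7/51234 dst outside:1.2.3.4/3206
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51235 dst outside:1.2.3.4/3206 by access-group "out2in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.7/51236 (203.0.113.7/51236) to inside:192.168.0.206/3206 (1.2.3.4/3206)
%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.7/51236 to inside:192.168.0.206/3206 duration 0:00:02 bytes 812 TCP FINs
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
# What each message ID tells you about the port-forward
VERDICTS = {
    "305005": "no static/nat matches the destination: fix the translation",
    "106023": "ACL dropped it: check the access-list/access-group",
    "302013": "translation and ACL both passed: connection was built",
}

def triage(syslog_text, port):
    """Count events per message ID whose destination port is `port` and
    return (counter, verdicts) with verdicts in order of first occurrence."""
    counter = Counter()
    verdicts = []
    for line in syslog_text.strip().splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        # only keep events aimed at the forwarded port (dst ... for drops, to ... for built/teardown)
        if not re.search(rf"(dst|to) \w+:[\d.]+/{port}\b", m["text"]):
            continue
        counter[m["id"]] += 1
        verdict = VERDICTS.get(m["id"])
        if verdict and verdict not in verdicts:
            verdicts.append(verdict)
    return counter, verdicts
```

Feed it the output of `show logging` (or the trap receiver's file) and the forwarded port; a run that shows only 305005 or only 106023 points at the static or the ACL respectively.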