Forwarding Ports through a Cisco ASA 5505

Discussion in 'Cisco' started by logicalrich, Jan 31, 2007.

  1. logicalrich

    logicalrich Guest

    Hi There,

    If someone could help me that would be great. I have a Cisco ASA 5505
    that I'm trying to configure to allow any Internet IP Address to come
    through port 3206 and get to a workstation on the Internal network on
    the same port.

    I've changed my Outside IP in the following information for security
    sake. Also, I've typically been using the Cisco ASDM utility to
    perform the configuration as I'm not familiar with many of the command
    line commands (but feel free to help me via command line instructions
    if that's what you know).

    My setup is like this:
    Outside IP =
    Inside IP =
    I'm using PAT for my address translation as my client only has one
    Internet IP address.

    We need to initiate a connection from the Internet to port 3206 at IP

    I've created a static NAT rule as follows:

    Real Address:
    Interface: inside IP Address: Netmask:

    Static Translation:
    Interface: outside IP Address:

    Enable Port Address Translation (PAT):
    Protocol: tcp Original Port: 3206 Translated Port: 3206

    I think this NAT rule is configured OK (please confirm) and I'm pretty
    sure that I'm just running into problems with my Access Rules in the
    Security Policy area.

    I've tried creating all kinds of incoming rules on the Outside
    Interface (have also tried quite a few on the inside interface) but
    nothing seems to work and I can never make a connection from an
    external Internet IP Address.

    Would it be possible for one of you gurus to give me a detailed
    description on what security rules I need to create to get this to
    work? And/or let me know what's wrong with my NAT rule? It seems like
    no matter what rules I create it just won't work. In part of my
    testing I've even created incoming rules that permit any source
    address to any destination address and have applied this to both the
    IP protocol as well as to tcp port 3206. That still didn't work and I
    still couldn't get in.

    I'm also going to need to map external port 25 to go to,
    but I haven't even tried working on that yet as the mail server is not
    online yet and so therefore I can't test it very well. But I assume
    that if I can figure out the forwarding of port 3206 then forwarding
    port 25 should be a snap.

    If someone can give me some instructions on what I need to do to get
    this working then I'll take you out for some beers (if you live in
    Vancouver or the surrounding areas) and I'd be eternally thankful.

    Let me know if you need more information regarding the setup, etc.
    This is the first time I've been trying to set up a Cisco device and
    so I'm not 100% sure what type of information you'll need.


    logicalrich, Jan 31, 2007

  2. [Note: there are some details here that would be different on
    a PIX 6 setup.]

    I think this should work:

    static (inside,outside) tcp 3206 3206 netmask
    access-list out2in extended permit tcp any host eq 3206
    access-group out2in in interface outside

    For your smtp system, duplicate the static, changing the port from 3206 to 25
    in both places, and changing the internal IP if necessary, and
    add another line to out2in duplicating the one shown above but
    changing the 3206 to 25.
    Walter Roberson, Feb 1, 2007

  3. logicalrich

    Rich Guest

    Hey Walter,

    Thanks for your time and advice. I've entered those commands and the
    ASA took them OK and I can see the Outside policy in the Security
    Policy of the ASDM utility. However, I still can't connect to port

    I'm pretty stumped here...

    Can you give me the appropriate NAT command as well and I'll try re-
    inputting that?

    I don't know what else to do other than buying a Cisco support


    Rich, Feb 2, 2007
  4. There is no 'nat' command applicable to the situation. When you
    want to permit connections inward, you must use 'static'. The
    only exception to the rule (other than for VPNs) is if you
    are using identical public and internal addresses and tell the ASA
    to turn off Network Address Translation for the address by using
    nat (inside) 0 access-list . But that doesn't apply to you, as you
    have indicated that you are using private IP addresses internally.

    We might be able to see something if you post at least the following
    kinds of lines from your configuration (obfuscated if you prefer):

    - access-group, nat, static, any crypto map 'match address'
    - any access-list mentioned in any of the above lines
    - ip address
    - ip route

    When you encounter the problem, what do you see in your syslog when
    you make a connection attempt? Push your 'logging trap' settings up
    to at least 'informational' (level 6) to get the whole story.
    Walter Roberson, Feb 2, 2007
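    An added sanity check, not from the thread: a small Python script that reads the lines Walter asks for (static, access-list, access-group, logging trap) and reports whether each inbound static has a matching permit on the ACL bound inbound on its outside interface, and whether logging trap is at informational or above so denied attempts show up in syslog. The sample config and the 203.0.113.10 / 192.168.1.x addresses are constructed placeholders.

```python
import re

# Constructed sample config, not the poster's; 203.0.113.10 / 192.168.1.x stand in for the redacted IPs.
SAMPLE_CONFIG = """
static (inside,outside) tcp 203.0.113.10 3206 192.168.1.20 3206 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 25 192.168.1.25 25 netmask 255.255.255.255
access-list out2in extended permit tcp any host 203.0.113.10 eq 3206
access-group out2in in interface outside
logging trap warnings
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp|ip) any host (\S+)(?: eq (\d+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
LOG_RE = re.compile(r"^logging trap (\S+)")
LOG_LEVELS = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

def trap_level(word):
    # 'logging trap' takes either the keyword or the numeric level 0-7
    return int(word) if word.isdigit() else LOG_LEVELS.index(word)

def audit(config):
    """Return findings; an empty list means each inbound static is reachable and logged."""
    statics, acls, groups, trap = [], [], {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(dict(outside=m[2], proto=m[3], pub=m[4], port=int(m[5])))
        elif m := ACL_RE.match(line):  # only the 'permit ... any host X eq P' shape from the thread
            acls.append(dict(name=m[1], proto=m[2], host=m[3], port=int(m[4]) if m[4] else None))
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]  # interface -> ACL applied inbound
        elif m := LOG_RE.match(line):
            trap = m[1]
    findings = []
    for s in statics:
        acl = groups.get(s["outside"])
        if acl is None:
            findings.append(f"no access-group on {s['outside']}: {s['pub']}:{s['port']} unreachable")
            continue
        permitted = any(a["name"] == acl and a["host"] == s["pub"] and a["proto"] in (s["proto"], "ip")
                        and a["port"] in (None, s["port"]) for a in acls)
        if not permitted:
            findings.append(f"{s['pub']}:{s['port']}/{s['proto']}: static has no permit in ACL {acl}")
    if trap is None or trap_level(trap) < trap_level("informational"):
        findings.append("logging trap below informational: denied connection attempts will not be logged")
    return findings
```

    Run it against the obfuscated lines from 'show running-config'; on the sample it flags the port 25 static that has no ACL permit and the too-low logging level.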
