Forwarding Ports through a Cisco ASA 5505

Hi There,

If someone could help me that would be great. I have a Cisco ASA 5505 that I'm trying to configure to allow any Internet IP Address to come through port 3206 and get to a workstation on the Internal network on the same port.

I've changed my Outside IP in the following information for security sake. Also, I've typically been using the Cisco ASDM utility to perform the configuration as I'm not familiar with many of the command line commands (but feel free to help me via command line instructions if that's what you know).

My setup is like this:

Outside IP = 1.2.3.4
Inside IP = 192.168.0.254

I'm using PAT for my address translation as my client only has one Internet IP address.

We need to initiate a connection from the Internet to port 3206 at IP 192.168.0.206.

I've created a static NAT rule as follows:

Real Address: Interface: inside, IP Address: 192.168.0.206, Netmask: 255.255.255.255

Static Translation: Interface: outside, IP Address: 1.2.3.4

Enable Port Address Translation (PAT): Protocol: tcp, Original Port: 3206, Translated Port: 3206

I think this NAT rule is configured OK (please confirm) and I'm pretty sure that I'm just running into problems with my Access Rules in the Security Policy area.

I've tried creating all kinds of incoming rules on the Outside Interface (have also tried quite a few on the inside interface) but nothing seems to work and I can never make a connection from an external Internet IP Address.

Would it be possible for one of you gurus to give me a detailed description on what security rules I need to create to get this to work? And/or let me know what's wrong with my NAT rule? It seems like no matter what rules I create it just won't work. In part of my testing I've even created incoming rules that permit any source address to any destination address and have applied this to both the IP protocol as well as to tcp port 3206. That still didn't work and I still couldn't get in.

I'm also going to need to map external port 25 to go to 192.168.0.30, but I haven't even tried working on that yet as the mail server is not online yet and so therefore I can't test it very well. But I assume that if I can figure out the forwarding of port 3206 then forwarding port 25 should be a snap.

If someone can give me some instructions on what I need to do to get this working then I'll take you out for some beers (if you live in Vancouver or the surrounding areas) and I'd be eternally thankful.

Let me know if you need more information regarding the setup, etc. This is the first time I've been trying to set up a Cisco device and so I'm not 100% sure what type of information you'll need.

Thanks,

Rich


[Note: there are some details here that would be different on a PIX 6 setup.]

I think this should work:

    static (inside,outside) tcp 1.2.3.4 3206 192.168.0.206 3206 netmask 255.255.255.255
    access-list out2in extended permit tcp any host 1.2.3.4 eq 3206
    access-group out2in in interface outside

For your smtp system, duplicate the static changing the port from 3206 to 25 in both places, and changing the internal IP if necessary, and add another line to out2in duplicating the one shown above but changing the 3206 to 25.

Walter Roberson

Hey Walter,

Thanks for your time and advice. I've entered those commands and the ASA took them OK and I can see the Outside policy in the Security Policy of the ASDM utility. However, I still can't connect to port 3206.

I'm pretty stumped here...

Can you give me the appropriate NAT command as well and I'll try re-inputting that?

I don't know what else to do other than buying a Cisco support contract...

Thanks,

Rich


There is no 'nat' command applicable to the situation. When you want to permit connections inward, you must use 'static'. The only exception to the rule (other than for VPNs) is if you are using identical public and internal addresses and tell the ASA to turn off Network Address Translation for the address by using nat (inside) 0 access-list . But that doesn't apply to you, as you have indicated that you are using private IP addresses internally.

We might be able to see something if you post at least the following kinds of lines from your configuration (obfuscated if you prefer):

- access-group, nat, static, any crypto map 'match address'

- any access-list mentioned in any of the above lines

- ip address

- ip route

When you encounter the problem, what do you see in your syslog when you make a connection attempt? Push your 'logging trap' settings up to at least 'informational' (level 6) to get the whole story.

Walter Roberson
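Walter's two replies describe the two halves of an inbound port forward on a pre-8.3 ASA (a port 'static' plus an inbound access-list applied with 'access-group' on the outside interface) and ask Rich to post exactly those lines. The following added example, which is not from the thread or from Cisco, is a small checker over a constructed copy of such lines that reports which half is missing for a given public ip/port; the config fragment is constructed and the 'out2in' name and addresses are the ones used in the thread.

```python
import re

# Constructed ASA (pre-8.3) configuration fragment for the thread's scenario; the
# SMTP static is present but its access-list line has been left out on purpose.
SAMPLE_CONFIG = """
static (inside,outside) tcp 1.2.3.4 3206 192.168.0.206 3206 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 192.168.0.30 25 netmask 255.255.255.255
access-list out2in extended permit tcp any host 1.2.3.4 eq 3206
access-group out2in in interface outside
"""

# Only the line shapes used in the thread are parsed; anything else is ignored.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp|ip) any host (\S+)(?: eq (\d+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def check_forward(config, proto, public_ip, port, outside="outside"):
    """Return the list of reasons an inbound proto/port to public_ip would fail.

    An empty list means both halves of a pre-8.3 port forward are present: a port
    static mapping the public socket to an inside host, and an inbound access-list
    on the outside interface permitting it (matched against the public address).
    """
    statics, acls, groups = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)

    problems = []
    hit = [s for s in statics
           if s[1] == outside and s[2] == proto and s[3] == public_ip and int(s[4]) == port]
    if not hit:
        problems.append(f"no static maps {proto}/{port} on {public_ip} to an inside host")

    acl_name = groups.get(outside)
    if acl_name is None:
        problems.append(f"no access-group is applied inbound on interface {outside}")
    elif not any(p in (proto, "ip") and host == public_ip and (eq is None or int(eq) == port)
                 for p, host, eq in acls.get(acl_name, [])):
        problems.append(f"access-list {acl_name} has no line permitting {proto}/{port} to host {public_ip}")
    return problems


if __name__ == "__main__":
    for p in (3206, 25):
        print(p, check_forward(SAMPLE_CONFIG, "tcp", "1.2.3.4", p) or "ok")
```

Run against the real 'show running-config' output, the same two checks tell you whether the missing piece is the static or the access-list before you start reading syslog at level 6.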
