Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Port forwarding on 5505

Port forwarding on 5505 7 years 9 months ago #29575

  • grh27839
  • grh27839's Avatar
  • Offline
  • New Member
  • Posts: 2
  • Karma: 0
I'm am brand new to the cisco asa 5505. I have it configured and able to ping from inside to outside but need to do port forwarding.

this is a closed network not connected to the internet.

we have a t1 going to a cisco router and we did only have 1 server connected to it. now we have a need for 2 and the addition of a firewall.

with this said we need to split the traffic coming in to 2 ports tcp 9001 going to 1 server and udp 22000 going to another.

please see the config I have so far;

ASA Version 8.0(2)
!
hostname oesmda
enable password ***************encrypted
names
name 192.168.122.254 Motorola description Motorola Router inside
name 10.1.1.10 AVL description Motorola AVL Server
name 10.1.1.11 RADIX description RADIX Mobile Data Server
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.122.11 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service AVL udp
description Motorola AVL Server
port-object eq 22000
object-group service RADIX tcp
description RADIX Mobile Data Server
port-object eq 9001
object-group network Motorola
network-object host Motorola
object-group network internal
network-object 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp host 192.168.122.10 host RADIX eq 9001
access-list outside_access_in extended permit udp host 192.168.122.10 host AVL eq 22000
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) tcp interface 9001 RADIX 9001 netmask 255.255.255.255 d
ns
access-group outside_access_in in interface outside
!
router rip
!
route outside 0.0.0.0 0.0.0.0 Motorola 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns Motorola
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:862beb84fa3689a2fbf1878768ad6f98
: end
oesmda(config)#

any help to set this up will be very much appreciated.

also any recommendation for a good port scanner in order to test it would be helpful to.
The administrator has disabled public write access.

Re: Port forwarding on 5505 7 years 8 months ago #29609

  • Patiot
  • Patiot's Avatar
  • Offline
  • Frequent Member
  • Posts: 45
  • Karma: 0
Pretty simple :


You need 2 static statements to do the job for you :

static (inside,outside) tcp "outside ip" " port1" "inisde server ip" "port" netmask 255.255.255.255
static (inside,outside) tcp "outside ip" " port2" "inisde server ip" "port" netmask 255.255.255.255

And on the outside you need these access-lists

access-list outside_access_in permit tcp any "outside ip " eq port1
access-list outside_access_in permit tcp any "outside ip " eq port2

Here port1 port2 and the ip addresses are their actual values and not the words

Thanks
Patiot
The administrator has disabled public write access.

Thanks 7 years 8 months ago #29614

  • grh27839
  • grh27839's Avatar
  • Offline
  • New Member
  • Posts: 2
  • Karma: 0
I put those lines in but for a couple of things

for access-list outside_access_in permit tcp any "outside ip" eq "port1"

gave me a invalid host address error

so I used the GUI and it wrote the following: access-list outside_access_in extended permit tcp any host "outside ip" eq "port1" adding extended and host. is this correct? I did use the actual outside ip address and port number.

one more question what is a good way to test that this is working before I try to put it in production.

Thanks
The administrator has disabled public write access.

Re: Port forwarding on 5505 7 years 8 months ago #29626

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Yes that is correct.

Best way is to test the application works through the firewall. If you are unable to, then PortPeeker will be able to simulate the TCP port on the inside server and then on a client, telnet to the port through the firewall.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.
Time to create page: 0.083 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup