TOPIC: Port forwarding on 5505

Port forwarding on 5505 9 years 11 months ago #29575

I am brand new to the Cisco ASA 5505. I have it configured and able to ping from inside to outside but need to do port forwarding.

This is a closed network not connected to the Internet.

We have a T1 going to a Cisco router and we did only have 1 server connected to it. Now we have a need for 2 and the addition of a firewall.

With this said, we need to split the traffic coming in to 2 ports: TCP 9001 going to 1 server and UDP 22000 going to another.

Please see the config I have so far:

ASA Version 8.0(2)
hostname oesmda
enable password ***************encrypted
name Motorola description Motorola Router inside
name AVL description Motorola AVL Server
name RADIX description RADIX Mobile Data Server
interface Vlan1
nameif inside
security-level 100
ip address
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service AVL udp
description Motorola AVL Server
port-object eq 22000
object-group service RADIX tcp
description RADIX Mobile Data Server
port-object eq 9001
object-group network Motorola
network-object host Motorola
object-group network internal
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp host host RADIX eq 9001
access-list outside_access_in extended permit udp host host AVL eq 22000
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 dns
static (inside,outside) tcp interface 9001 RADIX 9001 netmask d
access-group outside_access_in in interface outside
router rip
route outside Motorola 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns Motorola
dhcpd auto_config outside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
: end

Any help to set this up will be very much appreciated.

Also, any recommendation for a good port scanner in order to test it would be helpful too.

Re: Port forwarding on 5505 9 years 11 months ago #29609

Pretty simple:

You need 2 static statements to do the job for you:

static (inside,outside) tcp "outside ip" "port1" "inside server ip" "port" netmask
static (inside,outside) tcp "outside ip" "port2" "inside server ip" "port" netmask

And on the outside you need these access-lists:

access-list outside_access_in permit tcp any "outside ip" eq port1
access-list outside_access_in permit tcp any "outside ip" eq port2

Here port1, port2 and the IP addresses are their actual values and not the words.


Thanks 9 years 11 months ago #29614

I put those lines in but for a couple of things.

For access-list outside_access_in permit tcp any "outside ip" eq "port1"

it gave me an invalid host address error,

so I used the GUI and it wrote the following: access-list outside_access_in extended permit tcp any host "outside ip" eq "port1", adding extended and host. Is this correct? I did use the actual outside IP address and port number.

One more question: what is a good way to test that this is working before I try to put it in production?


Re: Port forwarding on 5505 9 years 11 months ago #29626

  • Smurf
Yes that is correct.

Best way is to test the application works through the firewall. If you are unable to, then PortPeeker will be able to simulate the TCP port on the inside server and then on a client, telnet to the port through the firewall.
Wayne Murphy Team Member

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit or PM me for details.
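
A way to run the test described in the last reply when the real applications are not available, as an added example that is not part of the original posts: echo listeners stand in for the inside servers, and a probe run from an outside client reports whether TCP 9001 and UDP 22000 make the round trip through the ASA, including the UDP port that telnet cannot test. The `TOKEN` payload, the function names and the command-line usage are assumptions of this example.

```python
import contextlib
import socket
import sys
import threading

TCP_PORT, UDP_PORT = 9001, 22000   # ports named in the thread
TOKEN = b"asa-forward-test"        # constructed marker payload (assumption)

def start_tcp_listener(host, port):   # stand-in for the inside TCP server
    srv = socket.create_server((host, port))
    def loop():
        while True:
            conn, _ = srv.accept()
            # Echo the first bytes; a client reset must not stop the listener.
            with conn, contextlib.suppress(OSError):
                conn.sendall(conn.recv(1024))
    threading.Thread(target=loop, daemon=True).start()
    return srv

def start_udp_listener(host, port):   # stand-in for the inside UDP server
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, port))
    def loop():
        while True:
            data, peer = srv.recvfrom(1024)
            srv.sendto(data, peer)    # echo each datagram to its sender
    threading.Thread(target=loop, daemon=True).start()
    return srv

def probe(proto, host, port, timeout=2.0):
    """True only if TOKEN is echoed back, i.e. traffic passed in both directions."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))   # for UDP this only fixes the peer address
            s.sendall(TOKEN)
            return s.recv(1024) == TOKEN
        except OSError:               # refused, unreachable or timed out
            return False

if __name__ == "__main__":
    if len(sys.argv) > 1:             # outside client: <script> <outside ip>
        for proto, port in (("tcp", TCP_PORT), ("udp", UDP_PORT)):
            print(proto, port, "OK" if probe(proto, sys.argv[1], port) else "FAILED")
    else:                             # inside server: no arguments
        start_tcp_listener("0.0.0.0", TCP_PORT)
        start_udp_listener("0.0.0.0", UDP_PORT)
        input("listening on 9001/tcp and 22000/udp; press Enter to stop\n")
```

Run it with no arguments on each inside server while the real service is stopped, then with the ASA outside address as the only argument on an outside client. A FAILED result for UDP only means no echo came back within the timeout, so it does not by itself tell a dropped packet from a missing listener.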