Cisco Firewall :: ASA 5520 Address Translation And Port Forwarding

Oct 31, 2011

I am trying to correctly configure our ASA 5520 and our Mitel Border Gateway in our DMZ. In the documentation for the Mitel Border Gateway it wants me to set up 2 external IPs on my ASA, one to allow 443 traffic into the MBG, and another for 443 traffic that needs to be forwarded to port 4443 for the MBG in the DMZ. My problem is I don't know how to do this. The MBG only has one IP, and I need to have 2 different URLs mapped to two different external IPs, both externally using port 443, and one of them forwarding to 4443 on the DMZ interface.

View 10 Replies



Cisco Firewall :: ASA 8.3(2) / PAT Interface Address With Static NAT Port Translation?

Aug 22, 2011

I have an 8.3(2) ASA with a single outside IP. Dynamic PAT translates inside addresses to the outside interface address. I would like to use static NAT with port translation to access an inside syslog server. I got an error when I tried using the outside interface address. Can I use both dynamic PAT and Port Translation with the same outside address? This is what I would like to use, but I receive an error saying there is an overlap using the outside interface address. (192.168.1.0 is my inside network. 10.10.1.10 is the outside interface IP.)
 
object network inside-net
  subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) dynamic interface
object network SYSLOG_SERVER
  host 192.168.1.50
  nat (inside,outside) static 10.10.1.10 service tcp ssh ssh

View 6 Replies View Related

Cisco Firewall :: Port Forwarding In ASA 5520?

Oct 3, 2012

I am trying to forward all the traffic of a particular port number to my outside interface forwarded to an internal IP address.

View 1 Replies View Related

Cisco Firewall :: Asa 5520 Port Forwarding On Mpls Link

May 26, 2012

I have a Cisco ASA 5520 with internet access on a public IP, and a Cisco 2911 with an MPLS link, in my office. The MPLS link is between my HO and my branch. I am putting my web server on the branch side. I want to port forward one of the public IPs in my office to the branch web server. Is it possible on the firewall outside the local network?

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Port Forwarding With Different IP Address

Dec 27, 2011

I have a Cisco ASA 5505 firewall with the Security Plus license. Currently I open ports 25, 80 and 443 on public IP address 1.1.1.1 and perform static NAT between the inside and outside IP addresses, as I configured via CLI:
  
access-list OUT_IN extended  permit tcp any host 1.1.1.1 eq  80
access-list OUT_IN extended  permit tcp any host 1.1.1.1 eq  443
access-list OUT_IN extended  permit tcp any host 1.1.1.1 eq  25

[Code]......

View 1 Replies View Related

Cisco Firewall :: 3074 Port Forwarding For A Single IP Address

May 28, 2013

I need the following ports forwarded for a single IP address: Port 88 (UDP), Port 3074 (UDP and TCP), Port 53 (UDP and TCP), Port 80 (TCP). Is there an easy way to do it with service objects/groups?

View 7 Replies View Related

Cisco Firewall :: ASA 5520 Nat Translation Max?

Aug 24, 2012

I am going with an ASA 5520 and want to know how many NAT translations are possible.

View 2 Replies View Related

Home Network :: Static Port Address Translation?

Mar 24, 2011

In my router I can set a rule that all traffic incoming to the router's extAddr:8888 is forwarded to my intAddr:8888. But I also need a reverse rule so that packets originating from intAddr:8888 are translated to extAddr:8888. Can I do that? What technique can I search for on Google to find more information, because it is not port forwarding? I would call it reverse port forwarding or static port address translation, but I do not find anything useful on the internet searching for these keywords.

View 3 Replies View Related

Cisco VPN :: 2911 / Port Address Translation For Remote Network?

Aug 4, 2012

I have a site-to-site VPN between a Cisco ASA and a Cisco 2911 router. The ASA has a static IP and the Cisco 2911 side has a dynamic IP. My site-to-site VPN is working fine. I am just trying to do PAT over the VPN, meaning I want to forward one IP in my public pool to one of my local IPs on the Cisco 2911 side.

View 2 Replies View Related

Cisco Firewall :: ASA 8.4 With NAT Source Address Translation?

Dec 5, 2012

I have a server in a DMZ of my 8.4 ASA with nat:
 
object network FTP-SERVER
host 192.168.1.102
nat (dmz,outside) static interface tcp ftp ftp
 
And that's working well. However, I now need to translate the source address of connections from the outside to the FTP server as well. The aim is that the source address of packets when they reach the FTP server is an address on the DMZ subnet (as the default route for the FTP server now needs to be something else, not the ASA) as well as this outside-dmz NAT. I thought overloading the DMZ interface of the ASA? Or another IP in that range?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 Address Translation Through Internal Network

Jan 19, 2013

Is it possible to perform static NATs through an internal network? I have an ASA 5510 with a public outside interface (let's call it 68.68.68.1), and I have an inside private IP address (192.168.1.2/24). The inside IP address leads to a 4900M with that interface being configured with 192.168.1.1 (no switching). On the 4900M I have several VLANs; one of them is an internal DMZ of sorts (192.168.2.0/24). Within this DMZ network are several web servers which need to be associated with a public IP address (68.68.68.x).

Every time I configure a static NAT to associate a public IP address with an internal IP address within the DMZ, Packet Tracer on the ASA informs me that the packet gets dropped at the static NAT and I cannot figure out why this is so. Safe to say my question still stands: is it possible to NAT (68.68.68.222 to and 92.168.2.60) given the configuration above, and how would I go about configuring it in the manner above so that I can apply static NAT through the 192.168.1.0 network to reach the 192.168.2.0 network?

View 11 Replies View Related

Cisco Firewall :: ASA 8.4.1 Static NAT With Port Translation

May 30, 2011

I'm trying to migrate from an old PIX to the newest ASA 8.4.1. Everything seems to be good except the static NAT. [code]

The inside interface uses implicit rule. ( permit any less secure network )
 
Despite the above config, the ASA logs the following.
 
TCP access denied by ACL from 94.94.94.94/2003 to outside:86.101.228.221/80
 
The 86.101.228.221 is our public Internet IP, which is also used as the outside IP.

View 8 Replies View Related

Cisco Firewall :: ASA Twice NAT (port Translation) - 8.4 In Depth?

Mar 1, 2012

I have some issues with Twin PAT on ASA (8.4.2); there is something I don't understand. The FTP server is on the inside and the client is on the outside.

I did something like this:

object network NATED-11
host 20.20.20.11
object network REAL-2
host 10.200.200.2
object service SRV-FTP
service tcp destination eq ftp

nat (outside,inside) source static any any destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP

So theoretically there should be a problem in NAT because there is a second channel for data etc. BUT according to the docs, "For applications that require application inspection for secondary channels (for example, FTP and VoIP), the ASA automatically translates the secondary ports."
 
The problem is that it doesn't work at all and got the syslogs

Debug on ASA shows
 
ASA5510(config)# nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: translation - outside:20.20.20.252/37924 failed - port is not found in xlate(0-0)

[code]....
 
To make it work I need to modify the NAT rule to something like this (translate the source of the client to the inside interface of the ASA):

nat (outside,inside) 1 source static any interface destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP

Why is it not working in the first place? I forgot to mention that both modes of FTP were tested (passive and active).

View 1 Replies View Related

Cisco Firewall :: ASA 5510 / Nat With Port Translation With 8.4(3)?

Mar 10, 2012

Trying to translate telnet for switches to the outside IP address at some random ports.
 
172.16.200.2:23 ->  10.199.199.2:2300
172.16.200.3:23 ->  10.199.199.2:2301
172.16.200.4:23 ->  10.199.199.2:2302
etc....  
 
ASA 5510 running 8.4(3):
 
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.199.199.2 255.255.255.248
interface Ethernet0/1.200
vlan 200
nameif inside
security-level 100
ip address 172.16.200.254 255.255.255.0

[code]....
 
I cannot access the switch at 10.199.199.2:2301. What am I doing wrong? Or should cleaning toilets be something I really should look at! Now if I run this NAT statement:
 
object network Switch_TN
nat (inside,outside) static 10.199.199.3 service tcp telnet 2301
 
I am able to access the switch at 10.199.199.3:2301

View 7 Replies View Related

Cisco Firewall :: Way To Be Able To Get / Port The Translation From 7080 To Work

Mar 6, 2013

I have a server on the inside of my network (with an internet-routable IP). It has been requested of me that people from the internet access port 80, and that is translated at the firewall to port 7080. I have set up a temp access rule to allow access to 7080 from the outside and it is accessible. I am not sure what I am doing wrong, but I am not able to get the translation from 80 to 7080 to work.

View 1 Replies View Related

Cisco Firewall :: ASA5520 Port Map Translation Creation Failed

Jan 27, 2013

After adding a NAT rule on Friday morning, I'm now getting a bunch of "portmap translation creation failed" messages from my ASA5520. (It's currently running 8.4(3).) The failure errors appear to have nothing to do with the change that was made. [code] I have very similar rules in place for other vendors to access other machines. The only difference between this new one and those old ones is the use of the objects in the rule instead of the direct IP addresses. This is also the first one that involves a range instead of a specific address or network. [code]

View 4 Replies View Related

Cisco WAN :: Port Forwarding To IP Address 192.168.11.61

Nov 29, 2011

I need to forward to IP address 192.168.11.61 [code]

What command should I give, and how can I apply it on my router as per my requirement mentioned above?

View 5 Replies View Related

Cisco WAN :: 1841 - How To Set 3389 Port Forwarding From Wan To Lan Address

Nov 3, 2011

At one of our client premises they have a Cisco 1841 router. We need to connect from outside (another location in another country) with a Remote Desktop connection on port 3389 to an internal IP address (a server). From any IP address it has to permit a connection on port 3389 to be forwarded to the server.

View 2 Replies View Related

Cisco Firewall :: Change Default SSH Port On ASA 5505 (port Forwarding)

Dec 2, 2011

So here is my network.
 
ASA5505--->Cisco1841--->Cat2960
Code
ASA asa831-k8.bin
Cisco 1841 c1841-adventerprisek9-mz.151-4.M2.bin
Cat 2960 c2960-lanbasek9-mz.122-55.SE1.bin
 
and here is my dilemma.
 
I can SSH from the internet to my ASA on default port 22, directly to my public IP. I can SSH from the internet to my Cisco 1841 on port 2001. I cannot, however, SSH to my Cat 2960. From what I can tell, on the Cat 2960 I can't change the default port 22 for SSH to a different port, like I did on the Cisco 1841. I looked to see if I can change the default port for SSH on the ASA; it does not look like this is an option.

The bottom line is that I want to be able to SSH to all three devices from the internet. I only have one public IP. As of now, what I can do is only SSH to the ASA on default port 22 directly to the public IP, and to the Cisco 1841 on port 2001. It appears that changing the default SSH port on the Cat 2960 is not an option. It also appears that I can't change the default SSH port on the ASA; if I could, I would, and then I should be able to SSH to the Cat 2960 on port 22. No matter what I did on the ASA, it always listens on port 22 for SSH connections.
 
show asp table socket
TCP       001f549f  <<pub IP>>:22              0.0.0.0:*               LISTEN
 
How do I make it listen on a different port?

Here is the relevant config for SSH for the Cisco 1841 (port forwarding):
 
ON ASA
object network ROUTER
host 10.10.1.1

[Code].....

View 28 Replies View Related

F5D8235uk4 - Can't Set The Port Forwarding Ip Address On Belkin Router

Jun 28, 2011

I've just changed my router to a Belkin N+ Wireless Router (F5D8235uk4). My home network is on the 10.0.0.0 IP address range.

I changed the router's IP address to 10.0.0.2 (same as my last one) and the subnet is set to 255.0.0.0.

My problem is that whilst my PCs are in the 10.0.0.10 to 10.0.0.20 range, my NAS IP is 10.10.10.10, and when I go into the port forwarding (virtual servers) settings on the router it only lets me set the last octet, with the first three octets set to 10.0.0. and these can't be changed, so I can't port forward to my NAS.

Surely the virtual servers should be able to forward to any PC in the subnet, not just those in a 255.255.255.0 subnet? I don't want to change my nas IP address even though that would fix this issue.

View 5 Replies View Related

Cisco Routers :: RV 120W Port Forwarding And Remote Address

Mar 3, 2013

I have an RV120W configured to perform port forwarding. I have configured a Port Forwarding and Access Rule.
  
* Sample Firewall: Access Rules:
 Action        | Service | Status  | Connection Type                                | Source IP | Destination IP

[Code]....

Everything works, but on my destination server, I see the IP of the RV120W as the remote address. I want it to also forward the originating IP address of the client (the remote address).

Is it possible to configure this?

I have also configured DMZ for my server, but see the same behaviour.
 
Firmware: 1.0.3.10

View 3 Replies View Related

Linksys Wireless Router :: Port Forwarding And Setting IP Address?

Sep 10, 2012

When I try to set a port for forwarding and set the IP address to forward to: 192.168.1.108 (of course, I only type in that last number, 108), I get an error message that the number must be between 1 and 65535. It is! Why am I getting this error message?

View 5 Replies View Related

Cisco Switching/Routing :: 881W - IOS Port Forwarding Commands For Port Forwarding

Apr 7, 2013

I am trying to open up port 32400 on my Cisco 881W router but I have not had any success. I need to configure a manual port forward to enable my Plex Media Server.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 - Moving Inside Port To 1gb SFP Port

Jun 11, 2012

We have an ASA 5520 and its inside interface is currently plugged into a Fast Ethernet port on a 3750. I have just bought a 1 gig SFP module and have copied the Fast Ethernet port config to the gigabit port, but the port seems to be flapping.

The port config is this:
 
interface GigabitEthernet1/0/4
description Link to Inside ASA
switchport access vlan 2
switchport trunk encapsulation dot1q

View 1 Replies View Related

Cisco Firewall :: 5520 - Use Management Port As Normal Port On ASA

Jan 2, 2012

I have got an ASA 5520. How do I use the management port as a normal port on the ASA? What are the basic requirements for that?

View 3 Replies View Related

Cisco Firewall :: Port Forwarding In ASA 8.4.4 (1)?

Aug 9, 2012

I have a Cisco 5520 with 8.4.4(1) and I already have a NAT for an email server on it. Here are the IP and ports in the current configuration:
 
Email Server Private IP:  1.1.1.1
Email Server Public IP: 2.2.2.2 
Email Server Local Ports : 25, 587
 
Right now I have ports 25 and 587 opened for 2.2.2.2, so now I need to add a port redirection for another port:
 
New Port : 8925
 
I need to redirect 2.2.2.2:8925  to  1.1.1.1:587 

View 1 Replies View Related

Cisco Firewall :: Port Forwarding In Pix 501?

Apr 11, 2013

I'm having a problem with port forwarding/redirection on the PIX 501. I'm trying to open ports 49003 and 40085 in order to view our DVR remotely and I'm not exactly sure how to do it.

View 11 Replies View Related

Cisco Firewall :: ASA 8.4 Port Forwarding

Nov 5, 2012

I have an issue with port forwarding to my TeleEye CCTV behind an ASA 8.4. I can browse the DVR from outside via HTTP; however, when I attempt to log in, "server busy" is shown afterwards. Note: There's no issue when accessing the DVR locally.

Here's my config.
OUTSIDE INTERFACE:
interface Ethernet0/3
speed 100
duplex full
[Code]...

View 4 Replies View Related

Cisco Firewall :: FWSM V 4.1.3 Forwarding Packets To Sender MAC Address

Feb 26, 2011

Is the FWSM v 4.1.3 capable of forwarding return packets to the MAC address that sent them to it first?

View 6 Replies View Related

Cisco Firewall :: Port Forwarding With ASA 5510?

May 2, 2011

I have an ASA with an outside IP address of 140.32.121.5. Behind this firewall I have a Cisco MWR 2941 that I would like to connect to via telnet. Its inside IP address is 10.10.10.2. My reasoning for this is that I cannot SSH or telnet from an ASA, so I need to have the ASA push my telnet request to the router on its inside interface. I have tried some NAT examples but I am very green with NAT. I have also built access lists that look like the following: "access-list 101 permit tcp any 10.10.50.2 eq 23", and then tied access-group 101 to the outside interface. This was also without success.

View 1 Replies View Related

Cisco Firewall :: ASA 8.4 Forwarding Port Range?

Oct 30, 2012

I need to open port range 554 - 558 to a DVR on the internal network. Also, I need to NAT one of my public IP's to the DVR. How is this accomplished in 8.4? I was able to do it in an older version ASA software.

View 3 Replies View Related

Cisco Firewall :: Simple Port Forwarding On ASA 8.4?

Sep 4, 2012

I've tried setting up some simple port forwarding on my ASA, where I want to forward one port on the external interface for both UDP and TCP to the same port on an internal server.
 
It works fine for UDP, but all TCP packets are dropped on the outside interface, even though the configuration for UDP and TCP is basically the same! This is my config:
 
object network MY_SERVER
host 10.10.1.4 
object service TCP_MY_SERVICE

[Code].....
 
Port count goes up on line 2 (UDP) but never for line 1. I just see the packet denied instead. Same thing happens in the packet tracer, a packet destined for my external interface on that port for UDP is allowed and NAT'd just fine. TCP it gets dropped by the ACL on the outside interface.

View 15 Replies View Related

Cisco Firewall :: ASA 5510 And Port Forwarding?

Oct 23, 2012

I have a Cisco ASA 5510 appliance running ASDM 6.3. We have a number of public IP addresses associated with our company. In order to utilise the IP addresses effectively I want to use one public IP address for two servers running on different ports, e.g.
 
Public IP address 78.109.174.100
 
for both
 
Server 1 HTTPS and HTTP
Server 2 FTP

Both servers live in the same subnet (DMZ). I believe this may be port forwarding but could be completely wrong. I've tried creating a NAT rule that goes from the Server 2 network object to Server 1 external but this didn't work.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved