Answer the question
In order to leave comments, you need to log in
S
S
Sergey2015-04-03 15:32:08
Sergey, 2015-04-03 15:32:08
How to configure port forwarding on Cisco ASA 5510?
Colleagues help out
Two interfaces, look one in LAN, the other in the LAN of a "foreign" network
interface Port-channel1.2
description OFFICE_NET
vlan 2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Port-channel1.3
description OTHER_NET
vlan 3
nameif othernet
security-level 10
ip address 10.10.30.4 255.255.255.0It is necessary to forward ports from the internal server 192.168.0.9 for clients on the "othernet" network.
I do this:
object network SERVER
host 192.168.0.9
nat (inside,othernet) static 10.10.30.3 service udp 4569 4569
access-list othernet_acl extended permit udp any object SERVER eq 4569
access-group othernet_acl in interface othernetAnd everything seems to be a bunch, but! It is necessary for me that also a ping went. And then shnyaga on the "other" side categorically does not want to connect.
Additionally, how else can ports be forwarded through the same interface?
2 answer(s)
@bk0011m
@poisons
the first line is needed so that the traffic that I have in the tunnel to the remote asa does not natitsya. When checking the availability of a port from the outside, the acl hit counter does not increase.
When checking packet-tracer -increments, but packets are dropped.
packet-tracer input outside-d tcp 8.8.8.8 1234 192.168.88.204 43117
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside-d) source dynamic NET-FOR-NAT interface
NET rule -FOR-NAT I need packets to flow from the inside of the interface. Ports are 100% open on the target machine. Google produces articles where they stubbornly repeat the same thing on the topic "create an object, write acl". Where to dig?
There I have 2 networks, 192.168.87.0/24 - hangs directly on the inside interface and 192.168.88.0/24 hangs behind another router (the firewall / nat is turned off there, the piece of iron transfers packets from interface to interface).
H
Heizenberg, 2015-04-04 @bk0011m
security-level must be the same on both interfaces
add something like
static (inside,othernet) 192.168.10.9 192.168.10.9 netmask 255.255.255.254
static (othernet,inside) 10.10.30.3 10.10.30.3 netmask
255.255.255.254 asa inter vlan routing
P
poisons, 2015-12-28 @poisons
Apnu question, the situation is
asa 5505 9.2(4), I want to forward the port for the torrent client.
Settings
show running-config nat
nat (inside,outside-d) source static NET-LOCAL NET-LOCAL destination static NET-OVH NET-OVH
nat (inside,outside-d) source dynamic NET-FOR-NAT interface
object network media-server
nat (inside,outside-d) static interface service tcp 43117 43117
asa-home(config)# show running-config access-list
access-list outside_access_in extended permit tcp any object media-server eq 43117
show running-config object
object network media-server
host 192.168.88.204the first line is needed so that the traffic that I have in the tunnel to the remote asa does not natitsya. When checking the availability of a port from the outside, the acl hit counter does not increase.
When checking packet-tracer -increments, but packets are dropped.
packet-tracer input outside-d tcp 8.8.8.8 1234 192.168.88.204 43117
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside-d) source dynamic NET-FOR-NAT interface
NET rule -FOR-NAT I need packets to flow from the inside of the interface. Ports are 100% open on the target machine. Google produces articles where they stubbornly repeat the same thing on the topic "create an object, write acl". Where to dig?
There I have 2 networks, 192.168.87.0/24 - hangs directly on the inside interface and 192.168.88.0/24 hangs behind another router (the firewall / nat is turned off there, the piece of iron transfers packets from interface to interface).
Similar questions
A
A
S
S
K
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question