Dec 24, 2012

Port Redirection on Cisco ASA 5500 (8.4 Code)


I figured I would make this one of my first posts, since it is a recent change I made on my network.

How to do port redirection on a Cisco ASA running the 8.4.x code train.

First, identify your internal host and create a network object for it:

object network obj-10.10.10.170
 host 10.10.10.170
!

Next, create the network object for your outside (NATted) address:

object network obj-20.20.20.170
 host 20.20.20.170
!


Now create a service object for the real (internal) port you are redirecting:

object service obj-tcp-8080
 service tcp source eq 8080
!

Next, create the service object for the port that will be exposed on the external (NATted) address:

object service obj-tcp-80
 service tcp source eq 80
!

Once these objects are in place, we mesh everything together into a single twice-NAT statement:

nat (inside,outside) source static obj-10.10.10.170 obj-20.20.20.170 service obj-tcp-8080 obj-tcp-80


With this complete, we have created the port mapping. As with any other static NAT, make sure it is placed before the dynamic NAT rule that handles all other traffic, since the manual NAT section is evaluated top-down and the first match wins. Like so:

nat (inside,outside) source static obj-10.10.10.170 obj-20.20.20.170 service obj-tcp-8080 obj-tcp-80
nat (inside,outside) source dynamic any interface description DEFAULT_NAT

You can confirm the translation is in effect by checking the xlate table:

asa5510# show xlate
TCP PAT from inside:10.10.10.170 8080-8080 to outside:20.20.20.170 80-80
    flags sr idle 0:22:33 timeout 0:00:00
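The ordering advice above (static rule first, catch-all dynamic PAT after) comes down to a first-match walk of the manual NAT rules, and the `show xlate` check is how you confirm which rule actually won. The following Python script is an added example, not part of the original post and not a Cisco tool: it models that outbound first-match lookup for the two rules in the post, shows what happens when the dynamic rule is listed first, and parses the `show xlate` line to check it against what the rules predict. The outside interface address `20.20.20.1`, the rule names and all function names are assumptions; only the object addresses, ports and the xlate line come from the post. It models new inside-to-outside flows only, not inbound connections that hit the static rule in reverse.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    """One 'nat (inside,outside) source ...' statement, reduced to the fields an
    outbound first-match lookup needs. A real_src or real_port of None means 'any'."""
    name: str
    static: bool
    real_src: Optional[str]            # network object on the real (inside) side
    mapped_src: str                    # mapped IP, or "interface" for PAT to the egress address
    real_port: Optional[int] = None    # service object on the real side (obj-tcp-8080)
    mapped_port: Optional[int] = None  # service object on the mapped side (obj-tcp-80)


@dataclass(frozen=True)
class Xlate:
    """A translation: the same four fields that 'show xlate' prints."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: Optional[int]         # None: ephemeral port chosen by the firewall (dynamic PAT)
    rule: str                          # rule that produced it, or "show xlate" when parsed


# Assumed outside interface address; the post never states it, so this is a placeholder.
OUTSIDE_IF_IP = "20.20.20.1"

# The two rules from the post, named here for convenience (names are assumptions).
PORT_REDIRECT = NatRule("PORT-REDIRECT", True, "10.10.10.170", "20.20.20.170", 8080, 80)
DEFAULT_NAT = NatRule("DEFAULT_NAT", False, None, "interface")
RECOMMENDED_ORDER = [PORT_REDIRECT, DEFAULT_NAT]   # static first, as the post advises
SHADOWED_ORDER = [DEFAULT_NAT, PORT_REDIRECT]      # dynamic first: the static rule is never reached


def lookup(rules: List[NatRule], src_ip: str, src_port: int) -> Optional[Xlate]:
    """Top-down, first-match lookup for a new inside->outside TCP flow, which is how
    the ASA walks its manual (twice) NAT section."""
    for rule in rules:
        if rule.real_src not in (None, src_ip):
            continue
        if rule.real_port not in (None, src_port):
            continue
        mapped_ip = OUTSIDE_IF_IP if rule.mapped_src == "interface" else rule.mapped_src
        if not rule.static:
            mapped_port = None             # dynamic PAT: the firewall picks the port
        elif rule.mapped_port is None:
            mapped_port = src_port         # static NAT without a service object keeps the port
        else:
            mapped_port = rule.mapped_port  # static NAT with service objects: port redirection
        return Xlate(src_ip, src_port, mapped_ip, mapped_port, rule.name)
    return None                            # no rule matched: the flow would leave untranslated


# Matches the entry format shown in the post, e.g.
# "TCP PAT from inside:10.10.10.170 8080-8080 to outside:20.20.20.170 80-80"
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<rif>\w+):(?P<rip>[\d.]+) (?P<rport>\d+)-\d+"
    r" to (?P<mif>\w+):(?P<mip>[\d.]+) (?P<mport>\d+)-\d+"
)


def parse_xlate(line: str) -> Optional[Xlate]:
    """Parse one 'show xlate' entry; returns None for lines in another format."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    return Xlate(m["rip"], int(m["rport"]), m["mip"], int(m["mport"]), "show xlate")


def xlate_matches_rules(rules: List[NatRule], line: str) -> bool:
    """True when the live xlate entry is what a first-match walk of `rules` predicts."""
    seen = parse_xlate(line)
    if seen is None:
        return False
    expected = lookup(rules, seen.real_ip, seen.real_port)
    return expected is not None and (
        (expected.mapped_ip, expected.mapped_port) == (seen.mapped_ip, seen.mapped_port)
    )


# The xlate line from the post (copied from the post, not constructed).
SAMPLE_XLATE = "TCP PAT from inside:10.10.10.170 8080-8080 to outside:20.20.20.170 80-80"

if __name__ == "__main__":
    print("recommended order:", lookup(RECOMMENDED_ORDER, "10.10.10.170", 8080))
    print("dynamic rule first:", lookup(SHADOWED_ORDER, "10.10.10.170", 8080))
    print("xlate agrees with recommended order:", xlate_matches_rules(RECOMMENDED_ORDER, SAMPLE_XLATE))
    print("xlate agrees with shadowed order:", xlate_matches_rules(SHADOWED_ORDER, SAMPLE_XLATE))
```

With the rules in the recommended order, a flow from 10.10.10.170:8080 maps to 20.20.20.170:80, which is exactly the xlate entry in the post; with the dynamic rule first, the same flow is PATed to the interface address and the published port never appears, which is the mismatch you would catch in `show xlate`. Traffic from the same host on any other source port still falls through to the dynamic rule in either order.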


Hope this is helpful to others. I got a lot of useful information from this link: https://supportforums.cisco.com/thread/2169361.

Thanks

David P.

1 comment:

  1. Here is also how to do an outside to inside PAT with port matching for FTP. It will make all outside hosts coming in be natted to the inside interface of the firewall.

    nat (outside,inside) source dynamic any interface destination static interface obj-ftp_server service obj-ftp_ports obj-ftp_ports
