
I'm trying to open some ports in my ASA 5505 Firewall with the 9.0(1) software. I've been using another ASA with a lower software version. As you can imagine I'm quite confused and have been reading all CLI guides from Cisco and looking at different blogs for help.

I'm trying to open some external ports and trying to map them into my inside servers. I would like to use different ports on the outside and translate them to the original port on the inside.

outside = 77.77.77.77
inside = 10.203.5.1

I'm trying to open for port 10001 and send that into my network while translating it into port 3389. So I'm basically trying to open for multiple servers via RDP but I've only got 1 public IP address to work with. I would like to keep the port 3389 on all servers, so when on the inside LAN people can connect to the server without worrying about custom ports. When they are on the outside they have to use 77.77.77.77:10001 to connect to the server through the ASA.

As I understand the commands have changed quite a bit since I last did the above configuration and that is why I'm feeling stuck. I've tried following the examples on this link but without getting lucky. I think I read somewhere that I need 2 objects to do a correct NAT with a PAT configuration, or am I way off here?

I would appreciate it if anyone could point me in some direction because where I'm now I can't get the ASA to do what I believe it is built to do :o)

Mötz
  • Yeah, Cisco made a mess of it in 8.3+. *My* advice, if you don't need anything 9.0 brings, stay with 8.2. – Ricky Jun 03 '14 at 22:19
  • I don't know how to downgrade and I believe that sooner or later we will all have to use the new style. So let's play with the new version to get familiar with it. – Mötz Jun 04 '14 at 12:11
  • PAT is really made up. The RFCs use NAPT for what some people call PAT. See _[RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations, Section 4.1.2 Network Address Port Translation (NAPT)](https://tools.ietf.org/html/rfc2663#section-4.1.2)_: "_NAPT extends the notion of translation one step further by also translating transport identifier (e.g., TCP and UDP port numbers, ICMP query identifiers). This allows the transport identifiers of a number of private hosts to be multiplexed into the transport identifiers of a single external address._" There is more in the RFC. – Ron Maupin Jan 30 '17 at 15:53

1 Answer


Here's an example configuration for what you're looking to accomplish.

First create an object for your server:

```
object network SRV1
 host 10.203.5.1
```

Next, create the PAT rule that uses your outside interface IP (re-entering the object's configuration mode):

```
object network SRV1
 nat (inside,outside) static interface service tcp 3389 10001
```

The packet processing order of operations on 8.2 code and below is ACL --> NAT. Post 8.3 code is NAT --> ACL, so your ACL will have a permit to the inside network IP.

Finally, create your ACL rule (assuming your access list name is outside_access_in):

```
access-list outside_access_in extended permit tcp any object SRV1 eq 3389
```

Rinse and repeat.

James.Birmingham
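As an added illustration (not part of the answer above, and not Cisco's code), a small Python helper that generates the object NAT and ACL lines for several RDP servers behind one public IP and models the post-8.3 NAT-then-ACL order, so that an ACL written with the outside port (the 8.2 habit) is shown to drop the traffic. The object names, the second server address 10.203.5.2 and the simplified port-only ACL model are constructed assumptions.

```python
from dataclasses import dataclass

RDP_PORT = 3389  # real port kept on every inside server (from the question)

@dataclass(frozen=True)
class RdpServer:
    name: str          # ASA object name (constructed)
    inside_ip: str     # real address on the inside
    outside_port: int  # port mapped on the outside interface address

def render_config(servers, acl="outside_access_in"):
    """Emit object NAT plus ACL lines for each server. Raises ValueError if two
    servers claim the same outside port: one public IP can map each port once."""
    used, lines = {}, []
    for s in servers:
        if s.outside_port in used:
            raise ValueError(f"outside port {s.outside_port} already used by {used[s.outside_port]}")
        used[s.outside_port] = s.name
        lines += [
            f"object network {s.name}",
            f" host {s.inside_ip}",
            f" nat (inside,outside) static interface service tcp {RDP_PORT} {s.outside_port}",
            # Post-8.3 the ACL is checked after un-NAT, so it names the object
            # and the real port 3389, not the outside port.
            f"access-list {acl} extended permit tcp any object {s.name} eq {RDP_PORT}",
        ]
    return lines

def inbound_allowed(servers, dst_port, acl_ports):
    """Simplified model of the 8.3+ order of operations for a packet arriving on
    the outside interface: un-NAT first, then match the ACL against the real port.
    acl_ports holds the destination ports the inbound ACL permits.
    Returns the real (ip, port) when forwarded, None when dropped."""
    for s in servers:
        if s.outside_port == dst_port:
            return (s.inside_ip, RDP_PORT) if RDP_PORT in acl_ports else None
    return None  # no static PAT entry: nothing to un-NAT, packet dropped

# Constructed inventory using the question's addressing.
SERVERS = [
    RdpServer("SRV1", "10.203.5.1", 10001),
    RdpServer("SRV2", "10.203.5.2", 10002),
]

if __name__ == "__main__":
    print("\n".join(render_config(SERVERS)))
```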