Cisco ASA NAT Port Forwarding

ReneMolenaar · May 6, 2020, 11:18am

Like Lazaros mentioned, this is the default policy-map on the ASA. It’s not needed for this lesson so I’ll get rid of it.

Rene

agrozdanov · May 6, 2020, 2:33pm

Thank you Laz !
Best,
Asen

agrozdanov · May 6, 2020, 2:33pm

Thank you Rene !
Best,
Asen

gordonflash984 · July 26, 2020, 6:12am

I may need some clarity on the output below if I am mistaken. What I have found says if the connection is initiated from the outside address you will see this as an untranslated_hit because this is a mapped IP to real translation. Is this correct?

(DMZ) to (outside) source static SSH_SERVER interface  service tcp ssh 10022
    translate_hits = 0, untranslate_hits = 1

lagapidis · July 27, 2020, 5:37am

Hello Donald

Yes you are correct. An translate hit is one that takes place in the “forward direction” or the direction of the interfaces specified in the NAT rule. An untranslate hit is one that takes place in the opposite direction. The following documentation describes it in great detail, and should clarify any further questions you may have:

I hope this has been helpful!

Laz

gordonflash984 · July 27, 2020, 7:16pm

I’ll read the Cisco doc. Thanks for the link.

mohammed.eisa21 · October 7, 2020, 8:21am

Hi Rene ,
I Have problem in this topic port forwarding I want to forward 3 port to server in dmz i have public ip for this server i use this config i put the 3 port object serves group anad i create object network :

object network x
host x.x.x.x
(dmz) to (outside) source static service object  y.y.y.y public ip

the result only one port working i trace the packet all phase ALLOW but only one port is working

lagapidis · October 8, 2020, 8:54am

Hello Mohamed

You have to make sure that you include all three ports in the access lists that you create. For example, if the ports you want to forward are TCP ports 80 81 and 82, then you must ensure that you have created the appropriate objects, and have the following access lists:

access-list MY_SERVER extended permit tcp any host 192.168.1.10 eq 80
access-list MY_SERVER extended permit tcp any host 192.168.1.10 eq 81
access-list MY_SERVER extended permit tcp any host 192.168.1.10 eq 82

…assuming the IP address of your server is 192.168.1.10.

I hope this has been helpful!

Laz

ahmad.n.ashkar · May 11, 2022, 8:06pm

Hi Rene!
Can we port-forward another tcp port to same server? For example, I want to port-forward both TCP ports 22 and 443 to same server 192.168.3.3.

When I add the 2nd NAT statement, it replaces the 1st NAT as though the ASA doesn’t allow more than one NAT statement of each type, TCP or UDP.

lagapidis · May 15, 2022, 7:08am

Hello Ahmad

You can achieve what you want by creating two objects with the same IP address. For example:

ASA1(config)# object network HTTPS_SERVER
ASA1(config-network-object)# host 192.168.3.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 443 443

ASA1(config)# object network SSH_SERVER
ASA1(config-network-object)# host 192.168.3.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 22 22

Only one NAT statement can be assigned within an object, but you can create multiple objects using the same IP address.

I hope this has been helpful!

Laz