Port Forwarding on the ASA/FWSM/PIX

May 27, 2008
By Aaron Conaway

Here’s a simple one since I haven’t updated in a while. I have my ASA 5505 at home and want to forward TCP/80 traffic sent to my public IP on to my webserver at 10.10.10.10. There are two steps here — forward the port and open the ACL.

To forward the port, I would use the static directive, but there are two ways to do that. I can either set up a one-to-one NAT or a port redirection. In the one-to-one NAT, you have an outside address that’s mapped directly to an inside address, and any traffic to that IP is passed to the inside host (if it passes the ACLs, of course). One of the limitations, though, of using this setup is that you can’t use that IP as your PAT address, and, since I only have one IP, no other inside hosts would have an outside address to which to be NATted. The other method — port redirection — is a much better solution. In this setup, I actually forward a protocol/port on an outside address to a protocol/port on an inside address. Since there are other ports available on that outside address, the address is still available for other hosts to use as a NAT address.

In an enterprise, I would probably use an address out of my pool for the port forwarding, but, since I only have one address at home, I’ve got another decision to make. I can configure the static statement with an IP address or I can use the reserved word interface to indicate the IP that is on an interface. This is a great feature, actually, since my outside IP could potentially change without notice. I’m going to use that feature, too.

static (inside,outside) tcp interface 80 10.10.10.10 80

This is pretty simple, but I’ll explain. The ASA will take any request that comes in on TCP/80 (HTTP) on its outside interface’s IP and forward it to TCP/80 of 10.10.10.10. If my webserver ran on TCP/81 on my box, I could just change the last 80 to 81 to make it work.

The port is redirecting, but I still need to open the ACL. When that’s done, everything should work as expected.
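Because the redirect does nothing until the outside ACL permits it, the two steps are easy to get out of sync. As an added example (not from the post), this small audit script parses pre-8.3 ASA `static` port-redirection lines, `access-list` entries and `access-group` bindings from a constructed config and reports any redirect that the ACL bound to the mapped interface never permits; the interface name, ACL name and 10.10.10.20 NTP host are assumed sample values.

```python
import re

# Constructed sample of a pre-8.3 ASA configuration (not taken from the post):
# the post's HTTP redirect, an NTP redirect like the one in the comments,
# and an outside ACL that only covers HTTP.
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 80 10.10.10.10 80
static (inside,outside) udp interface 123 10.10.10.20 123
access-list outside_in extended permit tcp any interface outside eq 80
access-group outside_in in interface outside
"""

# Only the port-redirection form of "static" (protocol + ports) is parsed here.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)$")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>.+?) (?P<dst>interface \w+|host \S+|any) eq (?P<port>\d+)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")

def _dst_covers(dst: str, s: dict) -> bool:
    """Does an ACE destination cover the static's mapped (outside) address?"""
    if dst == "any":
        return True
    if dst == f"interface {s['mapped_if']}":
        return s["mapped_ip"] == "interface"
    return dst == f"host {s['mapped_ip']}"

def unprotected_forwards(config: str) -> list:
    """List port redirections that the ACL bound to the mapped interface never permits."""
    statics, acls, bound = [], {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            bound[m["iface"]] = m["name"]   # ACL applied inbound on that interface
    findings = []
    for s in statics:
        aces = acls.get(bound.get(s["mapped_if"], ""), [])
        permitted = any(a["action"] == "permit" and a["proto"] == s["proto"]
                        and a["port"] == s["mapped_port"] and _dst_covers(a["dst"], s)
                        for a in aces)
        if not permitted:
            findings.append(f"{s['proto']}/{s['mapped_port']} -> {s['real_ip']}:{s['real_port']} "
                            f"is redirected but not permitted on {s['mapped_if']}")
    return findings
```

Run against a `show running-config` dump, the output is the list of forwards that still need an ACL entry (or that were left behind after the ACL was tightened).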


4 Responses to Port Forwarding on the ASA/FWSM/PIX

  1. Clint Young on May 27, 2008 at 22:39

    As soon as I put my ASA 5505 back onto my network I will be doing the exact same thing. Renovations have taken my network down to the most basic wifi router & laptop for the time being. lol. Nice writeup!

  2. Aaron Conaway on May 28, 2008 at 07:47

    Thanks, Clint.

  3. Kashi on September 4, 2009 at 05:31

    Hi Aaron,

    How can I redirect NTP port traffic to my internal server using a NAT'd IP which is already exposed outside.

    Thanks, Kashi

  4. Aaron Conaway on September 4, 2009 at 08:34

    Hi, Kashi.

    NTP runs over UDP/123, so you would just change up the command a bit. If you want to have your interface IP listen for NTP, you would do this.

    static (inside,outside) udp interface 123 your.internal.host.ip 123

    If you wanted to use an IP other than your interface, you would do this.

    static (inside,outside) udp your.external.host.ip 123 your.internal.host.ip 123

    Don’t forget to open your ACLs up.

    Hope that helps.
