Port forwarding in ASA

Posted: August 11, 2015 in CISCO

In this example we will configure ASA-1 to allow us to connect from the XP machine 50.50.50.10 to another XP machine (172.16.3.10).

ASA1 configuration:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.16.3.2 255.255.255.0
!

access-list 130 extended permit ip 50.50.50.0 255.255.255.0 172.16.3.0 255.255.255.0

access-group 130 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.20.2

ASA2 configuration:

interface GigabitEthernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 50.50.50.2 255.255.255.0
!

access-list 120 extended permit ip 172.16.3.0 255.255.255.0 50.50.50.0 255.255.255.0

access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 20.20.20.2

R1:

interface FastEthernet0/0
ip address 10.10.20.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 50.50.50.0 255.255.255.0 20.20.20.1
ip route 172.16.3.0 255.255.255.0 10.10.20.1

Enabling remote access on ASA-1

!creating object for the machine we need access to (172.16.3.10)
ciscoasa(config)# object network xp
ciscoasa(config-network-object)# host 172.16.3.10
!traffic which arrives addressed to the outside ASA-1 interface (10.10.20.1) on port 3389 is translated to 172.16.3.10 on port 3389
!we will RDP to 10.10.20.1:3389 and it will be translated to 172.16.3.10:3389
ciscoasa(config-network-object)# nat (any,outside) static interface service tcp 3389 3389
ciscoasa(config-network-object)# exit
!Create object-group service named rdp of type tcp
ciscoasa(config)# object-group service rdp tcp
!port number 3389
ciscoasa(config-service-object-group)# port-object eq 3389
ciscoasa(config-service-object-group)# exit
!ACL to permit tcp from the outside interface on port 3389 to the XP machine at 172.16.3.10 on port 3389
!note: access-list 140 is not bound with access-group here; the outside interface already has access-group 130, which permits 50.50.50.0/24 to 172.16.3.0/24
ciscoasa(config)# access-list 140 extended permit tcp interface outside eq 3389 object xp object-group rdp
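To check what the configuration above actually exposes, here is a small Python model (added here, not Cisco code or the author's) of ASA-1's inbound path: the destination is un-NATed by the static PAT and the interface ACL is then matched on the real address, as ASA 8.3+ does. It assumes only the nat rule and access-list 130 from this post; the function and variable names are mine.

```python
import ipaddress
from dataclasses import dataclass

# Model of the ASA-1 packet path for the page's configuration (an added
# illustration, not Cisco code). ASA 8.3+ un-NATs the destination first and
# then checks the interface ACL against the REAL (inside) address.

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

OUTSIDE_IF_IP = "10.10.20.1"   # "interface" keyword in the nat statement
XP_REAL_IP = "172.16.3.10"     # object network xp
# nat (any,outside) static interface service tcp 3389 3389 -> one port only
STATIC_PAT = {("tcp", OUTSIDE_IF_IP, 3389): (XP_REAL_IP, 3389)}

# access-list 130 is the only ACL bound to outside (access-group 130).
# access-list 140 is never applied with access-group on the page, so it
# is not consulted. Entries are (action, proto, src_net, dst_net).
ACL_130 = [("permit", "ip", "50.50.50.0/24", "172.16.3.0/24")]

def untranslate(pkt):
    """Apply the static PAT; None means no translation slot matches."""
    mapped = STATIC_PAT.get((pkt.proto, pkt.dst, pkt.dport))
    if mapped is None:
        return None
    return Packet(pkt.proto, pkt.src, pkt.sport, mapped[0], mapped[1])

def acl_permits(acl, pkt):
    for action, proto, src_net, dst_net in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)):
            return action == "permit"
    return False  # implicit deny at the end of every ASA ACL

def asa1_inbound(pkt):
    """Return ('forward', real_dst, real_port) or ('drop', reason)."""
    real = untranslate(pkt)
    if real is None:
        return ("drop", "no static PAT for %s/%d" % (pkt.dst, pkt.dport))
    if not acl_permits(ACL_130, real):
        return ("drop", "access-list 130 denies %s -> %s" % (real.src, real.dst))
    return ("forward", real.dst, real.dport)
```

Running `asa1_inbound` on a packet from 50.50.50.10 to 10.10.20.1:3389 yields a forward to 172.16.3.10:3389, while any other port on the interface address, or a source outside 50.50.50.0/24, is dropped.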

RDP from 50.50.50.10 to 10.10.20.1

We are redirected to 172.16.3.10
