Cisco ASAv - Dynamic PAT (Port forwarding)

To forward a port to a host on your inside network, you use Dynamic PAT (Port Address Translation): the ASA translates the port on its NATted outside IP address to the inside host, so the service can be reached externally.

First create a network object specifying the IP address of the inside host to forward to, then add the Dynamic PAT rule as shown below. In this case I'm forwarding SMTP port 25 for an email server:

conf t
object network MAIL
 host 192.168.3.7
 nat (inside,outside) static interface service tcp smtp smtp

In the second example I'm forwarding HTTPS port 443 to a server hosting webmail.

object network WEBMAIL
 host 192.168.3.8
 nat (inside,outside) static interface service tcp https https

If you also restrict access with access lists on the outside interface (that is, you are not using a blanket 'ip any any' permit rule), you may need to add an ACL entry for each forwarded service:

access-list Outside_access_in extended permit tcp any object MAIL eq smtp
access-list Outside_access_in extended permit tcp any object WEBMAIL eq https

You should now be able to connect to the forwarded port on your external IP (for example with telnet).
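Before testing from outside, it is worth checking what the running config actually exposes: every static PAT rule of the form shown above opens a port on the outside interface, and each one needs a matching ACL permit when an access list is applied. The audit script below is an added example, not part of the original post or of Cisco's tooling; it parses the object/nat/access-list lines from a constructed config snippet and assumes post-8.3 ASA behaviour, where ACLs reference the real (untranslated) object and real port.

```python
import re
from collections import namedtuple
# ASA service keywords used in the post (plus http) mapped to port numbers.
SERVICE_PORTS = {"smtp": 25, "https": 443, "http": 80}

def port_number(token):  # accept an ASA keyword such as smtp or a plain number
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

# inside_port is the real port (first port in the nat line); outside_port the mapped one.
Forward = namedtuple("Forward", "obj host proto inside_port outside_port")
NAT_RE = re.compile(r"nat \(\w+,\w+\) static interface service (tcp|udp) (\S+) (\S+)")
# Assumption: post-8.3 ACLs reference the real (untranslated) object and real port.
ACL_RE = re.compile(r"access-list \S+ extended permit (tcp|udp) any object (\S+) eq (\S+)")

def parse_forwards(config):
    """Collect static PAT rules, attaching the host of the object each rule sits under."""
    forwards, obj, host = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj, host = line.split()[2], None
        elif line.startswith("host "):
            host = line.split()[1]
        elif m := NAT_RE.match(line):
            forwards.append(Forward(obj, host, m[1], port_number(m[2]), port_number(m[3])))
    return forwards

def audit(config):
    """Return ({(proto, outside_port): Forward}, [objects with no matching ACL permit])."""
    permits = {(m[2], m[1], port_number(m[3]))
               for m in (ACL_RE.match(ln.strip()) for ln in config.splitlines()) if m}
    exposed, missing = {}, []
    for fw in parse_forwards(config):
        exposed[(fw.proto, fw.outside_port)] = fw
        if (fw.obj, fw.proto, fw.inside_port) not in permits:
            missing.append(fw.obj)
    return exposed, missing

# Constructed sample: the post's two forwards plus a third with a remapped port and no ACL entry.
SAMPLE = """\
object network MAIL
 host 192.168.3.7
 nat (inside,outside) static interface service tcp smtp smtp
object network WEBMAIL
 host 192.168.3.8
 nat (inside,outside) static interface service tcp https https
object network INTRANET
 host 192.168.3.9
 nat (inside,outside) static interface service tcp 8080 http
access-list Outside_access_in extended permit tcp any object MAIL eq smtp
access-list Outside_access_in extended permit tcp any object WEBMAIL eq https
"""
```

Running `audit(SAMPLE)` reports the three outside ports (25, 443 and 80, the last mapped to 8080 on the inside host) and flags INTRANET as the forward with no ACL permit; paste in the output of `show running-config` to audit a real box.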
