NAT and Port Forwarding on the Cisco ASA 5505

What is NAT? It stands for Network Address Translation. It means that we can have a public IP on the outside of the Cisco firewall, and the ASA will translate traffic sent to that public IP to the internal address we select. Of course, because it’s a firewall, we also need to tell the ASA 5505 which traffic to allow through to the inside address. The decision on what to allow through is based on which port the traffic is arriving on.

This is all very easy to do on consumer-grade hardware, but it’s difficult to do on the ASA 5505 using the Cisco ASDM. I’m going to walk through the steps I used to set up NAT and port forwarding with the ASDM software.

First, setting up NAT

  1. Use the ASDM software to log into your device.
  2. Click “Configuration” at the top, then “NAT” on the left.
  3. Click “Add,” then select “Add Static NAT Rule…”
  4. Under “Real Address” type the destination, or internal address. For example: “192.168.10.111”
  5. Change Netmask to: “255.255.255.255”
  6. Under “Static Translation,” change the Interface to: “outside.”
  7. Enter the outside, routable IP which you want to use to access the device from outside the firewall.
  8. Click “OK.”
  9. Click “Apply.”

Allowing traffic through the firewall, or Port Forwarding

Now all packets which are allowed through the firewall and are addressed to the outside IP address we just named will be delivered to the internal IP address. So, to use our internal IP address as a server, we need to open the firewall to allow traffic to come to this device.

  1. Click “Security Policy” on the left.
  2. First, we are going to define the services we want to let through. Click the “Services” tab in the right pane.
  3. You’ll see a list of pre-defined services. This is helpful (especially http and https), but there are probably services you’ll use that aren’t listed here.
    • Fileshares:
      Click “Add,” then TCP-UDP Service Group
      Type in a “Group Name” such as “fileshare.”
      Check the “Port #” radio button.
      Type in “137” to “139” and click the “Add >>” button.
      Next type in “445” to “445” and click the “Add >>” button.
    • Remote Desktop:
      Click “Add,” then TCP-UDP Service Group
      Type in a “Group Name” such as “remotedesktop.”
      Check the “Port #” radio button.
      Type in “3389” to “3389” and click the “Add >>” button.
    • SQL Connections
      Click “Add,” then TCP Service Group
      Type in a “Group Name” such as “sql.”
      Check the “Port #” radio button.
      Type in “3306” to “3306” and click the “Add >>” button.
  4. Next, we want to define groups of IP addresses that are allowed to access different services. For our setup, we have a few subnets that are all allowed access to all services, but you might want to restrict more. You should create a group for each security level.
    • Click the “Addresses Tab.”
    • Click “Add” and select “Network Object Group…”
    • Choose a group name, for example: “office.”
    • Add the subnets you wish to allow. You probably want outside-network/24, which is the subnet of the unit’s external interface. Click that and click “Add >>”
    • Enter new subnets by typing in the IP address as “xxx.xxx.xxx.0”, for example “172.25.204.0”, and setting the Netmask to “255.255.255.0”. This will allow 172.25.204.1 through 172.25.204.254. Click “Add >>”
      When you are done, Click “OK.”
  5. Now to define which networks are allowed on which services.
    • Click “Security Policy” on the left and then in the center pane, click “Add.”
    • Change the Interface dropdown to “Outside” and make sure Direction says: “incoming.”
    • Under Source, change Type to “Network Object Group,” then select the group name we set previously.
    • Under Destination, click the “…” button by IP address, and select the outside, world-routable IP address of the device you wish to allow access to.
    • Change the Protocol dropdown to “tcp.”
    • Leave Source Port as “any.”
    • Under Destination Port, select the “Group” radio button.
    • In the dropdown, select the service group we previously defined.
    • Click OK.
    • Click “Apply.”
    • Now to save and reload the box, click “Tools/System reload”
    • Select “Save the running configuration at time of reload”
    • Click “Schedule Reload”
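To sanity-check what the static NAT rule and the access rules above actually permit before you reload the box, here is a small model of the policy in Python. It is an added example, not anything from the post or from Cisco: the public IP 203.0.113.10 and the outside-network/24 entry are constructed placeholders, while the inside address, the “office” subnet and the three service groups are the ones built in the steps above.

```python
import ipaddress
from dataclasses import dataclass

# Service groups exactly as built in the ASDM "Services" tab above.
# Each entry: (protocols the group applies to, low port, high port).
SERVICE_GROUPS = {
    "fileshare":     [({"tcp", "udp"}, 137, 139), ({"tcp", "udp"}, 445, 445)],
    "remotedesktop": [({"tcp", "udp"}, 3389, 3389)],
    "sql":           [({"tcp"}, 3306, 3306)],          # TCP-only group
}

# Network object group "office": the post's 172.25.204.0/24 plus an
# outside-network/24 entry (203.0.113.0/24 is a constructed placeholder).
NETWORK_GROUPS = {
    "office": [ipaddress.ip_network("172.25.204.0/24"),
               ipaddress.ip_network("203.0.113.0/24")],
}

# Static NAT: outside (public) IP -> real inside address.
STATIC_NAT = {"203.0.113.10": "192.168.10.111"}   # public IP is a placeholder

@dataclass
class Rule:
    src_group: str       # Source: Network Object Group
    dst_ip: str          # Destination: the outside, world-routable IP
    proto: str           # Protocol dropdown ("tcp" in the post)
    service_group: str   # Destination Port: Group

# Step 5 creates one incoming rule on the outside interface per service group.
INBOUND_RULES = [Rule("office", "203.0.113.10", "tcp", g) for g in SERVICE_GROUPS]

def service_matches(group: str, proto: str, port: int) -> bool:
    """True if the group contains this protocol/port (ranges are inclusive)."""
    return any(proto in protos and lo <= port <= hi
               for protos, lo, hi in SERVICE_GROUPS[group])

def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Return the inside address an inbound packet is delivered to, or None if dropped."""
    src = ipaddress.ip_address(src_ip)
    for r in INBOUND_RULES:
        # Pre-8.3 ASA matches the inbound ACL against the untranslated (public) IP,
        # which is why the post selects the outside IP as the rule's destination.
        if (r.dst_ip == dst_ip and r.proto == proto
                and any(src in net for net in NETWORK_GROUPS[r.src_group])
                and service_matches(r.service_group, proto, dst_port)):
            return STATIC_NAT.get(dst_ip)   # static NAT then maps it to the inside host
    return None   # implicit deny at the end of the access list
```

Note that because each rule's Protocol is “tcp”, UDP traffic to 137-139 or 445 is not permitted by these rules even though the service group was created as TCP-UDP; add a separate udp rule if the file shares need it.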

Update your server’s software firewall

Lastly, don’t forget to update the exceptions in the server’s software firewall!
If you were managing which subnets have access on the server’s software firewall, then instead of doubling up your efforts you may choose to change that option to “Any computer” and let the Cisco ASA 5505 restrict by subnet. If not, you may still want to add the new internal subnet so that other servers behind the firewall can have access too.

***If your NAT isn’t working***

I used these directions to set up my NAT, but found that my NAT’ed addresses were not able to access network resources outside of the firewall. Luckily, if you are having that trouble, I posted my solution here!

7 thoughts on “NAT and Port Forwarding on the Cisco ASA 5505”

  1. What version of ASDM are you using? I’m on 5.2(4) and I’m seeing different things than you.

    For instance: When adding a static NAT rule, I see Original and Translated, not Real Address and Static Translation, and there’s nowhere to modify the netmask. I add the internal IP of the server I’m forwarding to under Original, and when I enter the outside, routable IP which you want to use to access the device from outside the firewall (the public static IP from the ISP) under Translated, it says both IPs must have the same subnet mask and won’t let me continue.

  2. I’m setting up my first ASA 5505 and it definitely isn’t intuitive at all. Thank you for taking the time to share this information! I tried to start a blog that documented things I’ve figured out as well and it was a lot of work.

    I also wanted to say that apparently they changed everything around in ASDM 6.2. Along with the things mentioned by the previous commenter, adding a custom service like RDP doesn’t seem to follow the same procedure.

  3. It seems like there’s a “public server” option where you can configure remote access to internal servers using a different external IP. So far my test in the lab worked great. You can also manually add the port as tcp/3389 or whatever. So unless I’m missing something, they streamlined the process down from what you had to go through.

    1. That sounds like it! I imagine they’ve made it easier to do, I don’t believe they could make these things any harder to configure. It’s like they were trying to sell CNA classes or something… ;)
