Cisco ASA-5505 Port Forwarding

cisco; cisco-asa; nat; port-forwarding

I have a Cisco ASA-5505 firewall, which is currently configured to share our internet connection and do NAT for my LAN, as well as forward port 443 to an internal machine.

I need to forward port 2222 to a second internal machine, and I'm running into a bit of trouble. My understanding is that typically packets are forwarded to a machine with a rule like:

static (inside,outside) [Public IP] [Internal IP] netmask 255.255.255.255

However, when I try to add two of these rules, they conflict with each other.

I tried adding port-specific rules like this instead:

static (inside,outside) tcp interface 443 [internal IP 1] 443 netmask 255.255.255.255
static (inside,outside) tcp interface 2222 [internal IP 2] 2222 netmask 255.255.255.255

But then both ports were filtered (as per nmap from a remote machine).

My access-list rules currently look like this:

access-list outside-in line 1 extended permit tcp any host [public IP] eq 443
access-list outside-in line 2 extended permit tcp any host [public IP] eq 2222

Can anyone provide me a working set of static and access-list rules that will forward port 443 to one machine, and port 2222 to a different machine?

EDIT: I should mention that, unfortunately, the only access I have to this ASA is via telnet – I can't use ASDM.

Best Answer

First, there can be some discrepancies based on what level of code you are running...

There's a difference between your old static NAT rule and the new rules that would be required to split up the ports from a single WAN IP to multiple internal IPs.

You can get the details from Cisco on how to do this here: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html

YouTube can also help visual learners; see here:

http://www.youtube.com/watch?v=ZvjrN9lYtsI
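A concrete configuration for the two-port case, added here as an illustration and not part of the original answer or of Cisco's documentation. It assumes the outside interface holds the single public IP, that the two internal hosts are 192.168.1.10 (HTTPS) and 192.168.1.20 (port 2222), and that `outside-in` is the ACL bound inbound on the outside interface; the addresses, object names and the public IP 203.0.113.10 used in the `packet-tracer` line are all placeholders. Because the syntax changed in ASA 8.3, both the older `static` form and the 8.3+ object NAT form are shown; check `show version` before deciding which to paste.

```cisco
! Added example, not from the original page. Addresses, object names and
! interface names are placeholders: adjust to your own LAN and ASA version.
!
! --- ASA 8.2 and earlier: port-specific static PAT to the outside interface IP
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp interface 2222 192.168.1.20 2222 netmask 255.255.255.255
!
! Pre-8.3 interface ACLs match the translated (public) address. Using
! "interface outside" instead of a literal host address keeps the ACL
! correct even if the outside IP is assigned by DHCP.
access-list outside-in extended permit tcp any interface outside eq 443
access-list outside-in extended permit tcp any interface outside eq 2222
!
! --- ASA 8.3 and later: the "static" command no longer exists; each
! forwarded host becomes a network object carrying its own NAT statement.
object network web-server
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443
object network ssh-server
 host 192.168.1.20
 nat (inside,outside) static interface service tcp 2222 2222
!
! From 8.3 on, interface ACLs are evaluated against the real (untranslated)
! address. An ACL that permits traffic to the public IP therefore never
! matches, and the port shows up as filtered from outside.
access-list outside-in extended permit tcp any object web-server eq 443
access-list outside-in extended permit tcp any object ssh-server eq 2222
!
! Common to both versions: an ACL does nothing until bound to the interface.
access-group outside-in in interface outside
!
! Verification from the telnet session (privileged exec mode)
show version | include Software
show running-config static
show running-config nat
show running-config access-group
clear xlate
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443
```

Paste only the section that matches the running version; the `static` lines are rejected on 8.3+ and the `object network` NAT lines on anything older. `clear xlate` drops stale translations after NAT changes, and `packet-tracer` walks a simulated SYN from the Internet through every phase (ACL, NAT, routing), so if a port still shows as filtered, the first phase reported as DROP tells you which of the lines above is wrong.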