Sadikhov IT Certification forums
Eyasu

Unable to Port Forward on ASA 5512-X ver. 9.1


Hey, guys.


I am kind of new to this forum. And now I need your expertise about port forwarding on the ASA 5512-X ver. 9.1, based on the topology and my detailed ASA configuration. All port forwards worked on the Router 2600 series. Now we have just removed the Router and replaced it with the ASA.


My detailed topology is below. For further clarification, there is an EPON bridge between the ASA and the ISP router.


[Image: sheger topology.png]


DETAIL OF ASA CONFIGURATION:

===============================================================================

ASA Version 9.1(2) 
!
hostname CORE-FW
domain-name 
enable password encrypted
names
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 10.130.80.2 255.255.255.252 
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 172.24.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 80
ip address 172.24.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif Management
security-level 90
ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
dns server-group DefaultDNS
domain-name 
object network PUBLIC_IPS
range 196.188.28.217 196.188.28.218
object network PUBLIC_IP1
host 196.188.28.217
object network PUBLIC_IP2
host 196.188.28.218
object network INSIDE_NET
subnet 172.24.10.0 255.255.255.0
object network DMZ_NET
subnet 172.24.16.0 255.255.255.0
object network SERVER_IP
host 172.24.16.8
access-list ALLOW-SERVER extended permit icmp any any echo log
access-list ALLOW-SERVER extended permit icmp any any echo-reply
access-list ALLOW-SERVER extended permit tcp any object SERVER_IP eq 3309
access-list ALLOW-SERVER extended permit tcp any object SERVER_IP range 2002 2003
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu Management 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network INSIDE_NET
nat (INSIDE,OUTSIDE) dynamic pat-pool PUBLIC_IPS
object network DMZ_NET
nat (DMZ,OUTSIDE) dynamic pat-pool PUBLIC_IPS 
object network SERVER_IP
nat (DMZ,OUTSIDE) static PUBLIC_IP1
access-group ALLOW-SERVER in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.130.80.1 1
route INSIDE 172.24.0.0 255.255.240.0 172.24.10.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 172.24.10.0 255.255.255.0 INSIDE
telnet 192.168.1.0 255.255.255.0 Management
telnet timeout 5
ssh 172.24.10.0 255.255.255.0 INSIDE
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username password encrypted
!
class-map inspection_default
match default-inspection-traffic
class-map inspection_defualt
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
dns-guard
protocol-enforcement
nat-rewrite
policy-map global_policy
class inspection_default
inspect dns preset_dns_map 
inspect ftp 
inspect h323 h225 
inspect h323 ras 
inspect rsh 
inspect rtsp 
inspect esmtp 
inspect sqlnet 
inspect skinny 
inspect sunrpc 
inspect xdmcp 
inspect sip 
inspect netbios 
inspect tftp
inspect ip-options
inspect icmp 
inspect http 
policy-map global-policy
!
service-policy global_policy global
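As an added example (not code from the original post), a small Python audit of the NAT and ACL lines in the configuration above: it parses a constructed excerpt of the posted config and checks the two things most often wrong with ASA 8.3+ port forwards, namely that the inbound ACL on OUTSIDE references the real (untranslated) server object rather than the public address, and whether a static mapped address is also handed out by a dynamic PAT pool. The excerpt, the `parse` and `audit` names and the finding wording are mine.

```python
import ipaddress
import re
# Constructed excerpt of the ASA config posted above (only the lines these checks read).
ASA_CONFIG = """\
object network PUBLIC_IPS
range 196.188.28.217 196.188.28.218
object network PUBLIC_IP1
host 196.188.28.217
object network SERVER_IP
host 172.24.16.8
access-list ALLOW-SERVER extended permit tcp any object SERVER_IP eq 3309
object network INSIDE_NET
nat (INSIDE,OUTSIDE) dynamic pat-pool PUBLIC_IPS
object network SERVER_IP
nat (DMZ,OUTSIDE) static PUBLIC_IP1
access-group ALLOW-SERVER in interface OUTSIDE
"""

def parse(cfg):
    # objects: name -> set of addresses; nats: (real obj, egress ifc, kind, mapped obj)
    objects, nats, acls, groups, current = {}, [], {}, {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            objects.setdefault((current := m.group(1)), set())
        elif m := re.match(r"host (\S+)$", line):
            objects[current].add(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"range (\S+) (\S+)$", line):
            lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
            objects[current].update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        elif m := re.match(r"nat \((\S+),(\S+)\) (static|dynamic)(?: pat-pool)? (\S+)", line):
            nats.append((current, m.group(2), m.group(3), m.group(4)))
        elif m := re.match(r"access-list (\S+) extended permit \S+ any object (\S+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))  # ACL -> objects it permits
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups[m.group(2)] = m.group(1)  # interface -> inbound ACL name
    return objects, nats, acls, groups

def audit(cfg):
    objects, nats, acls, groups = parse(cfg)
    pat_pools = {mapped for _, _, kind, mapped in nats if kind == "dynamic"}
    findings = []
    for real, egress, _, mapped in [n for n in nats if n[2] == "static"]:
        # ASA 8.3+: the inbound ACL on the egress interface must permit the REAL address
        if real not in acls.get(groups.get(egress, ""), []):
            findings.append(f"no ACL on {egress} permits real object {real}")
        for pool in pat_pools:  # a mapped address shared with a PAT pool is worth a look
            if objects[mapped] & objects[pool]:
                findings.append(f"static mapped address {mapped} is also in PAT pool {pool}")
    return findings
```

The audit cannot see what the config alone does not show, for instance whether the upstream router actually routes 196.188.28.217 and .218 toward the OUTSIDE address 10.130.80.2 (they are not on the OUTSIDE subnet), which has to hold before any inbound translation matters.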
