Cisco ASA NAT
I am currently setting up a Cisco ASA 5505. I’ve had plenty of experience with Cisco PIXs and the 800 series routers, but not with an ASA before. I’ve always been one for using the CLI (command line interface), as I feel it makes you understand better what is going on, rather than just ticking a few boxes.
Since version 8.3 of the ASA software, Cisco have changed the way NAT works. After some head scratching, here is how to do it, along with mapping a port across to an inside server. It was a bit more of an added head scratcher for me because I was testing this on a connection with a dynamic external IP, and all the examples I could find used static IP(s).
General NAT and forwarding to the same port
NAT anything object (I can’t specify the external IP(s) as they’re dynamic)..
object network obj_any
subnet 0.0.0.0 0.0.0.0
Create an entry for the IP of the webserver (you have to do this for each different port from what I can see, which seems a bit silly - someone please correct me if I am wrong!)…
object network webserver_www
host 192.168.1.254
This allows anything outside to access port 80 on the webserver..
access-list outside_access extended permit tcp any any eq www log
This performs general NAT (dynamic PAT to the outside interface address) on the anything object defined above…
object network obj_any
nat (inside,outside) dynamic interface
This NATs port 80 on the outside interface to port 80 on the inside webserver object (see more below for when you have different ports.. they’ve changed it.. it’s back to front now!). The object name must match the one created above…
object network webserver_www
nat (inside,outside) static interface service tcp www www
This tells it where to apply the access-list outside_access made above (outside interface on traffic coming in)..
access-group outside_access in interface outside
Port forwarding from a different port on the outside to the inside
So imagine now we want to open SSH to the web server.
Create the object with the internal IP (see, why do we have to do this again? I can’t see how you can apply more than one NAT rule to the same object though)…
object network webserver_ssh
host 192.168.1.254
Allow anyone to SSH in. Note that we are about to open port 24 on the outside to port 22 (the normal port) on the inside, yet in the access-list you tell it the inside port. See, back to front to what I am used to!…
access-list outside_access extended permit tcp any any eq ssh
If you want to restrict this at all (the first `host` is the remote source address, the second is the inside server)..
access-list outside_access extended permit tcp host <outside IP> host <inside IP> eq ssh
Now perform that NAT..
object network webserver_ssh
nat (inside,outside) static interface service tcp ssh 24
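Putting the two sections together, here is the whole configuration as one added example, written by the editor rather than taken from the post, with the verification commands a practitioner would run afterwards. Object NAT (the `nat` statement inside `object network`) allows exactly one NAT rule per network object, which is why the post needs a separate object for each forwarded service; the alternative that avoids the duplicate objects is manual (twice) NAT, not shown here. The management source range `198.51.100.0/24` and the object name `mgmt_src` are constructed for this example, and `<outside-interface-IP>` is a placeholder for whatever address the dynamic outside interface currently holds.

```cisco
! Inside host that receives both forwards; one network object per object-NAT rule
object network webserver_www
 host 192.168.1.254
object network webserver_ssh
 host 192.168.1.254

! Everything behind the ASA gets dynamic PAT to the (dynamic) outside address
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! outside:80 -> 192.168.1.254:80 (real port first, mapped port second)
object network webserver_www
 nat (inside,outside) static interface service tcp www www

! outside:24 -> 192.168.1.254:22 (real port first, mapped port second)
object network webserver_ssh
 nat (inside,outside) static interface service tcp ssh 24

! Constructed management source range; replace with the real admin network
object network mgmt_src
 subnet 198.51.100.0 255.255.255.0

! Post-8.3 ACLs match the real (inside) address and real port, so "eq ssh", not 24.
! Web is open to anyone; SSH is limited to the management range.
access-list outside_access extended permit tcp any object webserver_www eq www log
access-list outside_access extended permit tcp object mgmt_src object webserver_ssh eq ssh log
access-group outside_access in interface outside

! Verification (exec mode): confirm the translations and hit counts exist
show nat
show xlate
show access-list outside_access

! Simulate an external host from the management range hitting the mapped SSH port;
! the output should show the UN-NAT phase landing on 192.168.1.254/22 and an ALLOW result
packet-tracer input outside tcp 198.51.100.10 40000 <outside-interface-IP> 24
```

The `packet-tracer` run is worth repeating from a source outside `mgmt_src` as well: that trace should end in a DROP at the ACL phase, which confirms the restriction is actually doing something and not just the NAT.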