Cisco ASA Port Forwarding

This example applies to the Cisco ASA 5506-X running v9.6.

The idea behind port forwarding is to make a resource that sits behind NAT reachable from outside. For example, if we host a website on ports 80 and 443 on our company server and want employees to have access externally, we use port forwarding to expose those two ports on the internet. Anyone who browses to the WAN address or domain name is then forwarded to the internal server where those ports are listening.

NOTE: The syntax for the following commands may differ slightly between versions and models of Cisco ASAs, but this should give you a general idea of how to configure a port forward.

1. First, identify the IP address of the server we want to forward to. In this example I will port forward an Apache web server whose IP address is 172.16.30.10. Now that we know the IP address, create a network object for that host, one per forwarded port.

asa> enable
asa# configure terminal
asa(config)# object network WEBSERVER_80
asa(config-network-object)# host 172.16.30.10
asa(config-network-object)# exit
asa(config)# object network WEBSERVER_443
asa(config-network-object)# host 172.16.30.10
asa(config-network-object)# exit

2. Create a static NAT statement under each object to forward ports 80 and 443. The two numbers after the protocol are the real (internal) port and the mapped (external) port, and the interface pair is written without a space after the comma.

asa(config)# object network WEBSERVER_80
asa(config-network-object)# nat (inside,outside) static interface service tcp 80 80
asa(config-network-object)# exit
asa(config)# object network WEBSERVER_443
asa(config-network-object)# nat (inside,outside) static interface service tcp 443 443
asa(config-network-object)# exit

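3. Create access-list entries that allow those ports to the internal server, then apply the access-list to the external interface by setting its access-group. The source "any" means the two ports are open to every host on the internet, not only to employees.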

asa(config)# access-list PORTFORWARD extended permit tcp any object WEBSERVER_80 eq 80
asa(config)# access-list PORTFORWARD extended permit tcp any object WEBSERVER_443 eq 443
asa(config)# access-group PORTFORWARD in interface outside

Now if we try to access our webserver from the WAN, we should be forwarded to the server hosting the Apache website.

Port 80 / HTTP

Port 443 / HTTPS
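
To check that the NAT rules from step 2 and the access-list from step 3 agree, the following Python script (an added example, not part of the original tutorial) parses a saved configuration and reports which ports are forwarded and permitted, permitted with no NAT rule behind them, or forwarded with no permit. The sample configuration is constructed from the steps above plus one extra tcp/22 line, and the regular expressions cover only the exact command forms used on this page.

```python
import re

# Constructed sample: the configuration from steps 1-3 plus one extra ACL line
# (tcp/22, added for this example) that has no NAT rule behind it.
SAMPLE_CONFIG = """\
object network WEBSERVER_80
 host 172.16.30.10
 nat (inside,outside) static interface service tcp 80 80
object network WEBSERVER_443
 host 172.16.30.10
 nat (inside,outside) static interface service tcp 443 443
access-list PORTFORWARD extended permit tcp any object WEBSERVER_80 eq 80
access-list PORTFORWARD extended permit tcp any object WEBSERVER_443 eq 443
access-list PORTFORWARD extended permit tcp any object WEBSERVER_80 eq 22
access-group PORTFORWARD in interface outside
"""

# Groups: mapped interface, protocol, real port (the mapped port is ignored).
NAT_RE = re.compile(r"nat \(\w+,(\w+)\) static interface service (tcp|udp) (\d+) \d+")
# Groups: ACL name, protocol, destination object, destination port.
ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp) any object (\S+) eq (\d+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def audit(config, outside="outside"):
    """Compare static port forwards with the ACL bound inbound on `outside`."""
    hosts, nat, acl, bound, obj = {}, set(), set(), set(), None
    for line in config.splitlines():
        body = line.strip()
        if line.startswith("object network "):
            obj = body.split()[2]
        elif line.startswith(" ") and obj:
            if body.startswith("host "):
                hosts[obj] = body.split()[1]
            elif (m := NAT_RE.match(body)) and m.group(1) == outside:
                # ASA 8.3+ ACLs match the real address and port, so keep those.
                nat.add((obj, m.group(2), int(m.group(3))))
        else:
            obj = None
            if m := ACL_RE.match(body):
                acl.add(m.groups())
            elif (m := GROUP_RE.match(body)) and m.group(2) == outside:
                bound.add(m.group(1))
    forwarded = {(hosts.get(o, o), p, port) for o, p, port in nat}
    permitted = {(hosts.get(o, o), p, int(port)) for n, p, o, port in acl if n in bound}
    return {"exposed": sorted(forwarded & permitted),
            "permit_without_nat": sorted(permitted - forwarded),
            "nat_without_permit": sorted(forwarded - permitted)}

if __name__ == "__main__":
    for key, entries in audit(SAMPLE_CONFIG).items():
        print(key, entries)
```

Entries under permit_without_nat are not reachable today but become live as soon as a matching NAT rule is added, so they are worth removing from the access-list.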