You would then have just one NAT rule and 1 Access Rule (access rules allow you to specify tcp/udp). Unfortunately you cannot choose tcp/udp when setting up NAT rules so you have to create two rules in this example – as mentioned earlier if you have a number of external IP addresses available then you could set service to Any and control ports using Access rules. So I setup a separate network object for the UDP port forwarding: I also need to setup port forwarding for UDP port 25565 – Minecraft server requires both TCP and UDP protocols on port 25565. You can map to a different port on the internal server if you wish). In the example above I have a Minecraft server which needs to allow access on port 25565 so that’s what I enter for the Real and Mapped ports (real port is the one being hit on the outside interface. In my case I only have one external IP address so I need specify specific ports as I also want to run a web server from a different internal machine and I may add other devices in future. This does not mean that you are allowing access on any port to the server as you still have to setup Access rules to allow traffic through – you are just allowing access on any port from the ASA to the internal server.
![open port on cisco asa 5505 using asdm open port on cisco asa 5505 using asdm](https://www.cisco.com/c/dam/en/us/td/i/100001-200000/110001-120000/114001-115000/114414.tif/_jcr_content/renditions/114414.jpg)
You can assign a single external static IP for your internal server and set the NAT rule to Any service. You may want to allow any service if you have a range of external IP numbers that you can use. Select your ‘outside’ interface for the Translated Address.ĭestination Interface should be set to your ‘outside’ interface.Īt this point you can specify specific service ports to be used under the Real Port and Mapped Port options or you can leave them blank if you are happy for any service to be used. Tick the Add Automatic Address Translation Rules option. Click Add above the list.Įnter the name of the network object – this can be anything you like but should be descriptive of the type of server and service.Įnter the IP address of the server – the internal IP.Ĭlick on the NAT heading at the bottom to expand the NAT options. On the right hand side you should see a list of Network Objects – adding a network object is the easiest way to add a port forwarding NAT rule. The example given here is for port forwarding to a Minecraft server on the internal network at IP address 192.168.0.7 but is applicable to any device you want to make available on the internet. See Cisco ASA 5506 (and 5505, 5510) Basic Setup for details on setting up access. I mainly use ASDM for making changes as opposed to the command line.
![open port on cisco asa 5505 using asdm open port on cisco asa 5505 using asdm](https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/discussions-network-security/147824/1/asa_natrules_170111.jpg)
To setup port forwarding on a Cisco ASA (5505 or 5506 on my systems but is applicable to any PIX type Cisco firewall) you need to setup a NAT translation rule and Access rules.