Cisco ASA Port Forwarding

Create and add your ports:
object-group service TEST tcp
port-object eq 443

Now create an access-list:
access-list outside_access_in extended permit tcp any interface outside object-group TEST

Create a static PAT mapping:
static (inside,outside) tcp interface 443 443 netmask

Create the access-group:
access-group outside_access_in in interface outside

ERROR: unable to reserve port 443 for static PAT

The issue here is that the http service on the ASA is running off of the standard port 80. Log in to the firewall and run the following.

no http server enable

http server enable 8080

Now you should be able to add a NAT/PAT on port 443 to another server of your liking. Just remember when you attempt to use ASDM to manage the ASA in the future to specify the new port 8080.
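Added example, not part of the original page: the access-list above permits the forwarded port from any source, so after adding forwards it is worth listing which of them are reachable from everywhere. This Python script parses only the pre-8.3 command forms used above (service object-group, access-list to the interface address, static PAT, access-group); the sample config, the inside host addresses, the 203.0.113.5 source and the function names are constructed for illustration.

```python
import re
# Constructed sample in the pre-8.3 syntax shown above. The inside hosts and
# the 203.0.113.5 source are placeholders, not values from the page.
SAMPLE = """\
object-group service TEST tcp
 port-object eq 443
access-list outside_access_in extended permit tcp any interface outside object-group TEST
access-list outside_access_in extended permit tcp host 203.0.113.5 interface outside eq 3389
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.20 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

NAMES = {"www": "80", "https": "443", "ssh": "22", "telnet": "23"}  # ASA port keywords
ACE = re.compile(r"access-list (\S+) extended permit tcp "
                 r"(any|host \S+|object-group \S+|\S+ \S+) interface (\S+) "
                 r"(?:eq (\S+)|object-group (\S+))")
PAT = re.compile(r"static \((\S+),(\S+)\) tcp interface (\S+) (\S+) (\S+)")
BIND = re.compile(r"access-group (\S+) in interface (\S+)")

def audit_forwards(config):
    """Return [(outside_port, inside_host, [permitted sources])] per static PAT."""
    groups, current = {}, None          # service object-group -> set of ports
    aces, pats, bound = [], [], {}      # bound: interface -> inbound ACL name
    for line in map(str.strip, config.splitlines()):
        if line.startswith("object-group service "):
            current = groups.setdefault(line.split()[2], set())
        elif line.startswith("port-object eq ") and current is not None:
            current.add(NAMES.get(line.split()[2], line.split()[2]))
        else:
            current = None              # any other command closes the group
            if m := ACE.match(line):
                aces.append(m.groups())
            elif m := PAT.match(line):
                pats.append(m.groups())
            elif m := BIND.match(line):
                bound[m.group(2)] = m.group(1)
    report = []
    for _real_if, mapped_if, mport, host, _rport in pats:
        mport, sources = NAMES.get(mport, mport), set()
        for acl, src, ifc, eq, grp in aces:
            ports = {NAMES.get(eq, eq)} if eq else groups.get(grp, set())
            if acl == bound.get(mapped_if) and ifc == mapped_if and mport in ports:
                sources.add(src)
        report.append((mport, host, sorted(sources)))
    return report

def open_to_any(config):
    return [(p, h) for p, h, srcs in audit_forwards(config) if "any" in srcs]
```

Run `open_to_any()` over the text of `show running-config`; each tuple it returns is a forward that would benefit from a narrower source in its access-list entry.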

Enable SSH and TELNET login on Cisco ASA 7.x inside Interface

Configuration with ASDM 6.x

Complete these steps:

  1. Choose Configuration > Device Management > Users/AAA > User Accounts in order to add a user with ASDM.
  2. Choose Configuration > Device Management > Users/AAA > AAA Access > Authentication in order to set up AAA authentication for SSH with ASDM.
  3. Choose Configuration > Device Setup > Device Name/Password in order to change the Telnet password with ASDM.
  4. Choose Configuration > Device Management > Certificate Management > Identity Certificates, click Add and use the default options presented in order to generate the same RSA keys with ASDM.
  5. Under Add a new Identity certificate click New in order to add a default key pair if one does not exist. Then, click Generate Now.
  6. Choose Configuration > Device Management > Management Access > Command Line (CLI) > Secure Shell (SSH) in order to use ASDM to specify hosts allowed to connect with SSH and to specify the version and timeout options.
  7. Click Save on top of the window in order to save the configuration.
  8. When prompted to save the configuration on flash, choose Apply in order to save the configuration.

How to port forward with a Cisco ASA via ASDM

Create NAT Rule

  • Click Configuration (top)
  • Click Firewall (bottom-left)
  • Click NAT Rules (middle-left)
  • Select Add->Static NAT Rule
  • Original
    • Interface: inside
    • Source:
  • Translated
    • Interface: Outside
    • Select Use Interface IP Address
  • Port Address Translation (PAT)
    • Check Enable Port Address Translation (PAT)
    • Protocol: TCP
    • Original Port: 3389
    • Translated Port: 3389
  • Click OK


Create Access Rule

  • Click Access Rules
  • Select Add->Add Access Rule
    • Interface: outside
    • Action: Permit
    • Source: any
    • Destination: or the object you created
    • Service: tcp/3389
    • Enable Logging: unchecked