The ASA firewall is used to protect the internal network from outside threats. It scans all the traffics that is traversing through the firewall. By default, the firewall blocks all the traffic that ate intended to reach the internal network from the outside network. If we need to enable access to specific network resources from the outside network then we have to allow that traffic. And we can allow any traffic through the firewall using some features. One of them is called "Port Forwarding".
In this tutorial, we are going to learn how to configure the port forwarding feature in the ASA firewall. Using the port forwarding feature we can forward specific traffic to another IP address as well as another port number. Sometimes port forwarding is called PAT (Port Address Translation).
In this tutorial, we are going to forward the "FTP" port to my local FTP server using the ASDM tool. This will allow access to our local FTP server from the outside network. We will go through the step-by-step process.
After login into the firewall using ASDM, we will go to the "Configuration" tab and then we will click on the "Firewall" button from the left panel. After click on the "Firewall" button, we will select "NAT Rules" from the "Firewall Configuration Page".
Now click on the "Add" drop-down menu button and select "Add Network Object NAT Rule".
Now write a name for this entry into the "Name" field. We named it "FTP_Traffic_Forward". Please note that we can't use space in the name field. Now select the "Host" value from the "Type" parameter. Write the local FTP server IP address in the "IP Address" field. We assume that our FTP server IP address is 192.168.1.10.
Now we have to be sure that the "Add Automatic Address Translation Rules" button is ticked. Select the "Static" value from the drop-down menu in the "Type" field. Select your "Outside" interface in the "Translated Addr" field. Here, the outside interface is representing your WAN interface. In this example, our outside interface name is "outside".
Now click on the "Advanced" button.
In the "Advanced" settings, select your inside interface in the "Source Interface" field. Here, the inside interface is representing your LAN interface and we assume that our inside interface name is "inside". Now select your outside interface in the "Destination Interface" field. Here, the outside interface is representing your WAN interface. Make sure the "TCP" value is selected in the "Protocol" field. Now write your FTP service port number in the "Real Port" as well as in the "Mapped Port". We know that the default FTP service port number is 21.
That's it. All the work is done. After click on the "OK" button and "Apply" the configuration, the new rule will ready to be worked. To apply this setting in the "Running-Config" just click on the "Apply" button.
One more thing we have to do. The traffic has to be allowed by ACL also. By default firewall drop all the traffic that is coming through the Outside interface. That's why we have to create an access control list in the "Outside" interface so that the traffic is not going to block by the firewall.
To add an ACL in the "Outside" interface click on the "Access Rules" button from the firewall configuration page.
To add an access rule click on the add button.
After opening the "Add Access Rule" window, select your outside interface from the "Interface" parameter. According to our scenario, our outside interface will be "Outside". Select the "Permit" radio button as we are going to allow the traffic through this ACL. For the "Source Criteria" and the "Destination Criteria" section, leave the default settings in the "Source" and "Destination" parameter boxes. As the default, the "Source" and "Destination" parameter values will be "any". After then click on the "Service" parameter box. Now write your service name that is "FTP" according to our scenario. During you enter the service name, you will be noticed that the list of the possible services is shown based on your keyword. Just select your desire one from that list.
After that click on the "More Options" drop-down button. Now click on the "In" radio button in the "Traffic Direction" parameter, since we are configuring the ACL to allow the traffic from outside networks that are intended to access our local network using the internet. Finally, click on "OK" to close this window.
From now on our local FTP server will be accessible from the internet. The firewall will allow all the traffic that is intended to go to the FTP server. This process also called the "Destination NAT".
