To set up port forwarding on a Cisco ASA (5505 or 5506 on my systems, but this is applicable to any PIX-type Cisco firewall) you need to set up a NAT translation rule and Access rules.
I mainly use ASDM for making changes as opposed to the command line. See Cisco ASA 5506 (and 5505, 5510) Basic Setup for details on setting up access.
The example given here is for port forwarding to a Minecraft server on the internal network at IP address 192.168.0.7 but is applicable to any device you want to make available on the internet.
Setting up the NAT rule:
Go to Configuration, Firewall, NAT Rules.
On the right-hand side you should see a list of Network Objects – adding a network object is the easiest way to add a port forwarding NAT rule. Click Add above the list.
Enter the name of the network object – this can be anything you like but should be descriptive of the type of server and service.
Select Host for the Type.
Enter the IP address of the server – the internal IP.
Click on the NAT heading at the bottom to expand the NAT options.
Tick the Add Automatic Address Translation Rules option.
Select Static for the Type.
Select your ‘outside’ interface for the Translated Address.
Then click Advanced.
Source Interface should be set to Any.
Destination Interface should be set to your ‘outside’ interface.
At this point you can specify the service ports to be used under the Real Port and Mapped Port options, or you can leave them blank if you are happy for any service to be used.
You may want to allow any service if you have a range of external IP addresses that you can use. You can assign a single external static IP for your internal server and set the NAT rule to Any service. This does not mean that you are allowing access on any port to the server, as you still have to set up Access rules to allow traffic through – you are just allowing access on any port from the ASA to the internal server.
In my case I only have one external IP address so I need to specify specific ports, as I also want to run a web server from a different internal machine and I may add other devices in future.
In the example above I have a Minecraft server which needs to allow access on port 25565, so that’s what I enter for the Real and Mapped ports (the Real port is the one being hit on the outside interface; you can map to a different port on the internal server if you wish).
I also need to set up port forwarding for UDP port 25565 – the Minecraft server requires both TCP and UDP protocols on port 25565.
So I set up a separate network object for the UDP port forwarding:
Unfortunately you cannot choose tcp/udp when setting up NAT rules, so you have to create two rules in this example – as mentioned earlier, if you have a number of external IP addresses available then you could set the service to Any and control ports using Access rules. You would then have just one NAT rule and one Access Rule (access rules allow you to specify tcp/udp).
You should now see something like this in your NAT rules list (note I also have my web server rule on port 80 (http) listed here as well):
Also note the general NAT rule at the bottom for translating internal addresses to external addresses for general browsing etc. See: Cisco ASA 5506 (and 5505, 5510) Basic Setup
Setting up Access Rules:
Go to Configuration, Firewall, Access Rules.
Select the ‘outside’ interface and select Add.
The interface should be set to ‘outside’.
The Action should be set to Permit.
The Source should be set to Any – you want everyone to be able to access your server.
Set the Destination to the Network Object you created under the NAT rules.
Under Service click the ellipsis (…) button.
In this example we need to create a new Service Object corresponding to the port required (25565).
Under the Add option select Service Object.
Enter a Name of your choice.
Select the Service type.
The destination port should be set to the Real port you are forwarding.
Leave the source port as the default – machines connecting may use any port in the allowable range to connect to a service on the internet so you have to cater for any port.
Click OK, make sure the Service Object you just created is selected and click OK.
Click OK and Apply to set your new Access Rule.
We also need to set up a separate rule for the UDP port 25565 that we also need to forward:
As mentioned before, in the case of a NAT rule covering any service you can add just one Access Rule that covers both tcp and udp.
You should now have an Access Rules screen that looks something like this:
Make sure you click Apply and you are all done.
Remember that any firewall on your servers also has to be set to allow traffic on the port you have forwarded.
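The whole procedure above (the two NAT network objects, the two access rules, the any-service variant described in the NAT section, and a way to check the result from the console) as an added CLI example. This is not configuration or output from the original post: it assumes ASA 8.3+ object NAT syntax, interfaces named inside and outside, an inside subnet of 192.168.0.0/24, the object and ACL names shown, and placeholder public addresses from the documentation ranges (198.51.100.1 for the outside interface, 198.51.100.2 for a spare public IP, 203.0.113.10 for an internet client).

```cisco
! Added example: CLI equivalent of the ASDM steps (not from the original post).
! Assumes ASA 8.3+ object NAT, interfaces "inside"/"outside", and the names below.

! --- NAT: one network object per protocol, because an object NAT rule can carry
!     only a single tcp OR udp service. In "service tcp <real> <mapped>" the first
!     port is the one on the inside host and the second is the one exposed on the
!     outside interface; both are 25565 here so the order makes no difference.
!     "(any,outside)" matches the ASDM choice of Source Interface = Any.
object network MC_SERVER_TCP
 host 192.168.0.7
 nat (any,outside) static interface service tcp 25565 25565
object network MC_SERVER_UDP
 host 192.168.0.7
 nat (any,outside) static interface service udp 25565 25565

! The general outbound rule from the Basic Setup page (inside subnet assumed).
! Static object NAT is evaluated before dynamic object NAT, so the two forwards
! above take precedence over this rule for the server's own traffic.
object network INSIDE_LAN
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Access rules applied inbound on the outside interface. On 8.3+ the ACL
!     destination is the REAL (inside) object, never the translated outside IP.
object service MC_TCP_25565
 service tcp destination eq 25565
object service MC_UDP_25565
 service udp destination eq 25565
access-list OUTSIDE_ACCESS_IN extended permit object MC_TCP_25565 any object MC_SERVER_TCP
access-list OUTSIDE_ACCESS_IN extended permit object MC_UDP_25565 any object MC_SERVER_UDP
access-group OUTSIDE_ACCESS_IN in interface outside

! --- Alternative (use INSTEAD of the two port-specific objects above) when a
!     spare public IP is available: one static NAT with no service restriction,
!     and a single access rule whose service group names both tcp and udp.
!     Every other port on that public IP is still blocked because nothing else
!     is permitted in OUTSIDE_ACCESS_IN.
object network MC_SERVER_PUBLIC_IP
 host 198.51.100.2
object network MC_SERVER_ALL_PORTS
 host 192.168.0.7
 nat (any,outside) static MC_SERVER_PUBLIC_IP
object-group service MC_25565_TCP_UDP
 service-object tcp destination eq 25565
 service-object udp destination eq 25565
access-list OUTSIDE_ACCESS_IN extended permit object-group MC_25565_TCP_UDP any object MC_SERVER_ALL_PORTS

! --- Verification after "Apply"/write memory. "show nat" reports translate and
!     untranslate hits per rule, "show access-list" reports hitcnt per line, and
!     packet-tracer walks a synthetic inbound packet through the UN-NAT and
!     ACCESS-LIST phases so you can see which rule allows or drops it.
show running-config nat
show nat
show access-list OUTSIDE_ACCESS_IN
packet-tracer input outside tcp 203.0.113.10 51000 198.51.100.1 25565
packet-tracer input outside udp 203.0.113.10 51000 198.51.100.1 25565
```

If packet-tracer ends with DROP in the ACCESS-LIST phase, the NAT objects are fine and the access rule is missing or points at the wrong object; a DROP in the NAT/UN-NAT phase means the forward itself was not matched (wrong protocol, port or interface pair). Because the two static objects both point at 192.168.0.7, keeping the inside address in a single place per protocol avoids the common mistake of editing one object and forgetting the other.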