Question : configuring asa to PAT port 9191 to 9100

I have a Cisco ASA 5505 that I want to forward raw printer traffic through using different ports on the outside interface and translating to port 9100 internally. I'm just testing with port 9100 using PAT to forward to 9100, but I can't seem to get it to work. I'll eventually want to use ports 9191 and 9192 if I can get at least something forwarded through. I don't have access to the firewall config of where the traffic is coming from, as it's a hosted server, but I think it's supposed to be open.

Here is the config for the device.

 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:

: Saved
:
ASA Version 7.2(3) 
!

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.193.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.139.245 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport monitor Ethernet0/3 
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ********** encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xx.xx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NONAT extended permit ip 192.168.193.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list NONAT extended permit ip 192.168.193.0 255.255.255.0 host 10.100.5.230 
access-list L2L extended permit ip 192.168.193.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 192.168.193.0 255.255.255.0 host 10.100.5.230 
access-list outside_access_in extended permit tcp any eq 9100 host x.x.139.245 eq 9100 
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.193.0 255.255.255.0
static (inside,outside) tcp x.x.139.245 9100 192.168.193.75 9100 netmask 255.255.255.255  norandomseq
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.180.139.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
aaa authentication serial console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 outside
http w.w.42.106 255.255.255.255 outside
http 192.168.1.33 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community Exxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address L2L
crypto map outside_map 1 set peer u.u.154.7 
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer z.z.58.3 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 30
management-access inside

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy motovpn internal
username atsnetworking password ***** encrypted privilege 15
username emsadmin password ****** encrypted privilege 15
tunnel-group w.w.42.106 type ipsec-l2l
tunnel-group w.w.42.106 ipsec-attributes
 pre-shared-key *
tunnel-group y.y.206.158 type ipsec-l2l
tunnel-group y.y.206.158 ipsec-attributes
 pre-shared-key *
tunnel-group u.u.154.7 type ipsec-l2l
tunnel-group u.u.154.7 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.139.245 type ipsec-l2l
tunnel-group x.x.139.245 ipsec-attributes
 pre-shared-key *
tunnel-group z.z.58.3 type ipsec-l2l
tunnel-group z.z.58.3 ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:*********
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

Answer : configuring asa to PAT port 9191 to 9100

you can at least find out if the traffic is coming in by doing a capture

access-list caplist outside_access_in extended permit tcp any host x.x.139.245 eq 9100
cap cap1 int outside access-list caplist

then after the test:
sh cap cap1

or even before that you can check the hitcount of the access-list with
sh access-list outside_access_in
Random Solutions  
 
programming4us programming4us