topic Re: ASA UDP Port Forwarding in Network Security https://community.cisco.com/t5/network-security/asa-udp-port-forwarding/m-p/4406559#M1080935 <P>As an addition, I can telnet to the echo port from vIOS 3 to itself and that works fine.</P> Fri, 21 May 2021 12:03:56 GMT leighharrison 2021-05-21T12:03:56Z ASA UDP Port Forwarding https://community.cisco.com/t5/network-security/asa-udp-port-forwarding/m-p/4406557#M1080934 <P>Hello all,</P><P>&nbsp;</P><P>I'm having some trouble with an ASA not port forwarding correctly.&nbsp; I've no doubt I'm missing something, but can't see it.</P><P>&nbsp;</P><P>Set up is simple:-</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="port forwarding.PNG" style="width: 512px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/120904i802AD79F8373A226/image-size/large?v=v2&amp;px=999" role="button" title="port forwarding.PNG" alt="port forwarding.PNG" /></span></P><P>vIOS 3 is the "inside" - 10.0.0.10</P><P>vIOS 2 is the "outside" - 20.0.0.10</P><P>ASAv is 10.0.0.1 (inside) and 20.0.0.1 (outside)</P><P>&nbsp;</P><P>I've got the tcp and udp small servers running on vIOS 3 on the inside and some port-forwarding set up on the ASAv for:-</P><P>TCP 13 (daytime)</P><P>UDP 7 (echo)</P><P>&nbsp;</P><P>ASA config is:-</P><PRE>ciscoasa# sh run object object network r1-daytime host 10.0.0.10 object network r1-echo host 10.0.0.10 ciscoasa# sh run nat object network r1-daytime nat (any,outside) static interface service tcp daytime daytime object network r1-echo nat (any,outside) static interface service udp echo echo ciscoasa# sh run access-list access-list outside_access_in extended permit tcp any object r1-daytime eq daytime access-list outside_access_in extended permit udp any object r1-echo eq echo</PRE><P>I run both through packet tracer and both come out as allowed.</P><P>&nbsp;</P><P>I run a packet capture on the outside and I can see Echo (7) come in to the ASA and daytime (13):-</P><PRE> 15: 11:28:58.121865 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 16: 11:29:00.131401 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 17: 11:29:02.131920 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 18: 11:29:04.133461 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 19: 11:29:06.132866 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 20: 11:29:09.274369 20.0.0.10.49194 &gt; 20.0.0.1.7: S 665420328:665420328(0) win 4128 &lt;mss 1460&gt; 21: 11:29:11.276032 20.0.0.10.49194 &gt; 20.0.0.1.7: S 665420328:665420328(0) win 4128 &lt;mss 1460&gt; 22: 11:29:15.405328 20.0.0.10.49194 &gt; 20.0.0.1.7: S 665420328:665420328(0) win 4128 &lt;mss 1460&gt; 23: 11:29:24.947323 20.0.0.10.38899 &gt; 20.0.0.1.13: S 2964825655:2964825655(0) win 4128 &lt;mss 1460&gt; 24: 11:29:24.954128 20.0.0.1.13 &gt; 20.0.0.10.38899: S 2542277600:2542277600(0) ack 2964825656 win 4128 &lt;mss 536&gt; 25: 11:29:24.958156 20.0.0.10.38899 &gt; 20.0.0.1.13: . ack 2542277601 win 4128 26: 11:29:24.961177 20.0.0.10.38899 &gt; 20.0.0.1.13: . ack 2542277601 win 4128 27: 11:29:24.965495 20.0.0.1.13 &gt; 20.0.0.10.38899: . 2542277601:2542277636(35) ack 2964825656 win 4128 28: 11:29:24.967174 20.0.0.1.13 &gt; 20.0.0.10.38899: FP 2542277636:2542277636(0) ack 2964825656 win 4128 29: 11:29:24.974253 20.0.0.10.38899 &gt; 20.0.0.1.13: . ack 2542277637 win 4093 30: 11:29:24.977869 20.0.0.10.38899 &gt; 20.0.0.1.13: FP 2964825656:2964825656(0) ack 2542277637 win 4093 31: 11:29:24.979868 20.0.0.1.13 &gt; 20.0.0.10.38899: . ack 2964825657 win 4128 </PRE><P>On the inside I see only daytime going out (13):-</P><PRE> 1: 11:28:58.121407 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 2: 11:29:00.131371 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 3: 11:29:02.131905 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 4: 11:29:04.133309 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 5: 11:29:06.132851 10.0.0.10 &gt; 20.0.0.10: icmp: echo request 6: 11:29:24.947582 20.0.0.10.38899 &gt; 10.0.0.10.13: S 85698377:85698377(0) win 4128 &lt;mss 1380&gt; 7: 11:29:24.954113 10.0.0.10.13 &gt; 20.0.0.10.38899: S 1253307133:1253307133(0) ack 85698378 win 4128 &lt;mss 536&gt; 8: 11:29:24.958202 20.0.0.10.38899 &gt; 10.0.0.10.13: . ack 1253307134 win 4128 9: 11:29:24.961177 20.0.0.10.38899 &gt; 10.0.0.10.13: . ack 1253307134 win 4128 10: 11:29:24.965465 10.0.0.10.13 &gt; 20.0.0.10.38899: . 1253307134:1253307169(35) ack 85698378 win 4128 11: 11:29:24.967143 10.0.0.10.13 &gt; 20.0.0.10.38899: FP 1253307169:1253307169(0) ack 85698378 win 4128 12: 11:29:24.974284 20.0.0.10.38899 &gt; 10.0.0.10.13: . ack 1253307170 win 4093 13: 11:29:24.977869 20.0.0.10.38899 &gt; 10.0.0.10.13: FP 85698378:85698378(0) ack 1253307170 win 4093 14: 11:29:24.979838 10.0.0.10.13 &gt; 20.0.0.10.38899: . ack 85698379 win 4128 </PRE><P>There are no hits on the ASAv for the incoming echo rule, but when I run packet tracer it clocks up the hits.</P><P>&nbsp;</P><P>What am I missing to make the UDP port forwarding work?!?</P><P>&nbsp;</P><P>Best, Leigh</P> Fri, 21 May 2021 12:02:37 GMT https://community.cisco.com/t5/network-security/asa-udp-port-forwarding/m-p/4406557#M1080934 leighharrison 2021-05-21T12:02:37Z Re: ASA UDP Port Forwarding https://community.cisco.com/t5/network-security/asa-udp-port-forwarding/m-p/4406559#M1080935 <P>As an addition, I can telnet to the echo port from vIOS 3 to itself and that works fine.</P> Fri, 21 May 2021 12:03:56 GMT https://community.cisco.com/t5/network-security/asa-udp-port-forwarding/m-p/4406559#M1080935 leighharrison 2021-05-21T12:03:56Z