Port Forwarding on Cisco ASA problem

nEkToSAN — Mon, 11 Sep 2023 19:00:56 GMT

Hi all!

I have two Cisco ASA 5585 in failover, Software Version 9.8(3)18.
I need to make Port Forwarding with NAT for access from outside host through ASA's interface to inside host. I made settings as always, but the access doesn't work.
There are parts of configuration for this access:

interface GigabitEthernet0/0.50
vlan 50
nameif outside
security-level 0
ip address 50.50.50.50 255.255.255.0
...
interface GigabitEthernet0/2.20
vlan 20
nameif inside
security-level 100
ip address 10.10.20.80 255.255.255.0
...
interface GigabitEthernet0/2.30
vlan 30
nameif inside2
security-level 100
ip address 10.10.30.80 255.255.255.0
...
object network H_10.10.20.116
host 10.10.10.116
...
object network H_10.10.30.59
host 10.10.30.59
...
object network H_77.77.77.77
host 77.77.77.77
...
object service tcp-8553-port
service tcp destination eq 8553
...
object service outside-40389-port
service tcp destination eq 40389
...
object service inside-3389-port
service tcp destination eq 3389
...
access-list from-outside extended permit tcp any object H_10.10.10.116 eq 8553
access-list from-outside extended permit tcp host 77.77.77.77 object H_10.10.30.59 eq 3389
...
nat (outside,inside) source static any interface destination static interface H_10.10.10.116 service tcp-8553-port tcp-8553-port
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port

There is packet-tracer output for faulty access:

asa-5585/sec/act(config)# packet-tracer input outside tcp 66.66.66.66 12345 50.50.50.50 8553

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 50.50.50.50 using egress ifc identity

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-outside in interface outside control-plane
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4191741927, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow

There is packet-tracer output for working access:

asa-5585/sec/act(config)# packet-tracer input outside tcp 77.77.77.77 12345 50.50.50.50 40389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:
NAT divert to egress interface inside2
Untranslate 50.50.50.50/40389 to 10.10.30.59/3389

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-outside in interface outside control-plane
access-list from-outside extended permit tcp host 77.77.77.77 object H_10.10.30.59 eq 3389
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:
Static translate 77.77.77.77/12345 to 10.10.30.80/12345

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group to-inside2 out interface inside2
access-list to-inside2 extended permit ip any any
Additional Information:

Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:

Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4168707154, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside2
output-status: up
output-line-status: up
Action: allow

What did I make wrong? How can I check the issue and renew normal work?

Re: Port Forwarding on Cisco ASA problem

Rob Ingram — Mon, 11 Sep 2023 19:37:12 GMT

@nEkToSAN remove your existing rule and add the following:

object network H_10.10.10.116
 host 10.10.10.116
 nat (inside,outside) static interface service tcp-8553-port tcp-8553-port

then try again and provide packet-tracer if it does not work.

Re: Port Forwarding on Cisco ASA problem

nEkToSAN — Tue, 12 Sep 2023 12:56:00 GMT

I tried that. And the result is:

asa-5585/sec/act# packet-tracer input outside tcp 66.66.66.66 12345 50.50.50.50 8553