topic Re: Issue with PAT Setup ASA 5508 9.16(1) in Network Security

Issue with PAT Setup ASA 5508 9.16(1)

vdzpro — Wed, 25 Jun 2025 15:56:09 GMT

Trying to get a port forward setup for a server behind the firewall and having an issue getting it to work. The traffic appears to be dropping after touching the outside interface, even though an outside ACL is created for this traffic.

Here are the configuration line items:

interface GigabitEthernet1/8
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.252

interface GigabitEthernet1/4
nameif DMZ3
security-level 40
ip address 10.12.13.190 255.255.255.0

object network server-1

host 10.12.13.200
nat (DMZ3,outside) static interface service tcp 51210 51210

access-list outside_access_in extended permit tcp any host 10.12.13.200 eq 51210

access-group outside_access_in in interface outside

Am I missing something? All the docs I find on ASA 9 setup this appears to be all you need.

Re: Issue with PAT Setup ASA 5508 9.16(1)

MHM Cisco World — Wed, 25 Jun 2025 15:41:59 GMT

10.12.13.190 <<- this IP is IP of interface not real IP of Server

MHM

Re: Issue with PAT Setup ASA 5508 9.16(1)

vdzpro — Wed, 25 Jun 2025 15:58:25 GMT

Sorry, I was trying to obfuscate the IPs and messed up the addresses for the host and access-list. I fixed the config line items above. It should be 10.12.13.200. Even with this config it was not working.

Re: Issue with PAT Setup ASA 5508 9.16(1)

MHM Cisco World — Wed, 25 Jun 2025 16:01:09 GMT

Can I see

Show run nat

MHM

Re: Issue with PAT Setup ASA 5508 9.16(1)

vdzpro — Thu, 26 Jun 2025 15:11:52 GMT

Yes, here it is.

nat (DMZ2,outside) source dynamic WSUS interface
nat (DMZ2,outside) source dynamic AV_SVR interface
nat (InternetAccess,outside) source dynamic any interface
nat (DMZ1,outside) source static WebProxy WebProxy destination static NETWORK_OBJ_10.12.19.240_28 NETWORK_OBJ_10.12.19.240_28 no-proxy-arp route-lookup
nat (DMZ1,outside) source static NETWORK_OBJ_10.12.19.0_24 NETWORK_OBJ_10.12.19.0_24 destination static NETWORK_OBJ_10.12.19.240_28 NETWORK_OBJ_10.12.19.240_28 no-proxy-arp route-lookup
nat (DMZ1,outside) source dynamic WebProxy interface
!
object network NAT_Mob
nat (DMZ2,outside) dynamic interface
object network server-1
nat (DMZ3,outside) static interface service tcp 51210 51210

Re: Issue with PAT Setup ASA 5508 9.16(1)

MHM Cisco World — Thu, 26 Jun 2025 15:27:29 GMT

I need to see

Show nat

Not show run (appear NAT config)

What I think is that the NAT order is issue here

There is NAT above your request NAT which make traffic drop

MHM

Re: Issue with PAT Setup ASA 5508 9.16(1)

ahollifield — Thu, 26 Jun 2025 16:51:24 GMT

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744798.html

https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/asa-9-16-asav-asdm-release-7-16-eol.html#:~:text=Cisco%20announces%20the%20end%2Dof,)%20is%20November%2018%2C%202025.

Re: Issue with PAT Setup ASA 5508 9.16(1)

swj — Fri, 27 Jun 2025 00:36:36 GMT

Run packet tracer and share the output where it is dropping.

packet-tracer input outside tcp <Source-ip from external> 1234 <Interface-IP-of-Firewall> 51210 share the output to understand what NAT is hitting.

Show log | inc 10.12.13.200/<Source-ip from external>

This too helps understand what is happening.

Re: Issue with PAT Setup ASA 5508 9.16(1)

vdzpro — Fri, 27 Jun 2025 20:08:05 GMT

Thank you for all the responses. I have to schedule the time with the on-site contact, so it takes a little more time to gather the requested information.

Re: Issue with PAT Setup ASA 5508 9.16(1)

Aref Alsouqi — Wed, 02 Jul 2025 11:30:31 GMT

I can't see anything wrong with your config and based on the provided NAT rules configs there shouldn't be any other NAT rule that would match the traffic destined to host 10.12.13.200. In addtion to what @swj suggested, you could also run some packet capture on DMZ3 interface to see if there is any traffic leaving the firewall towards the host 10.12.13.200. You can also issue the command "show xlate" which should show you the NAT rules in use.

I personally suspect that the issue you are experiencing is on the server side, not on the firewall. Maybe the server has a local firewall turned on and it's not allowing the traffic destined to port 51210/tcp to pass through, or maybe the application that is using this port is down or is using a different port. If the server is running on Windows then you could use the command (netstat -an | find "51210") to check the listening ports, if Linux I think it's (netstat -lnt).

Here is an example of how to run packet capture on the ASA:

capture VDZPRO interface real-time DMZ3 match tcp any host 10.12.13.200 eq 51210

This will show you the capture in real time. Just remember please to stop and delete the capture once you finish with the command "no capture VDZPRO".

Re: Issue with PAT Setup ASA 5508 9.16(1)

vdzpro — Wed, 09 Jul 2025 18:38:01 GMT

Here is the show nat:

Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (outside) source dynamic nlp_client_0_0.0.0.0_17proto53_intf6 interface destination static nlp_client_0_ipv4_2 nlp_client_0_ipv4_2 service nlp_client_0_17svc53_1 nlp_client_0_17svc53_1
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_::_17proto53_intf6 interface ipv6 destination static nlp_client_0_ipv6_4 nlp_client_0_ipv6_4 service nlp_client_0_17svc53_3 nlp_client_0_17svc53_3
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 1)
1 (DMZ2) to (outside) source dynamic WSUS interface
translate_hits = 1489532, untranslate_hits = 2084
2 (DMZ2) to (outside) source dynamic AV_SVR interface
translate_hits = 1803818, untranslate_hits = 23136
3 (InternetAccess) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
4 (DMZ1) to (outside) source static WebProxy WebProxy destination static NETWORK_OBJ_10.12.19.240_28 NETWORK_OBJ_10.12.19.240_28 no-proxy-arp route-lookup
translate_hits = 568208, untranslate_hits = 1812856
5 (DMZ1) to (outside) source static NETWORK_OBJ_10.12.19.0_24 NETWORK_OBJ_10.12.19.0_24 destination static NETWORK_OBJ_10.12.19.240_28 NETWORK_OBJ_10.12.19.240_28 no-proxy-arp route-lookup
translate_hits = 3023, untranslate_hits = 3023
6 (DMZ1) to (outside) source dynamic WebProxy interface
translate_hits = 614090, untranslate_hits = 20

Auto NAT Policies (Section 2)
1 (DMZ3) to (outside) source static server-1 interface service tcp 51210 51210
translate_hits = 0, untranslate_hits = 0
2 (DMZ2) to (outside) source dynamic NAT_Mob interface
translate_hits = 0, untranslate_hits = 0

Re: Issue with PAT Setup ASA 5508 9.16(1)

vdzpro — Wed, 09 Jul 2025 18:38:51 GMT

We are planning a replacement, but trying to get this to work in the meantime.

Re: Issue with PAT Setup ASA 5508 9.16(1)

vdzpro — Wed, 09 Jul 2025 18:48:55 GMT

The server was placed directly on the router (bypassing the firewall) with the WAN IP assigned. We found it did respond to a net connection test (PowerShell tnc) on port 51210. The goal was to ensure the device itself was responding properly on that port from a WAN-based connection.

Here are the requested commands:

show xlate:

29 in use, 161 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
UDP PAT from outside:0.0.0.0/0 53-53 to nlp_int_tap:0.0.0.0/0 53-53
flags srIT idle 1096:02:10 timeout 0:00:00
NAT from outside:0.0.0.0/0 to DMZ2:0.0.0.0/0
flags sIT idle 1096:02:10 timeout 0:00:00
NAT from outside:0.0.0.0/0 to DMZ2:0.0.0.0/0
flags sIT idle 1096:02:10 timeout 0:00:00
NAT from outside:0.0.0.0/0 to InternetAccess:0.0.0.0/0
flags sIT idle 1096:02:10 timeout 0:00:00
NAT from DMZ1:10.12.19.10 to outside:10.12.19.10
flags sIT idle 0:00:01 timeout 0:00:00
NAT from outside:10.12.19.240/28 to DMZ1:10.12.19.240/28
flags sIT idle 0:00:01 timeout 0:00:00
NAT from DMZ1:10.12.19.0/24 to outside:10.12.19.0/24
flags sIT idle 0:06:33 timeout 0:00:00
NAT from outside:10.12.19.240/28 to DMZ1:10.12.19.240/28
flags sIT idle 0:06:33 timeout 0:00:00
NAT from outside:0.0.0.0/0 to DMZ1:0.0.0.0/0
flags sIT idle 997:43:49 timeout 0:00:00
TCP PAT from DMZ3:10.12.13.200 51210-51210 to outside:1.2.3.4 51210-51210
flags sr idle 0:01:19 timeout 0:00:00

Ran the following capture: capture cap-1 interface DMZ3 match tcp any host 10.12.13.200 eq 51210

Completed a few connection tests to generate traffic.

show capture cap-1

0 packet captured

0 packet shown

Let me know if there is anything else I sould try. I was thinking of bringing another firewall (non cisco) setting up a port foward and seeing if it works.

Re: Issue with PAT Setup ASA 5508 9.16(1)

MHM Cisco World — Wed, 09 Jul 2025 18:54:05 GMT

Run NAT disappear anyway I take look

There is 0 hits for NATing and Un-NATing meaning the traffic not hit NAT at all

1- capute traffic in outside match tcp port 51210' see if traffic reach outside

2- ping from Asa to server' if asa dont have arp or not reachable to server it not NATing traffic

MHM

Re: Issue with PAT Setup ASA 5508 9.16(1)

vdzpro — Wed, 09 Jul 2025 18:55:55 GMT

Packet-tracer output (official IPs omitted):

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 1.2.3.4 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000555813aa033f flow (NA)/NA

Not sure why the drop since there is a policy to allow the traffic:

access-list outside_access_in extended permit tcp any host 10.12.13.200 eq 51210

access-group outside_access_in in interface outside

Re: Issue with PAT Setup ASA 5508 9.16(1)

MHM Cisco World — Wed, 09 Jul 2025 18:59:07 GMT

Correct one

Packet tracer input OUTSIDE tcp 1.1.1.1 1234 <outside public IP> 51210 detail

This how you do packet-tracer run it and share result

MHM

Re: Issue with PAT Setup ASA 5508 9.16(1)

swj — Wed, 09 Jul 2025 19:23:19 GMT

Hi,

ACL drop is expected when we do it on the reverse(Lower-higher sec Lvl) direction, But I want to make sure you tried packet tracer for the Public IP address not the DMZ server IP.

Re: Issue with PAT Setup ASA 5508 9.16(1)

Aref Alsouqi — Thu, 10 Jul 2025 08:49:09 GMT

So when the server was connected directly to the router it was responding on port 51210/tcp correctly? and now that you moved it behind the firewall it's not working anymore? if that is the case then we can discard a local firewall issue on the server side.

Have you generated any traffic destined to the server when you ran the packet capture? if not, please do the capture again and while the capture is running generate some traffic from outside towards the server and see if anything gets captured.

Although it should work with the configs you already have, I would suggest to try to move the server NAT rule to section 1 which is the manual section of the NAT table and see if that makes a difference. To do so, use this example please:

object service TCP-51210
service tcp source eq 51210

nat (DMZ3,outside) 1 source static server-1 interface service TCP-51210 TCP-51210