https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087311#M133499 <P><G class="gr_ gr_100 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="100" data-gr-id="100">ttpHi</G>,</P> <P></P> <P>Can you add this NAT and test :</P> <P></P> <P>object network obj_192.168.0.3</P> <P>host 1<SPAN>92.168.0.3</SPAN></P> <P>nat (inside,outside) static interface service <G class="gr_ gr_85 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" id="85" data-gr-id="85">tcp</G> <G class="gr_ gr_83 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="83" data-gr-id="83">http</G>&nbsp;<G class="gr_ gr_108 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="108" data-gr-id="108">http</G></P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Sat, 05 Aug 2017 08:01:47 GMT Aditya Ganjoo 2017-08-05T08:01:47Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087306#M133494 <P>Hi,</P> <P>I'm configuring an Asa5506 and i have a problem with port forwarding.</P> <P>My configuration is:</P> <UL> <LI>2 internet access &gt; Peplink Balance 20 <EM>(load balancer) &gt;</EM> Asa5506 &gt; lan networks</LI> <LI>In the peplink, i have setup a dmz for the Asa <EM>(working because i can use ASDM remotely)</EM></LI> <LI>Asa Outside: 192.168.2.2 / 29</LI> <LI>Asa Inside: 192.168.0.0 /24</LI> </UL> <P>I want to redirect port 80 to the host 192.168.0.3, so i have used these commands:</P> <BLOCKQUOTE> <P>access-list outside extended permit tcp any host 192.168.0.3 eq www&nbsp;</P> <P>access-group outside in interface outside</P> </BLOCKQUOTE> <P>When i try to connect from outside, i got this error in the ASA log:</P> <BLOCKQUOTE> <TABLE> <TBODY> <TR> <TD>3</TD> <TD>Aug 05 2017</TD> <TD>08:55:22</TD> <TD></TD> <TD>my remote ip&nbsp;</TD> <TD>56141</TD> <TD>192.168.12.2</TD> <TD>80</TD> <TD>TCP access denied by ACL from my remote ip/56141 to outside:192.168.12.2/80</TD> </TR> </TBODY> </TABLE> </BLOCKQUOTE> <P>Can you help me to solve it?</P> <P>Regards</P> <P></P> Tue, 12 Mar 2019 09:46:52 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087306#M133494 Julien Paleni 2019-03-12T09:46:52Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087307#M133495 <P>Hi,</P> <P></P> <P>Please share the packet tracer output</P> <P></P> <P>packet-tracer input outside <G class="gr_ gr_52 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="52" data-gr-id="52">tcp</G>&nbsp;4.2.2.2 7676 &lt;mapped ip&gt; 80 det</P> <P></P> <P>What is the IP&nbsp;<SPAN>192.168.12.2/80?</SPAN></P> <P><SPAN></SPAN></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Sat, 05 Aug 2017 07:27:23 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087307#M133495 Aditya Ganjoo 2017-08-05T07:27:23Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087308#M133496 <P>Hi Aditya,&nbsp;</P> <P>This is the result of:&nbsp;packet-tracer input outside tcp 4.2.2.2 7676 my_remote_ip&nbsp;80 det</P> <BLOCKQUOTE> <P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x7f2cb8d17950, priority=1, domain=permit, deny=false<BR /> hits=19263822, user_data=0x0, cs_id=0x0, l3_type=0x8<BR /> src mac=0000.0000.0000, mask=0000.0000.0000<BR /> dst mac=0000.0000.0000, mask=0100.0000.0000<BR /> input_ifc=outside, output_ifc=any</P> <P></P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 192.168.12.1 using egress ifc outside</P> <P></P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: <BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR /> Forward Flow based lookup yields rule:<BR /> in id=0x7f2cba69d620, priority=11, domain=permit, deny=true<BR /> hits=0, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR /> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR /> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR /> input_ifc=outside, output_ifc=any</P> <P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> </BLOCKQUOTE> <P>192.168.12.2 is the ip of the ASA outside interface.</P> <P>I have attached to this post a schematic of the network.</P> <P>Regards</P> Sat, 05 Aug 2017 07:43:49 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087308#M133496 Julien Paleni 2017-08-05T07:43:49Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087309#M133497 <P>Hi,</P> <P></P> <P>I checked this:</P> <P></P> <P><SPAN>i<STRONG>nput-interface: outside</STRONG></SPAN><BR /><SPAN>input-status: up</SPAN><BR /><SPAN>input-line-status: up</SPAN><BR /><STRONG>output-interface: outside</STRONG></P> <P><SPAN></SPAN></P> <P><SPAN>Why is it taking this path?</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Can you share the NAT statement for this traffic?</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Sat, 05 Aug 2017 07:46:21 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087309#M133497 Aditya Ganjoo 2017-08-05T07:46:21Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087310#M133498 <P>This is the NAT Statement which DROP the packet.</P> <P>obj_any1 is 0.0.0.0/0.0.0.0</P> <BLOCKQUOTE> <P>object network obj_any1<BR /> nat (any,outside) dynamic interface</P> </BLOCKQUOTE> <P>Show nat results</P> <BLOCKQUOTE> <P>Auto NAT Policies (Section 2)<BR />1 (any) to (outside) source dynamic obj_any1 interface <BR /> translate_hits = 30140, untranslate_hits = 692<BR />2 (inside_3) to (outside) source dynamic obj_any3 interface <BR /> translate_hits = 0, untranslate_hits = 0<BR />3 (inside_4) to (outside) source dynamic obj_any4 interface <BR /> translate_hits = 0, untranslate_hits = 0<BR />4 (inside_5) to (outside) source dynamic obj_any5 interface <BR /> translate_hits = 0, untranslate_hits = 0<BR />5 (inside_6) to (outside) source dynamic obj_any6 interface <BR /> translate_hits = 0, untranslate_hits = 0<BR />6 (inside_7) to (outside) source dynamic obj_any7 interface <BR /> translate_hits = 5958, untranslate_hits = 1</P> </BLOCKQUOTE> <P></P> Sat, 05 Aug 2017 08:00:29 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087310#M133498 Julien Paleni 2017-08-05T08:00:29Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087311#M133499 <P><G class="gr_ gr_100 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="100" data-gr-id="100">ttpHi</G>,</P> <P></P> <P>Can you add this NAT and test :</P> <P></P> <P>object network obj_192.168.0.3</P> <P>host 1<SPAN>92.168.0.3</SPAN></P> <P>nat (inside,outside) static interface service <G class="gr_ gr_85 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" id="85" data-gr-id="85">tcp</G> <G class="gr_ gr_83 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="83" data-gr-id="83">http</G>&nbsp;<G class="gr_ gr_108 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="108" data-gr-id="108">http</G></P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Sat, 05 Aug 2017 08:01:47 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087311#M133499 Aditya Ganjoo 2017-08-05T08:01:47Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087312#M133500 <P>I got an error with:</P> <BLOCKQUOTE> <P>nat (inside,outside) static interface service tcp http http<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ^<BR />ERROR: % Invalid input detected at '^' marker.</P> </BLOCKQUOTE> <P>In attachment a view of the interfaces.</P> <P></P> Sat, 05 Aug 2017 08:09:28 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087312#M133500 Julien Paleni 2017-08-05T08:09:28Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087313#M133501 <P>Thanks to you Aditya, i solve the problem.</P> <P>I have to use:</P> <BLOCKQUOTE> <P>object network obj_192.168.0.3</P> <P>host 1<SPAN>92.168.0.3</SPAN></P> <P>nat (<STRONG>inside_1</STRONG>,outside) static interface service tcp http&nbsp;http</P> </BLOCKQUOTE> <P>Regards</P> Sat, 05 Aug 2017 08:26:40 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087313#M133501 Julien Paleni 2017-08-05T08:26:40Z https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087314#M133502 <P>Happy to help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P></P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Sat, 05 Aug 2017 08:32:29 GMT https://community.cisco.com/t5/network-security/port-forwarding-asa5506/m-p/3087314#M133502 Aditya Ganjoo 2017-08-05T08:32:29Z