https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646420#M196967 <P>packet-tracer input outside tcp 8.8.8.8 12345 xx.xxx.xxx.xx 88</P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:&nbsp;<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in &nbsp; xx.xxx.xxx.xx &nbsp; 255.255.255.255 identity</P><P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype:&nbsp;<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;<BR />Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Sun, 22 Feb 2015 23:28:15 GMT plaethos75 2015-02-22T23:28:15Z https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646417#M196964 <P>I'm going to present this as laymen as possible in hopes the understanding doesn't get convoluted. &nbsp;This question is based off my previous link, which I can't see to get to work. &nbsp;<A href="https://supportforums.cisco.com/discussion/12419431/asa-5505-nat-and-acl-running-841" target="_blank">https://supportforums.cisco.com/discussion/12419431/asa-5505-nat-and-acl-running-841</A> &nbsp; diagram also available at this link as well...</P><P>&nbsp;</P><P>1. &nbsp; Whether it's webservices or other ports being used, if I want&nbsp;to use my single, public IP address assigned by a cable modem company, which is being assigned by DHCP, I will:</P><UL><LI>assign it on the "outside" interface,</LI><LI>The ACL I place, will always look like (in the cli)</LI></UL><P><STRONG>access-group *acl-name* in interface outside</STRONG></P><P>&nbsp;</P><P>2. &nbsp; if I want the access to go to an internal server or device, whether it's telnet, www, or generic port, would the IP I reference be:</P><UL><LI>the next hop?&nbsp;</LI><LI>The private IP of the device?</LI><LI>another IP which gets nat'd to my end device?</LI></UL><P>&nbsp;</P><P>3. &nbsp;If I am specificly targeting this port/public IP and I see&nbsp;<STRONG>ZERO (0)&nbsp;</STRONG>hits on my acl, could there be something else preventing it from traversing the network? &nbsp;</P><P>&nbsp;</P><P>From an ASDM standpoint, (permit on outside interface) &nbsp;&nbsp;Source = any &nbsp; &nbsp; destination address = "private IP address of device" &nbsp;destination port = tcp/88 &nbsp;</P><P>Why am I not seeing any hits?</P><P>&nbsp;</P><P>Here's the copy of my cli if this is easier to digest:</P><P>&nbsp;</P><P>access-list allowed_wan_services extended permit tcp any host 172.16.0.5 eq 88 log debugging&nbsp;<BR />access-list allowed_wan_services extended permit udp any host 172.16.0.5 eq 88 log debugging&nbsp;<BR />access-list allowed_wan_services extended permit udp any host 192.168.250.2 eq 88 log debugging</P><P>access-list allowed_wan_services extended permit tcp any host 192.168.250.2 eq 88 log debugging</P><P>access-list allowed_wan_services extended permit tcp any host 192.168.254.3 eq 88 log debugging&nbsp;<BR />access-list allowed_wan_services extended permit udp any host 192.168.254.3 eq 88 log debugging&nbsp;</P><P>access-list allowed_wan_services extended permit tcp any host *publicIP* eq 88 log debugging&nbsp;<BR />access-list allowed_wan_services extended permit udp any host *publicIP* eq 88 log debugging&nbsp;</P><P>&nbsp;</P><P>access-group allowed_wan_services in interface outside</P><P>&nbsp;</P><P>&nbsp;</P><P>nat (outside,inside) after-auto source static Pub-Cam Priv-Cam service tcp-88 tcp-88<BR />nat (outside,inside) after-auto source static Pub-Cam next-hop service tcp-88 tcp-88<BR />nat (outside,inside) after-auto source static Pub-Cam distsw service tcp-88 tcp-88</P><P>&nbsp;</P><P>&nbsp;</P><P>I get 0 hits on any of the above.</P><P>&nbsp;</P><P>I've also included a screen shot of my NAT via ASDM.... &nbsp;Thoughts/Suggestions?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:31:25 GMT https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646417#M196964 plaethos75 2019-03-12T05:31:25Z https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646418#M196965 <P>Hi,</P><P>&nbsp;</P><P>With any software 8.3 or above the ACL will always reference the local IP address and NOT the NAT IP address.</P><P>&nbsp;</P><P>I am actually not sure if an ACL hit is registered if some part of the NAT configuration drops the connection.</P><P>&nbsp;</P><P>Best place to start troubleshooting would be that you take a "packet-tracer" output from CLI of the ASA and we will see if the ASA drops it. If it does then we will need to determine if the problem is on the WAN or LAN side.</P><P>&nbsp;</P><P>You could use this command format for example</P><P>&nbsp;</P><P><STRONG>packet-tracer input outside tcp 8.8.8.8 12345 &lt;public NAT ip&gt; &lt;port&gt;</STRONG></P><P>&nbsp;</P><P>The source IP address and port can be anything. I just have the habit of using the above.</P><P>&nbsp;</P><P>- Jouni</P> Thu, 19 Feb 2015 08:31:19 GMT https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646418#M196965 Jouni Forss 2015-02-19T08:31:19Z https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646419#M196966 <P>Thank you for this. &nbsp;I will try this tonight. &nbsp;Been a crazy week for me.</P> Sun, 22 Feb 2015 00:44:35 GMT https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646419#M196966 plaethos75 2015-02-22T00:44:35Z https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646420#M196967 <P>packet-tracer input outside tcp 8.8.8.8 12345 xx.xxx.xxx.xx 88</P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:&nbsp;<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in &nbsp; xx.xxx.xxx.xx &nbsp; 255.255.255.255 identity</P><P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype:&nbsp;<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;<BR />Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Sun, 22 Feb 2015 23:28:15 GMT https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646420#M196967 plaethos75 2015-02-22T23:28:15Z https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646421#M196968 <P>ok -- I'm pretty sure I figured it out.</P><P>sysopt noproxyarp</P><P>access-list allowed_wan_services extended permit tcp any interface outside eq 88 log debugging&nbsp;<BR />access-list allowed_wan_services extended permit udp any interface outside eq 88 log debugging&nbsp;</P><P>nat (outside,inside) source static any interface destination static interface Priv-Cam service tcp-88 tcp-88</P><P>access-group allowed_wan_services in interface outside</P><P>&nbsp;</P><P>Thank you for your input and I will mark this correct answer if in fact this works. &nbsp;I'm now having an issue getting to my private IP or pinging it....so once I get that, I think I'll be able to test correctly and upload my findings.</P><P>&nbsp;</P> Mon, 23 Feb 2015 00:54:35 GMT https://community.cisco.com/t5/network-security/asa-5505-acls-code-8-4-2/m-p/2646421#M196968 plaethos75 2015-02-23T00:54:35Z