topic Hi Walter,The problem seems in Network Security

Port forwarding ASA 9.1(2)

walters199 — Tue, 12 Mar 2019 05:25:48 GMT

Hi guys.

I am completely lost with my asa 5505.
No props forwarding ports on other cisco routers but this device is driving me nuts.

I have tried countless setups and followed so many examples. I have seriously no clue anymore.

I just want my 25 be forwarded to my mail server on the dmz interface.

I put my config in the attachements ( incl sh nat, sh acl)
What I already tried was nat on the objects itself.
acl with and without objects

The strange thing is that no counters of the nat or acl are running up if I telnet on port 25 from an outside machine.
Also the syslog server doesn't show anything blocking on port 25.

My packet trace.

RTR01# packet-tracer input outside tcp 4.4.4.2 smtp 192.168.101.10 25

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.101.0 255.255.255.0 DMZ

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_acl in interface outside

access-list outside_acl extended permit tcp any object srv-192.168.101.10 eq smtp log debugging

Additional Information:

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (DMZ,outside) source dynamic any interface

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

sh nat

Hi Walter,The problem seems

Poonam Garg — Sun, 01 Feb 2015 18:08:31 GMT

Hi Walter,

The problem seems to be related to order of operation of NAT statements.

nat (DMZ,outside) source dynamic any interface

nat (DMZ,outside) source static srv-192.168.101.10 interface service tcp-25 tcp-25

Check "Show Nat", your SMTP NAT statement must come before your dynamic NAT statement.

Twice NAT statements are executed in the order they are configured.

Poonam, Thank you for your

walters199 — Mon, 02 Feb 2015 07:28:09 GMT

Poonam,

Thank you for your reply.
I have changed a few things after this and it works now after weeks of trial and error.

What I changed

I removed the NAT rule on object network srv-192.168.101.10

I created an object service MAIL
service tcp source eq smtp

I removed the object service TCP-25 because that would constantly giving me an error that it was not mapped ?

I created a manual NAT rule

nat (DMZ,outside) 1 source static srv-192.168.101.10 interface service MAIL MAIL

My acl was already in place. A telnet from a remote machine on port 25 works perfectly.

sh nat

Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static srv-192.168.101.10 interface   service MAIL MAIL
    translate_hits = 1, untranslate_hits = 1
2 (DMZ) to (outside) source dynamic DMZ interface
    translate_hits = 87, untranslate_hits = 0
3 (inside) to (outside) source dynamic inside interface
    translate_hits = 32, untranslate_hits = 0

So probably the auto nat function didn t work. For me I need to find out why the first time the rule under the object came under the auto nat functions.

Learned a lot this time.

SO problem solved

Hi Walter,I am happy to hear

Poonam Garg — Mon, 02 Feb 2015 07:37:07 GMT

Hi Walter,

I am happy to hear that your problem resolved.

Kindly rate the solution, if it helped you so that it will also be helpful to others.