topic Hi,This is a NAT example for in Network Security

Cisco ASA port forwarding and vpn issues

Tomas K — Tue, 12 Mar 2019 05:15:44 GMT

Hi,

I am new to cisco asa. First of all model is cisco ASA 5515. ASA is in routing mode.

There is some issues i need to make port forwarding from external network KabelBW to internal network LAN ip 192.168.1.174 for example port 8080.

I am not sure if i did all the necessary steps.

Second issue is that when i am connected from different networks through vpn, i cannot access internal LAN servers, no ping no access at all. I only can access network which connected like site to site.

The config is like this:

Result of the command: "show config" attached.

Thanks.

Need urgent help.Thanks.

Tomas K — Wed, 24 Dec 2014 08:38:34 GMT

Need urgent help.

Thanks.

Hi,This is a NAT example for

Vibhor Amrodia — Wed, 24 Dec 2014 12:10:55 GMT

Hi,

This is a NAT example for the port forwarding requirement:-

object network obj-192.168.1.174

host 192.168.1.174

nat (inside,outside) static interface service tcp 8080 8080

On the Outside interface apply this ACL:-

access-list Out-In permit tcp any obj-192.168.1.174 eq 8080

For the other issue , for the VPN access to the internal resources:-

Check if you have all these networks in Split Tunnel policy and you have NAT statement for the VPN pool and internal Subnets between the Inside and Outside interface.

Thanks and Regards,

Vibhor Amrodia

Hi, regarding port forwarding

Tomas K — Wed, 24 Dec 2014 16:10:49 GMT

Hi,

regarding port forwarding it is already done in that way You suggested.

See config file in first post.

Hi,So , is it not working ?

Vibhor Amrodia — Thu, 25 Dec 2014 09:41:07 GMT

Hi,

So , is it not working ? If no , can you send me this output:-

packet trace input outside tcp 4.2.2.2 34456 <Outside Interface IP> 8080 det

Thanks and Regards,

Vibhor Amrodia

Merry Christmas.Here's the

Tomas K — Thu, 25 Dec 2014 16:42:05 GMT

Merry Christmas.

Here's the output:

Result of the command: "packet input KabelBW tcp 4.2.2.2 34456 external_ip 8080 det"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in external_ip 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff29b7d5b0, priority=0, domain=nat-per-session, deny=false
   hits=241387, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
   src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
   dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
   input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a5f96f0, priority=0, domain=permit, deny=true
   hits=94800, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
   src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
   dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
   input_ifc=KabelBW, output_ifc=any

Result:
input-interface: KabelBW
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here's also acess-group and acess-list

Result of the command: "show run access-group"

access-group KabelBW_access_in_1 in interface KabelBW control-plane
access-group KabelBW_access_in in interface KabelBW
access-group LAN_access_in in interface LAN
access-group Servers_access_in in interface Servers
access-group global_access global

Result of the command: "show run access-list"

access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 any
access-list LAN_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any eq sip
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel remark access to hidden_net
access-list Split-Tunnel standard permit 192.168.244.0 255.255.255.0
access-list KabelBW_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list KabelBW_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KabelBW_access_in extended permit tcp any eq 8080 object STATIC-PAT eq 8080 log debugging
access-list KabelBW_access_in remark Starface Portweiterleitung extern an Starface
access-list KabelBW_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host 192.168.1.5 eq sip
access-list KabelBW_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Servers_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list KabelBW_cryptomap_3 extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 object hidden_net1
access-list KabelBW_access_in_1 extended permit tcp any eq 8080 object STATIC-PAT eq 8080
access-list KabelBW_access_in_1 extended permit ip object-group VPN any
access-list global_access extended permit ip any any log debugging

Thanks.

Hi,This is the issue:-nat

Vibhor Amrodia — Fri, 26 Dec 2014 03:37:07 GMT

Hi,

This is the issue:-

nat (LAN,KabelBW) source dynamic any interface

NAT Statement is not even being hit for this traffic.

I would recommend you to change this NAT to the Auto NAT section and that should resolve this issue.

Thanks and Regards,

Vibhor Amrodia

I agree with Vibhor. Your NAT

Marvin Rhoads — Fri, 26 Dec 2014 14:18:42 GMT

I agree with Vibhor. Your NAT order of operations is incorrect.

They are processed "top down" and first match will end NAT processing.

The one Vibhor cited is your second statement and will effectively catch all traffic from the LAN to KabelBW interface.

Ok. I did tried your

Tomas K — Sat, 27 Dec 2014 19:23:23 GMT

Ok. I did tried your suggested configuration, but then i added auto static nat rule instead of dynamic, vpn started not to be accessible, i mean i can't even connect to vpn. Though port forwarding was working, but i need both, port forwarding and vpn working.

Maybe you can suggest that was wrong, or i missed something.

I reverted back to original configuration.

Result of the command: "show run nat"

nat (LAN,KabelBW) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static VPN VPN
nat (LAN,KabelBW) source dynamic any interface
nat (LAN,KabelBW) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (any,KabelBW) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (KabelBW,KabelBW) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (LAN,KabelBW) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

Result of the command: "show run access-list"

access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 any
access-list LAN_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any eq sip
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel remark access to hidden_net
access-list Split-Tunnel standard permit 192.168.244.0 255.255.255.0
access-list KabelBW_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list KabelBW_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KabelBW_access_in
access-list KabelBW_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host 192.168.1.5 eq sip
access-list KabelBW_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Servers_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list KabelBW_cryptomap_3 extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 object hidden_network
access-list KabelBW_access_in_1 extended permit ip object-group VPN any

Hi,Did you add something like

Vibhor Amrodia — Sun, 28 Dec 2014 11:29:34 GMT

Hi,

Did you add something like this on the ASA device:-

nat (LAN,KabelBW) static any interface

If not , what is the NAT you added. I am sure that port forward with the VPN will work but we need to verify the actual configuration when you saw the issue.

Thanks and Regards,

Vibhor Amrodia