topic ASA 5505 7.2 Port Forwarding Question? in Network Security

ASA 5505 7.2 Port Forwarding Question?

sjoshi321 — Tue, 12 Mar 2019 02:54:42 GMT

I am trying to do some port forwarding on a ASA 5505. It seems pretty straight forward, but somehow it's not working. I am not too familiar with Cisco devices. This is an old firewall which I am trying to configure without clearing the old configuration. Here are some info about the network and from the ASA. Any Help would be greatly appreciated.

Network

24.xx.xx.xx:ASA:192.168.1.1--------------192.168.1.2:RT-N66U:192.168.3.1--------------192.168.3.0

RT-N66U is not doing any NAT.

Result of the command: "sh nat"

NAT policies on Interface inside:

match ip inside 192.168.3.0 255.255.255.0 inside 192.168.16.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.3.0 255.255.255.0 inside 192.168.202.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.3.0 255.255.255.0 outside 192.168.16.0 255.255.255.0

NAT exempt

translate_hits = 21, untranslate_hits = 447

match ip inside 192.168.3.0 255.255.255.0 outside 192.168.202.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.3.0 255.255.255.0 _internal_loopback 192.168.16.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.3.0 255.255.255.0 _internal_loopback 192.168.202.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match tcp inside host 192.168.3.1 eq 3389 outside any

static translation to 24.xx.xx.xx/3389

translate_hits = 0, untranslate_hits = 43

match tcp inside host 192.168.3.1 eq 8080 outside any

static translation to 24.xx.xx.xx/8080

translate_hits = 0, untranslate_hits = 47

match ip inside any inside any

dynamic translation to pool 10 (No matching global)

translate_hits = 0, untranslate_hits = 0

match ip inside any outside any

dynamic translation to pool 10 (24.xx.xx.xx [Interface PAT])

translate_hits = 338409, untranslate_hits = 1047890

match ip inside any _internal_loopback any

dynamic translation to pool 10 (No matching global)

translate_hits = 0, untranslate_hits = 0

Result of the command: "sh access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list 100; 1 elements

access-list 100 line 1 extended permit ip 192.168.3.0 255.255.255.0 192.168.16.0 255.255.255.0 (hitcnt=122) 0xc73bcc27

access-list inside_nat0_outbound; 2 elements

access-list inside_nat0_outbound line 1 extended permit ip 192.168.3.0 255.255.255.0 192.168.16.0 255.255.255.0 (hitcnt=0) 0x388c6023

access-list inside_nat0_outbound line 2 extended permit ip 192.168.3.0 255.255.255.0 192.168.202.0 255.255.255.0 (hitcnt=0) 0x70a9d5e2

access-list outside_access_in; 6 elements

access-list outside_access_in line 1 extended permit tcp any eq 81 host 24.xx.xx.xx eq 81 (hitcnt=0) 0xc1148a97

access-list outside_access_in line 2 extended permit icmp any interface outside (hitcnt=0) 0xbdd73ad6

access-list outside_access_in line 3 extended permit tcp any interface outside eq 8080 (hitcnt=0) 0xdd94b34c

access-list outside_access_in line 4 extended permit tcp any host 24.xx.xx.xx eq 3389 (hitcnt=0) 0xf7d1bca

access-list outside_access_in line 5 extended permit tcp any eq 37777 host 24.xx.xx.xx eq 37777 (hitcnt=0) 0xa563723

access-list outside_access_in line 6 extended permit udp any eq 37778 host 24.xx.xx.xx eq 37778 (hitcnt=0) 0xae9a25bb

access-list outside_cryptomap; 1 elements

access-list outside_cryptomap line 1 extended permit ip any 192.168.202.0 255.255.255.0 (hitcnt=0) 0x66ad24cd

Result of the command: "packet-trace input outside tcp 1.1.1.1 1234 24.xx.xx.xx 8080 det"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,outside) tcp 24.xx.xx.xx 8080 192.168.3.1 8080 netmask 255.255.255.255

match tcp inside host 192.168.3.1 eq 8080 outside any

static translation to 24.xx.xx.xx/8080

translate_hits = 0, untranslate_hits = 47

Additional Information:

NAT divert to egress interface inside

Untranslate 24.xx.xx.xx/8080 to 192.168.3.1/8080 using netmask 255.255.255.255

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 24.xx.xx.xx 255.255.255.255 identity

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x3498270, priority=0, domain=permit, deny=true

hits=1251390, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ASA 5505 7.2 Port Forwarding Question?

Jouni Forss — Tue, 22 Oct 2013 16:01:42 GMT

Hi,

It matches the NAT rule as we can see from the UN-NAT Phase, yet it drops at the ACL Phase.

Can you provide the output of

show run access-group

I cant see any hitcount in the above ACL so it seems to me that either no traffic has come or the ACL has not been attached to the interface with the command

access-group outside_access_in in interface outside

Also, a better view (for me personally atleast) of the NAT configuration could be provided with the output of the following commands

show run global

show run nat

show run static

- Jouni

ASA 5505 7.2 Port Forwarding Question?

sjoshi321 — Tue, 22 Oct 2013 16:06:29 GMT

Thanks for the quick reply. Here are the results:

Result of the command: "show run access-group"

access-group outside_access_in in interface outside

Result of the command: "show run global"

global (outside) 10 interface

Result of the command: "show run nat"

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

Result of the command: "show run static"

static (inside,outside) tcp 24.xx.xx.xx 3389 192.168.3.1 3389 netmask 255.255.255.255

static (inside,outside) tcp 24.xx.xx.xx 8080 192.168.3.1 8080 netmask 255.255.255.255

ASA 5505 7.2 Port Forwarding Question?

Jouni Forss — Tue, 22 Oct 2013 16:13:28 GMT

Hi,

Is the public IP address used in the Static PAT (Port Forward) supposed to be the public IP address configured on the interface "outside" of the ASA?

If that is the case then a Static PAT configuration would usually look like this

static (inside,outside) tcp interface 3389 192.168.3.1 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 8080 192.168.3.1 8080 netmask 255.255.255.255

The parameter "interface" specifies that the "outside" interface IP address will be used.

If you have a spare public IP address for this Static PAT configuration then you naturally specify that public IP address in the actual "static" command.

Seems your ACL is attached correctly but I wonder why the ACL doesnt see any hitcount. Its hitcount should increase with the use of "packet-tracer" command even.

I guess there must be somekind of missmatch between the Static PAT and the ACL rules. Even though they have the rule for the TCP/8080 to "interface outside"

I guess you can try it with this too

access-list outside_access_in permit tcp any host 24.x.x.x eq 8080

- Jouni

ASA 5505 7.2 Port Forwarding Question?

sjoshi321 — Tue, 22 Oct 2013 16:37:27 GMT

I was using ASDM to configure and was not able to select "interface" through the GUI for some reason. I removed the rules and entered them through Command line interface. It seems to be working now. Thanks a lot.