https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314120#M345666 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I used TCP/8080 in the packet-tracer as the destination port.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/8/2/2/148228-packetTrace.PNG" class="jive-image" /></P><P>This is the global rule I was refering to.</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/7/2/2/148227-globalRule.PNG" class="jive-image" /></P><P>Thank you for your help so far!</P></BODY></HTML> Mon, 29 Jul 2013 14:24:14 GMT mike.higginson 2013-07-29T14:24:14Z https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314115#M345661 <P>Hello everyone. I'm having difficulty getting an abnormal port (TCP/8080) forwarded to an internal web server(TCP/80) on a test firewall. I tried using the steps listed in a blog post I found, but haven't been able to actually get to the web server from the outside.</P><P></P><P>My rules look like this.</P><P></P><P></P><P>object network WebServer</P><P>host 192.168.35.150<BR />description Web Server</P><P></P><P>object network WebServer</P><P>nat (inside,outside) static interface service tcp www 8080</P><P>access-group outside_access_in in interface outside</P><P></P><P>access-list outside_access_in extended permit tcp any interface outside eq 8080</P><P></P><P>I'm also attaching a redacted version of my running config. I have the firewall setup to do VPN hairpinning as well.</P><P></P><P>Thank you for your help in advance!</P> Tue, 12 Mar 2019 02:18:18 GMT https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314115#M345661 mike.higginson 2019-03-12T02:18:18Z https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314116#M345662 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The problem is in the interface ACL.</P><P></P><P>In the new software 8.3 and forward the NAT is processed before the ACLs.</P><P></P><P>So this both means that you have to allow the traffic to the real IP address and the real port.</P><P></P><P>So if you change the ACL to</P><P></P><P></P><P><STRONG>access-list outside_access_in extended permit tcp any interface outside eq 80</STRONG></P><P></P><P>Then it should be fine</P><P></P><P>You can test it also with the <STRONG>"packet-tracer"</STRONG> command</P><P></P><P><STRONG>packet-tracer input outside tcp 1.1.1.1 12345 <INTERFACE ip=""> 80</INTERFACE></STRONG></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please do remember to mark the reply as the correct answer if it answered your question.</P><P></P><P>- Jouni</P></BODY></HTML> Sun, 28 Jul 2013 19:36:08 GMT https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314116#M345662 Jouni Forss 2013-07-28T19:36:08Z https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314117#M345663 <HTML><HEAD></HEAD><BODY><P> Thank you for the responce Jouni! I'll test this out and let you know.</P></BODY></HTML> Sun, 28 Jul 2013 21:48:14 GMT https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314117#M345663 mike.higginson 2013-07-28T21:48:14Z https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314118#M345664 <HTML><HEAD></HEAD><BODY><P>I changed the access rule to </P><P></P><P><STRONG style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">access-list outside_access_in extended permit tcp any interface outside eq 80</STRONG></P><P></P><P>but the traffic is still being blocked. From the packet-tracer it looks like it is being blocked by an implicit rule. I see one global ACL in ASDM that looks like this. <SPAN style="font-size: 10pt;"> </SPAN></P><P></P><TABLE border="1" cellspacing="0"><TBODY><TR><TD>1</TD><TD> </TD><TD>any</TD><TD> </TD><TD> </TD><TD>any</TD><TD> </TD><TD>ip</TD><TD>Deny</TD><TD> </TD><TD>Default</TD><TD> </TD><TD>[Implicit rule]</TD></TR></TBODY></TABLE><P></P><P></P><P>Do I need to remove the global deny rule and change it to a deny rule on the outside interface underneth my allow tcp/80 rule? 8.3 and above are a lot different than 8.2</P><P></P><P>Here are the packet tracer results</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: NP Identity Ifc</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Mon, 29 Jul 2013 03:20:18 GMT https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314118#M345664 mike.higginson 2013-07-29T03:20:18Z https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314119#M345665 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Did you use the port TCP/8080 in the <STRONG>"packet-tracer"</STRONG> as the destination port?</P><P></P><P>What global deny rule are you talking about?</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 29 Jul 2013 13:45:29 GMT https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314119#M345665 Jouni Forss 2013-07-29T13:45:29Z https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314120#M345666 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I used TCP/8080 in the packet-tracer as the destination port.</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/8/2/2/148228-packetTrace.PNG" class="jive-image" /></P><P>This is the global rule I was refering to.</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/7/2/2/148227-globalRule.PNG" class="jive-image" /></P><P>Thank you for your help so far!</P></BODY></HTML> Mon, 29 Jul 2013 14:24:14 GMT https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314120#M345666 mike.higginson 2013-07-29T14:24:14Z https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314121#M345667 <HTML><HEAD></HEAD><BODY><P>Gah,</P><P></P><P>Sorry, I have been blind.</P><P></P><P>The actual ACL is wrong. You were using the <STRONG>"interface outside"</STRONG> as the destination. You need to allow the traffic to the real IP address. For some reason I completely missed that until now.</P><P></P><P>Also seems I managed to provide the "packet-tracer" command with completely wrong destination port also. <SPAN __jive_emoticon_name="silly" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/silly.gif"></SPAN> (the TCP/80 port earlier)</P><P></P><P>You need this</P><P></P><P><STRONG style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">access-list outside_access_in extended permit tcp any object Webserver eq 80</STRONG></P><P></P><P>After this it should work.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 29 Jul 2013 14:27:21 GMT https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314121#M345667 Jouni Forss 2013-07-29T14:27:21Z https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314122#M345668 <HTML><HEAD></HEAD><BODY><P>I figured out what it was causing the traffic to be dropped. I had configured the ASA for VPN hairpinning (u-turn) so I could VPN from a public network and be able to browse the internet securly. (more on that here <A href="http://nat0.net/cisco-asa-hairpinning/">http://nat0.net/cisco-asa-hairpinning/</A>) When I removed the NAT rules I created for the hairpinning the port forwarding worked sorry for the noise.</P><P></P><P>These are the rules I had for the hairpinning.</P><P>nat (inside,outside) source static any any destination static NETWORK_OBJ_VPNpool NETWORK_OBJ_VPNpool no-proxy-arp route-lookup</P><P>nat (outside,outside) source dynamic NETWORK_OBJ_VPNpool interface</P></BODY></HTML> Tue, 30 Jul 2013 04:37:57 GMT https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314122#M345668 mike.higginson 2013-07-30T04:37:57Z https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314123#M345669 <HTML><HEAD></HEAD><BODY><P>I got the VPN hairpinning and port forwading working correctly! <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN> I used this for VPN hairpinning <A _jive_internal="true" href="https://community.cisco.com/docs/DOC-11640">https://supportforums.cisco.com/docs/DOC-11640</A></P><P></P><P>Here are my NAT rules now that everything is working. # are comments I added.</P><P></P><P># this rule allows my inside network to talk to my vpn network and visa versa</P><P>nat (inside,outside) source static InsideNetwork InsideNetwork destination static VPNNetwork VPNNetwork</P><P>!</P><P></P><P>#Dynamic NAT for inside trafic going out</P><P>object network obj_any</P><P> nat (inside,outside) dynamic interface</P><P></P><P>#Dynamic NAT for VPN hairpinning</P><P>object network VPNNetwork</P><P> nat (outside,outside) dynamic interface</P><P></P><P>#Static NAT (port forward) for external 8080 to internal 80</P><P>object network FTBcloud</P><P> nat (inside,outside) static interface service tcp www 8080</P><P></P><P>Thank you for your help <SPAN style="font-size: 10pt;">Jouni!</SPAN></P><P><SPAN style="font-size: 10pt;">Mike H.</SPAN></P></BODY></HTML> Tue, 30 Jul 2013 05:22:59 GMT https://community.cisco.com/t5/network-security/port-forwarding-cisco-asa-9-1-2/m-p/2314123#M345669 mike.higginson 2013-07-30T05:22:59Z