port forwarding not working , possible ACL issue

Alex Mendez — Mon, 11 Mar 2019 23:14:34 GMT

Greetins All - hopefullly you can help me. I'm trying to port forward some ports to my internal mail server, namely smtp , www and http/https. It looks like nat does work but its possible the firewall blocks it.

-cus-fw-01(config)# show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static mailserver interface service tcp smtp smtp

translate_hits = 1, untranslate_hits = 6 <------- this happens when i try to telnet <mydomain.com> 25 , from an outside host

2 (inside) to (outside) source dynamic obj-10.10.10.0 interface

translate_hits = 8435, untranslate_hits = 673

my access list

elg-cus-fw-01(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outside_access_in; 4 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit tcp any object mailserver eq smtp (hitcnt=0) 0x029b8a79

access-list outside_access_in line 1 extended permit tcp any host 10.10.10.31 eq smtp (hitcnt=0) 0x029b8a79

access-list outside_access_in line 2 extended permit tcp any object securewebmail eq https (hitcnt=0) 0xc7e21171

access-list outside_access_in line 2 extended permit tcp any host 10.10.10.31 eq https (hitcnt=0) 0xc7e21171

access-list outside_access_in line 3 extended permit tcp any object webmail eq www (hitcnt=0) 0xa3e2340f

access-list outside_access_in line 3 extended permit tcp any host 10.10.10.31 eq www (hitcnt=0) 0xa3e2340f

access-list outside_access_in line 4 extended permit tcp any object webserverpop3 eq pop3 (hitcnt=0) 0x5386a581

access-list outside_access_in line 4 extended permit tcp any host 10.10.10.31 eq pop3 (hitcnt=0) 0x5386a581

my packet tracer

lg-cus-fw-01(config)# packet-tracer input outside tcp fqdn google.com smtp 1$

Mapping FQDN google.com to IP address 74.125.225.72

(More IP addresses resolved. Please run "show dns-host" to check.)

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.10.10.0 255.255.255.0 inside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

does anyone know where is the rule? Is this something by defautl?

port forwarding not working , possible ACL issue

Julio Carvajal — Fri, 01 Jun 2012 18:03:48 GMT

Hello Alex,

Can you provide us the following information:

Sh run object network ( Want to see the one for that host)

Sh run nat ( the one used by that host)

Sh run access-group

port forwarding not working , possible ACL issue

Alex Mendez — Fri, 01 Jun 2012 18:16:01 GMT

sh run object

object network mailserver

host 10.10.10.31

object network webmail

host 10.10.10.31

object network securewebmail

host 10.10.10.31

object network webserverpop3

host 10.10.10.31

object network mailserver

nat (inside,outside) static interface service tcp smtp smtp

i have not configured access-group... could this be it?

Alex

port forwarding not working , possible ACL issue

Julio Carvajal — Fri, 01 Jun 2012 19:02:49 GMT

Hello Alex.

Yes, that is

Access-group outside_access_in in interface outside

Regards,

Julio

topic port forwarding not working , possible ACL issue in Network Security

port forwarding not working , possible ACL issue

port forwarding not working , possible ACL issue

port forwarding not working , possible ACL issue

port forwarding not working , possible ACL issue