topic Resolving DROP during port forwarding in Network Security

Resolving DROP during port forwarding

Vindemiatrix — Mon, 11 Mar 2019 22:12:33 GMT

I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface recieves its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to ssh port on internal host.

Any tips on why this might be occuring?

#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 71.x.x.x 255.255.255.255 identity

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

# sh run nat

nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup

nat (outside,outside) source dynamic VPN_NETWORK interface

object network obj_any

nat (inside,outside) dynamic interface

object network VM

nat (inside,outside) static interface service tcp ssh ssh

# sh running-config object

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network VPN_NETWORK

subnet 192.168.1.0 255.255.255.192

object network VM

host 172.16.0.100

# sh nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source static any any destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup

translate_hits = 0, untranslate_hits = 0

2 (outside) to (outside) source dynamic VPN_NETWORK interface

translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static VM interface service tcp ssh ssh

translate_hits = 0, untranslate_hits = 0

2 (inside) to (outside) source dynamic obj_any interface

translate_hits = 61918, untranslate_hits = 8178

# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list dynamic-filter_acl; 1 elements; name hash: 0xdb693454

access-list dynamic-filter_acl line 1 extended permit ip any any (hitcnt=77285) 0xe1bfda1d

access-list VM-IN; 1 elements; name hash: 0x57079372

access-list VM-IN line 1 extended permit tcp any host 172.16.1.100 eq ssh (hitcnt=5) 0x5dc27602

Re: rfp-check results in DROP during port forwarding

Julio Carvajal — Wed, 11 Jan 2012 04:14:53 GMT

Can you post the full packet tracer output ?

You should been doing it to the outside interface of your ASA Ip address, can you confirm it ?

Julio

rfp-check results in DROP during port forwarding

Vindemiatrix — Wed, 11 Jan 2012 04:32:45 GMT

Updated the orginal question with the full packet-trace.

rfp-check results in DROP during port forwarding

Julio Carvajal — Wed, 11 Jan 2012 06:16:25 GMT

Hello Vindemiatrix,

As I said on the previous post, the packet-tracer is wrong.

The packet created from host 74.207.x.x will need to go on port 22 to the outside interface of the ASA witch I think is not

172.16.1.100.

Please do the packet tracer like this and everything should work as you have this properly configured.

packet-tracer input outside tcp 74.207.x.x 1025 x.x.x.x(Outside interface) 22

If this post helps you, do rate it!!!

Julio

Resolving DROP during port forwarding

Vindemiatrix — Thu, 12 Jan 2012 03:09:51 GMT

Updated question for claified response.

Resolving DROP during port forwarding

Julio Carvajal — Fri, 13 Jan 2012 05:02:56 GMT

Hello,

Can you share the show run access-group?

Also just to confirm 71.x.x.x is the outside interface ip address right?

Julio

Resolving DROP during port forwarding

Vindemiatrix — Fri, 13 Jan 2012 12:06:48 GMT

The problem was with:

(outside) to (outside) source dynamic VPN_NETWORK interface

per:

https://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html

(outside) to (outside) after-auto source dynamic VPN_NETWORK interface

Resolving DROP during port forwarding

Julio Carvajal — Fri, 13 Jan 2012 18:21:48 GMT

Hello,

So now everything is working.

Good to hear that,

Julio