https://community.cisco.com/t5/network-security/port-forward-issue-asa-5508-version-9-8-1/m-p/3832556#M925524 <P>So I've figured it out myself but I'm not completely certain why it fixed it.&nbsp;</P><P>&nbsp;</P><P>I removed&nbsp; all of the NAT statements from the top section here</P><P>&nbsp;</P><P>$hostname# sh run nat<BR />nat (Production,Outside) source dynamic any interface<BR />nat (any,Camera_Management) source dynamic VPN_Clients interface<BR />nat (any,Production) source dynamic VPN_Clients interface<BR />nat (Cameras,Outside) source dynamic any interface<BR />nat (any,Cameras) source dynamic VPN_Clients interface<BR />!<BR />object network VMS_TCP8081<BR />nat (Cameras,Outside) static interface no-proxy-arp service tcp 8081 8081<BR />object network VMS_UDP8081<BR />nat (Cameras,Outside) static interface no-proxy-arp service udp 8081 8081<BR />object network VMS_TCP8082<BR />nat (Cameras,Outside) static interface no-proxy-arp service tcp 8082 8082<BR />object network VMS_UDP8082<BR />nat (Cameras,Outside) static interface no-proxy-arp service udp 8082 8082<BR />object network Cameras_network<BR />nat (Cameras,Outside) dynamic interface<BR />object network VPN_Cameras<BR />nat (any,Camera_Management) dynamic interface<BR />object network Management_Internet<BR />nat (Camera_Management,Outside) dynamic interface</P><P>&nbsp;</P><P>I then re-input them with the "after-auto" command input in the middle - for example:&nbsp;</P><P>&nbsp;</P><P>nat (Production,Outside) after-auto source dynamic any interface<BR />nat (any,Production) after-auto source dynamic VPN_Clients interface</P><P>&nbsp;</P><P>My thought had been that the port forward wasn't working because the traffic was somehow hitting something beforehand, which has proven to be true. What I do not understand is why a NAT for a different network (Production vs Cameras) would have caught this. Any insight would be appreciated.&nbsp;</P> Thu, 04 Apr 2019 19:42:24 GMT bmatson37 2019-04-04T19:42:24Z https://community.cisco.com/t5/network-security/port-forward-issue-asa-5508-version-9-8-1/m-p/3831825#M925522 <P>Hello all-</P><P>I am attempting to forward both TCP and UDP 5081 and 5082 traffic hitting the outside interface on my ASA to an internal server at 172.16.200.10. behind the "camera" interface I've done a fair amount of reading on the topic and believe I have it configured properly but for the part where I don't actually see NAT hits. I'll provide all the information I think is relevant below and am happy to provide more should any be required. My best guess is that I have another NAT somehow interfering but I've tried disabling any that I would think may affect this traffic.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>hostname # sh run nat<BR />nat (Production,Outside) source dynamic any interface<BR />nat (any,Camera_Management) source dynamic VPN_Clients interface<BR />nat (any,Production) source dynamic VPN_Clients interface<BR />nat (Cameras,Outside) source dynamic any interface<BR />nat (any,Cameras) source dynamic VPN_Clients interface<BR />!<BR />object network VMS_TCP8081<BR />nat (Cameras,Outside) static interface no-proxy-arp service tcp 8081 8081<BR />object network VMS_UDP8081<BR />nat (Cameras,Outside) static interface no-proxy-arp service udp 8081 8081<BR />object network VMS_TCP8082<BR />nat (Cameras,Outside) static interface no-proxy-arp service tcp 8082 8082<BR />object network VMS_UDP8082<BR />nat (Cameras,Outside) static interface no-proxy-arp service udp 8082 8082<BR />object network Cameras_network<BR />nat (Cameras,Outside) dynamic interface<BR />object network VPN_Cameras<BR />nat (any,Camera_Management) dynamic interface<BR />object network Management_Internet<BR />nat (Camera_Management,Outside) dynamic interface</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>hostname# sh run access-list<BR />access-list Management standard permit 172.16.200.0 255.255.252.0<BR />access-list Management standard permit 172.16.75.0 255.255.255.0<BR />access-list Management standard permit 10.45.0.0 255.255.0.0<BR />access-list AnyConnect_Client_Local_Print extended deny ip any4 any4<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd<BR />access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631<BR />access-list AnyConnect_Client_Local_Print remark Windows' printing port<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100<BR />access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol<BR />access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353<BR />access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol<BR />access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355<BR />access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137<BR />access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns<BR />access-list Production_access_in extended permit ip object VPN_Clients any<BR />access-list Production_access_in extended permit ip object Production any<BR />access-list Cameras_access_in extended permit ip object VPN_Clients any<BR />access-list Cameras_access_in extended permit ip 172.16.200.0 255.255.252.0 any<BR />access-list Camera_Management_access_in extended permit ip object VPN_Clients interface Camera_Management<BR />access-list Camera_Management_access_in extended permit ip 172.16.75.0 255.255.255.0 any<BR />access-list Outside_access_in extended permit tcp any object XSMEDIA_Comcast eq ssh<BR />access-list Outside_access_in extended permit tcp any object XSMEDIA_Comcast eq www<BR />access-list Outside_access_in extended permit tcp any object VMS_TCP8081 eq 8081<BR />access-list Outside_access_in extended permit tcp any object VMS_TCP8082 eq 8082<BR />access-list Outside_access_in extended permit udp any object VMS_UDP8081 eq 8081<BR />access-list Outside_access_in extended permit udp any object VMS_UDP8082 eq 8082<BR />access-list Outside_access_in extended permit tcp any interface Outside eq 8082<BR />access-list outside-inbound extended permit tcp any object VMS_TCP8081 eq 8081<BR />access-list outside-inbound extended permit udp any object VMS_UDP8081 eq 8081<BR />access-list outside-inbound extended permit tcp any object VMS_TCP8082 eq 8082<BR />access-list outside-inbound extended permit udp any object VMS_UDP8082 eq 8082<BR />access-list Local_Lan_Access standard permit host 0.0.0.0</P><P>&nbsp;</P><P>&nbsp;</P><P>hostname# sh nat<BR />Manual NAT Policies (Section 1)<BR />1 (Production) to (Outside) source dynamic any interface<BR />translate_hits = 98291, untranslate_hits = 561<BR />2 (any) to (Camera_Management) source dynamic VPN_Clients interface<BR />translate_hits = 19, untranslate_hits = 1<BR />3 (any) to (Production) source dynamic VPN_Clients interface<BR />translate_hits = 195, untranslate_hits = 6<BR />4 (Cameras) to (Outside) source dynamic any interface<BR />translate_hits = 216, untranslate_hits = 19<BR />5 (any) to (Cameras) source dynamic VPN_Clients interface<BR />translate_hits = 185, untranslate_hits = 0</P><P>Auto NAT Policies (Section 2)<BR />1 (Cameras) to (Outside) source static VMS_TCP8081 interface service tcp 8081 8081 no-proxy-arp<BR />translate_hits = 0, untranslate_hits = 0<BR />2 (Cameras) to (Outside) source static VMS_TCP8082 interface service tcp 8082 8082 no-proxy-arp<BR />translate_hits = 0, untranslate_hits = 0<BR />3 (Cameras) to (Outside) source static VMS_UDP8081 interface service udp 8081 8081 no-proxy-arp<BR />translate_hits = 0, untranslate_hits = 0<BR />4 (Cameras) to (Outside) source static VMS_UDP8082 interface service udp 8082 8082 no-proxy-arp<BR />translate_hits = 0, untranslate_hits = 0<BR />5 (Outside) to (Camera_Management) source static _vpn_nat_172.16.249.2 71.236.243.113<BR />translate_hits = 0, untranslate_hits = 0<BR />6 (Outside) to (Camera_Management) source static _vpn_nat_172.16.249.5 71.236.243.113<BR />translate_hits = 0, untranslate_hits = 0<BR />7 (Outside) to (Camera_Management) source static _vpn_nat_172.16.249.7 140.211.82.4<BR />translate_hits = 0, untranslate_hits = 0<BR />8 (Camera_Management) to (Outside) source dynamic Management_Internet interface<BR />translate_hits = 7127, untranslate_hits = 52<BR />9 (any) to (Camera_Management) source dynamic VPN_Cameras interface<BR />translate_hits = 0, untranslate_hits = 0<BR />10 (Cameras) to (Outside) source dynamic Cameras_network interface<BR />translate_hits = 842, untranslate_hits = 23</P><P>&nbsp;</P><P>&nbsp;</P><P>hostname# packet-tracer input outside tcp 1.2.3.4 12345 X.X.X.X (public IP) 8082 detailed&nbsp;</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 199.66.196.254 using egress ifc identity</P><P>Phase: 2<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac927e600, priority=1, domain=nat-per-session, deny=true<BR />hits=715215, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaad9015390, priority=0, domain=permit, deny=true<BR />hits=579864, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=Outside, output_ifc=any</P><P>Result:<BR />input-interface: Outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: NP Identity Ifc<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>&nbsp;</P><P>&nbsp;</P><P>Any assistance is very much appreciated. It's clear that I'm overlooking something obvious but I'm sort of stuck.&nbsp;</P> Fri, 21 Feb 2020 17:00:37 GMT https://community.cisco.com/t5/network-security/port-forward-issue-asa-5508-version-9-8-1/m-p/3831825#M925522 bmatson37 2020-02-21T17:00:37Z https://community.cisco.com/t5/network-security/port-forward-issue-asa-5508-version-9-8-1/m-p/3832556#M925524 <P>So I've figured it out myself but I'm not completely certain why it fixed it.&nbsp;</P><P>&nbsp;</P><P>I removed&nbsp; all of the NAT statements from the top section here</P><P>&nbsp;</P><P>$hostname# sh run nat<BR />nat (Production,Outside) source dynamic any interface<BR />nat (any,Camera_Management) source dynamic VPN_Clients interface<BR />nat (any,Production) source dynamic VPN_Clients interface<BR />nat (Cameras,Outside) source dynamic any interface<BR />nat (any,Cameras) source dynamic VPN_Clients interface<BR />!<BR />object network VMS_TCP8081<BR />nat (Cameras,Outside) static interface no-proxy-arp service tcp 8081 8081<BR />object network VMS_UDP8081<BR />nat (Cameras,Outside) static interface no-proxy-arp service udp 8081 8081<BR />object network VMS_TCP8082<BR />nat (Cameras,Outside) static interface no-proxy-arp service tcp 8082 8082<BR />object network VMS_UDP8082<BR />nat (Cameras,Outside) static interface no-proxy-arp service udp 8082 8082<BR />object network Cameras_network<BR />nat (Cameras,Outside) dynamic interface<BR />object network VPN_Cameras<BR />nat (any,Camera_Management) dynamic interface<BR />object network Management_Internet<BR />nat (Camera_Management,Outside) dynamic interface</P><P>&nbsp;</P><P>I then re-input them with the "after-auto" command input in the middle - for example:&nbsp;</P><P>&nbsp;</P><P>nat (Production,Outside) after-auto source dynamic any interface<BR />nat (any,Production) after-auto source dynamic VPN_Clients interface</P><P>&nbsp;</P><P>My thought had been that the port forward wasn't working because the traffic was somehow hitting something beforehand, which has proven to be true. What I do not understand is why a NAT for a different network (Production vs Cameras) would have caught this. Any insight would be appreciated.&nbsp;</P> Thu, 04 Apr 2019 19:42:24 GMT https://community.cisco.com/t5/network-security/port-forward-issue-asa-5508-version-9-8-1/m-p/3832556#M925524 bmatson37 2019-04-04T19:42:24Z