
ASA Port Forwarding - 8.3

martynch1
Level 1

Good morning all, I'm trying to create a rule on my ASA that will allow the outside to a www on the inside of my network, but I'm not having much luck.

 

4 Dec 15 2018 11:06:15 106023 213.205.192.21 33112 192.168.6.245 80 Deny tcp src outside:213.205.192.xx/33112 dst inside:192.168.6.245/80 by access-group "global_access" [0x0, 0x0]

 

I have created the following:

 

object network AD-Controller
 host 192.168.6.245
 description AD-Controller

 

object service www-80
 service tcp source eq www
 description www-80

 

access-list inside_access_in extended permit tcp any object AD-Controller eq www

 

show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static AD-Controller interface service any www-80
    translate_hits = 2, untranslate_hits = 225

 

What is the issue with the above?

 

Thank you

1 Accepted Solution


Hi,
Your NAT configuration appears incorrect. In your object "www-80" you are specifying that the source port is tcp/80, but as your logs indicate, the traffic source port is 33112.

You would be sending traffic to a destination of tcp/80; the TCP source port would be random. This example configuration should help:

object network AD-Controller
 host 192.168.6.245
 nat (INSIDE,OUTSIDE) static interface service tcp www www

HTH


3 Replies

Put this command in, try it, and let us know:

 

 

access-group inside_access_in in interface outside

 

You can also run this command:

packet-tracer input outside tcp 8.8.8.8 1234 192.168.6.245 80 detail

 

Then please share the output. This command will tell you where the problem is.

Please do not forget to rate.

Hi RJI

 

There is still a need for the access-group command according to the given config:

 

access-group inside_access_in in interface outside

Please do not forget to rate.
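
Putting the accepted answer and the replies together, as an added example that is not from any of the posters: a consolidated ASA 8.3+ configuration for this port forward, with verification commands. The ACL name outside_access_in and the placeholder <OUTSIDE_IF_IP> are assumptions; the interface names, host address and global_access ACL name come from the thread.

```text
! Added example, not from the thread.
! Assumed: ACL name outside_access_in; <OUTSIDE_IF_IP> is a placeholder for
! the outside interface address, which the thread does not give.

! 1. Object NAT (Section 2): tcp/80 on the outside interface maps to tcp/80
!    on the inside host. Syntax is "service tcp <real-port> <mapped-port>";
!    the client's random source port (33112 in the log) is never matched.
!    Manual NAT (Section 1) is evaluated before object NAT, so remove the
!    existing Section 1 rule that uses www-80 so it does not match first.
object network AD-Controller
 host 192.168.6.245
 nat (inside,outside) static interface service tcp www www

! 2. From 8.3 onward, ACLs are checked against the real (untranslated)
!    address, so the permit names the inside host, not the interface IP.
!    The ACL is bound inbound on the interface where the traffic arrives.
access-list outside_access_in extended permit tcp any object AD-Controller eq www
access-group outside_access_in in interface outside

!    If only the global ACL named in the deny log is used, the same permit
!    goes there instead:
!    access-list global_access extended permit tcp any object AD-Controller eq www

! 3. Verify. The simulated packet is addressed to the mapped address (the
!    outside interface IP), which is what an Internet client connects to.
!    Expect an UN-NAT phase to 192.168.6.245/80 and an ACCESS-LIST phase
!    with result ALLOW.
packet-tracer input outside tcp 8.8.8.8 1234 <OUTSIDE_IF_IP> 80 detailed

! 4. Confirm counters move when a real client connects.
show nat detail
show access-list outside_access_in
```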