Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
728
Views
0
Helpful
4
Replies

PAT PortForward ASA 5515x Version 9.9(1)

Go to solution
erickhormazabals
Level 1
Level 1

‎06-28-2018 05:10 PM - edited ‎02-21-2020 07:55 AM

Hello, i have a problem and don't know how to solve it

 

Need: Publish a port on the firewall to forwarding it to a known port on a  private server.

 

          Public IP:8080   ->  Private IP:80

 

 

I already have some configuration that works but on DMZ interface:

if i make:

        packet-tracer input outside tcp somepublicIP 23442 MypublicIP 2222

 

It work perfectly, but if i do:

        packet-tracer input outside tcp somepublicIP 23442 MypublicIP 8080

Does not work, so i am thinking that the problem is the NAT(PAT) that is not doing it right..

 

nat (inside,outside) source static OBJ-192.168.24.106 interface service OBJ-TCP-www OBJ-TCP-8080

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
erickhormazabals
Level 1
Level 1
In response to Francesco Molino

‎07-11-2018 07:39 AM

Well.. sorry for take so long.. I moved the NAT rule a few positions up and the problem gone away.. So i really don't understand why.. but the problem is solved.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎06-28-2018 09:12 PM

Hi

It could be the acl on the outside but allowing this traffic.
Can you share the result of your non working packet-tracer please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
erickhormazabals
Level 1
Level 1
In response to Francesco Molino

‎06-29-2018 05:49 AM

Hello, ok

 

Phase: 1
Type: CAPTURE
Subtype:  
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:  
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop external_ip using egress ifc  identity
              
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:  
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to erickhormazabals

‎06-30-2018 09:54 AM

You see there's a DROP on ACL at phase 5. If you run again the command with detail keyword at the end, you'll see the acl dropping this traffic.
Can you eventually share your acl outside?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
erickhormazabals
Level 1
Level 1
In response to Francesco Molino

‎07-11-2018 07:39 AM

Well.. sorry for take so long.. I moved the NAT rule a few positions up and the problem gone away.. So i really don't understand why.. but the problem is solved.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card