Port forward still does not work

Hi!

I want to access an inside machine, 192.168.67.245, on TCP port 80 from the outside using my public IP, 1.1.1.1 (example).

Here is what I did:

access-list outisde_access_in permit tcp any host 192.168.67.245 eq 80

access-list outisde_access_in permit tcp any host 1.1.1.1 eq 80

object network My_inside_machine

host 192.168.67.245

nat (inside,outside) static interface service tcp 80 80

When I try to browse http://1.1.1.1 from outside (my home), I have something like:

Severity | Date | Time | Source | Src port | Destination | Dst port | Description
3 | Oct 06 2013 | 00:02:50 | my_home_ip | 18159 | 1.1.1.1 | 80 | TCP access denied by ACL from my_home_ip/18159 to outside:1.1.1.1/80

What is wrong with my config?

ASA 5505

ASDM 7.1

ASA 9.1


6 Replies

Jouni Forss
VIP Alumni

Hi,

Well, the configuration looks otherwise good, but I have a doubt about your ACL.

The name is "outisde_access_in", though I would imagine that it should usually be "outside_access_in". Not that the ACL name matters, but just thinking if the ACL is at all attached to an interface.

I would check the output of the following command:

show run access-group

This will tell what ACLs (name) are attached to which interface and in which direction.

I am wondering if the ACL is attached to the interface?

You can also use "packet-tracer" commands to test the ASA rules:

packet-tracer input outside tcp <your-home-ip> 12345 <your-public-ip> 80

This command's output should tell if there is some problem with the ASA configuration.

- Jouni

Result of the command: "show run access-group"

access-group global_access global

Result of the command: "packet-tracer input outside tcp my_home_ip 12345 Public_IP 80"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   Public_IP   255.255.255.255 identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Which rule is configured to deny the traffic?!

Hi,

As you can see, you have not attached the ACL you mention in the original post to any interface.

You have only configured an ACL named "global_access", and it applies to all interfaces on the ASA.

However, I think you should see an UN-NAT phase in the "packet-tracer", but that is not the case in the above. So I think there might be a problem with some other NAT configuration.

I would need to see the output of:

show run nat

- Jouni

Result of the command: "show run nat"

nat (any,any) source static NETWORK_OBJ_172.19.16.0_20 NETWORK_OBJ_172.19.16.0_20
nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.16.0_20 NETWORK_OBJ_172.19.16.0_20 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.67.248_29 NETWORK_OBJ_192.168.67.248_29 no-proxy-arp route-lookup
!
object network My_inside_machine
 nat (inside,outside) static interface service tcp www www

Hi,

This NAT rule is overriding the Static PAT you have configured for the port TCP/80:

nat (inside,outside) source dynamic any interface

You will have to remove it and add it in another format:

no nat (inside,outside) source dynamic any interface

nat (inside,outside) after-auto source dynamic any interface

You will also have to make the ACL rule to allow the traffic, since, as I mentioned above, you have another ACL attached on the device compared to the one you mentioned in the original post.

- Jouni
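As an added example (not part of the thread and not Cisco's code), the following Python script reproduces Jouni's two diagnoses mechanically from text captured with `show run nat`, `show run access-list` and `show run access-group`: it lists access-lists that are defined but attached to no access-group, and it flags a section-1 manual NAT rule of the form `nat (in,out) source dynamic ... interface` that sits in front of an object (auto) NAT static rule on the same interface pair. The ASA evaluates manual NAT (section 1) before object NAT (section 2) and `after-auto` manual NAT (section 3) last, which is why the `after-auto` fix works. The sample inputs are constructed from the outputs posted in the thread; the body of the `global_access` access-list is a placeholder, since the thread never shows it.

```python
"""Check saved ASA configuration text for the two problems found in this thread.

Added example, not Cisco code. Flags:
  1. an access-list that is defined but attached to no interface (no access-group);
  2. a section-1 manual NAT rule (`nat (in,out) source dynamic ... interface`)
     evaluated before an object (auto) NAT static rule on the same interfaces,
     so it takes precedence over the object's static PAT; the fix from the
     thread is to re-add the rule with `after-auto` (section 3).
"""
import re

# Constructed samples modelled on the outputs posted in the thread. The body of
# `global_access` is a placeholder; the thread never shows it.
SHOW_RUN_NAT = """\
nat (any,any) source static NETWORK_OBJ_172.19.16.0_20 NETWORK_OBJ_172.19.16.0_20
nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.16.0_20 NETWORK_OBJ_172.19.16.0_20 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.67.248_29 NETWORK_OBJ_192.168.67.248_29 no-proxy-arp route-lookup
!
object network My_inside_machine
 nat (inside,outside) static interface service tcp www www
"""
SHOW_RUN_ACCESS_LIST = """\
access-list outisde_access_in extended permit tcp any host 192.168.67.245 eq www
access-list global_access extended permit icmp any any
"""
SHOW_RUN_ACCESS_GROUP = "access-group global_access global\n"

# Manual (twice) NAT: `nat (real,mapped) [after-auto] source {static|dynamic} ...`
MANUAL_NAT = re.compile(
    r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?P<after>after-auto\s+)?"
    r"source\s+(?P<kind>static|dynamic)\s+(?P<rest>.*)$")
# Object (auto) NAT, listed under `object network NAME`: `nat (real,mapped) {static|dynamic} ...`
OBJECT_NAT = re.compile(
    r"^\s*nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?P<kind>static|dynamic)\s+(?P<rest>.*)$")


def parse_nat(text):
    """Split `show run nat` into the ASA's three NAT sections, in evaluation order.

    Returns (section1, section2, section3): manual NAT, object NAT, after-auto manual NAT.
    """
    s1, s2, s3 = [], [], []
    current_object = None
    for line in text.splitlines():
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        m = MANUAL_NAT.match(line)
        if m:
            rule = {"line": line.strip(), "ifaces": (m["real"], m["mapped"]),
                    "kind": m["kind"], "rest": m["rest"], "object": None}
            (s3 if m["after"] else s1).append(rule)
            continue
        m = OBJECT_NAT.match(line)
        if m and current_object:
            s2.append({"line": line.strip(), "ifaces": (m["real"], m["mapped"]),
                       "kind": m["kind"], "rest": m["rest"], "object": current_object})
    return s1, s2, s3


def shadowing_rules(text):
    """Section-1 dynamic-to-interface rules on the same interface pair as an object static NAT.

    Section 1 is consulted before section 2, so such a rule takes precedence over the
    object's static PAT on the mapped interface address; packet-tracer then shows no
    UN-NAT phase, as in the thread. Returns (rule line, object name) pairs.
    """
    s1, s2, _ = parse_nat(text)
    return [(rule["line"], obj["object"])
            for obj in s2 if obj["kind"] == "static"
            for rule in s1
            if rule["kind"] == "dynamic" and rule["ifaces"] == obj["ifaces"]
            and "interface" in rule["rest"].split()]


def after_auto_fix(rule_line):
    """The two commands from the thread: remove the section-1 rule, re-add it after-auto."""
    iface_part, _, rest = rule_line.partition(" source ")
    return [f"no {rule_line}", f"{iface_part} after-auto source {rest}"]


def unattached_acls(access_list_text, access_group_text):
    """Names of access-lists that are defined but referenced by no access-group."""
    defined = {ln.split()[1] for ln in access_list_text.splitlines() if ln.startswith("access-list ")}
    attached = {ln.split()[1] for ln in access_group_text.splitlines() if ln.startswith("access-group ")}
    return sorted(defined - attached)


if __name__ == "__main__":
    for name in unattached_acls(SHOW_RUN_ACCESS_LIST, SHOW_RUN_ACCESS_GROUP):
        print(f"ACL {name!r} is defined but not attached to any interface")
    for line, obj in shadowing_rules(SHOW_RUN_NAT):
        print(f"section-1 rule '{line}' takes precedence over object NAT for {obj}; fix:")
        for cmd in after_auto_fix(line):
            print("  " + cmd)
```

Run against the thread's outputs the script reports `outisde_access_in` as unattached and prints the same `no nat ...` / `nat ... after-auto ...` pair Jouni gave; after the rule is moved to `after-auto` it parses into section 3 and is no longer reported.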

Everything seems to be okay.

Thank you very much, Jouni Forss.
