06-13-2019 02:02 PM
I know it's a very trite subject, but I'm already going crazy with this issue.
I am configuring a port mapping 53429 ---> https, but this does not work.
topology: User browser PC port 53429 --->Outside ASA ---> inside ASA ---- Device DVR-app https service
I have configured the following
object network DVR-web
nat (int_video,outside) static interface service tcp https 53429
with the acl
access-list outside_access_in extended permit ip any object DVR-app
but it is not working; I will be thankful for any help.
06-13-2019 04:43 PM
try this
!
object network DVR-TEST
host x.x.x.x
nat (int_video,outside) static interface service tcp 443 53429
!
access-list outside_access_in exten permit tcp any host x.x.x.x eq 443
access-group outside_access_in in interface outside
!
packet-tracer input outside tcp 8.8.8.8 12345 1.2.3.4.5 53429
where 1.2.3.4.5 is our ASA outside ip address.
06-13-2019 04:53 PM
When I applied the CLI commands, it showed the following message:
ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded
06-13-2019 05:07 PM
ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 IP_outside_ASA 53429
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop IP_outside_ASA using egress ifc identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
06-13-2019 05:02 PM
Oops, I omitted a line and that's why I showed the error,
I already applied the suggested lines but the problem continues
06-14-2019 01:44 AM
Share your firewall config in order to fix the issue.
06-14-2019 07:56 AM
06-14-2019 12:46 PM
Put in these commands and show the output of packet-tracer.
no nat (int_video,outside) source dynamic LAN_Video interface
!
object network LAN_Video
subnet 192.168.79.0 255.255.255.0
nat (int_video,outside) dynamic interface
!
object network DVR-web
host 192.168.79.10
nat (int_video,outside) static interface service tcp https 53429
!
access-list outside_access_in extended permit tcp any host 192.168.79.10 eq https
!
access-group outside_access_in in interface outside
!
packet-tracer input outside tcp 8.8.8.8 12345 X.X.X.X 53429
!
NOTE: X.X.X.X put your firewall outside ip address.
06-14-2019 03:15 PM
06-14-2019 04:44 PM
hm.. can you try this please.
object network DVR-web
host 192.168.185.11
!
object service 53429
service tcp source eq 53429
!
object service HTTP
service tcp source eq https
!
nat (wireless-house,outside) source static DVR-web interface service HTTP 53429
!
packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429
!
If the above still does not work, share the output of the command "show nat detail".
06-17-2019 10:00 AM
06-18-2019 08:18 AM
I applied the lines on ASA
I am assuming that the values of DVR-web and in the nat wireless-house are for simulation, since these values are not what I have in the configuration.
This is my packet-tracer output:
ASA-QTRO#
ASA-QTRO# packet-tracer input outside tcp 8.8.8.8 12345 189.213.236.130 53429 $
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 189.213.236.130 using egress ifc identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc55ccc6390, priority=0, domain=nat-per-session, deny=false
hits=188011, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc55d8f73a0, priority=0, domain=permit, deny=true
hits=27329, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
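For reading transcripts like the ones in this thread, here is a small parser, added as an example and not part of the thread or of any Cisco tool, that splits packet-tracer output into its phases and reports the first phase that drops the flow together with the final Drop-reason. The sample transcript is constructed and follows the phase layout shown in the posts above.

```python
# Constructed sample (not the poster's verbatim output): a shortened
# packet-tracer transcript in the same shape as the ones in the thread.
SAMPLE = """\
Phase: 1
Type: NAT
Subtype: per-session
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase: N' block, plus the final summary."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):  # start of a new phase block
            cur = {"phase": int(line.split(":")[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # bare 'Result:' opens the final summary block
            cur = None
        elif cur is None:  # summary key/value lines (Action, Drop-reason, ...)
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:  # free-form lines under Config / Additional Information
            cur[section].append(line)
        else:  # Type / Subtype / Result header of the current phase
            key, _, value = line.partition(":")
            cur[key.strip().lower()] = value.strip()
    return phases, summary

def first_drop(phases, summary):
    """Return (phase number, type, drop reason) of the first DROP phase, or None."""
    for p in phases:
        if p["result"] == "DROP":
            return p["phase"], p["type"], summary.get("Drop-reason", "")
    return None
```

Running `first_drop(*parse_packet_tracer(SAMPLE))` on a transcript like the one above points straight at the ACCESS-LIST phase hitting the implicit deny, which is the phase to compare against the configured access-list and NAT rule.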
06-18-2019 08:57 AM