Cisco Firewalls Community

Beginner

Problem with cisco 5510 port mapping

Hello,

My device is a Cisco ASA 5510, ASA 8.4(2), ASDM 6.4(5)206.

What I am trying to achieve:

1) Host 10.10.11.108 listening on port 8080

2) Trying to access it from the WAN, e.g. on port 8090

I tried the following commands:

object network 10.10.11.108_8080
host 10.10.11.108
nat (LAN1,WAN) static interface service tcp 8080 8090

access-list WAN_access_in line 11 extended permit tcp any object 10.10.11.108_8080 eq 8080
access-group WAN_access_in in interface WAN

But I don't get access. Can someone help me solve this case?

Accepted Solution

VIP Advocate

I think I know what the problem is:

object service tcp-8080
service tcp destination eq 8080
object service tcp-8090
service tcp destination eq 8090

change it to source instead of destination:

object service tcp-8080
service tcp source eq 8080
object service tcp-8090
service tcp source eq 8090

no access-list WAN_access_in extended permit object tcp-8080 any object 10.10.11.108_8080 
access-list WAN_access_in extended permit tcp any object 10.10.11.108_8080 eq 8080

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to rate and select a correct answer
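To put the accepted answer in context, here is an added example (not configuration from anyone in this thread) of both ways to publish 10.10.11.108:8080 as port 8090 on the WAN address in ASA 8.3+ syntax, with the ACL and the packet-tracer check. It assumes the interface names LAN1 and WAN from the post; the object names HOST_10.10.11.108, TCP_8080 and TCP_8090 and the placeholder <WAN-IP> are my own.

```cisco
! Added example, not from the thread. Interfaces LAN1 (inside) and WAN
! (outside) and host 10.10.11.108 are from the post; the object names and
! the <WAN-IP> placeholder are mine. Configure ONLY ONE of forms A and B.

! Real host. The inbound ACL refers to this object with the real IP and the
! real port, because 8.3+ evaluates interface ACLs on untranslated traffic.
object network HOST_10.10.11.108
 host 10.10.11.108

! Form A: object (auto) NAT, section 2. Real port 8080 is published on the
! WAN interface address as port 8090. Re-enter the object to add its NAT line.
object network HOST_10.10.11.108
 nat (LAN1,WAN) static interface service tcp 8080 8090

! Form B: manual (twice) NAT, section 1, evaluated before object NAT, so it
! wins over any broader object NAT rule that could otherwise match first.
! In a "source static" rule the service objects describe the real host's
! SOURCE port (it is the source in the LAN1->WAN direction), which is why the
! accepted answer uses "source" rather than "destination".
object service TCP_8080
 service tcp source eq 8080
object service TCP_8090
 service tcp source eq 8090
nat (LAN1,WAN) 1 source static HOST_10.10.11.108 interface service TCP_8080 TCP_8090

! Inbound ACL on WAN: real IP and real port (8080), not the mapped 8090.
access-list WAN_access_in extended permit tcp any object HOST_10.10.11.108 eq 8080
access-group WAN_access_in in interface WAN

! Verification: simulate an Internet client hitting the WAN address on 8090.
! Replace <WAN-IP> with the WAN interface address; 4.2.2.2 / 6767 are the
! sample client values used earlier in the thread.
packet-tracer input WAN tcp 4.2.2.2 6767 <WAN-IP> 8090 detailed
show nat detail
show xlate
```

If packet-tracer still reports a NAT RPF drop, "show nat detail" lists the rules in evaluation order and shows which one the return path is hitting.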
33 Replies
Cisco Employee

Hi,

Can you share the packet tracer output for the concerned traffic ?

packet-tracer input WAN tcp 4.2.2.2 6767 <interface> 8090 det 

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Beginner

Hello,

I don't know how to save packet tracer output, but here is a screenshot of it.

Cisco Employee

Hi,

Packet-tracer is showing a NAT RPF drop.

So the return traffic is taking a different NAT.

Could you remove the existing NAT and create a manual NAT ?

nat (inside,outside) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090

This should work !!!

Regards,

Aditya 

VIP Advocate

Actually you have used the wrong IP in the destination of the packet-tracer. It should not be 10.10.11.108, so replace it with the WAN interface IP and then run the packet-tracer again.

Beginner

Okay, let's give it another try:

VIP Advocate

Try Aditya's suggestion of removing the object NAT statement and configuring the NAT in manual NAT.

nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090

If that still does not work, please post a full running config of the ASA (remove any usernames, passwords and public IPs)

Beginner

Result of the command:

"nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp 8080 tcp 8090"

nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp 8080 tcp ^8090

ERROR: % Invalid input detected at '^' marker.

VIP Advocate

You are missing the "-": tcp-8080 and tcp-8090

Beginner

Result of the command: "nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090"

ERROR: tcp-8080 is not a valid service object name

VIP Advocate

Ah ok... you have probably configured the service object incorrectly by using the destination keyword.

You need to configure it as follows:

object-group service tcp-8080 tcp
port-object eq 8080

Beginner

Ran these commands, but error is the same:

Result of the command: "nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090"

ERROR: tcp-8080 is not a valid service object name

Should it be?:

object-group service tcp-8080 tcp
service-object eq 8080

Beginner

Is this the correct command to run?

object-group service tcp-8080 tcp
service-object eq 8080

VIP Advocate

Try using an underscore instead of a hyphen. Also it is port-object, not service-object.

object-group service tcp_8080 tcp
port-object eq 8080

Beginner

Result of the command: "object-group service tcp_8080 tcp"

The command has been sent to the device

Result of the command: "port-object eq 8080"

The command has been sent to the device

--------------------

Result of the command: "nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp_8080 tcp-8090"

ERROR: tcp_8080 is not a valid service object name

Result of the command: "nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp_8080 tcp_8090"

ERROR: tcp_8080 is not a valid service object name