Solved: Try Aditya's suggestion of

raidokuvarnet · ‎04-13-2016

Hello,

My device Cisco ASA 5510, ASA 8.4(2), ASDM 6.4(5)206

What I try to achieve.

1) Host 10.10.11.108 listening port 8080

2) Trying to access it from WAN e.g port 8090

I tried following commands:

object network 10.10.11.108_8080
host 10.10.11.108
nat (LAN1,WAN) static interface service tcp 8080 8090

access-list WAN_access_in line 11 extended permit tcp any object 10.10.11.108_8080 eq 8080
access-group WAN_access_in in interface WAN

But I don't gett access. Can someone help me to solve this case?

Marius Gunnerud · ‎04-22-2016

I think I know what the problem is:

object service tcp-8080
 service tcp destination eq 8080 
object service tcp-8090
 service tcp destination eq 8090

change it to source instead of destination:

object service tcp-8080
 service tcp source eq 8080 
object service tcp-8090
 service tcp source eq 8090

no access-list WAN_access_in extended permit object tcp-8080 any object 10.10.11.108_8080

access-list WAN_access_in extended permit tcp any object 10.10.11.108_8080 eq 8080

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Aditya Ganjoo · ‎04-13-2016

Hi,

Can you share the packet tracer output for the concerned traffic ?

packet-tracer input WAN tcp 4.2.2.2 6767 <interface> 8090 det

Regards,

Aditya

Please rate helpful posts and mark correct answers.

raidokuvarnet · ‎04-14-2016

Hello,

I don't know how to save packet tracer output, but here is a screenshot of it.

Aditya Ganjoo · ‎04-14-2016

Hi,

Packet-tracer is showing a NAT RPF drop.

So the return traffic is taking a different NAT.

Could you remove the existing NAT and create a manual NAT ?

nat (inside,outside) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090

This should work !!!

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Marius Gunnerud · ‎04-14-2016

Actually you have used the wrong IP in the destination of the packet-tracer. it should not be 10.10.11.108, so replace it with the WAN interface IP and then run the packet tracer again.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

raidokuvarnet · ‎04-14-2016

Okay, lets give it another try:

Marius Gunnerud · ‎04-14-2016

Try Aditya's suggestion of removing the object NAT statement and configuring the NAT in manual NAT.

nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090

If that still does not work, please post a full running config of the ASA (remove any usernames, passwords and public IPs)

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

raidokuvarnet · ‎04-15-2016

Result of the command:

"nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp 8080 tcp 8090"

nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp 8080 tcp ^8090

ERROR: % Invalid input detected at '^' marker.

Marius Gunnerud · ‎04-15-2016

You are missing the - tcp-8080 and tcp-8090

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

raidokuvarnet · ‎04-15-2016

Result of the command: "nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090"

ERROR: tcp-8080 is not a valid service object name

Marius Gunnerud · ‎04-15-2016

ah ok...you have probably configure the service object incorrectly by using the destination keyword.

You need to configure it as follows:

object-group service tcp-8080 tcp
port-object eq 8080

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

raidokuvarnet · ‎04-17-2016

Ran these commands, but error is the same:

Result of the command: "nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090"

ERROR: tcp-8080 is not a valid service object name

Should it be?:

object-group service tcp-8080 tcp
service-object eq 8080

raidokuvarnet · ‎04-19-2016

is this the correct command to run?

object-group service tcp-8080 tcp
service-object eq 8080

Marius Gunnerud · ‎04-19-2016

Try using an underscore instead of hyphen. Also it is port-object not service-object.

object-group service tcp_8080 tcp
port-object eq 8080

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

raidokuvarnet · ‎04-19-2016

Result of the command: "object-group service tcp_8080 tcp"

The command has been sent to the device

Result of the command: "port-object eq 8080"

The command has been sent to the device

--------------------

Result of the command: "nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp_8080 tcp-8090"

ERROR: tcp_8080 is not a valid service object name

Result of the command: "nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp_8080 tcp_8090"

ERROR: tcp_8080 is not a valid service object name

Problem with cisco 5510 port mapping