Resolving DROP during port forwarding

Vindemiatrix
Level 1

I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface receives its IP via DHCP. Packets are being denied, so I ran packet-tracer and get the following error from outside to the ssh port on the internal host.

Any tips on why this might be occurring?

#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   71.x.x.x   255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

# sh run nat
nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_NETWORK interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network VM
nat (inside,outside) static interface service tcp ssh ssh

# sh running-config object
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN_NETWORK
subnet 192.168.1.0 255.255.255.192
object network VM
host 172.16.0.100

# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any   destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (outside) source dynamic VPN_NETWORK interface
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static VM interface   service tcp ssh ssh
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 61918, untranslate_hits = 8178

# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list dynamic-filter_acl; 1 elements; name hash: 0xdb693454
access-list dynamic-filter_acl line 1 extended permit ip any any (hitcnt=77285) 0xe1bfda1d
access-list VM-IN; 1 elements; name hash: 0x57079372
access-list VM-IN line 1 extended permit tcp any host 172.16.1.100 eq ssh (hitcnt=5) 0x5dc27602

7 Replies

Julio Carvajal
VIP Alumni

Can you post the full packet tracer output?

You should be doing it to the outside interface IP address of your ASA, can you confirm it?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Updated the original question with the full packet-trace.

Hello Vindemiatrix,

As I said on the previous post, the packet-tracer is wrong.

The packet created from host 74.207.x.x will need to go on port 22 to the outside interface of the ASA, which I think is not 172.16.1.100.

Please do the packet tracer like this and everything should work as you have  this properly configured.

packet-tracer input outside tcp 74.207.x.x 1025 x.x.x.x(Outside interface) 22

If this post helps you, do rate it!!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Updated question for clarified response.

Hello,

Can you share the show run access-group?

Also, just to confirm, 71.x.x.x is the outside interface IP address, right?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Vindemiatrix
Level 1

The problem was with:

(outside) to (outside) source dynamic VPN_NETWORK interface

per:

https://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html

(outside) to (outside) after-auto source dynamic VPN_NETWORK interface
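The fix above comes down to NAT rule precedence: Section 1 (manual NAT) is consulted before Section 2 (auto/object NAT), and `after-auto` moves a manual rule into Section 3, behind the object rules. The following is an added, simplified model of that ordering (not Cisco's code and not from this thread); the outside address 71.0.0.1 and the client 79.0.0.1 are placeholders for the masked 71.x.x.x / 79.x.x.x in the post, and the match logic is reduced to "first rule in section order whose mapped side faces the ingress interface and covers the packet".

```python
# Added illustration of ASA NAT section precedence; placeholders stand in for
# the thread's masked addresses. Simplified model, not the ASA's real lookup.
import ipaddress
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "71.0.0.1"          # placeholder for the DHCP-assigned outside IP (71.x.x.x)
VM_REAL_IP = "172.16.0.100"      # object network VM
VPN_NETWORK = "192.168.1.0/26"   # object network VPN_NETWORK
ANY = "0.0.0.0/0"

@dataclass
class NatRule:
    section: int              # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual after-auto
    mapped_ifc: str           # interface the mapped (translated) side faces
    mapped_src: str           # mapped source; unsolicited inbound packets hit it as destination
    mapped_dst: str           # mapped destination, ANY when the rule has no destination clause
    real_ip: Optional[str]    # static real address, "IDENTITY" for identity NAT, None = dynamic PAT
    dst_port: Optional[int]   # service port restriction, None = all ports
    name: str

def untranslate(rules, ingress_ifc, src_ip, dst_ip, dst_port):
    """First match in section order wins. Returns (rule name, real destination).

    A dynamic PAT rule holds no xlate for unsolicited inbound traffic, so it cannot
    untranslate: the packet stays addressed to the interface itself (the 'NP Identity
    Ifc' egress seen in the packet-tracer output) and real destination is None.
    """
    for r in sorted(rules, key=lambda r: r.section):   # stable sort keeps config order
        if r.mapped_ifc != ingress_ifc:
            continue
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r.mapped_src):
            continue
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.mapped_dst):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.name, (dst_ip if r.real_ip == "IDENTITY" else r.real_ip)
    return None, None

def asa_rules(vpn_pat_section):
    """The thread's NAT table; vpn_pat_section is 1 (original) or 3 (after-auto fix)."""
    return [
        NatRule(1, "outside", ANY, VPN_NETWORK, "IDENTITY", None, "manual identity to VPN_NETWORK"),
        NatRule(vpn_pat_section, "outside", OUTSIDE_IP + "/32", ANY, None, None, "(outside,outside) dynamic VPN_NETWORK interface"),
        NatRule(2, "outside", OUTSIDE_IP + "/32", ANY, VM_REAL_IP, 22, "auto static VM interface tcp ssh"),
        NatRule(2, "outside", OUTSIDE_IP + "/32", ANY, None, None, "auto dynamic obj_any interface"),
    ]

def ssh_from_internet(vpn_pat_section):
    """Inbound SSH from a constructed Internet client to the outside interface."""
    return untranslate(asa_rules(vpn_pat_section), "outside", "79.0.0.1", OUTSIDE_IP, 22)
```

With the VPN PAT rule in Section 1 the auto NAT static for VM is shadowed and the packet is left "to the box"; with `after-auto` the static rule is reached first and untranslates to 172.16.0.100.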

Hello,

So now everything is working.

Good to hear that,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC