01-10-2012 08:02 PM - edited 03-11-2019 03:12 PM
I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface receives its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to ssh port on internal host.
Any tips on why this might be occurring?
#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 71.x.x.x 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
# sh run nat
nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_NETWORK interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network VM
nat (inside,outside) static interface service tcp ssh ssh
# sh running-config object
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN_NETWORK
subnet 192.168.1.0 255.255.255.192
object network VM
host 172.16.0.100
# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
2 (outside) to (outside) source dynamic VPN_NETWORK interface
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static VM interface service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 61918, untranslate_hits = 8178
# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list dynamic-filter_acl; 1 elements; name hash: 0xdb693454
access-list dynamic-filter_acl line 1 extended permit ip any any (hitcnt=77285) 0xe1bfda1d
access-list VM-IN; 1 elements; name hash: 0x57079372
access-list VM-IN line 1 extended permit tcp any host 172.16.1.100 eq ssh (hitcnt=5) 0x5dc27602
01-10-2012 08:14 PM
Can you post the full packet tracer output ?
You should have been doing it to the outside interface of your ASA IP address, can you confirm it?
Julio
01-10-2012 08:32 PM
Updated the original question with the full packet-trace.
01-10-2012 10:16 PM
Hello Vindemiatrix,
As I said on the previous post, the packet-tracer is wrong.
The packet created from host 74.207.x.x will need to go on port 22 to the outside interface of the ASA which I think is not 172.16.1.100.
Please do the packet tracer like this and everything should work as you have this properly configured.
packet-tracer input outside tcp 74.207.x.x 1025 x.x.x.x(Outside interface) 22
If this post helps you, do rate it!!!
Julio
01-11-2012 07:09 PM
Updated question for clarified response.
01-12-2012 09:02 PM
Hello,
Can you share the show run access-group?
Also just to confirm 71.x.x.x is the outside interface ip address right?
Julio
01-13-2012 04:06 AM
The problem was with:
(outside) to (outside) source dynamic VPN_NETWORK interface
per:
https://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html
(outside) to (outside) after-auto source dynamic VPN_NETWORK interface
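The ordering behind that fix, as an added illustration that is not from the thread or from Cisco: a simplified Python model of the ASA NAT lookup in section order (manual, auto, after-auto) applied to the packet-tracer input from the question. The interface and source addresses are constructed stand-ins for the masked 71.x.x.x and 79.x.x.x values, and "a dynamic rule matched inbound means drop" is an assumption of the model, not a statement about ASA internals.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the masked addresses in the thread.
OUTSIDE_IP = ip_address("71.0.0.1")            # ASA outside interface (71.x.x.x on the page)
ANY = ip_network("0.0.0.0/0")                   # object obj_any
VPN_NETWORK = ip_network("192.168.1.0/26")      # object VPN_NETWORK
VM = ip_network("172.16.0.100/32")              # object VM
PKT = (ip_address("79.1.2.3"), OUTSIDE_IP, 22)  # the packet-tracer input: src, dst, dst port

@dataclass
class NatRule:
    name: str
    section: int                   # 1 = manual, 2 = auto (object NAT), 3 = after-auto manual
    mapped: object                 # "interface" or the network the outside peer sees
    kind: str                      # "static" accepts inbound connections; "dynamic" does not
    real: object
    peer: Optional[object] = None  # twice NAT: network the other endpoint must belong to
    service: Optional[int] = None  # TCP port restriction, None = any

    def matches_inbound(self, src, dst, dport):
        """Does a packet arriving on outside hit this rule's mapped (untranslate) side?"""
        mapped = ip_network(str(OUTSIDE_IP)) if self.mapped == "interface" else self.mapped
        if self.service is not None and dport != self.service:
            return False
        if self.peer is not None and src not in self.peer:
            return False
        return dst in mapped

def inbound_lookup(rules, src, dst, dport):
    """First-match lookup in ASA section order (1, 2, 3); order within a section is kept."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.matches_inbound(src, dst, dport):
            if rule.kind == "static":
                return ("untranslate", rule.name, str(rule.real.network_address))
            return ("drop", rule.name)  # model assumption: dynamic PAT has no inbound match
    return ("no-nat", None)

def move_to_after_auto(rules, name):
    """Re-create the named manual rule with the 'after-auto' keyword (section 3)."""
    return [NatRule(**{**vars(r), "section": 3}) if r.name == name else r for r in rules]

BROKEN = [
    NatRule("manual: static any any destination static VPN_NETWORK VPN_NETWORK", 1, ANY, "static", ANY, peer=VPN_NETWORK),
    NatRule("manual: (outside,outside) source dynamic VPN_NETWORK interface", 1, "interface", "dynamic", VPN_NETWORK),
    NatRule("auto: static VM interface service tcp ssh ssh", 2, "interface", "static", VM, service=22),
    NatRule("auto: dynamic obj_any interface", 2, "interface", "dynamic", ANY),
]
FIXED = move_to_after_auto(BROKEN, "manual: (outside,outside) source dynamic VPN_NETWORK interface")

if __name__ == "__main__":
    print(inbound_lookup(BROKEN, *PKT))  # drop: the outside,outside dynamic rule is hit first
    print(inbound_lookup(FIXED, *PKT))   # untranslate to 172.16.0.100 via the auto static rule
```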
01-13-2012 10:21 AM
Hello,
So now everything is working.
Good to hear that,
Julio