01-17-2019 08:06 AM - edited 02-21-2020 08:40 AM
Hi - I have a Cisco ASA and I'm really struggling with something very simple. I have an outside interface and I would like to allow traffic to hit the outside interface on TCP Port 81 and get NAT'd to a private IP on a webserver. I believe I have the NAT piece of the equation solved but the ACL is processed first and I can't figure out the ACL for the life of me. Here's what I have:
On the outside interface, I created an incoming rule with any source, any destination and a service of TCP Port 81. However, when I run a Packet Tracer from any public IP to the IP of the outside interface on Port 81 the packet is dropped via an implicit rule.
I'm running ASA 9.9, thoughts?
01-22-2019 06:17 AM
You have not changed the NAT rules. Put them in this order:
no nat (inside,outside) source static SERVER interface service CUSTOM80 CUSTOM81
nat (inside,outside) source static SERVER interface service CUSTOM81 CUSTOM80
!
no access-list outside_access_in extended permit tcp any object SERVER eq 80
access-list outside_access_in extended permit tcp any object SERVER eq 81
access-group outside_access_in in interface outside
!
packet-tracer input outside tcp 8.8.8.8 81 96.89.224.197 80
====================================================================
This is the config you posted earlier; change it as described above. I tested it in a lab environment, so you should be OK now.
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Utility1 interface service CUSTOM80 CUSTOM81
01-17-2019 08:43 AM
01-17-2019 09:05 AM
You need this.
object network SERVER
host 10.2.2.5
nat (inside,outside) static interface service tcp 80 81
!
access-list outside_in permit tcp any host 10.2.2.5 eq 80
access-group outside_in in interface outside
!
packet-tracer input outside tcp 8.8.8.8 1234 10.2.2.5 81
!
01-17-2019 10:46 AM
So, unfortunately I'm having trouble with the NAT statement you suggested. I think via my Googling I've found that 8.3+ requires a new NAT format and syntax. Here is what I typed to try to get it as close to yours as possible:
nat (inside,outside) source static any interface service Port80 Port81
I had to create Service Objects as it wouldn't let me specify the port explicitly. I also had to add the source parameter before the word static.
Unfortunately, even with this command and the access-list/access-group commands I still get dropped packets via an implicit rule.
Config snippets:
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.2.0_26 NETWORK_OBJ_10.1.2.0_26 no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj_any interface
nat (wlan,outside) source dynamic obj_any interface
nat (inside,outside) source static any interface service Port80 Port81
object service Port80
service tcp source eq www destination eq www
object service Port81
service tcp destination eq 81
access-list outside_in extended permit tcp any host 10.1.1.79 eq www
access-group outside_access_out out interface outside
access-group inside_access_in_1 in interface inside
access-group inside_access_out_1 out interface inside
access-group wlan_access_in_1 in interface wlan
access-group wlan_access_out out interface wlan
I've attached the entire config file if that would be more helpful.
Thanks!
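A complete, minimal version of the port-forward this thread is after, assembled here as an added example (it is not any participant's config). It uses the 10.1.1.79 server address from the snippet above, assumes the object name WEBSERVER and the ACL name outside_access_in, and uses <OUTSIDE_IP> as a placeholder for the outside interface address.

```cisco
! Added example (not from the thread): object NAT port-forward on ASA 9.x.
! Real server 10.1.1.79:80 is published on the outside interface IP at TCP 81.
! Object NAT is used instead of twice NAT, so no service object with a
! "source eq www" clause can prevent the rule from matching.
object network WEBSERVER
 host 10.1.1.79
 ! service <real_port> <mapped_port>: 80 on the server, 81 as seen from outside
 nat (inside,outside) static interface service tcp 80 81
!
! Post-8.3 ACLs are evaluated after UN-NAT, so they match the REAL address
! and REAL port (10.1.1.79:80), not the mapped interface IP and port 81.
! A rule written for "any any eq 81" therefore never matches this flow.
access-list outside_access_in extended permit tcp any object WEBSERVER eq 80
!
! The ACL must be applied INBOUND on outside; the existing
! "access-group outside_access_out out interface outside" only filters egress.
access-group outside_access_in in interface outside
!
! Verify with a packet from the Internet to the outside IP on the MAPPED port 81.
! Expect "Action: allow", with the UN-NAT phase showing 10.1.1.79/80.
packet-tracer input outside tcp 8.8.8.8 1234 <OUTSIDE_IP> 81
!
! Confirm the translation exists and that the ACE accumulates hits:
show nat detail
show access-list outside_access_in
```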