Allowing External Traffic on Cisco ASA

jweier_elys (Beginner)

Hi - I have a Cisco ASA and I'm really struggling with something very simple. I have an outside interface and I would like to allow traffic to hit the outside interface on TCP Port 81 and get NAT'd to a private IP on a webserver. I believe I have the NAT piece of the equation solved but the ACL is processed first and I can't figure out the ACL for the life of me. Here's what I have:

 

On the outside interface, I created an incoming rule with any source, any destination and a service of TCP Port 81. However, when I run a Packet Tracer from any public IP to the IP of the outside interface on Port 81 the packet is dropped via an implicit rule. 

 

I'm running ASA 9.9, thoughts?

Attachments: Rule.png, Interfaces.png, PacketTracer.png

29 Replies

Can you test this.

object network SERVER
 host 10.1.1.79
!
nat (inside,outside) 1 source static SERVER interface service Port80 Port81
!
no access-list outside_access_in extended permit tcp any host 10.1.1.79 range 81 81
no nat (inside,outside) source static any interface service Port80 Port81
!
access-list outside_access_in extended permit tcp any object SERVER eq 80
access-group outside_access_in in interface outside
!

 

(OR)

As I stated in my earlier post:

object network SERVER
 host 10.1.1.79
 nat (inside,outside) static interface service tcp 80 81
!
access-list outside_in permit tcp any host 10.1.1.79 eq 80
access-group outside_in in interface outside
!
no access-list outside_access_in extended permit tcp any host 10.1.1.79 range 81 81
no nat (inside,outside) source static any interface service Port80 Port81

please do not forget to rate.

 

object network SERVER
 host 10.1.1.79
!
nat (inside,outside) 1 source static SERVER interface service Port80 Port81
!
no access-list outside_access_in extended permit tcp any host 10.1.1.79 range 81 81
no nat (inside,outside) source static any interface service Port80 Port81

Apply this config as mentioned above; it will work.

please do not forget to rate.

Sheraz.Salim (VIP Advisor)

I have labbed this up. Your configuration was wrong. Here is the right configuration.

 

object network SERVER
 host 10.1.1.79
!
object service CUSTOM80
 service tcp source eq 80
!
object service CUSTOM81
 service tcp source eq 81
!
nat (inside,outside) source static SERVER interface service CUSTOM80 CUSTOM81
!
access-list outside_access_in extended permit tcp any object SERVER eq 80
access-group outside_access_in in interface outside
!

packet-tracer input outside tcp 8.8.8.8 1234 96.89.224.197 81

 

 

please do not forget to rate.

Hi - I appreciate the help. Unfortunately, this didn't seem to work either. This time, though, the packet-tracer hits the NAT and gets through it, but it is stopped by the ACL. I've also re-attached the config.

 

ciscoasa# packet-tracer input outside tcp 8.8.8.8 1234 96.89.224.197 81

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.89.224.197 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Can you try this and give us the output? The reason I said this is that in our access-list we allow www (80), not 81.

 

 

ciscoasa# packet-tracer input outside tcp 8.8.8.8 1234 96.89.224.197 80

please do not forget to rate.
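An added example, not from the thread or from Cisco: a small Python model of the order of operations the replies rely on. On ASA 8.3 and later the destination is untranslated by NAT first, and the inbound interface ACL is then matched against the real server address and real port (10.1.1.79:80), which is why the permit must say eq 80 and not 81. The rule and ACE structures are my own simplification of the CLI; the addresses and ports are the ones used in the thread.

```python
"""Added example (not from the thread): model of ASA 8.3+ inbound processing.
UN-NAT runs first; the inbound ACL is then checked against the REAL
(untranslated) destination address and port. Structures are simplified."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticPortNat:
    real_ip: str
    real_port: int
    mapped_ip: str      # "interface" in the CLI, resolved to the outside address
    mapped_port: int


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp"
    dst: str                 # "any" or a host address (the REAL address)
    dst_port: Optional[int]  # None means any port


def untranslate(nat: List[StaticPortNat], dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """UN-NAT phase: rewrite the destination to the real server if a rule matches;
    otherwise the packet stays addressed to the firewall itself."""
    for rule in nat:
        if (rule.mapped_ip, rule.mapped_port) == (dst_ip, dst_port):
            return rule.real_ip, rule.real_port
    return dst_ip, dst_port


def acl_permits(acl: List[Ace], proto: str, dst_ip: str, dst_port: int) -> bool:
    """ACCESS-LIST phase: first matching ACE wins; no match hits the implicit deny."""
    for ace in acl:
        if ace.proto != proto or ace.dst not in ("any", dst_ip):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action == "permit"
    return False


def inbound_allowed(nat, acl, proto, dst_ip, dst_port) -> bool:
    real_ip, real_port = untranslate(nat, dst_ip, dst_port)
    return acl_permits(acl, proto, real_ip, real_port)


# Constructed from the thread: server 10.1.1.79 port 80, published on the
# outside interface address 96.89.224.197 port 81.
NAT = [StaticPortNat("10.1.1.79", 80, "96.89.224.197", 81)]
ACL_ANY_81 = [Ace("permit", "tcp", "any", 81)]          # original any/any, tcp 81 rule
ACL_HOST_81 = [Ace("permit", "tcp", "10.1.1.79", 81)]   # ... host 10.1.1.79 range 81 81
ACL_HOST_80 = [Ace("permit", "tcp", "10.1.1.79", 80)]   # ... object SERVER eq 80
```

Only ACL_HOST_80 lets the connection to 96.89.224.197:81 through; the two port-81 variants fail the ACL phase because the port is already 80 by the time the ACL is evaluated.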