10-22-2013 07:38 AM - edited 03-11-2019 07:54 PM
I am trying to do some port forwarding on an ASA 5505. It seems pretty straightforward, but somehow it's not working. I am not too familiar with Cisco devices. This is an old firewall which I am trying to configure without clearing the old configuration. Here is some info about the network and from the ASA. Any help would be greatly appreciated.
Network
24.xx.xx.xx:ASA:192.168.1.1--------------192.168.1.2:RT-N66U:192.168.3.1--------------192.168.3.0
RT-N66U is not doing any NAT.
Result of the command: "sh nat"
NAT policies on Interface inside:
match ip inside 192.168.3.0 255.255.255.0 inside 192.168.16.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.3.0 255.255.255.0 inside 192.168.202.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.3.0 255.255.255.0 outside 192.168.16.0 255.255.255.0
NAT exempt
translate_hits = 21, untranslate_hits = 447
match ip inside 192.168.3.0 255.255.255.0 outside 192.168.202.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.3.0 255.255.255.0 _internal_loopback 192.168.16.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.3.0 255.255.255.0 _internal_loopback 192.168.202.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match tcp inside host 192.168.3.1 eq 3389 outside any
static translation to 24.xx.xx.xx/3389
translate_hits = 0, untranslate_hits = 43
match tcp inside host 192.168.3.1 eq 8080 outside any
static translation to 24.xx.xx.xx/8080
translate_hits = 0, untranslate_hits = 47
match ip inside any inside any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
dynamic translation to pool 10 (24.xx.xx.xx [Interface PAT])
translate_hits = 338409, untranslate_hits = 1047890
match ip inside any _internal_loopback any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
Result of the command: "sh access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 100; 1 elements
access-list 100 line 1 extended permit ip 192.168.3.0 255.255.255.0 192.168.16.0 255.255.255.0 (hitcnt=122) 0xc73bcc27
access-list inside_nat0_outbound; 2 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.3.0 255.255.255.0 192.168.16.0 255.255.255.0 (hitcnt=0) 0x388c6023
access-list inside_nat0_outbound line 2 extended permit ip 192.168.3.0 255.255.255.0 192.168.202.0 255.255.255.0 (hitcnt=0) 0x70a9d5e2
access-list outside_access_in; 6 elements
access-list outside_access_in line 1 extended permit tcp any eq 81 host 24.xx.xx.xx eq 81 (hitcnt=0) 0xc1148a97
access-list outside_access_in line 2 extended permit icmp any interface outside (hitcnt=0) 0xbdd73ad6
access-list outside_access_in line 3 extended permit tcp any interface outside eq 8080 (hitcnt=0) 0xdd94b34c
access-list outside_access_in line 4 extended permit tcp any host 24.xx.xx.xx eq 3389 (hitcnt=0) 0xf7d1bca
access-list outside_access_in line 5 extended permit tcp any eq 37777 host 24.xx.xx.xx eq 37777 (hitcnt=0) 0xa563723
access-list outside_access_in line 6 extended permit udp any eq 37778 host 24.xx.xx.xx eq 37778 (hitcnt=0) 0xae9a25bb
access-list outside_cryptomap; 1 elements
access-list outside_cryptomap line 1 extended permit ip any 192.168.202.0 255.255.255.0 (hitcnt=0) 0x66ad24cd
Result of the command: "packet-trace input outside tcp 1.1.1.1 1234 24.xx.xx.xx 8080 det"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 24.xx.xx.xx 8080 192.168.3.1 8080 netmask 255.255.255.255
match tcp inside host 192.168.3.1 eq 8080 outside any
static translation to 24.xx.xx.xx/8080
translate_hits = 0, untranslate_hits = 47
Additional Information:
NAT divert to egress interface inside
Untranslate 24.xx.xx.xx/8080 to 192.168.3.1/8080 using netmask 255.255.255.255
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 24.xx.xx.xx 255.255.255.255 identity
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3498270, priority=0, domain=permit, deny=true
hits=1251390, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
10-22-2013 09:13 AM
Hi,
Is the public IP address used in the Static PAT (Port Forward) supposed to be the public IP address configured on the interface "outside" of the ASA?
If that is the case then a Static PAT configuration would usually look like this
static (inside,outside) tcp interface 3389 192.168.3.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.3.1 8080 netmask 255.255.255.255
The parameter "interface" specifies that the "outside" interface IP address will be used.
If you have a spare public IP address for this Static PAT configuration then you naturally specify that public IP address in the actual "static" command.
Seems your ACL is attached correctly but I wonder why the ACL doesn't see any hitcount. Its hitcount should increase with the use of the "packet-tracer" command even.
I guess there must be some kind of mismatch between the Static PAT and the ACL rules. Even though they have the rule for the TCP/8080 to "interface outside"
I guess you can try it with this too
access-list outside_access_in permit tcp any host 24.x.x.x eq 8080
- Jouni
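The correlation Jouni describes, checking that every static PAT has an inbound ACL entry that actually admits it, as an added Python example (not code from the thread or from Cisco). The sample output is constructed after the thread's own "show run static" and "show access-list" lines, with 203.0.113.10 standing in for the masked public address; it also flags entries that restrict the client's source port (the `any eq 81 host ... eq 81` shape in the original access-list), which the thread itself does not discuss.

```python
import re
# Constructed sample modelled on the thread's "show run static" and "show access-list"
# output; 203.0.113.10 is a placeholder for the masked public address.
OUTSIDE_IP = "203.0.113.10"
STATICS = """
static (inside,outside) tcp 203.0.113.10 3389 192.168.3.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.3.1 8080 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 37777 192.168.3.5 37777 netmask 255.255.255.255
static (inside,outside) udp 203.0.113.10 37778 192.168.3.5 37778 netmask 255.255.255.255
"""
ACL = """
access-list outside_access_in line 3 extended permit tcp any interface outside eq 8080 (hitcnt=0) 0xdd94b34c
access-list outside_access_in line 4 extended permit tcp any host 203.0.113.10 eq 3389 (hitcnt=12) 0xf7d1bca
access-list outside_access_in line 5 extended permit tcp any eq 37777 host 203.0.113.10 eq 37777 (hitcnt=0) 0xa563723
"""
STATIC_RE = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\d+) \S+ \d+")
ACL_RE = re.compile(r"permit (tcp|udp) any(?: eq (\d+))? (?:host (\S+)|interface \S+) eq (\d+) \(hitcnt=(\d+)\)")

def parse_statics(text, outside_ip=OUTSIDE_IP):
    """(proto, public_ip, public_port) per static PAT; the 'interface' keyword resolves to the outside IP."""
    return [(p, outside_ip if ip == "interface" else ip, int(port))
            for p, ip, port in STATIC_RE.findall(text)]

def parse_acl(text, outside_ip=OUTSIDE_IP):
    """One dict per inbound permit; src_port is None when the client port is unrestricted."""
    return [{"proto": p, "src_port": int(sp) if sp else None,
             "dst": host or outside_ip, "dst_port": int(dp), "hitcnt": int(h)}
            for p, sp, host, dp, h in ACL_RE.findall(text)]

def audit(statics, rules):
    """Map each static PAT to the ACL entries that admit it and report the most serious gap."""
    findings = {}
    for proto, ip, port in statics:
        key = f"{proto}/{ip}:{port}"
        hits = [r for r in rules if (r["proto"], r["dst"], r["dst_port"]) == (proto, ip, port)]
        if not hits:
            findings[key] = "no inbound ACL entry permits this forward"
        elif all(r["src_port"] is not None for r in hits):
            findings[key] = "ACL entry also restricts the client source port; most clients will be denied"
        elif all(r["hitcnt"] == 0 for r in hits):
            findings[key] = "permitted but never matched (hitcnt=0); verify the access-group binding"
        else:
            findings[key] = "ok"
    return findings

if __name__ == "__main__":
    for key, verdict in audit(parse_statics(STATICS), parse_acl(ACL)).items():
        print(f"{key}: {verdict}")
```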
10-22-2013 09:01 AM
Hi,
It matches the NAT rule as we can see from the UN-NAT Phase, yet it drops at the ACL Phase.
Can you provide the output of
show run access-group
I can't see any hitcount in the above ACL so it seems to me that either no traffic has come or the ACL has not been attached to the interface with the command
access-group outside_access_in in interface outside
Also, a better view (for me personally at least) of the NAT configuration could be provided with the output of the following commands
show run global
show run nat
show run static
- Jouni
10-22-2013 09:06 AM
Thanks for the quick reply. Here are the results:
Result of the command: "show run access-group"
access-group outside_access_in in interface outside
Result of the command: "show run global"
global (outside) 10 interface
Result of the command: "show run nat"
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
Result of the command: "show run static"
static (inside,outside) tcp 24.xx.xx.xx 3389 192.168.3.1 3389 netmask 255.255.255.255
static (inside,outside) tcp 24.xx.xx.xx 8080 192.168.3.1 8080 netmask 255.255.255.255
10-22-2013 09:37 AM
I was using ASDM to configure and was not able to select "interface" through the GUI for some reason. I removed the rules and entered them through Command line interface. It seems to be working now. Thanks a lot.