02-18-2015 08:00 PM - edited 03-11-2019 10:31 PM
I'm going to present this in as layman's terms as possible in hopes the understanding doesn't get convoluted. This question is based off my previous link, which I can't seem to get to work: https://supportforums.cisco.com/discussion/12419431/asa-5505-nat-and-acl-running-841 (the diagram is also available at that link).
1. Whether it's webservices or other ports being used, if I want to use my single, public IP address assigned by a cable modem company, which is being assigned by DHCP, I will:
access-group *acl-name* in interface outside
2. if I want the access to go to an internal server or device, whether it's telnet, www, or generic port, would the IP I reference be:
3. If I am specifically targeting this port/public IP and I see ZERO (0) hits on my ACL, could there be something else preventing it from traversing the network?
From an ASDM standpoint (permit on outside interface): Source = any, destination address = "private IP address of device", destination port = tcp/88
Why am I not seeing any hits?
Here's the copy of my cli if this is easier to digest:
access-list allowed_wan_services extended permit tcp any host 172.16.0.5 eq 88 log debugging
access-list allowed_wan_services extended permit udp any host 172.16.0.5 eq 88 log debugging
access-list allowed_wan_services extended permit udp any host 192.168.250.2 eq 88 log debugging
access-list allowed_wan_services extended permit tcp any host 192.168.250.2 eq 88 log debugging
access-list allowed_wan_services extended permit tcp any host 192.168.254.3 eq 88 log debugging
access-list allowed_wan_services extended permit udp any host 192.168.254.3 eq 88 log debugging
access-list allowed_wan_services extended permit tcp any host *publicIP* eq 88 log debugging
access-list allowed_wan_services extended permit udp any host *publicIP* eq 88 log debugging
access-group allowed_wan_services in interface outside
nat (outside,inside) after-auto source static Pub-Cam Priv-Cam service tcp-88 tcp-88
nat (outside,inside) after-auto source static Pub-Cam next-hop service tcp-88 tcp-88
nat (outside,inside) after-auto source static Pub-Cam distsw service tcp-88 tcp-88
I get 0 hits on any of the above.
I've also included a screen shot of my NAT via ASDM.... Thoughts/Suggestions?
02-19-2015 12:31 AM
Hi,
With any software version 8.3 or above, the ACL will always reference the local IP address and NOT the NAT IP address.
I am actually not sure if an ACL hit is registered if some part of the NAT configuration drops the connection.
The best place to start troubleshooting would be to take a "packet-tracer" output from the CLI of the ASA, and we will see if the ASA drops it. If it does, then we will need to determine if the problem is on the WAN or LAN side.
You could use this command format, for example:
packet-tracer input outside tcp 8.8.8.8 12345 <public NAT ip> <port>
The source IP address and port can be anything. I just have the habit of using the above.
- Jouni
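The point Jouni makes (post-8.3 ACLs must name the real, inside address of a statically translated host, never its mapped public address or the outside interface) is the kind of mistake that is easy to lint for in a config dump before reaching for packet-tracer. The script below is an added example and not code from the thread or from Cisco. It parses a constructed ASA fragment (the object names, the 198.51.100.10 stand-in public address and the `nat (inside,outside) source static REAL MAPPED` form are assumptions, and ACL sources are assumed to be `any`) and flags every ACE on the outside interface whose destination is a mapped address or the `interface` keyword, which is exactly the case that yields zero hit counts.

```python
"""Lint ASA (8.3+) inbound ACL entries against static NAT definitions.

Added example, not part of the thread. Finds ACEs whose destination is the
mapped (public) side of a static NAT instead of the real (inside) host.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line severity message")

# Constructed config fragment; addresses and object names are assumptions.
SAMPLE_CONFIG = """
object network Priv-Cam
 host 172.16.0.5
object network Pub-Cam
 host 198.51.100.10
object service tcp-88
 service tcp destination eq 88
nat (inside,outside) source static Priv-Cam Pub-Cam service tcp-88 tcp-88
access-list allowed_wan_services extended permit tcp any host 172.16.0.5 eq 88 log debugging
access-list allowed_wan_services extended permit tcp any host 198.51.100.10 eq 88 log debugging
access-list allowed_wan_services extended permit udp any host 192.168.250.2 eq 88 log debugging
access-list allowed_wan_services extended permit tcp any interface outside eq 88 log debugging
access-group allowed_wan_services in interface outside
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (?:after-auto )?source static (\S+) (\S+)")
# Assumes an 'any' source; destination is either 'host A.B.C.D' or 'interface NAME'.
ACL_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) (\S+) "
    r"(?:host (\S+)|interface (\S+)) eq (\S+)"
)


def parse_objects(config):
    """Return {object_name: host_ip} for 'object network' blocks that define a host."""
    objects, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^object network (\S+)\s*$", raw)
        if m:
            current = m.group(1)
            continue
        if not raw.startswith(" "):
            current = None  # any other top-level line ends the object block
            continue
        m = re.match(r"^\s+host (\S+)\s*$", raw)
        if m and current:
            objects[current] = m.group(1)
    return objects


def parse_static_nat(config, objects):
    """Return {real_ip: mapped}, where mapped is an IP or the word 'interface'."""
    real_to_mapped = {}
    for raw in config.splitlines():
        m = NAT_RE.match(raw)
        if not m:
            continue
        real_ip = objects.get(m.group(3))
        if real_ip is None:
            continue  # 'any' or an object without a host: nothing to check
        mapped_obj = m.group(4)
        real_to_mapped[real_ip] = "interface" if mapped_obj == "interface" else objects.get(mapped_obj, mapped_obj)
    return real_to_mapped


def lint_acl(config):
    """Classify each ACE: ok (real address), error (mapped side), warn (no NAT)."""
    objects = parse_objects(config)
    real_to_mapped = parse_static_nat(config, objects)
    mapped_to_real = {m: r for r, m in real_to_mapped.items() if m != "interface"}
    findings = []
    for lineno, raw in enumerate(config.strip().splitlines(), 1):
        m = ACL_RE.match(raw)
        if not m:
            continue
        host_ip, iface = m.group(5), m.group(6)
        if iface:
            findings.append(Finding(lineno, "error", f"destination 'interface {iface}' is the mapped side; on 8.3+ name the real inside host"))
        elif host_ip in mapped_to_real:
            findings.append(Finding(lineno, "error", f"destination {host_ip} is a mapped address; use real address {mapped_to_real[host_ip]}"))
        elif host_ip in real_to_mapped:
            findings.append(Finding(lineno, "ok", f"destination {host_ip} is a real address translated to {real_to_mapped[host_ip]}"))
        else:
            findings.append(Finding(lineno, "warn", f"no static NAT maps to {host_ip}; inbound traffic from outside cannot reach it"))
    return findings


if __name__ == "__main__":
    for f in lint_acl(SAMPLE_CONFIG):
        print(f"line {f.line}: [{f.severity}] {f.message}")
```

Run it against a `show running-config` dump; the `error` findings are the ACEs that will never see a hit, and the `warn` findings are hosts that are permitted but have no translation to reach them.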
02-21-2015 04:44 PM
Thank you for this. I will try this tonight. Been a crazy week for me.
02-22-2015 03:28 PM
packet-tracer input outside tcp 8.8.8.8 12345 xx.xxx.xxx.xx 88
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in xx.xxx.xxx.xx 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
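The trace above tells the story in one line: the flow is dropped in an ACCESS-LIST phase whose Config is "Implicit Rule", meaning no configured ACE matched and the implicit deny fired, which is why the counters show zero hits. When you collect many such traces, it helps to parse them rather than read them by eye. The parser below is an added example, not code from the thread or from Cisco; it reads a constructed copy of the output shape posted above (the `xx.xxx.xxx.xx` masking is kept, so it is not real output), splits it into phases plus the final summary, and reports the first dropping phase with its drop reason.

```python
"""Parse ASA packet-tracer output and locate the first dropping phase.

Added example, not part of the thread. Handles the 'Phase: N' blocks
followed by the final 'Result:' summary block.
"""
import re

# Constructed trace mirroring the shape of the output posted in the thread.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in xx.xxx.xxx.xx 255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, summary): a list of per-phase dicts and the final key/value block."""
    phases, summary, current, section = [], {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        m = re.match(r"^Phase: (\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":  # bare 'Result:' starts the summary block
            current = None
            continue
        if current is None:
            if ":" in line:
                key, _, value = line.partition(":")
                summary[key.strip()] = value.strip()
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        m = re.match(r"^(Type|Subtype|Result): ?(.*)$", line)
        if m:
            current[m.group(1).lower()] = m.group(2)
            section = None
            continue
        if section and line:
            current[section].append(line)
    return phases, summary


def diagnose(text):
    """Summarise where and why the flow was dropped (or that it was allowed)."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop is None:
        return {"action": summary.get("Action"), "dropped_in_phase": None, "type": None,
                "implicit": False, "reason": None}
    implicit = "Implicit Rule" in drop["config"]
    return {
        "action": summary.get("Action"),
        "dropped_in_phase": drop["phase"],
        "type": drop.get("type"),
        # Implicit deny in an ACCESS-LIST phase: no ACE matched, so ACL counters stay at zero.
        "implicit": implicit,
        "reason": summary.get("Drop-reason"),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

A drop in an ACCESS-LIST phase with `implicit` set to True points at the ACEs themselves (wrong address, wrong interface, wrong protocol), whereas a drop in a NAT or ROUTE-LOOKUP phase means the ACL was never the problem.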
02-22-2015 04:54 PM
ok -- I'm pretty sure I figured it out.
sysopt noproxyarp
access-list allowed_wan_services extended permit tcp any interface outside eq 88 log debugging
access-list allowed_wan_services extended permit udp any interface outside eq 88 log debugging
nat (outside,inside) source static any interface destination static interface Priv-Cam service tcp-88 tcp-88
access-group allowed_wan_services in interface outside
Thank you for your input and I will mark this correct answer if in fact this works. I'm now having an issue getting to my private IP or pinging it....so once I get that, I think I'll be able to test correctly and upload my findings.