ASA 5506 TCP Port Forward not working

Todd Lewis
Level 1

Hello all,

I have an ASA on 9.6 that I cannot get to forward TCP ports. I am using NAT and an ACL to control traffic for these ports. If I put an IP any any statement in the ACL everything works fine, but when I remove the IP any any and rely on the TCP port entry only, the traffic is denied. It's like the ASA doesn't even recognize there are other ACEs in that ACL. Current config is below - any help is greatly appreciated.

ASA Version 9.6(1)
!
hostname ASA5506
enable password Rap0g0v8IG0YsVoG encrypted
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 70.10.15.253 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 10.1.10.0
subnet 10.1.10.0 255.255.255.0
object network AngiePC_3387
host 10.1.10.100
object network KristyPC_3384
host 10.1.10.106
object network KalenPC_4010
host 10.1.10.104
object network LisaNPC_3380
host 10.1.10.105
object network GregNPC_4012
host 10.1.10.103
object network TerriPC_3382
host 10.1.10.101
object network ProccessingPC_3383
host 10.1.10.108
object network PaigePC_3381
host 10.1.10.107
object network RyanPC_3394
host 10.1.10.109
object network DC01_3389
host 10.1.10.10
access-list outside-in extended permit ip 24.17.136.10 255.255.255.252 any
access-list outside-in extended permit tcp any host 70.10.15.253 eq 3383
access-list outside-in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network 10.1.10.0
nat (inside,outside) dynamic interface
object network AngiePC_3387
nat (inside,outside) static interface service tcp 3387 3387
object network KristyPC_3384
nat (inside,outside) static interface service tcp 3384 3384
object network KalenPC_4010
nat (inside,outside) static interface service tcp 4010 4010
object network LisaNPC_3380
nat (inside,outside) static interface service tcp 3380 3380
object network GregNPC_4012
nat (inside,outside) static interface service tcp 4012 4012
object network TerriPC_3382
nat (inside,outside) static interface service tcp 3382 3382
object network ProccessingPC_3383
nat (inside,outside) static interface service tcp 3383 3383
object network PaigePC_3381
nat (inside,outside) static interface service tcp 3381 3381
object network RyanPC_3394
nat (inside,outside) static interface service tcp 3394 3394
object network DC01_3389
nat (inside,outside) static interface service tcp 3389 3389
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 70.10.15.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 10.1.10.0 255.255.255.0 inside
http 24.17.136.10 255.255.255.252 outside
snmp-server host inside 10.1.10.10 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 24.17.136.10 255.255.255.252 outside
ssh 10.1.10.0 255.255.255.0 inside
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 10
management-access inside

dhcpd auto_config outside
!
dynamic-access-policy-record DfltAccessPolicy
username jennifer password qLww7R8op0pTZTz encrypted privilege 15
username tammy password gDV6XGE932d/fpBF encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context

4 Replies

Hi Todd,

The following access-list entry is wrong:

"access-list outside-in extended permit tcp any host 70.10.15.253 eq 3383"

Use private IPs instead of public IPs, like the following:

no access-list outside-in extended permit tcp any host 70.10.15.253 eq 3383

access-list outside-in extended permit tcp any host 10.1.10.108 eq 3383

singh,

This worked. Thank you for the information. I have always used the public IP in my ACLs and have never had a problem. Any idea why I need to use the private IP this time? Thanks again for the help.

Prior to 8.3 code you needed to define the public IPs in the ACL, but after 8.3 you need to define the private IP instead of the public IP.
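An added check, not from the thread or from Cisco, that automates singh's point against a saved ASA 8.3+ config: it pairs each `static interface` PAT with the IP of the interface it maps to, then flags any ACE written against that mapped IP and port and returns the real-host ACE to use instead. The config excerpt is constructed from the shape of the thread's config, and the function names are mine.

```python
import re
# Constructed excerpt in the shape of the thread's config (not the poster's full file):
# one static PAT to the "outside" interface, one ACE on the public IP, one on the real IP.
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 nameif outside
 ip address 70.10.15.253 255.255.255.252
object network ProccessingPC_3383
 host 10.1.10.108
object network DC01_3389
 host 10.1.10.10
object network ProccessingPC_3383
 nat (inside,outside) static interface service tcp 3383 3383
object network DC01_3389
 nat (inside,outside) static interface service tcp 3389 3389
access-list outside-in extended permit tcp any host 70.10.15.253 eq 3383
access-list outside-in extended permit tcp any host 10.1.10.10 eq 3389
"""

def parse(cfg):
    """Collect nameif -> interface IP, object -> host IP, and static PAT rules."""
    iface_ip, hosts, pats, name, obj = {}, {}, [], None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+$", line)) and name:
            iface_ip[name] = m.group(1)
        elif m := re.match(r"object network (\S+)$", line):
            obj = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            hosts[obj] = m.group(1)
        elif m := re.match(r"nat \(\S+,(\S+)\) static interface service tcp (\d+) (\d+)$", line):
            pats.append((obj, m.group(1), m.group(2), m.group(3)))  # mapped if, real port, mapped port
    return iface_ip, hosts, pats

def find_mapped_ip_aces(cfg):
    """Return (offending ACE, suggested ACE) pairs: on 8.3+ the ACL must name the real host."""
    iface_ip, hosts, pats = parse(cfg)
    mapped = {}  # (mapped ip, mapped port) -> (real ip, real port)
    for obj, mif, rport, mport in pats:
        if obj in hosts and mif in iface_ip:
            mapped[(iface_ip[mif], mport)] = (hosts[obj], rport)
    ace = re.compile(r"access-list (\S+) extended permit tcp (.+?) host (\S+) eq (\d+)$")
    findings = []
    for raw in cfg.splitlines():
        if (m := ace.match(raw.strip())) and (m.group(3), m.group(4)) in mapped:
            real_ip, real_port = mapped[(m.group(3), m.group(4))]
            findings.append((raw.strip(), f"access-list {m.group(1)} extended permit tcp {m.group(2)} host {real_ip} eq {real_port}"))
    return findings
```

Each pair returned is the ACE to remove with `no` and the ACE to add in its place; the 3389 entry already names the real host, so it is not reported.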

Thank you!  I appreciate the quick replies and the information.
