05-20-2020 05:47 PM
Hi all,
I am trying to set up port forwarding on an ASA 5506-X running 9.12.2.
The ASA has one public IP address. I want to forward ports www and https to a server behind the inside interface (not the DMZ).
Here is the configuration:
inside interface: 10.11.6.10
outside interface: 44.44.44.44
server address: 10.11.104.15
(access from 33.33.33.33, my home PC's public IP)
sh run nat
nat (outside,outside) source dynamic USERS-VPN-Pool interface
nat (inside,outside) source static Site-USERS Site-USERS destination static USERS-VPN-Pool USERS-VPN-Pool
nat (inside,outside) source static Site-2-NS Site-2-NS destination static USERS-VPN-Pool USERS-VPN-Pool no-proxy-arp route-lookup
nat (inside,outside) source static Site-USERS Site-USERS destination static Site-BL1 Site-BL1 no-proxy-arp route-lookup
!
object network Site-USERS
nat (inside,outside) dynamic interface
object network Company-WWW-int-80
nat (inside,outside) static interface service tcp www www
object network Company-WWW-int-443
nat (inside,outside) static interface service tcp https https
object network TEST-BACKUP
nat (inside,outside) static interface service tcp 8006 8006
vpn-USERS# sh run access-list
access-list outside_out extended permit icmp object USERS-Guest any
access-list outside_out extended deny ip object Site-USERS object-group Deny-All-Traffic
access-list outside_out extended permit udp object USERS-Guest any
access-list outside_out extended permit icmp object Site-USERS any
access-list outside_out extended permit esp object Site-USERS any
access-list outside_out extended permit tcp object USERS-Guest any neq smtp
access-list outside_out extended permit tcp object Site-USERS any object-group USERS_out_standard_tcp
access-list outside_out extended permit udp object Site-USERS any object-group USERS_out_standard_udp
access-list outside_out extended permit tcp object Site-USERS any object-group USERS_out_demand_tcp
access-list outside_out extended permit udp object Site-USERS any object-group USERS_out_demand_udp
access-list outside_out extended permit ip object Site-USERS object-group Site-BL1
access-list OUTSIDE_in extended permit icmp any any
access-list OUTSIDE_in extended permit tcp any host 10.11.104.15 eq www
access-list OUTSIDE_in extended permit tcp any host 10.11.104.15 eq https
sh run access-group
access-group OUTSIDE_in in interface outside
access-group outside_out out interface outside
May 21 2020 00:07:45 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443
May 21 2020 00:07:47 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443
May 21 2020 00:07:51 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443
May 21 2020 00:07:59 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443
Also strange to me: I don't see any traffic hitting the ACL:
access-list OUTSIDE_in line 1 extended permit icmp any any (hitcnt=0) 0x5344e208
access-list OUTSIDE_in line 2 extended permit tcp any host 10.11.104.15 eq www (hitcnt=0) 0x313ff4fc
access-list OUTSIDE_in line 3 extended permit tcp any host 10.11.104.15 eq https (hitcnt=0) 0x74f1a29b
Any advice, fix, solution?
Thank you.
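An added example (not from the original post) that parses the two diagnostics quoted above, the %ASA-3-710003 syslog lines and the `show access-list` hit counters, and reports ports that were refused as to-the-box connections while the matching permit entry in the interface ACL still shows hitcnt=0. %ASA-3-710003 is the message the ASA logs when a connection is addressed to one of its own interface addresses, so pairing it with zero ACE hits distinguishes "never reached the interface ACL" from "reached it and was dropped". The sample log and ACL text are constructed from the lines in the post; the 302013 line and the port-name table are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample input in the same format as the post (hostnames and IPs are placeholders).
SAMPLE_LOG = """\
May 21 2020 00:07:45 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443
May 21 2020 00:07:47 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443
May 21 2020 00:08:02 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56061 to sbb-s:44.44.44.44/80
May 21 2020 00:08:10 vpn-bg2 : %ASA-6-302013: Built inbound TCP connection 1234 for outside:33.33.33.33/56070 (33.33.33.33/56070) to inside:10.11.104.15/8006 (44.44.44.44/8006)
"""
SAMPLE_ACL = """\
access-list OUTSIDE_in line 1 extended permit icmp any any (hitcnt=0) 0x5344e208
access-list OUTSIDE_in line 2 extended permit tcp any host 10.11.104.15 eq www (hitcnt=0) 0x313ff4fc
access-list OUTSIDE_in line 3 extended permit tcp any host 10.11.104.15 eq https (hitcnt=0) 0x74f1a29b
"""

# 710003 format: "<proto> access denied by ACL from <src>/<sport> to <ifc>:<dst>/<dport>"
DENY_RE = re.compile(
    r"%ASA-\d-710003: (?P<proto>\w+) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Only single-service ACEs ("eq <svc>") are matched; ranges and object-groups are ignored here.
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\w+) .*? eq (?P<svc>\w+) \(hitcnt=(?P<hits>\d+)\)"
)
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22}  # assumed subset

def parse_denials(log_text):
    """Return {(dst_ip, dst_port): count} for every 710003 to-the-box denial in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            counts[(m["dst"], int(m["dport"]))] += 1
    return counts

def parse_acl_hits(acl_text):
    """Return {port: hitcnt} for permit ACEs of `show access-list` that name one service."""
    hits = {}
    for line in acl_text.splitlines():
        m = ACL_RE.search(line)
        if m and m["action"] == "permit":
            svc = m["svc"]
            port = PORT_NAMES.get(svc, int(svc) if svc.isdigit() else None)
            if port is not None:
                hits[port] = int(m["hits"])
    return hits

def unreached_ports(log_text, acl_text):
    """Ports refused to-the-box whose permit ACE never counted a hit (sorted)."""
    hits = parse_acl_hits(acl_text)
    return sorted({p for (_, p) in parse_denials(log_text) if hits.get(p) == 0})
```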
05-20-2020 11:43 PM