Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1134
Views
0
Helpful
1
Replies

ASA 5506-X 9.12.2 - port forwarding - nat

jovan.cegar
Level 1
Level 1

‎05-20-2020 05:47 PM

Hi all,

 

I am trying to make port forwarding on ASA 5506-X 9.12.2.

ASA has one public IP address. I want to forward ports www and https to server behind inside interface (not DMZ).

 

Here is configuration:

 

interface inside 10.11.6.10
outside 44.44.44.44

server address 10.11.104.15

(access from 33.33.33.33 - home pc public ip)

 

sh run nat
nat (outside,outside) source dynamic USERS-VPN-Pool interface
nat (inside,outside) source static Site-USERS Site-USERS destination static USERS-VPN-Pool USERS-VPN-Pool
nat (inside,outside) source static Site-2-NS Site-2-NS destination static USERS-VPN-Pool USERS-VPN-Pool no-proxy-arp route-lookup
nat (inside,outside) source static Site-USERS Site-USERS destination static Site-BL1 Site-BL1 no-proxy-arp route-lookup
!
object network Site-USERS
nat (inside,outside) dynamic interface
object network Company-WWW-int-80
nat (inside,outside) static interface service tcp www www
object network Company-WWW-int-443
nat (inside,outside) static interface service tcp https https
object network TEST-BACKUP
nat (inside,outside) static interface service tcp 8006 8006

 

vpn-USERS# sh run access-list
access-list outside_out extended permit icmp object USERS-Guest any
access-list outside_out extended deny ip object Site-USERS object-group Deny-All-Traffic
access-list outside_out extended permit udp object USERS-Guest any
access-list outside_out extended permit icmp object Site-USERS any
access-list outside_out extended permit esp object Site-USERS any
access-list outside_out extended permit tcp object USERS-Guest any neq smtp
access-list outside_out extended permit tcp object Site-USERS any object-group USERS_out_standard_tcp
access-list outside_out extended permit udp object Site-USERS any object-group USERS_out_standard_udp
access-list outside_out extended permit tcp object Site-USERS any object-group USERS_out_demand_tcp
access-list outside_out extended permit udp object Site-USERS any object-group USERS_out_demand_udp
access-list outside_out extended permit ip object Site-USERS object-group Site-BL1

access-list OUTSIDE_in extended permit icmp any any
access-list OUTSIDE_in extended permit tcp any host 10.11.104.15 eq www
access-list OUTSIDE_in extended permit tcp any host 10.11.104.15 eq https

sh run access-group
access-group OUTSIDE_in in interface outside
access-group outside_out out interface outside


May 21 2020 00:07:45 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443
May 21 2020 00:07:47 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443
May 21 2020 00:07:51 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443
May 21 2020 00:07:59 vpn-bg2 : %ASA-3-710003: TCP access denied by ACL from 33.33.33.33/56059 to sbb-s:44.44.44.44/443

 

Also strange for me, I don't see any traffic on ACL:

access-list OUTSIDE_in line 1 extended permit icmp any any (hitcnt=0) 0x5344e208
access-list OUTSIDE_in line 2 extended permit tcp any host 10.11.104.15 eq www (hitcnt=0) 0x313ff4fc
access-list OUTSIDE_in line 3 extended permit tcp any host 10.11.104.15 eq https (hitcnt=0) 0x74f1a29b

 

Any advice, fix, solution?

 

Thank you.

0 Helpful
1 Reply 1

jovan.cegar
Level 1
Level 1

‎05-20-2020 11:43 PM

Just to add,

Default http port on asa changed:
http server enable 2456
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card