asa 5506-x port forward

carmonj (Level 1)

I am having issues with a port forward for an ASA 5506-X. All of the packet traces run fine, but when I attempt a connection the firewall logs show the following error.

 

3    Sep 03 2018    00:59:12        174.230.134.101    9631    <<outside IP>>    80    TCP access denied by ACL from 174.230.134.101/9631 to outside:24.247.15.10/80

Here is my running config.

 

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NX01
 host 192.168.1.8
 description Web Services
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in_2 extended permit ip any object NX01 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (outside,inside) source static any any destination static NX01 NX01 net-to-net
!
object network obj_any
 nat (any,outside) dynamic interface
access-group outside_access_in_2 in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair ASDM_LAUNCHER
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
    308204d3 308203bb a0030201 02021018 dad19e26 7de8bb4a 2158cdcc 6b3b4a30 
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117 
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b 
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504 
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72 
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56 
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043 
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d30 
    36313130 38303030 3030305a 170d3336 30373136 32333539 35395a30 81ca310b 
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20 
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65 
    74776f72 6b313a30 38060355 040b1331 28632920 32303036 20566572 69536967 
    6e2c2049 6e632e20 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c 
    79314530 43060355 0403133c 56657269 5369676e 20436c61 73732033 20507562 
    6c696320 5072696d 61727920 43657274 69666963 6174696f 6e204175 74686f72 
    69747920 2d204735 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 
    3082010a 02820101 00af2408 08297a35 9e600caa e74b3b4e dc7cbc3c 451cbb2b 
    e0fe2902 f95708a3 64851527 f5f1adc8 31895d22 e82aaaa6 42b38ff8 b955b7b1 
    b74bb3fe 8f7e0757 ecef43db 66621561 cf600da4 d8def8e0 c362083d 5413eb49 
    ca595485 26e52b8f 1b9febf5 a191c233 49d84363 6a524bd2 8fe87051 4dd18969 
    7bc770f6 b3dc1274 db7b5d4b 56d396bf 1577a1b0 f4a225f2 af1c9267 18e5f406 
    04ef90b9 e400e4dd 3ab519ff 02baf43c eee08beb 378becf4 d7acf2f6 f03dafdd 
    75913319 1d1c40cb 74241921 93d914fe ac2a52c7 8fd50449 e48d6347 883c6983 
    cbfe47bd 2b7e4fc5 95ae0e9d d4d143c0 6773e314 087ee53f 9f73b833 0acf5d3f 
    3487968a ee53e825 15020301 0001a381 b23081af 300f0603 551d1301 01ff0405 
    30030101 ff300e06 03551d0f 0101ff04 04030201 06306d06 082b0601 05050701 
    0c046130 5fa15da0 5b305930 57305516 09696d61 67652f67 69663021 301f3007 
    06052b0e 03021a04 148fe5d3 1a86ac8d 8e6bc3cf 806ad448 182c7b19 2e302516 
    23687474 703a2f2f 6c6f676f 2e766572 69736967 6e2e636f 6d2f7673 6c6f676f 
    2e676966 301d0603 551d0e04 1604147f d365a7c2 ddecbbf0 3009f343 39fa02af 
    33313330 0d06092a 864886f7 0d010105 05000382 01010093 244a305f 62cfd81a 
    982f3dea dc992dbd 77f6a579 2238ecc4 a7a07812 ad620e45 7064c5e7 97662d98 
    097e5faf d6cc2865 f201aa08 1a47def9 f97c925a 0869200d d93e6d6e 3c0d6ed8 
    e6069140 18b9f8c1 eddfdb41 aae09620 c9cd6415 3881c994 eea28429 0b136f8e 
    db0cdd25 02dba48b 1944d241 7a05694a 584f60ca 7e826a0b 02aa2517 39b5db7f 
    e784652a 958abd86 de5e8116 832d10cc defda882 2a6d281f 0d0bc4e5 e71a2619 
    e1f4116f 10b595fc e7420532 dbce9d51 5e28b69e 85d35bef a57d4540 728eb70e 
    6b0e06fb 33354871 b89d278b c4655f0d 86769c44 7af6955c f65d3208 33a454b6 
    183f685c f2424a85 3854835f d1e82cf2 ac11d6a8 ed636a
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 8f99505b
    30820339 30820221 a0030201 0202048f 99505b30 0d06092a 864886f7 0d01010b 
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648 
    86f70d01 09021608 63697363 6f617361 301e170d 31383039 30333030 31343530 
    5a170d32 38303833 31303031 3435305a 302c3111 300f0603 55040313 08636973 
    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082 
    0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100b9 
    95afdc86 405a7202 ef9baa58 bf47cf82 f8948e45 f793667c 0a5204ac eae2fbd7 
    06f6fc73 cd718103 bf6ccafc d8f2378b 7c8eb50e bf7b1509 5d9d0779 22f0ecda 
    c538f7e8 a615deef de8e6584 686a4fcd 0cbb1f07 5df98c5d 561baef7 bf283425 
    aee8abc1 bff4f804 47d6042c a727cfce 198caffa 1497f9ab a5a274a1 4afff82e 
    7580c736 9ca519f9 146d6c28 8964eafb 66aa7a42 3272334f ac936e14 cd22d3fe 
    00ed52e2 5093b2f9 c671e2c5 9b1ee396 2e389200 15cd6569 27ccf413 fbdf33c5 
    3279fc2a 2aa3602c 6b9e4e17 0edbfaa6 3b8abebd 15807af5 ecd06dad 1dc034c1 
    e902bd21 75feb706 ef261936 2b4cc241 05ac74d2 ef496900 3074624d f2b77b02 
    03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 
    0101ff04 04030201 86301f06 03551d23 04183016 8014f931 50970aa2 6bb0e292 
    c6fda871 613b1c12 fab7301d 0603551d 0e041604 14f93150 970aa26b b0e292c6 
    fda87161 3b1c12fa b7300d06 092a8648 86f70d01 010b0500 03820101 00a8b452 
    89646ebe d84a7e10 b0bed8c2 8d5186c6 cc9c1081 b2e7e5b6 4faf9dc3 b4de8b0e 
    3f0fc1ca b200f4e7 c595ec75 27eca63f 57125dbf b07ec1b5 b046dd93 f35f651f 
    a57c6ef9 161894e3 93e5d93e 808b79f4 5ea1bd93 473a3a1d 180765df 83900698 
    42ead9e8 b06d2293 5d759e45 0011f3d4 c12d3aeb 0569ce04 efca3174 5714158c 
    79a6b166 caee9527 6b9c2684 a175d662 6dbef7a9 23a857d0 58b1a456 b29b0893 
    984741cb 01e5ec53 41980139 22d8bcfb d33ce6a1 8453ea25 0b632afe 1a2974f1 
    3b7a0c8a 7fbf5dff 8e2506e4 25258763 e32578a0 db8b146e 52403959 2cba4f7f 
    90559545 8cf219f2 92a64a8e 41dc4b1b 2afddd17 9c43b872 8308c97b 2f
  quit
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:4ceaee7f008b0a4090b60a0fe82e77ca
: end

 

7 Replies

Ajay Saini (Level 7)

Hello,

 

I believe that you don't have a static IP address and you wish to use the outside interface address to port-forward the traffic from outside to inside.

 

Can you please try the following statements and see if they work:

 

object network obj-192.168.1.8
 host 192.168.1.8
 nat (inside,outside) static interface service tcp 80 80

 

Remove the existing NAT statement.

 

Try it and hopefully it should work.

 

Regards,

 

AJ

 

Agreed, NAT configuration is incorrect.

 

Martin

My outside IP is a static IP address.

For some reason my Telnet/SSH is not working. What should this look like via ASDM?

Run packet trace and post the output in text file.

packet-tracer input outside tcp 174.230.134.101 9631 24.247.15.10 80 detailed

OK, I found one problem. The outside interface was set to DHCP. I got the static IP set up. All of the packet traces are running successfully, but I am still getting the "denied by ACL" error.

Although the interface configuration appears incorrect, this is an independent issue; otherwise you would have no internet connection.

 

As one other person and I have stated, the issue lies within your NAT configuration.

 

In ASDM, the easiest way is to create the network object and then edit it, you will see there is a section for NAT, which will then create the rule for you.

 

The rules can be found under Configuration > Firewall > NAT Rules.

 

Martin
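The two post-8.3 rules this thread turns on can be checked mechanically: the port forward must be an object NAT in the (inside,outside) direction that maps the host to the outside interface address for the service, and the ACL bound inbound on outside must permit the host's real (untranslated) address, which is why the poster's `permit ip any object NX01` is not itself the problem while the `nat (outside,inside) source static any any` rule is. The script below is an added example, not the poster's config or Cisco code; it assumes the interface names `inside`/`outside` and the host 192.168.1.8 from the thread, and the two config excerpts are constructed from the posted config and from the fix suggested in the replies (with the ACL narrowed to tcp/80, an assumption that only HTTP should be exposed).

```python
"""Static check for an ASA (8.3+) inbound port forward.

Added example, not code from the thread or from Cisco. Rules applied:
object NAT must run (inside,outside) 'static interface service tcp P P'
under the host's object, and the ACL bound inbound on outside must permit
the host's REAL (untranslated) address, per post-8.3 ACL semantics.
"""
import re

NAT_RE = re.compile(r"nat \((\S+),(\S+)\)")

# Constructed excerpt of the original poster's config: the failing state.
BROKEN_CONFIG = """\
object network NX01
 host 192.168.1.8
access-list outside_access_in_2 extended permit ip any object NX01
nat (outside,inside) source static any any destination static NX01 NX01 net-to-net
object network obj_any
 nat (any,outside) dynamic interface
access-group outside_access_in_2 in interface outside
"""

# Same excerpt with object NAT as the replies recommend, plus the ACL
# narrowed from 'ip' to tcp/80 (assumption: only HTTP is meant to be exposed).
FIXED_CONFIG = """\
object network NX01
 host 192.168.1.8
 nat (inside,outside) static interface service tcp 80 80
access-list outside_access_in_2 extended permit tcp any object NX01 eq 80
object network obj_any
 nat (any,outside) dynamic interface
access-group outside_access_in_2 in interface outside
"""


def parse_config(text):
    """Return (objects, nat_rules, acls, groups): objects maps name -> host/subnet
    line; nat_rules holds (real_ifc, mapped_ifc, owning object or None, rule);
    acls maps ACL name -> ACE lines; groups holds (acl, direction, interface)."""
    objects, nat_rules, acls, groups = {}, [], {}, []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, None)
            continue
        if line.startswith(" ") and current is not None:   # inside an object block
            body = line.strip()
            if body.startswith(("host ", "subnet ")):
                objects[current] = body
            elif body.startswith("nat ("):                  # object NAT
                real, mapped = NAT_RE.match(body).groups()
                nat_rules.append((real, mapped, current, body))
            continue
        current = None
        if line.startswith("nat ("):                        # twice NAT
            real, mapped = NAT_RE.match(line).groups()
            nat_rules.append((real, mapped, None, line))
        elif line.startswith("access-list "):
            acls.setdefault(line.split()[1], []).append(line)
        elif line.startswith("access-group "):              # access-group NAME in interface IFC
            f = line.split()
            groups.append((f[1], f[2], f[4]))
    return objects, nat_rules, acls, groups


def check_port_forward(text, inside_host, port, inside="inside", outside="outside"):
    """Return a list of findings; an empty list means the forward should pass."""
    objects, nat_rules, acls, groups = parse_config(text)
    findings = []
    host_objs = {n for n, v in objects.items() if v == f"host {inside_host}"}
    if not host_objs:
        findings.append(f"no network object for host {inside_host}")

    want = f"static interface service tcp {port} {port}"
    if not any(r == inside and m == outside and o in host_objs and want in body
               for r, m, o, body in nat_rules):
        findings.append(f"missing object NAT: nat ({inside},{outside}) {want}")
    for r, m, o, body in nat_rules:
        if (r, m) == (outside, inside) and "source static any any" in body:
            findings.append("twice NAT (outside,inside) with identity source and "
                            "destination translates nothing; inbound packets keep "
                            "the public address and never match the ACL")

    inbound = [name for name, d, ifc in groups if d == "in" and ifc == outside]
    if not inbound:
        findings.append(f"no access-group bound inbound on {outside}")
    permitted = False
    for name in inbound:
        for ace in acls.get(name, []):
            f = ace.split()
            if "permit" not in f:
                continue
            proto = f[f.index("permit") + 1]
            dest_objs = [f[i + 1] for i, t in enumerate(f) if t == "object"]
            if not dest_objs or dest_objs[-1] not in host_objs:
                continue                                    # ACE is not about our host
            eq = f[f.index("eq") + 1] if "eq" in f else None
            if proto == "ip":
                permitted = True
                findings.append(f"ACL {name} permits all IP to {inside_host}; "
                                f"narrow it to tcp eq {port}")
            elif proto == "tcp" and eq in (None, str(port), "www" if port == 80 else None):
                permitted = True
    if inbound and not permitted:
        findings.append(f"outside ACL does not permit tcp/{port} to real address "
                        f"{inside_host}")
    return findings
```

Running `check_port_forward(BROKEN_CONFIG, "192.168.1.8", 80)` reports the missing object NAT, the no-op identity twice NAT and the over-broad `permit ip` ACE; the fixed excerpt returns no findings. The parser is deliberately minimal (top-level `nat` and indented object NAT only) and does not model NAT section ordering, so treat it as a sanity check beside `packet-tracer`, not a replacement for it.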
