cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

6872
Views
8
Helpful
5
Replies
Ondaje0x0
Beginner

ASA 5510 8.4 Nat & Portforwarding

So I'm trying to forward an internal service on a internal  server to the external interface on the same port on the outside  interface of our ASA.

I been searching for a solution for days and found nothing.

Here are the relevant parts of my config:



: Saved : ASA Version 8.4(2) ! object service TCP-WebServer-8080 service tcp source eq 8080 object network WebServer_Object_10.1.10.7 host 10.1.10.7 object network obj-10.1.100.0 subnet 10.1.10.0 255.255.255.0 ! access-list outsidein extended permit ip object-group OUTSIDE object-group INSIDE access-list insideout extended permit ip object-group INSIDE object-group OUTSIDE access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080 ! nat (inside,outside) source dynamic obj-10.1.10.0 interface ! access-group webserveraccess in interface outside access-group insideout in interface inside ! object network WebServer_Object_10.1.10.7 nat (inside,outside) static interface service tcp 8080 8080

Here's the packet tracer output:



Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in   1.2.3.4   255.255.255.255 identity Phase: 2 Type: ACCESS-LIST Subtype: Result: DROP Config: Implicit Rule Additional Information: Result: input-interface: outside input-status: up input-line-status: up output-interface: NP Identity Ifc output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule

So it looks like it's being dropped by an ACL, but it looks right to me. Can I have some guidance as to what I am doing wrong?

1 ACCEPTED SOLUTION

Accepted Solutions

Hi,

The configuration you have above (Dynamic PAT) overrides your Static PAT (Port Forward) configuration

nat (inside,outside) source dynamic obj-10.1.10.0 interface

Remove it with

no nat (inside,outside) source dynamic obj-10.1.10.0 interface

And then add it as

nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface

And then try again. It should work.

- Jouni

View solution in original post

5 REPLIES 5
Julio Carvajal
Advisor

Please paste the entire packet-tracer output showing the packet-tracer you are using (syntax)

Config looks good, I would say the problem is the packet-tracer

DO it like this

packet-tracer input outside tcp 4.2.2.2 1025 outside_interface_ip eq 8080

Regards

Rate all of the helpful posts, that motivate us to keep replying and helping

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

wall-001(config)# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   MY_WAN_IP   255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

The configuration you have above (Dynamic PAT) overrides your Static PAT (Port Forward) configuration

nat (inside,outside) source dynamic obj-10.1.10.0 interface

Remove it with

no nat (inside,outside) source dynamic obj-10.1.10.0 interface

And then add it as

nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface

And then try again. It should work.

- Jouni

View solution in original post

Alright! That fixed!

Here is the packet tracer output

wall-001(config)# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network WebServer_object_10.1.10.7

nat (inside,outside) static interface service tcp 8080 8080

Additional Information:

NAT divert to egress interface inside

Untranslate MYWANIP/8080 to 10.1.10.7/8080

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group webserveraccess in interface outside

access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network WebServer_Object_10.1.10.7

nat (inside,outside) static interface service tcp 8080 8080

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1375902, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Finally I found this post!

This resolved my issue as well.

Thank you Jouni Forss!