Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
7369
Views
8
Helpful
5
Replies

ASA 5510 8.4 Nat & Portforwarding

Go to solution
Ondaje0x0
Level 1
Level 1

ā€Ž06-07-2013 12:49 PM - edited ā€Ž03-11-2019 06:54 PM

So I'm trying to forward an internal service on a internal  server to the external interface on the same port on the outside  interface of our ASA.

I been searching for a solution for days and found nothing.

Here are the relevant parts of my config:



: Saved
:
ASA Version 8.4(2)
!
object service TCP-WebServer-8080
 service tcp source eq 8080
object network WebServer_Object_10.1.10.7
 host 10.1.10.7
object network obj-10.1.100.0
 subnet 10.1.10.0 255.255.255.0
!
access-list outsidein extended permit ip object-group OUTSIDE object-group INSIDE
access-list insideout extended permit ip object-group INSIDE object-group OUTSIDE
access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080
!
nat (inside,outside) source dynamic obj-10.1.10.0 interface
!
access-group webserveraccess in interface outside
access-group insideout in interface inside
!
object network WebServer_Object_10.1.10.7
 nat (inside,outside) static interface service tcp 8080 8080

Here's the packet tracer output:



Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.3.4   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So it looks like it's being dropped by an ACL, but it looks right to me. Can I have some guidance as to what I am doing wrong?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Ondaje0x0

ā€Ž06-10-2013 07:06 AM

Hi,

The configuration you have above (Dynamic PAT) overrides your Static PAT (Port Forward) configuration

nat (inside,outside) source dynamic obj-10.1.10.0 interface

Remove it with

no nat (inside,outside) source dynamic obj-10.1.10.0 interface

And then add it as

nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface

And then try again. It should work.

- Jouni

View solution in original post

5 Replies 5

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

ā€Ž06-07-2013 02:47 PM

Please paste the entire packet-tracer output showing the packet-tracer you are using (syntax)

Config looks good, I would say the problem is the packet-tracer

DO it like this

packet-tracer input outside tcp 4.2.2.2 1025 outside_interface_ip eq 8080

Regards

Rate all of the helpful posts, that motivate us to keep replying and helping

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Ondaje0x0
Level 1
Level 1
In response to Julio Carvajal

ā€Ž06-10-2013 06:58 AM

wall-001(config)# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   MY_WAN_IP   255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Ondaje0x0

ā€Ž06-10-2013 07:06 AM

Hi,

The configuration you have above (Dynamic PAT) overrides your Static PAT (Port Forward) configuration

nat (inside,outside) source dynamic obj-10.1.10.0 interface

Remove it with

no nat (inside,outside) source dynamic obj-10.1.10.0 interface

And then add it as

nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface

And then try again. It should work.

- Jouni

Go to solution
Ondaje0x0
Level 1
Level 1
In response to Jouni Forss

ā€Ž06-10-2013 07:20 AM

Alright! That fixed!

Here is the packet tracer output

wall-001(config)# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network WebServer_object_10.1.10.7

nat (inside,outside) static interface service tcp 8080 8080

Additional Information:

NAT divert to egress interface inside

Untranslate MYWANIP/8080 to 10.1.10.7/8080

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group webserveraccess in interface outside

access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network WebServer_Object_10.1.10.7

nat (inside,outside) static interface service tcp 8080 8080

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1375902, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

0 Helpful

Go to solution
yunyav12CCna
Level 1
Level 1
In response to Jouni Forss

ā€Ž10-21-2018 07:37 AM

Finally I found this post!

This resolved my issue as well.

Thank you Jouni Forss!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card