06-07-2013 12:49 PM - edited 03-11-2019 06:54 PM
So I'm trying to forward an internal service on an internal server to the same port on the outside interface of our ASA.
I've been searching for a solution for days and found nothing.
Here are the relevant parts of my config:
: Saved
:
ASA Version 8.4(2)
!
object service TCP-WebServer-8080
service tcp source eq 8080
object network WebServer_Object_10.1.10.7
host 10.1.10.7
object network obj-10.1.10.0
subnet 10.1.10.0 255.255.255.0
!
access-list outsidein extended permit ip object-group OUTSIDE object-group INSIDE
access-list insideout extended permit ip object-group INSIDE object-group OUTSIDE
access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080
!
nat (inside,outside) source dynamic obj-10.1.10.0 interface
!
access-group webserveraccess in interface outside
access-group insideout in interface inside
!
object network WebServer_Object_10.1.10.7
nat (inside,outside) static interface service tcp 8080 8080
Here's the packet tracer output:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.2.3.4 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So it looks like it's being dropped by an ACL, but it looks right to me. Can I have some guidance as to what I am doing wrong?
06-07-2013 02:47 PM
Please paste the entire packet-tracer output, showing the packet-tracer syntax you are using.
Config looks good, I would say the problem is the packet-tracer.
Do it like this:
packet-tracer input outside tcp 4.2.2.2 1025 outside_interface_ip eq 8080
Regards
Rate all of the helpful posts; that motivates us to keep replying and helping.
06-10-2013 06:58 AM
wall-001(config)# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in MY_WAN_IP 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
06-10-2013 07:06 AM
Hi,
The configuration you have above (Dynamic PAT) overrides your Static PAT (Port Forward) configuration:
nat (inside,outside) source dynamic obj-10.1.10.0 interface
Remove it with
no nat (inside,outside) source dynamic obj-10.1.10.0 interface
And then add it as
nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface
And then try again. It should work.
- Jouni
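The answer above rests on how an ASA (8.3 and later) orders its NAT table: manual NAT (section 1) is consulted before object NAT (section 2), and manual NAT entered with the after-auto keyword lands in section 3. A dynamic PAT to the interface address in section 1 therefore wins the inbound lookup for MYWANIP:8080 before the static port-forward in section 2 is ever reached, and because a dynamic rule cannot untranslate, the packet stays addressed to the firewall itself (the "NP Identity Ifc" in the packet-tracer output) and is dropped by the implicit deny. The following is an added, simplified model of that lookup, written for this thread; it is not code from the poster or from Cisco. The outside address 203.0.113.10, the rule names, and the reduction of the ASA's matching logic to "first match in section order, static before dynamic inside section 2" are assumptions made for the example.

```python
"""Simplified model of Cisco ASA (8.3+) NAT table ordering.

Constructed example for this thread, not code from the poster or Cisco.
It models only what the thread needs:
  section 1: manual ("twice") NAT, in configured order
  section 2: auto (object) NAT, static rules before dynamic ones
  section 3: manual NAT entered with the after-auto keyword
First match wins.  Static rules match in both directions, so an inbound
packet to the mapped address is untranslated.  Dynamic PAT rules only
translate outbound; when one claims the outside interface address and
wins the inbound lookup, nothing is untranslated and the packet is left
addressed to the firewall itself (packet-tracer's "NP Identity Ifc"),
where the implicit deny drops it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed outside interface address (RFC 5737 documentation range);
# the thread redacts the real one as MYWANIP.
OUTSIDE_IP = "203.0.113.10"


@dataclass
class NatRule:
    name: str
    section: int               # 1, 2 or 3 as described above
    kind: str                  # "static" or "dynamic"
    real: str                  # real (inside) host or network
    mapped: str                # mapped address; "interface" means OUTSIDE_IP
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

    @property
    def mapped_ip(self) -> str:
        return OUTSIDE_IP if self.mapped == "interface" else self.mapped


def nat_order(rules):
    """Rules in the order the ASA consults them (the stable sort keeps
    configured order inside a section; object NAT puts static first)."""
    def key(rule):
        within = (0 if rule.kind == "static" else 1) if rule.section == 2 else 0
        return (rule.section, within)
    return sorted(rules, key=key)


def lookup_inbound(rules, dst_ip, dst_port):
    """Inbound (outside -> inside) lookup for a packet to dst_ip:dst_port.

    Returns (rule, (real_ip, real_port)) when a static rule untranslates,
    (rule, None) when a dynamic PAT rule wins and cannot untranslate,
    (None, None) when no rule claims the destination."""
    for rule in nat_order(rules):
        if ip_address(dst_ip) != ip_address(rule.mapped_ip):
            continue
        if rule.mapped_port is not None and rule.mapped_port != dst_port:
            continue
        if rule.kind == "static":
            return rule, (rule.real, rule.real_port or dst_port)
        return rule, None
    return None, None


def lookup_outbound(rules, src_ip, src_port):
    """Outbound (inside -> outside) lookup: first rule whose real side
    covers the source address (and source port, for port-specific statics)."""
    for rule in nat_order(rules):
        if ip_address(src_ip) not in ip_network(rule.real, strict=False):
            continue
        if rule.real_port is not None and rule.real_port != src_port:
            continue
        return rule
    return None


# The port-forward from the thread: object NAT, so section 2.
PORT_FORWARD = NatRule("WebServer_Object_10.1.10.7", 2, "static",
                       "10.1.10.7", "interface", real_port=8080, mapped_port=8080)


def config_before_fix():
    """nat (inside,outside) source dynamic obj-10.1.10.0 interface -> section 1"""
    return [NatRule("obj-10.1.10.0 PAT", 1, "dynamic", "10.1.10.0/24", "interface"),
            PORT_FORWARD]


def config_after_fix():
    """nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface -> section 3"""
    return [NatRule("obj-10.1.10.0 PAT", 3, "dynamic", "10.1.10.0/24", "interface"),
            PORT_FORWARD]


def describe(rules, dst_port=8080):
    """One-line verdict for an inbound packet to OUTSIDE_IP:dst_port."""
    rule, real = lookup_inbound(rules, OUTSIDE_IP, dst_port)
    if real:
        return f"allow: {rule.name} untranslates {OUTSIDE_IP}/{dst_port} to {real[0]}/{real[1]}"
    if rule:
        return f"drop: {rule.name} (section {rule.section}) wins but cannot untranslate"
    return "drop: no NAT rule claims the destination"


if __name__ == "__main__":
    print("before:", describe(config_before_fix()))
    print("after: ", describe(config_after_fix()))
```

Running it prints a drop for the original ordering and an allow with the untranslation to 10.1.10.7/8080 once the dynamic PAT is moved to section 3. The outbound lookup also shows why the fix is safe: hosts in 10.1.10.0/24 still reach the section 3 PAT, and only the web server's own traffic from port 8080 is pinned to the static rule.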
06-10-2013 07:20 AM
Alright! That fixed it!
Here is the packet tracer output
wall-001(config)# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WebServer_object_10.1.10.7
nat (inside,outside) static interface service tcp 8080 8080
Additional Information:
NAT divert to egress interface inside
Untranslate MYWANIP/8080 to 10.1.10.7/8080
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group webserveraccess in interface outside
access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network WebServer_Object_10.1.10.7
nat (inside,outside) static interface service tcp 8080 8080
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1375902, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow