Ondaje0x0
Beginner

ASA 5510 8.4 Nat & Portforwarding

So I'm trying to forward an internal service on an internal server to the external interface on the same port on the outside interface of our ASA.

I've been searching for a solution for days and found nothing.

Here are the relevant parts of my config:



: Saved
:
ASA Version 8.4(2)
!
object service TCP-WebServer-8080
 service tcp source eq 8080
object network WebServer_Object_10.1.10.7
 host 10.1.10.7
object network obj-10.1.100.0
 subnet 10.1.10.0 255.255.255.0
!
access-list outsidein extended permit ip object-group OUTSIDE object-group INSIDE
access-list insideout extended permit ip object-group INSIDE object-group OUTSIDE
access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080
!
nat (inside,outside) source dynamic obj-10.1.10.0 interface
!
access-group webserveraccess in interface outside
access-group insideout in interface inside
!
object network WebServer_Object_10.1.10.7
 nat (inside,outside) static interface service tcp 8080 8080

Here's the packet tracer output:



Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.3.4   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So it looks like it's being dropped by an ACL, but it looks right to me. Can I have some guidance as to what I am doing wrong?

Accepted Solution

Hi,

The configuration you have above (Dynamic PAT) overrides your Static PAT (Port Forward) configuration

nat (inside,outside) source dynamic obj-10.1.10.0 interface

Remove it with

no nat (inside,outside) source dynamic obj-10.1.10.0 interface

And then add it as

nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface

And then try again. It should work.

- Jouni
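To make the ordering problem behind this answer concrete, here is an added Python model of how an ASA 8.3+ consults its NAT table for an inbound packet; it is example code written for this page, not code from the thread, from Cisco, or from the ASA. It models only what the two packet-tracer runs in this thread show: rules are consulted section by section (1 = manual `nat (inside,outside) source ...`, 2 = object/auto NAT, 3 = manual rules entered with `after-auto`), the first rule that owns the packet's destination decides, and a dynamic PAT rule owns every port on its mapped interface address but can never create an inbound translation. With the dynamic PAT in section 1 the static port-forward in section 2 is never reached, the destination is never untranslated to 10.1.10.7, and `webserveraccess` (which permits to the real address) falls through to the implicit deny. The outside interface address 203.0.113.1 is an assumption standing in for MYWANIP; the other addresses and ports are the ones from the posted config.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed outside interface address; the thread redacts it as MYWANIP.
OUTSIDE_IP = "203.0.113.1"
# Real server address from the posted config.
WEB_SERVER = "10.1.10.7"


@dataclass(frozen=True)
class NatRule:
    section: int                 # 1 = manual, 2 = object (auto), 3 = manual after-auto
    kind: str                    # "static" or "dynamic"
    real: str                    # real address or subnet (display only here)
    mapped_ip: str               # mapped address, the outside interface in this thread
    port: Optional[int] = None   # static PAT port; None means every port

    def claims(self, dst_ip: str, dst_port: int) -> bool:
        # A rule is consulted for an inbound packet when the packet's
        # destination is the rule's mapped address (and port, for static PAT).
        return dst_ip == self.mapped_ip and self.port in (None, dst_port)

    def untranslate(self, dst_port: int):
        # Static rules yield the real host. Dynamic PAT only maps existing
        # outbound connections, so it cannot create an inbound translation.
        return (self.real, dst_port) if self.kind == "static" else None


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def un_nat(rules, pkt):
    """Walk sections 1, 2, 3 in order; the first rule that claims the
    destination decides, even when it cannot translate anything."""
    for section in (1, 2, 3):
        for rule in rules:
            if rule.section == section and rule.claims(pkt.dst_ip, pkt.dst_port):
                real = rule.untranslate(pkt.dst_port)
                if real is None:
                    return pkt.dst_ip, pkt.dst_port, rule  # shadowed: no UN-NAT phase
                return real[0], real[1], rule
    return pkt.dst_ip, pkt.dst_port, None


def acl_webserveraccess(real_ip: str, real_port: int) -> bool:
    # access-list webserveraccess extended permit tcp any object
    # WebServer_Object_10.1.10.7 eq 8080. Since 8.3 the interface ACL is
    # evaluated against the real (untranslated) destination.
    return real_ip == WEB_SERVER and real_port == 8080


def packet_tracer(rules, pkt):
    """Return (allowed, phases) in the spirit of the ASA packet-tracer output."""
    real_ip, real_port, rule = un_nat(rules, pkt)
    phases = []
    if rule is not None and rule.kind == "static":
        phases.append(f"UN-NAT static: {pkt.dst_ip}/{pkt.dst_port} -> {real_ip}/{real_port}")
    if acl_webserveraccess(real_ip, real_port):
        phases.append("ACCESS-LIST webserveraccess: ALLOW")
        return True, phases
    phases.append("ACCESS-LIST Implicit Rule: DROP (acl-drop)")
    return False, phases


# object network WebServer_Object_10.1.10.7
#  nat (inside,outside) static interface service tcp 8080 8080
STATIC_PAT = NatRule(2, "static", WEB_SERVER, OUTSIDE_IP, 8080)
# nat (inside,outside) source dynamic obj-10.1.10.0 interface   (section 1)
DYNAMIC_PAT_MANUAL = NatRule(1, "dynamic", "10.1.10.0/24", OUTSIDE_IP)
# nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface
DYNAMIC_PAT_AFTER_AUTO = NatRule(3, "dynamic", "10.1.10.0/24", OUTSIDE_IP)

BEFORE_FIX = [DYNAMIC_PAT_MANUAL, STATIC_PAT]
AFTER_FIX = [STATIC_PAT, DYNAMIC_PAT_AFTER_AUTO]

# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080 (constructed from the thread)
INBOUND_8080 = Packet("4.2.2.2", 1025, OUTSIDE_IP, 8080)

if __name__ == "__main__":
    for label, rules in (("before fix", BEFORE_FIX), ("after-auto", AFTER_FIX)):
        allowed, phases = packet_tracer(rules, INBOUND_8080)
        print(f"{label}: {'allow' if allowed else 'drop'}")
        for phase in phases:
            print("   ", phase)
```

Running it reproduces the two traces in this thread: with the dynamic PAT in section 1 there is no UN-NAT phase and the flow dies on the implicit rule; with `after-auto` the static rule in section 2 untranslates MYWANIP/8080 to 10.1.10.7/8080 first and the ACL permits it. A packet to a port that no static rule forwards (say 443) is still dropped after the fix, which is the behaviour you want: the broad dynamic PAT only ever maps return traffic for outbound connections, so keeping it in section 3 lets the specific static rules win without opening anything else.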


5 Replies
Julio Carvajal
Advisor

Please paste the entire packet-tracer output showing the packet-tracer you are using (syntax)

Config looks good, I would say the problem is the packet-tracer

Do it like this:

packet-tracer input outside tcp 4.2.2.2 1025 outside_interface_ip eq 8080

Regards

Rate all of the helpful posts, that motivate us to keep replying and helping

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

wall-001(config)# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   MY_WAN_IP   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Alright! That fixed it!

Here is the packet tracer output:

wall-001(config)# packet-tracer input outside tcp 4.2.2.2 1025 MYWANIP 8080

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WebServer_object_10.1.10.7
 nat (inside,outside) static interface service tcp 8080 8080
Additional Information:
NAT divert to egress interface inside
Untranslate MYWANIP/8080 to 10.1.10.7/8080

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group webserveraccess in interface outside
access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network WebServer_Object_10.1.10.7
 nat (inside,outside) static interface service tcp 8080 8080
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1375902, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Finally I found this post!

This resolved my issue as well.

Thank you Jouni Forss!