5222 Views, 5 Helpful, 22 Replies

ASA 5510 Port Forwarding Issue

limjohn23
Level 1

Please help,

For some reason I keep getting denied when configuring port forwarding on an ASA 5510. The current topology is Internet----Modem-----Router--------ASA 5510 (Active/Standby)---------Inside------PHP_TEST

When I try to open web server 192.168.2.5 to be accessed from OUTSIDE with the configuration below, I keep getting denied. Can you please advise what configuration is needed? Thanks in advance.

object network PHP_TEST
 host 192.168.2.5
 nat (INSIDE,OUTSIDE) static interface service tcp 80 80
access-list OutsideToPHPServer permit tcp any host 192.168.2.5 eq www
access-group OutsideToPHPServer in interface OUTSIDE

---------------------------------------------------------------------------

 

Below is my configuration; I omitted the config that is not relevant to this issue.

: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
ASA Version 9.1(6)
!
hostname XXXXXXXXXXXXXXXX
domain-name XXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXXXXXXX encrypted
names
dns-guard
ip local pool RVPN_User 10.0.0.1-10.0.0.10 mask 255.255.255.0
!
interface Ethernet0/0
 description *** Connection to Router Plutus ***
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.10
!
interface Ethernet0/1
 description *** Connection to DMZ Zone ***
 nameif DMZ
 security-level 55
 ip address 192.168.3.1 255.255.255.0 standby 192.168.3.10
!
interface Ethernet0/2
 description *** Connection to LAN ***
 nameif INSIDE
 security-level 55
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.10
!
interface Ethernet0/3
 description *** Available Link ***
 shutdown
 nameif DMZ2
 security-level 55
 ip address 192.168.5.1 255.255.255.0
!
interface Management0/0
 description LAN Failover Interface
 management-only
!
!
boot system disk0:/asa916-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name xxxxxxxxxxxxxxxxxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PHP_TEST
 host 192.168.2.5
object network dmz-subnet
 subnet 192.168.3.0 255.255.255.0
object network inside-subnet
 subnet 192.168.2.0 255.255.255.0
object network Outside_Network
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_28
 subnet 10.0.0.0 255.255.255.240
object service HTTP
 service tcp source eq www
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq www
 service-object tcp destination eq www
 service-object udp destination eq www
object-group network DMZ-subnet
 network-object 192.168.3.0 255.255.255.0
object-group network opendns-servers
 network-object host 208.67.220.220
 network-object host 208.67.220.222
object-group network googledns-servers
 network-object host 8.8.4.4
 network-object host 8.8.8.8
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq www
 service-object udp destination eq www
access-list OUTSIDE_access_in extended permit ip any4 any4
access-list DMZ_access_in extended permit ip any4 any4 log disable
access-list OUTSIDE_access_in_1 extended permit ip any any log disable
access-list outside_acl extended permit ip any4 192.168.3.0 255.255.255.0 log disable
access-list outside_acl extended permit ip any4 any4
access-list inbound extended permit ip any4 any4 log disable
access-list global_mpc extended permit ip any any
access-list inside_access_in extended permit ip any4 any4 log disable
access-list inside_access_out extended permit ip any4 any4
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host INSIDE 192.168.2.12
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination INSIDE 192.168.2.12 2055
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
mtu DMZ2 1500
ip verify reverse-path interface OUTSIDE
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover key *****
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any DMZ
icmp permit 192.168.3.0 255.255.255.0 DMZ
asdm image disk0:/asdm-771.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,OUTSIDE) source static PHP_TEST PHP_TEST service HTTP HTTP
!
object network dmz-subnet
 nat (DMZ,OUTSIDE) dynamic interface
object network inside-subnet
 nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
access-group inside_access_out out interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=APOLLO
 crl configure
crypto ca trustpool policy
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 OUTSIDE
ssh 192.168.3.0 255.255.255.0 DMZ
ssh 192.168.2.0 255.255.255.0 INSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.239.35.0 source OUTSIDE prefer
ssl trust-point ASDM_TrustPoint0 INSIDE
ssl trust-point ASDM_TrustPoint0 OUTSIDE
ssl trust-point ASDM_TrustPoint0 DMZ2
ssl trust-point ASDM_TrustPoint0 DMZ
webvpn
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class global-class
  flow-export event-type all destination 192.168.2.12
 class inspection_default
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class class-default
  user-statistics accounting
!
service-policy global_policy global

1 Accepted Solution


The packet-tracer is failing because there is no NAT configured for 192.168.1.2 on port 3389.

Yes, the access-list and access-group names have to be the same.

-

AJ



Ajay Saini
Level 7

Hello,

There is a NAT statement:

nat (INSIDE,OUTSIDE) source static PHP_TEST PHP_TEST service HTTP HTTP

Please remove it, as it is a self NAT and does not NAT on the outside interface. I believe you need port translation, which is what you mentioned initially:

object network PHP_TEST
 host 192.168.2.5
 nat (INSIDE,OUTSIDE) static interface service tcp 80 80
access-list OutsideToPHPServer permit tcp any host 192.168.2.5 eq www
access-group OutsideToPHPServer in interface OUTSIDE

Also, there is an access-group on the inside interface in the egress direction which seems to be redundant for the incoming traffic. Try to remove it if not needed.

If it does not work, please attach output of packet-tracer and also syslogs from time of issue.

-

AJ

Hi Ajay,
     Thanks again for your time. Following your advice, when running a packet-tracer coming from outside port 8080 to PHP_TEST port 80, it failed on this NAT rule: "nat (INSIDE,OUTSIDE) source static PHP_TEST interface service HTTP HTTP". Please advise.

Below is the rest of the result and configuration.

ROUTERX(config)# packet-tracer input outside tcp 1.1.1.1 8080 192.168.2.12 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.0     255.255.255.0   INSIDE

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any object PHP_TEST log
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq www
 service-object tcp destination eq www
 service-object udp destination eq www
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface INSIDE
access-list inside_access_out extended permit ip any4 any4
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (INSIDE,OUTSIDE) source static PHP_TEST interface service HTTP HTTP
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
------------------------------------------------------------------------------

18899 bytes copied in 3.390 secs (6299 bytes/sec)
[OK]
APOLLO(config)# sh run

: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(6)

hostname xxxxxxxxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxxx
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
ip local pool RVPN_User 10.0.0.1-10.0.0.10 mask 255.255.255.0
!
interface Ethernet0/0
 description *** Connection to Router Plutus ***
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.10
!
interface Ethernet0/1
 description *** Connection to DMZ Zone ***
 nameif DMZ
 security-level 55
 ip address 192.168.3.1 255.255.255.0 standby 192.168.3.10
!
interface Ethernet0/2
 description *** Connection to LAN ***
 nameif INSIDE
 security-level 55
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.10
!
interface Ethernet0/3
 description *** Available Link ***
 shutdown
 nameif DMZ2
 security-level 55
 ip address 192.168.5.1 255.255.255.0
!
interface Management0/0
 description LAN Failover Interface
 management-only
!
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name plustusone.zapto.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PHP_TEST
 host 192.168.2.12
object network dmz-subnet
 subnet 192.168.3.0 255.255.255.0
object network inside-subnet
 subnet 192.168.2.0 255.255.255.0
object network Outside_Network
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_28
 subnet 10.0.0.0 255.255.255.240

object service HTTP
 service tcp source eq www destination eq 8080
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq www
 service-object tcp destination eq www
 service-object udp destination eq www
object-group network DMZ-subnet
 network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq www
 service-object udp destination eq www
access-list OUTSIDE_access_in extended permit ip any4 any4
access-list DMZ_access_in extended permit ip any4 any4 log disable
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any object PHP_TEST log
access-list OUTSIDE_access_in_1 extended permit ip any any log disable
access-list outside_acl extended permit ip any4 192.168.3.0 255.255.255.0 log disable
access-list outside_acl extended permit ip any4 any4
access-list inbound extended permit ip any4 any4 log disable
access-list global_mpc extended permit ip any any
access-list inside_access_in extended permit ip any4 any4 log disable
access-list inside_access_out extended permit ip any4 any4
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host INSIDE 192.168.2.12
 
flow-export destination INSIDE 192.168.2.12 2055
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
mtu DMZ2 1500
ip verify reverse-path interface OUTSIDE
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover key *****
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any DMZ
icmp permit 192.168.3.0 255.255.255.0 DMZ
asdm image disk0:/asdm-771.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,OUTSIDE) source static PHP_TEST interface service HTTP HTTP
!
object network dmz-subnet
 nat (DMZ,OUTSIDE) dynamic interface
object network inside-subnet
 nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
access-group inside_access_out out interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
.................
http server enable
http 192.168.2.0 255.255.255.0 INSIDE
http 192.168.1.0 255.255.255.0 OUTSIDE
................
  quit
..........................
webvpn
...............
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class global-class
  flow-export event-type all destination 192.168.2.12
 class inspection_default
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class class-default
  user-statistics accounting
!
service-policy global_policy global

Hello,

You should run a packet-tracer for the outside interface IP address, because that's our PAT IP address. Run this command:

packet-tracer input outside tcp 1.1.1.1 8080 192.168.5.1 80

Let me know the result.

-

AJ

Hi Ajay,

    Please see below,

APOLLO(config)# packet-tracer input outside tcp 1.1.1.1 8080 192.168.2.12 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.0     255.255.255.0   INSIDE

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any object PHP_TEST log
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq www
 service-object tcp destination eq www
 service-object udp destination eq www
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface INSIDE
access-list inside_access_out extended permit ip any4 any4
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (INSIDE,OUTSIDE) source static PHP_TEST interface service HTTP HTTP
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

That's again incorrect. As I stated, the packet-tracer needs to be for the mapped IP address, which in our case is 192.168.5.1 (the outside interface IP address).

Please run a packet-tracer as suggested.

-

AJ

See below; the outside IP is in the range of the 192.168.1.0/24 network.

packet-tracer input outside tcp 1.1.1.1 8080 192.168.5.1 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.5.1     255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.5.1     255.255.255.255 identity

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

I apologize, I spoke too soon. The destination IP address should be 192.168.1.2, because that's the outside interface IP address. Please run a packet-tracer and let me know the result:

packet-tracer input outside tcp 1.1.1.1 8080 192.168.1.2 80

-

AJ

Hi Ajay,

     Thanks, here's the result.

APOLLO(config)# packet-tracer input outside tcp 1.1.1.1 8080 192.168.1.2 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static PHP_TEST interface service HTTP HTTP
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 192.168.1.2/80 to 192.168.2.12/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-list OUTSIDE_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 any object PHP_TEST log
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq www
 service-object tcp destination eq www
 service-object udp destination eq www
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static PHP_TEST interface service HTTP HTTP
Additional Information:
Static translate 1.1.1.1/8080 to 1.1.1.1/8080

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface INSIDE
access-list inside_access_out extended permit ip any4 any4
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static PHP_TEST interface service HTTP HTTP
Additional Information:

Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11521694, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

This looks good. It should work. 

-AJ

The packet tracer test is coming from outside to outside; it should be from outside to inside. Tested it, and I am unable to reach the target.

I have a workstation on the outside interface and I am unable to reach 192.168.2.12:8080, same as the internet with my xxxxx.com:8080.

Please advise,

I redid the port forwarding with the following configuration and detailed result. Traffic keeps dropping on "nat (INSIDE,OUTSIDE) dynamic interface", the configuration that gives the INSIDE interface internet access. Please see below.

object network PHP_TEST
 host 192.168.2.12
 nat (INSIDE,OUTSIDE) static interface service tcp 8080 80
access-list OutsideToPHPServer permit tcp any host PHP_TEST eq 8080
access-group OutsideToPHPServer in interface OUTSIDE


APOLLO(config)# packet-tracer input outside tcp 1.1.1.1 8080 192.168.2.12 80 d$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.0     255.255.255.0   INSIDE

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OutsideToPHPServer in interface OUTSIDE
access-list OutsideToPHPServer extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae162ad0, priority=13, domain=permit, deny=false
        hits=116, user_data=0xab6b7300, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae9f3ef0, priority=1, domain=nat-per-session, deny=true
        hits=1216251, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaa347f68, priority=0, domain=inspect-ip-options, deny=true
        hits=11451952, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae0f0f40, priority=21, domain=lu, deny=true
        hits=25, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaec98c40, priority=18, domain=flow-export, deny=false
        hits=232451, user_data=0xadafa7a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf270478, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=195527, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface INSIDE
access-list inside_access_out extended permit ip any4 any4
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xadae3fc0, priority=13, domain=permit, deny=false
        hits=396214, user_data=0xab6b7a80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=INSIDE

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network inside-subnet
 nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xae5c3a28, priority=6, domain=nat-reverse, deny=false
        hits=188895, user_data=0xae020860, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=INSIDE

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The packet-tracer still needs to hit the public IP address and public-facing port on the outside (in your case, the outside interface), whereas the access-list requires the original host IP and port.

So, the packet-tracer you need to run is:

packet-tracer input outside tcp 1.1.1.1 8080 192.168.1.2 80

-AJ
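AJ's two points in this thread (replace the identity twice-NAT with an object NAT of the form `static interface service tcp <real> <mapped>`, and aim the packet-tracer at the mapped address and port on OUTSIDE while the interface ACL is written against the real host and port) can be checked with the following Python model. It is an added example, not code from Cisco or from anyone in the thread. It models only the phases the thread turns on (UN-NAT, route lookup, inbound interface ACL, NAT rpf-check) for object NAT with a single `static interface service tcp` rule; interface and server addresses and the sample config lines are taken from the thread, and a second config that swaps the two ports is constructed here to show the difference the port order makes.

```python
import re
from dataclasses import dataclass

# Interface addresses from the thread's configuration (OUTSIDE is the PAT address).
INTERFACE_IPS = {"OUTSIDE": "192.168.1.2", "INSIDE": "192.168.2.1", "DMZ": "192.168.3.1"}
# Connected /24s for the route lookup, keyed by their first three octets.
CONNECTED = {"192.168.1.": "OUTSIDE", "192.168.2.": "INSIDE", "192.168.3.": "DMZ"}
PORT_NAMES = {"www": 80, "http": 80}


def port_num(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


@dataclass(frozen=True)
class StaticPat:
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    mapped_ip: str
    real_port: int    # listed FIRST in `service tcp <real> <mapped>`
    mapped_port: int  # listed SECOND


@dataclass(frozen=True)
class Ace:
    acl: str
    dst_ip: str
    dst_port: int


def parse(config: str):
    """Extract object static PATs, dynamic-PAT interfaces, ACEs and inbound access-groups.
    Only the subset of ASA syntax used in the thread is understood (object NAT, not twice NAT)."""
    hosts, cur, pats, dyn, aces, groups = {}, None, [], set(), [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            cur = m.group(1)                      # sections may be split, as in `show run`
        elif m := re.match(r"host (\S+)$", line):
            hosts[cur] = m.group(1)
        elif m := re.match(r"nat \((\S+),(\S+)\) static (\S+) service tcp (\S+) (\S+)$", line):
            rifc, mifc, mapped, rport, mport = m.groups()
            mapped_ip = INTERFACE_IPS[mifc] if mapped == "interface" else mapped
            pats.append(StaticPat(rifc, mifc, hosts[cur], mapped_ip, port_num(rport), port_num(mport)))
        elif m := re.match(r"nat \((\S+),(\S+)\) dynamic interface$", line):
            dyn.add(m.group(1))                   # hosts behind this interface are PAT'ed outbound
        elif m := re.match(r"access-list (\S+) (?:extended )?permit tcp any (?:host|object) (\S+) eq (\S+)$", line):
            aces.append(Ace(m.group(1), hosts.get(m.group(2), m.group(2)), port_num(m.group(3))))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            groups[m.group(2)] = m.group(1)
    return pats, dyn, aces, groups


def packet_tracer(config: str, in_ifc: str, dst_ip: str, dst_port: int) -> dict:
    """Walk the phases that decided the traces in the thread for one inbound TCP packet."""
    pats, dyn, aces, groups = parse(config)
    phases = []
    # UN-NAT: the inbound packet is matched on the MAPPED address/port, then untranslated.
    hit = next((p for p in pats if p.mapped_ifc == in_ifc
                and p.mapped_ip == dst_ip and p.mapped_port == dst_port), None)
    if hit:
        real_ip, real_port, egress = hit.real_ip, hit.real_port, hit.real_ifc
        phases.append(f"UN-NAT: {dst_ip}/{dst_port} -> {real_ip}/{real_port}")
    else:
        real_ip, real_port = dst_ip, dst_port
        egress = next((ifc for pfx, ifc in CONNECTED.items() if dst_ip.startswith(pfx)), None)
        phases.append("UN-NAT: no static rule matched")
    if egress is None:
        return {"phases": phases, "action": "drop", "reason": "no-route"}
    # ACCESS-LIST: the inbound interface ACL is evaluated against the REAL destination.
    acl = groups.get(in_ifc)
    if not any(a.acl == acl and a.dst_ip == real_ip and a.dst_port == real_port for a in aces):
        return {"phases": phases, "action": "drop", "reason": f"acl-drop ({acl})"}
    phases.append(f"ACCESS-LIST {acl}: permit {real_ip}/{real_port}")
    # NAT rpf-check: a host that is only covered by the dynamic PAT on the egress interface
    # cannot be reached by its real address from outside, because the return flow would be
    # translated differently from the forward flow.
    if hit is None and egress in dyn:
        return {"phases": phases, "action": "drop", "reason": "acl-drop (NAT rpf-check)"}
    return {"phases": phases, "action": "allow", "egress": egress, "real": (real_ip, real_port)}


# Constructed from the thread's final configuration: real port 8080, mapped (public) port 80.
THREAD_CONFIG = """
object network PHP_TEST
 host 192.168.2.12
object network inside-subnet
 subnet 192.168.2.0 255.255.255.0
object network inside-subnet
 nat (INSIDE,OUTSIDE) dynamic interface
object network PHP_TEST
 nat (INSIDE,OUTSIDE) static interface service tcp 8080 www
access-list OutsideToPHPServer extended permit tcp any host 192.168.2.12 eq 8080
access-group OutsideToPHPServer in interface OUTSIDE
"""

# Constructed variant with the two ports swapped: public port 8080 reaches the server's port 80.
SWAPPED_CONFIG = (THREAD_CONFIG.replace("service tcp 8080 www", "service tcp www 8080")
                               .replace("eq 8080", "eq www"))

if __name__ == "__main__":
    for cfg, dst, port in [(THREAD_CONFIG, "192.168.1.2", 80),      # the trace that passed
                           (THREAD_CONFIG, "192.168.2.12", 8080),   # real address from outside
                           (THREAD_CONFIG, "192.168.1.2", 8080),    # what a client on :8080 sends
                           (SWAPPED_CONFIG, "192.168.1.2", 8080)]:
        print(dst, port, packet_tracer(cfg, "OUTSIDE", dst, port))
```

Running it reproduces the thread: with `service tcp 8080 www`, a packet to 192.168.1.2:80 is untranslated to 192.168.2.12:8080 (the same untranslate line as the last passing trace), a packet sent to the real address 192.168.2.12 from OUTSIDE dies in the NAT rpf-check, and a packet to the public address on port 8080 matches no NAT rule at all. Whether the rule should read `service tcp 8080 www` or `service tcp www 8080` depends on which port the web server actually listens on; the first port is always the real one and the second the mapped one.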

Hi,

    So it passes the test, as seen below; but when testing this from the internet (remote), I am unable to access it. It is fine when accessing the server inside the LAN using the local IP. By running what you suggested, it is able to see the configured port forward for 192.168.2.12. What am I missing here?


APOLLO(config)# packet-tracer input outside tcp 1.1.1.1 8080 192.168.1.2 80 de$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network PHP_TEST
 nat (INSIDE,OUTSIDE) static interface service tcp 8080 www
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 192.168.1.2/80 to 192.168.2.12/8080

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OutsideToPHPServer in interface OUTSIDE
access-list OutsideToPHPServer extended permit object-group DM_INLINE_SERVICE_2 any object PHP_TEST
object-group service DM_INLINE_SERVICE_2
 service-object object HTTP
 service-object tcp destination eq 8080
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf64cef0, priority=13, domain=permit, deny=false
        hits=0, user_data=0xab6b7900, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.2.12, mask=255.255.255.255, port=8080, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae9f3ef0, priority=1, domain=nat-per-session, deny=true
        hits=1218053, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaa347f68, priority=0, domain=inspect-ip-options, deny=true
        hits=11496332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae0f0f40, priority=21, domain=lu, deny=true
        hits=27, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaec98c40, priority=18, domain=flow-export, deny=false
        hits=232839, user_data=0xadafa7a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaf270478, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=195686, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface INSIDE
access-list inside_access_out extended permit ip any4 any4
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xadae3fc0, priority=13, domain=permit, deny=false
        hits=396494, user_data=0xab6b7a80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=INSIDE

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network PHP_TEST
 nat (INSIDE,OUTSIDE) static interface service tcp 8080 www
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaec90710, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xadaf1688, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.2.12, mask=255.255.255.255, port=8080, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=INSIDE

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xaeda8aa8, priority=0, domain=user-statistics, deny=false
        hits=10718915, user_data=0xadaf0e90, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=INSIDE

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xae9f3ef0, priority=1, domain=nat-per-session, deny=true
        hits=1218055, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xa9881dc0, priority=0, domain=inspect-ip-options, deny=true
        hits=11075773, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=INSIDE, output_ifc=any

Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xaedab1c8, priority=0, domain=user-statistics, deny=false
        hits=10746334, user_data=0xadaf0e90, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=OUTSIDE

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11763763, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

It's not an ASA config issue, could you please take captures:

capture capo interface outside match tcp any host 192.168.1.2 eq 80 

capture capin interface inside match tcp any host 192.168.2.12 eq 8080

initiate traffic and then take output:

show cap capo

show cap capin

-

AJ
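Reading a long packet-tracer trace phase by phase is tedious, so here is an added example (not from the thread, not Cisco's code) that parses the phase blocks and the final Result: block into dicts and reports which phase, if any, decided a drop. It runs against a constructed, abridged trace in the same layout as the one quoted above; the object, ACL and address values in it are taken from this thread.

```python
# Constructed, abridged packet-tracer trace in the layout quoted in the thread (not real ASA output).
SAMPLE = """Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network PHP_TEST
 nat (INSIDE,OUTSIDE) static interface service tcp 8080 www
Additional Information:
Untranslate 192.168.1.2/80 to 192.168.2.12/8080

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group OutsideToPHPServer in interface OUTSIDE
Additional Information:

Result:
input-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Return ([phase dicts], {final 'Result:' block}) from packet-tracer output."""
    body, _, tail = text.rpartition("\nResult:\n")  # only the final block has a bare 'Result:' line
    phases = []
    for part in ("\n" + body).split("\nPhase: ")[1:]:
        num, _, chunk = part.partition("\n")
        p, section = {"phase": int(num), "config": []}, "header"
        for line in chunk.splitlines():
            line = line.rstrip()
            if line in ("Config:", "Additional Information:"):
                section = line
            elif section == "header" and line:  # Type / Subtype / Result (Subtype may be empty)
                key, _, val = line.partition(":")
                p[key.lower()] = val.strip()
            elif section == "Config:" and line.strip():
                p["config"].append(line.strip())
        phases.append(p)
    final = dict(l.split(": ", 1) for l in tail.splitlines() if ": " in l)
    return phases, final

def verdict(text):
    """(action, deciding phase or None, drop reason or None); None phase = every phase allowed."""
    phases, final = parse_trace(text)
    blocker = next((p for p in phases if p.get("result") != "ALLOW"), None)
    return final.get("Action"), blocker, final.get("Drop-reason")
```

On the complete trace quoted above every phase reads ALLOW and the action is allow, so verdict() returns no deciding phase, which is the point of the reply: the packet is not being dropped inside the ASA, so the captures on both interfaces are the next step.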
