ASA 5520 Port Forward Redirection Question

Hello,

 

I understand this topic has been discussed before, but after reading a lot of material I am still stuck. I have an IPfire Linux OpenVPN server running behind my ASA 5520. Essentially, what I have done already to try to redirect or forward the client connections to my OpenVPN server is:

# static (inside,outside) udp interface 1194 10.10.0.2 1194 netmask 255.255.255.255

# access-list from_outside extended permit udp any any eq 1194

 

I know my OpenVPN server works because I connected it directly to my client bypassing the firewall.  I can ping my OpenVPN server across the internet but for some reason I am unable to connect to it and I have tried creating a couple other access-list commands to further open the firewall but at this point I am still lost.  Perhaps someone out there has some other ideas or things I can try?

 

Thanks in advance,

Joe


Akshay Rastogi (Cisco Employee)

Hi Daniel,

Can you please try with packet-tracer?

'packet-tracer input outside udp 4.2.2.2 12345 10.10.0.2 1194 detail'. Does it show any drop in output?

With this, you can try troubleshooting.  Please share the above output if possible.

 

Let me know if you have any query.

Regards,

Akshay Rastogi

Hello Akshay,

 

Thanks for your interest in this problem. So I just did what you asked, and the output is below:

 

packet-tracer input outside udp 4.2.2.2 12345 10.10.0.2 1194

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x71402d48, priority=1, domain=permit, deny=false
        hits=348428, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.0.0       255.255.0.0     inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x71403088, priority=0, domain=permit, deny=true
        hits=335870, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

I am not familiar with using this tool, although it seems powerful, but it would appear that the firewall is preventing me from accessing my VPN server, since the last "Action:" line displays drop. Perhaps someone can confirm this?

 

Thanks again for your help,

 

Joe

Hi,

Actually you needed to run this tracer:-

packet-tracer input outside udp 4.2.2.2 12345 <Interface IP of Outside interface> 1194 det

Thanks and Regards,

Vibhor Amrodia


Hey Vibhor,

 

So I performed the new trace; the result is below:

packet-tracer input outside udp 4.2.2.2 12345 "Outside IP Address" 1194 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) udp interface 1194 10.10.0.2 1194 netmask 255.255.255.255
  match udp inside host 10.10.0.2 eq 1194 outside any
    static translation to "Outside IP address"/1194
    translate_hits = 0, untranslate_hits = 15
Additional Information:
NAT divert to egress interface inside
Untranslate "Outside IP address"/1194 to 10.10.0.2/1194 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x71403088, priority=0, domain=permit, deny=true
        hits=375304, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

ACL is misconfigured:-

Try to put this line at line 1:-

access-list from_outside line 1 extended permit udp any any eq 1194

Thanks and Regards,

Vibhor Amrodia


Thanks Vibhor for correcting me on this. I mistakenly typed the real IP instead of the interface IP.

 

Regards,

Akshay Rastogi

Hey Vibhor,

 

Unfortunately, I am still having some ACL issues. I applied the exact rule you mentioned, which was pretty close to what I already had, and I still do not have connectivity.

 

packet-tracer 

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) udp interface 1194 10.10.0.2 1194 netmask 255.255.255.255
  match udp inside host 10.10.0.2 eq 1194 outside any
    static translation to "Outside IP"/1194
    translate_hits = 0, untranslate_hits = 20
Additional Information:
NAT divert to egress interface inside
Untranslate "Outside IP"/1194 to 10.10.0.2/1194 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x71403088, priority=0, domain=permit, deny=true
        hits=401974, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

I think the packet trace which you ran might be incorrect; it should look like this:-

packet-tracer input outside udp 4.2.2.2 12345 "Outside IP Address" 1194 det

Also, can you paste these outputs from the ASA:-

show run access-group

sh run access-list <outside>

Thanks and Regards,

Vibhor Amrodia

Vibhor,

 

I did not get any other new or relevant information from the other commands you suggested.  The packet-trace fails and the connection fails.  My current rules are:

ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
access-list from_outside extended permit udp any any eq 1194
access-list from_outside extended permit icmp any any echo
access-list 101 extended permit udp any interface outside eq 1194
access-list to_inside extended permit udp any host 10.10.0.2 eq 1194
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
static (inside,outside) udp interface 1194 10.10.0.2 1194 netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect tftp
  inspect netbios
  inspect sip
  inspect xdmcp
  inspect sunrpc
  inspect skinny
  inspect sqlnet
  inspect esmtp
  inspect rtsp
  inspect rsh
  inspect h323 ras
  inspect ftp
  inspect h323 h225
  inspect dns preset_dns_map
  inspect icmp
!
service-policy global_policy global

Hi,

Yes, that is the issue. You have not applied the access group on the Outside interface.

access-group <acl name> in interface outside

Thanks and Regards,

Vibhor Amrodia

Just to follow up, that was the trick that worked for packet-tracer. Unfortunately, it looks like I have something else not working, but I will investigate. Thanks for your help Vibhor!

Hi,

That's great that it fixed this issue. I would request you to select the appropriate response as the solution for this thread.

Thanks and Regards,

Vibhor Amrodia

I will select appropriate response now since I just verified everything works from my home network.  For some reason it was being blocked by my work network.

 

Thanks again for your help!

 

Joe
