
ASA 5580 port forwarding new problem

gasparmenendez
Level 3

Hi friends,

I'm trying to reach ports 1930 and 1946 on a PC on my LAN from the internet. PC is accessing internet through outside interface. I'm mapping port 1930 to 11930 and 1946 to 11946. The problem is that this is not working... Here's my NAT and Packet Tracer:

ASA5580# sh nat
Manual NAT Policies (Section 1)
1 (INSIDE_Prueba) to (OUTSIDE) source dynamic 172.X.X.0 interface  
    translate_hits = 17722513, untranslate_hits = 3825414
2 (INSIDE_Prueba) to (OUTSIDE) source dynamic any interface  
    translate_hits = 2862, untranslate_hits = 0
3 (CMTS) to (OUTSIDE) source dynamic 10.19.0.0 170.X.X.16  
    translate_hits = 4766354, untranslate_hits = 1770891
4 (CMTS) to (OUTSIDE) source dynamic 10.27.0.0 170.X.X.17  
    translate_hits = 29690167, untranslate_hits = 8198483
5 (CMTS) to (OUTSIDE) source dynamic 10.25.0.0 170.X.X.18  
    translate_hits = 918075, untranslate_hits = 242734
6 (CMTS) to (OUTSIDE) source dynamic 10.9.0.0 170.X.X.9  
    translate_hits = 28978302, untranslate_hits = 10294354
7 (CMTS) to (OUTSIDE) source dynamic 10.39.0.0 170.X.X.20  
    translate_hits = 29606416, untranslate_hits = 9081192
8 (CMTS) to (OUTSIDE) source dynamic 10.11.0.0 170.X.X.11  
    translate_hits = 53391770, untranslate_hits = 17761505
9 (CMTS) to (OUTSIDE) source dynamic 10.35.0.0 170.X.X.22  
    translate_hits = 20305477, untranslate_hits = 6105534
10 (CMTS) to (OUTSIDE) source dynamic 10.33.0.0 170.X.X.23  
    translate_hits = 6802561, untranslate_hits = 2604976
11 (CMTS) to (OUTSIDE) source dynamic 10.13.0.0 170.X.X.13  
    translate_hits = 6120965, untranslate_hits = 2759715
12 (CMTS) to (OUTSIDE) source dynamic 10.17.0.0 170.X.X.25  
    translate_hits = 14523516, untranslate_hits = 4719833
13 (CMTS) to (OUTSIDE) source dynamic 10.37.0.0 170.X.X.26  
    translate_hits = 5232113, untranslate_hits = 2234926
14 (CMTS) to (OUTSIDE) source dynamic 10.41.0.0 170.X.X.27  
    translate_hits = 1279407, untranslate_hits = 339487
15 (CMTS) to (OUTSIDE) source dynamic 10.45.0.0 170.X.X.28  
    translate_hits = 25311146, untranslate_hits = 8981529
16 (CMTS) to (OUTSIDE) source dynamic 10.33.0.0 170.X.X.29  
    translate_hits = 0, untranslate_hits = 0
17 (CMTS) to (OUTSIDE) source dynamic 10.45.0.0 170.X.X.19  
    translate_hits = 0, untranslate_hits = 0
18 (CMTS) to (OUTSIDE) source dynamic 10.47.0.0 170.X.X.21  
    translate_hits = 27731917, untranslate_hits = 9972706
19 (CMTS) to (OUTSIDE) source dynamic 10.49.0.0 170.X.X.24  
    translate_hits = 3596176, untranslate_hits = 1267521
20 (CMTS) to (OUTSIDE) source dynamic 10.51.0.0 170.X.X.30  
    translate_hits = 3759, untranslate_hits = 403

Auto NAT Policies (Section 2)
1 (CARRIERS) to (OUTSIDE) source static CentroValle_1930 interface   service tcp 1930 11930
    translate_hits = 0, untranslate_hits = 0
2 (CARRIERS) to (OUTSIDE) source static CentroValle_1946 interface   service tcp 1946 11946
    translate_hits = 0, untranslate_hits = 0
3 (CARRIERS) to (OUTSIDE) source static Prueba-10.227.225.210 170.X.X.3   service tcp 3389 13389
    translate_hits = 0, untranslate_hits = 40
4 (INSIDE_Prueba) to (OUTSIDE) source static ALTAI 170.X.X.4  
    translate_hits = 0, untranslate_hits = 1060724
              
Manual NAT Policies (Section 3)
1 (CARRIERS) to (OUTSIDE) source dynamic any interface  
    translate_hits = 73502076, untranslate_hits = 10380482
ASA5580#


ASA5580# packet-tracer input outside tcp 3.3.3.3 12345 170.X.X.2 11930

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   170.X.X.2    255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
              
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I'm seeing "Drop-reason: (acl-drop) Flow is denied by configured rule", but what rule??? Can anybody help me please??

Thanks in advance.

BR.


Moving the dynamic nat will help to work with the ip 2. This is what I wanted to do some we are connected through TeamViewer. 

The ip 3 wasn't working. What did you change to make it working now? 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

I changed nothing, that's the weird thing... I just connected the PC with IP 10.227.225.210 for testing

About what you suggested, I moved the second dynamic NAT rule to the bottom (nat (INSIDE_Prueba,OUTSIDE) after-auto source dynamic any interface) but it didn't work... same result, NAT with IP .2 (OUTSIDE interface) refuses to work

???

Can you share the output of packet-tracer with the detailed keyword at the end for both public IPs, with the right TCP port for each of them?

Maybe you should keep the reboot in mind. 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Update:

I just realized that when I use the ip .2 (OUTSIDE interface) all other mapped ports stop working (11930 and 11946) and therefore that's what happened yesterday, at the moment I changed .2 by .3 all began to work...

Right now I have all mapped to .3 and working fine

????

Hey

Can you send me by email your exact config please I'm gonna do a quick lab to reproduce your issue?

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

gasparmenendez
Level 3

Excellent my friend, now all is working fine!!!

I removed the nat (INSIDE_Prueba,OUTSIDE) source dynamic 172.16.99.0 interface like you suggested me and that was all

Thanks again!!

BR

Hi

Perfect, it was a duplicate then, no need of it anymore. The issue was solved by moving all dynamic NAT to Phase 3 to not face overlaps and get some issues as you were getting.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
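
The overlap this thread ends on can be checked from `sh nat` output, since the ASA evaluates NAT Sections 1, 2 and 3 in that order. The following is an added example, not part of any post in the thread: a heuristic that flags static port forwards on the interface address that sit behind an earlier-section dynamic PAT to the same interface and show zero untranslate hits. The function names and the sample output are constructed for illustration.

```python
import re

# Constructed sample in the format of the `sh nat` output posted in this thread
# (names and addresses are placeholders, not values from the page).
SAMPLE = """\
Manual NAT Policies (Section 1)
1 (INSIDE_A) to (OUTSIDE) source dynamic NET_A interface
    translate_hits = 1200, untranslate_hits = 300

Auto NAT Policies (Section 2)
1 (INSIDE_B) to (OUTSIDE) source static HOST_1 interface   service tcp 1930 11930
    translate_hits = 0, untranslate_hits = 0
2 (INSIDE_B) to (OUTSIDE) source static HOST_2 198.51.100.3   service tcp 3389 13389
    translate_hits = 0, untranslate_hits = 40
"""

SECTION = re.compile(r"NAT Policies \(Section (\d)\)")
RULE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)"
                  r"(?:\s+service (\S+) (\d+) (\d+))?")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_show_nat(text):
    """Return one dict per NAT rule, in listed order, with its untranslate counter."""
    rules, section = [], None
    for line in text.splitlines():
        if m := SECTION.search(line):
            section = int(m.group(1))
        elif m := RULE.match(line.strip()):
            num, _real_if, mapped_if, kind, _real, mapped, _proto, _rport, mport = m.groups()
            rules.append(dict(section=section, num=int(num), mapped_if=mapped_if,
                              kind=kind, mapped=mapped,
                              mapped_port=int(mport) if mport else None,
                              untranslate_hits=0))
        elif (m := HITS.search(line)) and rules:
            rules[-1]["untranslate_hits"] = int(m.group(2))
    return rules

def shadowed_port_forwards(rules):
    """Static interface port forwards behind an earlier-section dynamic interface PAT."""
    pat = {(r["mapped_if"], r["section"]) for r in rules
           if r["kind"] == "dynamic" and r["mapped"] == "interface"}
    return [r for r in rules
            if r["kind"] == "static" and r["mapped"] == "interface" and r["mapped_port"]
            and r["untranslate_hits"] == 0
            and any(i == r["mapped_if"] and s < r["section"] for i, s in pat)]

if __name__ == "__main__":
    for r in shadowed_port_forwards(parse_show_nat(SAMPLE)):
        print(f"Section {r['section']} rule {r['num']}: port {r['mapped_port']} never untranslated")
```

A flagged rule is a prompt to review rule order, not proof of a conflict: a port forward that simply has not received traffic yet also shows zero hits.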