Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4020
Views
0
Helpful
4
Replies

ASA 8.4 port forwarding issue

Go to solution
Andrey Kornienko
Level 1
Level 1

‎05-21-2012 07:28 AM - edited ‎03-11-2019 04:09 PM

Hi all! I have ASA 5505 with 8.4(2)8 software for one of my branch offices and I can't configure port forwarding It seems to be very simple, but it's not working. I use my ASA as a gateway to the internet for users in office and for site-to-site IPSec VPN to HQ. I have pppoe-enabled outside interface, but ISP gives me static routable ip address. I have server behind my firewall and I should "publish" to the WAN some of its' tcp and udp ports, but I see that no packets forwarded through ASA. I tried to configure PAT as stated in official "Cisco Security Appliance Configuration Guide" through CLI and ASDM. I also used this video(same ASA and ASDM versions) by Cisco TAC's Mike Robertson.

While troubleshooting, I put permit-any-any rules on both interfaces and permitting rule for traffic to the outside interface.

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit ip any interface outside

access-list outside_access_in extended permit ip any any

access-list global_access extended permit ip any any

I captured packets on ASA outside interface and I have it there.

1: 05:34:28.193578 802.1Q vlan#20 P0 46.158.x.x.59668 > 213.171.x.x.3389: S 3188198355:3188198355(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>

Here is packet-tracer output

packet-tracer input outside tcp 46.158.x.x 3389 213.171.x.x 3389

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   213.171.x.x  255.255.255.255 identity

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

So, here is my config(output omitted for some parts)

interface Vlan1

nameif inside

security-level 100

ip address 10.10.93.1 255.255.255.0

!

interface Vlan20

nameif outside

security-level 0

pppoe client vpdn group comlink-pppoe

ip address pppoe setroute

!

ftp mode passive

object network hq-lan-0

subnet 10.23.16.0 255.255.254.0

object network branch-lan

subnet 10.10.93.0 255.255.255.0

object network hq-lan-1

subnet 10.10.23.0 255.255.255.0

object network hq-lan-2

subnet 10.23.22.0 255.255.254.0

object network moonserver

host 10.10.93.6

!for real pat, will use after troubleshooting

object-group service DM_INLINE_SERVICE_1

service-object object RTP

service-object object SIP

service-object object STUN

service-object tcp destination eq www

!-------------------------inside_access_in---------------

access-list inside_access_in extended permit ip any any

!It's some rules for VPN users

access-list inside_access_in extended permit ip object branch-lan object hq-lan-1

access-list inside_access_in extended permit ip object branch-lan object hq-lan-2

access-list inside_access_in extended permit ip object branch-lan object hq-lan-0

!-------------------------outside_access_in---------------

!Added for troubleshooting as explicit rule for WAN access to outside interface address

access-list outside_access_in extended permit ip any interface outside

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit ip object hq-lan-1 object branch-lan

access-list outside_access_in extended permit ip object hq-lan-2 object branch-lan

access-list outside_access_in extended permit ip object hq-lan-0 object branch-lan

!-------------------------for real pat, will use after troubleshooting

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object krd-itk-vgw1

!---------------------------------------------------------------

access-list global_access extended permit ip any any

!------------------------VPN cryptomap acl for traffic encrypting purposes

access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-1

access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-2

access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-0

!-------------------------VPN-related

nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-1 hq-lan-1 no-proxy-arp route-lookup

nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-2 hq-lan-2 no-proxy-arp route-lookup

nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-0 hq-lan-0 no-proxy-arp route-lookup

!------------------------Let users get internet access

nat (inside,outside) source dynamic branch-lan interface

!------------------------Here is my server!!!

object network moonserver

nat (any,outside) static interface service tcp 3389 3389

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group global_access global

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Andrey Kornienko

‎05-21-2012 09:56 AM

Hello Andrey,

Please remove the following configuration:

object network moonserver

no nat (any,outside) static interface service tcp 3389 3389

object service RDP

service tcp source eq 3389

nat (inside, outside) 1 source static moonserver interface service RDP  RDP

Also please remove the following access-list:

no access-group global_access global

Regards,

Julio


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Andrey Kornienko

‎05-21-2012 11:05 AM

Hello Andey,

My pleasure,

I would say it was the NAT.

Regards,

Julio

Do rate all the helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Andrey Kornienko
Level 1
Level 1

‎05-21-2012 07:39 AM

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Andrey Kornienko

‎05-21-2012 09:56 AM

Hello Andrey,

Please remove the following configuration:

object network moonserver

no nat (any,outside) static interface service tcp 3389 3389

object service RDP

service tcp source eq 3389

nat (inside, outside) 1 source static moonserver interface service RDP  RDP

Also please remove the following access-list:

no access-group global_access global

Regards,

Julio


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Andrey Kornienko
Level 1
Level 1
In response to Julio Carvajal

‎05-21-2012 10:54 AM

Thanks, jcarvaja! You are a magician!!! )))

So, was it trouble in access-list or nat rules order or I made two mistakes?

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Andrey Kornienko

‎05-21-2012 11:05 AM

Hello Andey,

My pleasure,

I would say it was the NAT.

Regards,

Julio

Do rate all the helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card