ASA 8.4 Port Forwarding

soldnermichael
Level 1

I'm not sure what the deal is, but I just cannot get port forwarding to work.  I've never had an issue before in 8.4 (after going to 9.x I've downgraded thinking that was it). 

I've followed the steps noted here: https://supportforums.cisco.com/thread/2107586

But even with the interface in the NAT rule and not the IP, it still will not allow a connection and just discards the TCP request.

Any thoughts?


6 Replies

Jouni Forss
VIP Alumni

Hi,

Can you provide us with the "packet-tracer" output testing that NAT rule and ACL statements?

The general command format is

packet-tracer input

- Jouni

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   my.public.ip     255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: TheInternet
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The kicker is I have...

access-list global_access extended permit tcp any any eq port.i'm.forwarding

Hi,

Something makes me think that you might have an overlapping NAT configuration.

Would it be possible to share the NAT configurations?

There should be an UN-NAT phase, but there isn't one in your output, so it seems that it's not hitting the correct rule.

This can happen if you, for example, have a Dynamic PAT configured in the following way

nat (inside,TheInternet) source dynamic any interface

- Jouni

Sure...

UberASA# sh run nat
nat (Internal-1,TheInternet) source dynamic Internal-1 interface
nat (Internal-2,TheInternet) source dynamic Internal-2 interface
nat (Internal-3,TheInternet) source dynamic Internal-3 interface
object network external-device
nat (Internal-2,TheInternet) static interface service tcp port.i'm.forwarding port.i'm.forwarding

Hi,

As I expected,

Your Dynamic PAT rule is overriding the Static PAT configuration (Port Forward)

If you can afford the small cut in connectivity for the clients behind the Internal interfaces (only as long as it takes to modify the configurations) then you could do these changes

no nat (Internal-1,TheInternet) source dynamic Internal-1 interface
no nat (Internal-2,TheInternet) source dynamic Internal-2 interface
no nat (Internal-3,TheInternet) source dynamic Internal-3 interface

nat (Internal-1,TheInternet) after-auto source dynamic Internal-1 interface
nat (Internal-2,TheInternet) after-auto source dynamic Internal-2 interface
nat (Internal-3,TheInternet) after-auto source dynamic Internal-3 interface

This will essentially change your Dynamic PAT configurations so that they are moved to the bottom, Section 3, which is the last set of NAT configurations matched against traffic (inserting "after-auto" accomplishes this; without it, the rule is in Section 1). The Static PAT is configured with Network Object NAT, which is Section 2, and the current Dynamic PAT configurations are in Section 1. That is why they are causing problems for your Static PAT.

After this your Static PAT (Port Forward) should work just fine.

If you want to take a look at a document I wrote about the 8.3+ NAT format and operation, you can read it here

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed naturally.

- Jouni
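The section ordering Jouni describes, as an added Python model that is not part of the thread or of any Cisco tool: it walks the three NAT sections in the order the ASA does and shows why the Section 1 dynamic PAT catches the inbound connection before the Section 2 static PAT can un-translate it, and why moving the dynamic PATs to Section 3 with after-auto fixes it. The outside address, the real server address and port 8443 are constructed placeholders, and the rule matching is a deliberate simplification of ASA behaviour.

```python
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.10"  # stands in for "my.public.ip" (constructed placeholder)

@dataclass
class NatRule:
    section: int       # 1 = manual (twice) NAT, 2 = object NAT, 3 = after-auto manual NAT
    real_ifc: str
    mapped_ifc: str
    kind: str          # "dynamic" (PAT to the interface) or "static" (port forward)
    mapped_ip: str     # the interface address, used by both rule kinds in the thread
    real_ip: str = ""  # static only: the object's real address
    port: int = 0      # static only: forwarded TCP port (0 = any port)

def ordered(rules):
    """The ASA walks Section 1, then 2, then 3; order inside a section is kept."""
    return sorted(rules, key=lambda r: r.section)

def un_nat(rules, ingress_ifc, dst_ip, dst_port):
    """First rule whose mapped side covers the inbound destination wins, whatever section."""
    for r in ordered(rules):
        if r.mapped_ifc != ingress_ifc or r.mapped_ip != dst_ip:
            continue
        if r.kind == "dynamic":
            # A dynamic PAT only creates translations for outbound flows. An inbound
            # packet that matches it has nothing to un-translate, so the address is
            # treated as the ASA's own (NP Identity Ifc) and the inbound ACL's implicit
            # deny drops it, which is what the packet-tracer output above shows.
            return ("drop", "NP Identity Ifc", r.section)
        if r.port in (0, dst_port):
            return ("un-nat", f"{r.real_ip}:{dst_port}", r.section)
    return ("drop", "no matching rule", None)

def build_rules(after_auto):
    """The thread's three dynamic PATs plus the object-NAT static PAT.
    after_auto=True models re-adding the dynamic PATs with the after-auto keyword."""
    dyn_section = 3 if after_auto else 1
    rules = [NatRule(dyn_section, f"Internal-{i}", "TheInternet", "dynamic", OUTSIDE_IP)
             for i in (1, 2, 3)]
    # object network external-device / nat (Internal-2,TheInternet) static interface
    # service tcp <port> <port>; 10.2.0.25 and 8443 are constructed sample values.
    rules.append(NatRule(2, "Internal-2", "TheInternet", "static", OUTSIDE_IP,
                         real_ip="10.2.0.25", port=8443))
    return rules

def forward_attempt(after_auto):
    """An Internet host connecting to the forwarded port on the outside address."""
    return un_nat(build_rules(after_auto), "TheInternet", OUTSIDE_IP, 8443)
```

With the original ordering `forward_attempt(False)` ends in the Section 1 dynamic PAT and is dropped; with after-auto the Section 2 static PAT is reached first and the connection is un-translated to the server.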

Doh!  Not sure how I didn't catch that.  Big thanks Jouni!
