ASA 9.2 Port Forward

Attila Erdos
Level 1

Hello,

I have a problem with a single port forward on a 9.2 ASA (5505). Here is the related config:


access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
access-list DMZ_in extended permit ip any any
 

nat (DMZ,outside) source dynamic obj_any interface
nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP

object network Public_Server
 nat (DMZ,outside) static interface service tcp www www

access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ

 

When I try to access the server, the console says ACL drop. The packet tracer says it was dropped by the implicit deny rule. Can you help me find what the problem could be?

Thank you!

2 Accepted Solutions

The "Public_Server" object is still 10.168.50.5. I don't see it in your amended rule order above. It's strange that you're getting lots of hits on the "after-auto" rule, but not on the object rule... which should apply first.


Just to test, can you try this?

Make sure the object Public_Server is set as host 10.168.50.5, then the NAT rule as you have it in the post above. Then remove the 2 DMZ "after-auto" rules. Then test again.

 

That section 3 number 1 rule is bothering me a bit. What is the purpose of that rule? To provide internet access for traffic sourced from the DMZ?

Okay, try using a section 1 rule for your web server, e.g.

nat (DMZ,outside) source static Public_Server interface service http http

and retest.

Jon

47 Replies

Jon Marshall
Hall of Fame

It is probably the order of your NAT.

Can you post a "sh nat" from the ASA?

And what is the object Public_Server? Is it 10.168.50.5?

Jon

Hello, of course.

sh nat

Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 91968, untranslate_hits = 61972
2 (DMZ) to (outside) source dynamic obj_any interface
    translate_hits = 1734, untranslate_hits = 0
3 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 7, untranslate_hits = 7
4 (DMZ) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 42230, untranslate_hits = 20999

 

Yes, here is the public server object.:

object network Public_Server
 host 10.168.50.5

And here is the HTTP service object:

object service HTTP
 service tcp destination eq www

 

 

The problem is NAT and the sections ie. you have section 1 and 2 NAT. The ASA with 8.3 or later uses the sections in order so it is using the dynamic NAT statement you have for your DMZ in section 1 for the translation and never gets to the section 2 static statement.

There are two solutions -

1) move your dynamic NAT to section 2 where your static should take precedence

or

2) move your dynamic NAT to section 3 so the static is matched first.

The recommendation is to use section 3 for dynamic NAT so you need to replace -

nat (DMZ,outside) source dynamic obj_any interface

with this -

nat (DMZ,outside) after-auto source dynamic obj_any interface

the "after-auto" keyword moves it to section 3.

For full details of how it all works see this document by Jouni Forss -

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Jon
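An added example (not code from the thread or from Cisco): a small Python parser for the "sh nat" output that orders rules the way Jon describes (section 1, then 2, then 3, each in listed order) and lists, for a given rule, the rules on the same interface pair that the ASA checks before it. The embedded sample is the first "sh nat" the OP posted above.

```python
import re

# Constructed sample input: the first "sh nat" output posted earlier in this thread.
SH_NAT = """\
Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 91968, untranslate_hits = 61972
2 (DMZ) to (outside) source dynamic obj_any interface
    translate_hits = 1734, untranslate_hits = 0
3 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 7, untranslate_hits = 7
4 (DMZ) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 42230, untranslate_hits = 20999
"""

SECTION_RE = re.compile(r"\(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_show_nat(text):
    """Parse "show nat" into rule dicts sorted in ASA evaluation order (section, then index)."""
    rules, section = [], None
    for line in text.splitlines():
        if (m := SECTION_RE.search(line)):
            section = int(m.group(1))
        elif (m := RULE_RE.match(line.strip())):
            rules.append({"section": section, "index": int(m.group(1)),
                          "from": m.group(2), "to": m.group(3), "kind": m.group(4),
                          "text": m.group(5), "hits": (0, 0)})
        elif (m := HITS_RE.search(line)) and rules:  # counters of the rule just parsed
            rules[-1]["hits"] = (int(m.group(1)), int(m.group(2)))
    return sorted(rules, key=lambda r: (r["section"], r["index"]))

def rules_checked_before(rules, needle):
    """Rules for the same interface pair that the ASA evaluates before the
    first rule whose text contains `needle` (e.g. an object name)."""
    target = next(r for r in rules if needle in r["text"])
    return [f"s{r['section']}#{r['index']} {r['kind']} {r['text'].split()[0]}"
            for r in rules
            if (r["from"], r["to"]) == (target["from"], target["to"])
            and (r["section"], r["index"]) < (target["section"], target["index"])]
```

Run on the second "sh nat" the OP posts after adding after-auto, it reports only the section 1 VPN_Pool rule, which is the rule Jon later asks about.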

Hello,

now the sh nat looks like this:

sh nat
Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 92926, untranslate_hits = 62078
2 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 18, untranslate_hits = 14
3 (DMZ) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 12, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 47339, untranslate_hits = 21519

Manual NAT Policies (Section 3)
1 (DMZ) to (outside) source dynamic obj_any interface
    translate_hits = 11, untranslate_hits = 0

But it doesn't work :(. The packet-tracer says the implicit deny catches it, but as you can see there also isn't a hit on the NAT rule.

 

Can you post the packet-tracer output?

Are you accessing the server from the outside of the ASA?

What is the IP address you are coming from?

What is this meant to be doing?

nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP

Jon

Here it is:

packet-tracer input outside tcp 1.1.1.1 http OUTSIDEINTERFACEIP http det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   <OUTSIDE IF>  255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad070ce8, priority=1, domain=nat-per-session, deny=true
        hits=250632, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2a1370, priority=0, domain=permit, deny=true
        hits=116843, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Uh, that's interesting. That was a NAT rule I was debugging with, but currently that rule is not in the running config.

I'm coming from a random public IP; in the packet tracer I tried 1.1.1.1.

Okay, can you run

"packet-tracer input outside 8.8.8.8 12345 <outside interface IP> http"

and post results.

Jon

I also had to specify tcp.

packet-tracer input outside tcp 8.8.8.8 12345 OUTIP http

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   OUTIP  255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Can you post the full ASA config, and what is this for?

nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP

Jon

That's an old NAT rule, but currently it's not in the running config. I don't understand why it is in the NAT table.

I attached the config; I deleted the sensitive and VPN parts.

Can't see anything wrong with your configuration now.

This NAT rule:

3 (DMZ) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 12, untranslate_hits = 0

Have you actually generated traffic that would hit that rule?

It should have no effect on what you are trying to do but just wondering as it would be checked before your static.

Other than that perhaps a reload if you can.

Like I say, I can't see anything wrong with it now.

Jon

Good day. Just a thought here. You have sorted your NAT issue as per Jon. I assume your web server is in your DMZ. However, is your ACL entry allowing traffic from the outside to the DMZ? It seems the "permit www" traffic statement is on the "outside access in" access rule. Can you try to add a permit access rule from outside to DMZ?

As you can see, on the outside interface there are many ACL entries which permit the traffic (more than one because of testing), and currently on the DMZ interface there is a permit any any rule.

I reloaded it and re-ordered the NAT rules like this:

nat (Guest,outside) source dynamic obj_any interface
nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Public_Server
 nat (DMZ,outside) static interface service tcp www www
!
nat (DMZ,outside) after-auto source dynamic obj_any interface
nat (DMZ,outside) after-auto source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup

But it still doesn't work.