cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1935
Views
10
Helpful
47
Replies
Attila Erdos
Beginner

ASA 9.2 Port Forward

Hello,

i have a problem with a single port forward with 9.2 ASA (5505). Here is the related config.:

 

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
access-list DMZ_in extended permit ip any any
 

nat (DMZ,outside) source dynamic obj_any interface
nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP

object network Public_Server
 nat (DMZ,outside) static interface service tcp www www

access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ

 

When i try to access the server, the console said ACL drops. The packet tracer said that it dropped in the implicit deny rule. Can you help me what can be the problem?

 

Thank You!

47 REPLIES 47

Can you do a "show nat" again please? 

Of course.

 

sh nat
Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 45, untranslate_hits = 0
2 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (DMZ) to (outside) source dynamic obj_any interface
    translate_hits = 765, untranslate_hits = 1
2 (DMZ) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 8, untranslate_hits = 0

The "Public_Server" object is still 10.168.50.5. I don't see it in your amended rule order above. It's strange that you're getting lots of hits on the "after-auto" rule. But not on the Object rule....... which should apply first.

 

Just to test, can you try this?

Make sure the object Public_Server is set as host 10.168.50.5, then the NAT rule as you have it in the post above. Then remove the 2 DMZ "after-auto" rules. Then test again.

 

That section 3 number1 rule is bothering me a bit. What is the purpose of that rule? To provide internet access for traffic sourced from the DMZ? 

View solution in original post

Hi Andre

It's confusing isn't it because I can't see anything wrong with it now.

The section 3 dynamic PAT is only there because it was originally in section 1 so I assumed it must be needed in terms of DMZ machines sourcing traffic to the internet.

So I just moved it past section 2 to make sure the statics were used but the ASA seems to be completely ignoring them for some reason.

Which would suggest something was matching in section 1 or in section 2 before the static PAT but none of the NAT statements in those sections would match as a far as I can see.

Jon

Hi All,

thanks for the suggestions but i cant report positive :). I changed the www to http, but after I checked the running config, i realised that the ASA rewrite it back to www. I also tried with tcp 80 80, but i experienced the same.

 

Oh, i tried to remove all rule from section 1, and it's working now!. So one rule from the section 1 is match. Should i insert that rules to section 3?

Currently it's working, and it looks like.:

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface   service tcp www www
    translate_hits = 0, untranslate_hits = 7
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (DMZ) to (outside) source dynamic obj_any interface
    translate_hits = 445, untranslate_hits = 1
2 (DMZ) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 0
3 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
4 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 0, untranslate_hits = 0


I moved the Guest and VPN NAT rules to section 3. Is it the best practice? :)

When did you move the VPN rule to section 1? I thought the VPN nat rule would clash because it had a match any rule on the DMZ interface. That waswhy I asked to remove it :-)

Glad you got it working.

Andre

Confusion reigns :-)

Why would the VPN rule be matched even if it was in section 1. I know it has any any but it is tied to the a destination network ie. it is policy NAT so it shouldn't have matched the web server traffic.

This post 8.3 NAT is tricky :-)

Jon

I'm confused which answer should I mark as a correct, you posted them in the same time.

You can mark both as correct and rate both.

Andre

I'm not sure you can mark both as correct but you're right that you can rate both.

Personally I'd be happy for no ratings if I could just work out what was happening :-)

Jon

You can see above what i found out. But summarizing the story I have to say thank you both!

I don't mind, give it to Andre by all means as he deserves it as much if not more than me.

I just wish we knew exactly what was happening.

Have you tried VPN access because if it is in section 3 and you have a dynamic PAT for the same interface in section 2 it might not work.

But then nothing is certain with this thread :-)

Jon

I think it was a joint effort Jon. It wouldn't matter either way.

Content for Community-Ad