cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1926
Views
10
Helpful
47
Replies
Attila Erdos
Beginner

ASA 9.2 Port Forward

Hello,

i have a problem with a single port forward with 9.2 ASA (5505). Here is the related config.:

 

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
access-list DMZ_in extended permit ip any any
 

nat (DMZ,outside) source dynamic obj_any interface
nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP

object network Public_Server
 nat (DMZ,outside) static interface service tcp www www

access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ

 

When i try to access the server, the console said ACL drops. The packet tracer said that it dropped in the implicit deny rule. Can you help me what can be the problem?

 

Thank You!

47 REPLIES 47

It appears you can mark multiple answers as correct which now I come to think about is obvious considering I have had multiple correct answers in a thread.

You would think I would know that after posting for over 10 years now :-)

Jon

Confusion indeed Jon. At least it's working :-)

I think about the inside VPN NAT rule, the DMZ VPN rule was moved earlier to section 3. One of these rule matched before the port forward.:

nat (Guest,outside) source dynamic obj_any interface
nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup

 

I think it was the Guest rule because of the "obj_any" object.

Hi. I don't think those rules would have matched, because it's applying to other interfaces, ie. Guest, and inside.

But it seems yes :).

I moved this back to section 1.:

nat (Guest,outside) source dynamic obj_any interface

 

The object is.:

object network obj_any
 subnet 0.0.0.0 0.0.0.0

 

I think i should specify it more.

I honestly can't see how because you have defined the specific interface for Guest.

If you had used -

"nat (any,outside) source dynamic obj_any interface"

then yes I would agree but you didn't.

Obviously there is something I am not understanding but your firewall seems to be using the NAT rules differently than I expected

Jon

Sorry, ignore my last post, I'm just catching up on all the activity.

You can't leave the VPN NAT rules in section 3 unless you move the section 2 dynamic NAT there as well otherwise you will never get to the VPN rules.

You will have to move the dynamic NAT to section 3 as well for inside to outside and make sure it is after the VPN rules.

Jon

Yes. Post it under section 3. Can you please post your object, acl and NAT configs as it is now?

Did you also try moving the NAT statement to section 1 ?

If you did and it is still like that can we have another "sh nat" and if you ran packet-tracer what did it show ?

Have you tried hitting the ASA with a very blunt object :-)

Jon

Yes, the Public_server is the 10.168.50.5.:

 

object network Public_Server
 host 10.168.50.5

 

I deleted them, currently.:

Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
    translate_hits = 45, untranslate_hits = 0
2 (inside) to (outside) source static any any   destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 0, untranslate_hits = 0

 

Yes, that NAT rule makes internet access for the clients in DMZ.

You can ping the web server from the ASA ?

After you deleted the section 3 NAT rules what does a packet-tracer show ?

Jon

Yes, of course, i can ping, and also from VPN. And also the web service works from VPN, local. Tha packet-tracer said the same, the implicit deny catch it.:

packet-tracer input outside tcp 8.8.8.8 http OUTIFIP http det

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2a1718, priority=1, domain=permit, deny=false
        hits=89868, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   OUTIFIP  255.255.255.255 identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad071248, priority=1, domain=nat-per-session, deny=true
        hits=1199, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2a23b8, priority=0, domain=permit, deny=true
        hits=883, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Okay try using a section 1 rule for your web server eg.

nat (DMZ,outside) source static Public_Server interface service http http

and retest.

Jon

View solution in original post

Hi Jon

 

I think we posted that at the same time :-)

Hi Andre

Actually I would be interested to see if the changing from www to http works.

I have just asked for the NAT rule to be moved to section 1 but I used http so if it works we won't know whether it was because we moved the rule or because of your suggestion.

Jon

Content for Community-Ad