
ASA 9.2 Port Forward

Attila Erdos
Level 1

Hello,

I have a problem with a single port forward on a 9.2 ASA (5505). Here is the related config:

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
access-list DMZ_in extended permit ip any any
 

nat (DMZ,outside) source dynamic obj_any interface
nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP

object network Public_Server
 nat (DMZ,outside) static interface service tcp www www

access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ

 

When I try to access the server, the console says ACL drops. The packet tracer said that it was dropped by the implicit deny rule. Can you help me find what the problem could be?

Thank You!

47 Replies

I noticed that you also changed the syntax from "www" to "http" in your recommendation. So let's call it OUR suggestion. I think that may be why there were no hits on the object NAT rule. Maybe if the test is successful the rule can be moved back to section 2 under the Public_Server object just to see if the ASA recognizes protocol "www".

I think that's worth doing if only so we at least know for sure because this has been quite a confusing thread :-)

Jon

Something else I find a bit strange is the protocol in the NAT rule. My ASA running 9.x code does not have a tcp service "www"; it only has "http". I know in the Cisco IOS http is referred to as "www".

Can you try to change your tcp protocol statement to "http" instead of "www"?

 

Just a thought. It could be that is why there are no hits on the Object NAT rule.
