ASA firewall not opening port when source and dest port is not the same

PlusIT-cvandewalle · ‎09-23-2013

Hi,

I have a weird problem on my asa firewall. Untill now I have some open ports like this:

object-group service TCP-18000 tcp

port-object eq 18000

access-list outside_access extended permit tcp any host 192.168.1.118 object-group TCP-18000

object network obj-192.168.1.118_1

nat (inside,outside) static interface service tcp 18000 18000

this works witouth a problem.

Now i have an internal webserver that i cannot switch it's on port 80 bound to the internal ip. When browsing locally it works. I would like to open port 18007 from the outside so i redirect to the internal port 80 to the internal ip whatever I try it does not work with these commands what am I doing wrong ?

bject-group service TCP-18007 tcp

port-object eq 18007

access-list outside_access extended permit tcp any host 192.168.1.118 object-group TCP-18007

object network obj-192.168.1.118_1

nat (inside,outside) static interface service tcp 80 18007

i also tried

nat (inside,outside) static interface service tcp 18007 80

Jouni Forss · ‎09-23-2013

Hi,

The problem is the ACL

What you have missed is that the ACL has to use the real IP address and the real port also. You do have the correct destination IP address BUT you have allowed the traffic to the mapped port instead of the local/real port.

So change the ACL to this

object-group service TCP-80 tcp

port-object eq 80

access-list outside_access extended permit tcp any host 192.168.1.118 object-group TCP-80

You should keep the NAT as it was originally

object network obj-192.168.1.118_1

nat (inside,outside) static interface service tcp 80 18007

Then it should work.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni