05-21-2021 05:02 AM
Hello all,
I'm having some trouble with an ASA not port forwarding correctly. I've no doubt I'm missing something, but can't see it.
Setup is simple:-
vIOS 3 is the "inside" - 10.0.0.10
vIOS 2 is the "outside" - 20.0.0.10
ASAv is 10.0.0.1 (inside) and 20.0.0.1 (outside)
I've got the tcp and udp small servers running on vIOS 3 on the inside and some port-forwarding set up on the ASAv for:-
TCP 13 (daytime)
UDP 7 (echo)
ASA config is:-
ciscoasa# sh run object
object network r1-daytime
 host 10.0.0.10
object network r1-echo
 host 10.0.0.10
ciscoasa# sh run nat
object network r1-daytime
 nat (any,outside) static interface service tcp daytime daytime
object network r1-echo
 nat (any,outside) static interface service udp echo echo
ciscoasa# sh run access-list
access-list outside_access_in extended permit tcp any object r1-daytime eq daytime
access-list outside_access_in extended permit udp any object r1-echo eq echo
I run both through packet tracer and both come out as allowed.
I run a packet capture on the outside and I can see Echo (7) come into the ASA and daytime (13):-
15: 11:28:58.121865 10.0.0.10 > 20.0.0.10: icmp: echo request
16: 11:29:00.131401 10.0.0.10 > 20.0.0.10: icmp: echo request
17: 11:29:02.131920 10.0.0.10 > 20.0.0.10: icmp: echo request
18: 11:29:04.133461 10.0.0.10 > 20.0.0.10: icmp: echo request
19: 11:29:06.132866 10.0.0.10 > 20.0.0.10: icmp: echo request
20: 11:29:09.274369 20.0.0.10.49194 > 20.0.0.1.7: S 665420328:665420328(0) win 4128 <mss 1460>
21: 11:29:11.276032 20.0.0.10.49194 > 20.0.0.1.7: S 665420328:665420328(0) win 4128 <mss 1460>
22: 11:29:15.405328 20.0.0.10.49194 > 20.0.0.1.7: S 665420328:665420328(0) win 4128 <mss 1460>
23: 11:29:24.947323 20.0.0.10.38899 > 20.0.0.1.13: S 2964825655:2964825655(0) win 4128 <mss 1460>
24: 11:29:24.954128 20.0.0.1.13 > 20.0.0.10.38899: S 2542277600:2542277600(0) ack 2964825656 win 4128 <mss 536>
25: 11:29:24.958156 20.0.0.10.38899 > 20.0.0.1.13: . ack 2542277601 win 4128
26: 11:29:24.961177 20.0.0.10.38899 > 20.0.0.1.13: . ack 2542277601 win 4128
27: 11:29:24.965495 20.0.0.1.13 > 20.0.0.10.38899: . 2542277601:2542277636(35) ack 2964825656 win 4128
28: 11:29:24.967174 20.0.0.1.13 > 20.0.0.10.38899: FP 2542277636:2542277636(0) ack 2964825656 win 4128
29: 11:29:24.974253 20.0.0.10.38899 > 20.0.0.1.13: . ack 2542277637 win 4093
30: 11:29:24.977869 20.0.0.10.38899 > 20.0.0.1.13: FP 2964825656:2964825656(0) ack 2542277637 win 4093
31: 11:29:24.979868 20.0.0.1.13 > 20.0.0.10.38899: . ack 2964825657 win 4128
On the inside I see only daytime going out (13):-
1: 11:28:58.121407 10.0.0.10 > 20.0.0.10: icmp: echo request
2: 11:29:00.131371 10.0.0.10 > 20.0.0.10: icmp: echo request
3: 11:29:02.131905 10.0.0.10 > 20.0.0.10: icmp: echo request
4: 11:29:04.133309 10.0.0.10 > 20.0.0.10: icmp: echo request
5: 11:29:06.132851 10.0.0.10 > 20.0.0.10: icmp: echo request
6: 11:29:24.947582 20.0.0.10.38899 > 10.0.0.10.13: S 85698377:85698377(0) win 4128 <mss 1380>
7: 11:29:24.954113 10.0.0.10.13 > 20.0.0.10.38899: S 1253307133:1253307133(0) ack 85698378 win 4128 <mss 536>
8: 11:29:24.958202 20.0.0.10.38899 > 10.0.0.10.13: . ack 1253307134 win 4128
9: 11:29:24.961177 20.0.0.10.38899 > 10.0.0.10.13: . ack 1253307134 win 4128
10: 11:29:24.965465 10.0.0.10.13 > 20.0.0.10.38899: . 1253307134:1253307169(35) ack 85698378 win 4128
11: 11:29:24.967143 10.0.0.10.13 > 20.0.0.10.38899: FP 1253307169:1253307169(0) ack 85698378 win 4128
12: 11:29:24.974284 20.0.0.10.38899 > 10.0.0.10.13: . ack 1253307170 win 4093
13: 11:29:24.977869 20.0.0.10.38899 > 10.0.0.10.13: FP 85698378:85698378(0) ack 1253307170 win 4093
14: 11:29:24.979838 10.0.0.10.13 > 20.0.0.10.38899: . ack 85698379 win 4128
There are no hits on the ASAv for the incoming echo rule, but when I run packet tracer it clocks up the hits.
What am I missing to make the UDP port forwarding work?!?
Best, Leigh
05-21-2021 05:03 AM
As an addition, I can telnet to the echo port from vIOS 3 to itself and that works fine.
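Added example, not part of Leigh's posts or of any Cisco tooling: a small checker that parses the ASA `show capture` output and the `show run nat` service lines quoted above and reports any inbound packet that hits a forwarded port with a different transport protocol from the one the static NAT is written for. Run over the outside-capture lines in the post, it flags the packets to port 7 as TCP (they carry a SYN flag, `S`, rather than the `udp <len>` the ASA prints for UDP datagrams) while the NAT and ACL are written for `udp echo`, which is the first thing to reconcile before digging into xlate or ACL hit counts. The sample capture and config strings are copied from the post; the service-name table, the function names and the assumption that the ASA prints `udp` for UDP datagrams and bare TCP flags for TCP segments are this example's own.

```python
import re
from collections import Counter

# Port names the ASA prints in place of numbers (assumed subset, this example's own).
SERVICE_NAMES = {"echo": 7, "daytime": 13, "ssh": 22, "telnet": 23,
                 "domain": 53, "http": 80, "https": 443}

# "<n>: <hh:mm:ss.usec> <src> > <dst>: <rest>" as printed by 'show capture'
_PKT = re.compile(r"^\s*\d+:\s+[\d:.]+\s+(\S+)\s+>\s+(\S+):\s*(.*)$")
# "service <proto> <real-port> <mapped-port>" from an object NAT line
_NAT = re.compile(r"service\s+(tcp|udp)\s+(\S+)\s+(\S+)")

# Constructed sample: lines copied from the outside capture and NAT config in the post.
SAMPLE_CAPTURE = """\
15: 11:28:58.121865 10.0.0.10 > 20.0.0.10: icmp: echo request
20: 11:29:09.274369 20.0.0.10.49194 > 20.0.0.1.7: S 665420328:665420328(0) win 4128 <mss 1460>
21: 11:29:11.276032 20.0.0.10.49194 > 20.0.0.1.7: S 665420328:665420328(0) win 4128 <mss 1460>
23: 11:29:24.947323 20.0.0.10.38899 > 20.0.0.1.13: S 2964825655:2964825655(0) win 4128 <mss 1460>
24: 11:29:24.954128 20.0.0.1.13 > 20.0.0.10.38899: S 2542277600:2542277600(0) ack 2964825656 win 4128 <mss 536>
"""
SAMPLE_CONFIG = """\
object network r1-daytime
 nat (any,outside) static interface service tcp daytime daytime
object network r1-echo
 nat (any,outside) static interface service udp echo echo
"""


def port_number(name):
    """Resolve a port written as a name or as a number to an int."""
    return int(name) if name.isdigit() else SERVICE_NAMES[name]


def _split_endpoint(ep):
    """'20.0.0.1.7' -> ('20.0.0.1', 7); a bare IPv4 address (ICMP) has no port."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_capture(text):
    """Return [(proto, src_ip, dst_ip, dst_port)] for each 'show capture' line."""
    pkts = []
    for line in text.splitlines():
        m = _PKT.match(line)
        if not m:
            continue
        src, dst, rest = m.groups()
        src_ip, _ = _split_endpoint(src)
        dst_ip, dst_port = _split_endpoint(dst)
        if rest.startswith("icmp"):
            proto = "icmp"
        elif rest.startswith("udp"):
            proto = "udp"  # assumption: ASA prints 'udp <len>' for UDP datagrams
        else:
            proto = "tcp"  # TCP lines start with flags (S, ., FP, ...) and no protocol word
        pkts.append((proto, src_ip, dst_ip, dst_port))
    return pkts


def parse_nat_services(config):
    """Map each mapped (outside) port to (protocol, real port) of its static NAT."""
    return {port_number(mapped): (proto, port_number(real))
            for proto, real, mapped in _NAT.findall(config)}


def find_mismatches(capture_text, config_text):
    """Return (proto_seen, port, proto_forwarded, packet_count) for every
    destination port that has a static NAT but was hit with the wrong protocol."""
    rules = parse_nat_services(config_text)
    seen = Counter((proto, port) for proto, _, _, port in parse_capture(capture_text)
                   if port is not None)
    return [(proto, port, rules[port][0], n)
            for (proto, port), n in sorted(seen.items())
            if port in rules and rules[port][0] != proto]


if __name__ == "__main__":
    for proto, port, wanted, n in find_mismatches(SAMPLE_CAPTURE, SAMPLE_CONFIG):
        print(f"port {port}: {n} {proto} packet(s) seen, but NAT forwards {wanted}")
```

Paste the full `show capture` output and the `show run nat` output into the two strings (or read them from files) to check a real box; packets whose destination port has no static NAT are ignored, so replies and unrelated traffic do not produce noise.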