ASA UDP Port Forwarding

leighharrison
Level 7

Hello all,
I'm having some trouble with an ASA not port forwarding correctly. I've no doubt I'm missing something, but can't see it.

Setup is simple:-

[Diagram: port forwarding.PNG]

vIOS 3 is the "inside" - 10.0.0.10

vIOS 2 is the "outside" - 20.0.0.10

ASAv is 10.0.0.1 (inside) and 20.0.0.1 (outside)
I've got the tcp and udp small servers running on vIOS 3 on the inside and some port-forwarding set up on the ASAv for:-

TCP 13 (daytime)

UDP 7 (echo)
ASA config is:-

ciscoasa# sh run object
object network r1-daytime
 host 10.0.0.10
object network r1-echo
 host 10.0.0.10

ciscoasa# sh run nat
object network r1-daytime
 nat (any,outside) static interface service tcp daytime daytime 
object network r1-echo
 nat (any,outside) static interface service udp echo echo 

ciscoasa# sh run access-list 
access-list outside_access_in extended permit tcp any object r1-daytime eq daytime 
access-list outside_access_in extended permit udp any object r1-echo eq echo

I run both through packet tracer and both come out as allowed.

I run a packet capture on the outside and I can see echo (7) come into the ASA and daytime (13):-

  15: 11:28:58.121865       10.0.0.10 > 20.0.0.10: icmp: echo request 
  16: 11:29:00.131401       10.0.0.10 > 20.0.0.10: icmp: echo request 
  17: 11:29:02.131920       10.0.0.10 > 20.0.0.10: icmp: echo request 
  18: 11:29:04.133461       10.0.0.10 > 20.0.0.10: icmp: echo request 
  19: 11:29:06.132866       10.0.0.10 > 20.0.0.10: icmp: echo request 
  20: 11:29:09.274369       20.0.0.10.49194 > 20.0.0.1.7: S 665420328:665420328(0) win 4128 <mss 1460> 
  21: 11:29:11.276032       20.0.0.10.49194 > 20.0.0.1.7: S 665420328:665420328(0) win 4128 <mss 1460> 
  22: 11:29:15.405328       20.0.0.10.49194 > 20.0.0.1.7: S 665420328:665420328(0) win 4128 <mss 1460> 
  23: 11:29:24.947323       20.0.0.10.38899 > 20.0.0.1.13: S 2964825655:2964825655(0) win 4128 <mss 1460> 
  24: 11:29:24.954128       20.0.0.1.13 > 20.0.0.10.38899: S 2542277600:2542277600(0) ack 2964825656 win 4128 <mss 536> 
  25: 11:29:24.958156       20.0.0.10.38899 > 20.0.0.1.13: . ack 2542277601 win 4128 
  26: 11:29:24.961177       20.0.0.10.38899 > 20.0.0.1.13: . ack 2542277601 win 4128 
  27: 11:29:24.965495       20.0.0.1.13 > 20.0.0.10.38899: . 2542277601:2542277636(35) ack 2964825656 win 4128 
  28: 11:29:24.967174       20.0.0.1.13 > 20.0.0.10.38899: FP 2542277636:2542277636(0) ack 2964825656 win 4128 
  29: 11:29:24.974253       20.0.0.10.38899 > 20.0.0.1.13: . ack 2542277637 win 4093 
  30: 11:29:24.977869       20.0.0.10.38899 > 20.0.0.1.13: FP 2964825656:2964825656(0) ack 2542277637 win 4093 
  31: 11:29:24.979868       20.0.0.1.13 > 20.0.0.10.38899: . ack 2964825657 win 4128 

On the inside I see only daytime going out (13):-

   1: 11:28:58.121407       10.0.0.10 > 20.0.0.10: icmp: echo request 
   2: 11:29:00.131371       10.0.0.10 > 20.0.0.10: icmp: echo request 
   3: 11:29:02.131905       10.0.0.10 > 20.0.0.10: icmp: echo request 
   4: 11:29:04.133309       10.0.0.10 > 20.0.0.10: icmp: echo request 
   5: 11:29:06.132851       10.0.0.10 > 20.0.0.10: icmp: echo request 
   6: 11:29:24.947582       20.0.0.10.38899 > 10.0.0.10.13: S 85698377:85698377(0) win 4128 <mss 1380> 
   7: 11:29:24.954113       10.0.0.10.13 > 20.0.0.10.38899: S 1253307133:1253307133(0) ack 85698378 win 4128 <mss 536> 
   8: 11:29:24.958202       20.0.0.10.38899 > 10.0.0.10.13: . ack 1253307134 win 4128 
   9: 11:29:24.961177       20.0.0.10.38899 > 10.0.0.10.13: . ack 1253307134 win 4128 
  10: 11:29:24.965465       10.0.0.10.13 > 20.0.0.10.38899: . 1253307134:1253307169(35) ack 85698378 win 4128 
  11: 11:29:24.967143       10.0.0.10.13 > 20.0.0.10.38899: FP 1253307169:1253307169(0) ack 85698378 win 4128 
  12: 11:29:24.974284       20.0.0.10.38899 > 10.0.0.10.13: . ack 1253307170 win 4093 
  13: 11:29:24.977869       20.0.0.10.38899 > 10.0.0.10.13: FP 85698378:85698378(0) ack 1253307170 win 4093 
  14: 11:29:24.979838       10.0.0.10.13 > 20.0.0.10.38899: . ack 85698379 win 4128 

There are no hits on the ASAv for the incoming echo rule, but when I run packet tracer it clocks up the hits.
What am I missing to make the UDP port forwarding work?!?
Best, Leigh

1 Reply

leighharrison
Level 7

As an addition, I can telnet to the echo port from vIOS 3 to itself and that works fine.
