11-07-2011 10:29 AM - edited 03-11-2019 02:47 PM
Hi All,
This should be a straightforward solution for all, but I am having some issues regarding port forwarding in Cisco ASA. Say my ASA is using a public IP 200.0.0.2/24, and its default route is 200.0.0.1. I have two servers internally on 192.168.1.2 and 192.168.1.3, both web servers.
If I do:
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
access-list ACLOUTSIDE permit tcp any host 200.0.0.2 eq www
access-group ACLOUTSIDE in interface outside
This works... However if I do this:
static (inside,outside) tcp 200.0.0.3 www 192.168.1.3 www netmask 255.255.255.255
access-list ACLOUTSIDE permit tcp any host 200.0.0.3 eq www
access-group ACLOUTSIDE in interface outside
It doesn't work. I used ASDM and tried to create a Static PAT rule and it produces the same results above which also doesn't work. I did a packet-tracer and ASA sees it as okay. Anyone ever encounter this issue?
Sent from Cisco Technical Support iPad App
11-07-2011 10:54 AM
Hello Desmond,
The best thing would be to do captures, because as I can see here the configuration is the one required to allow these connections.
Can you do the following capture and attach it to the case in pcap format:
access-list capin permit tcp host 192.168.1.3 eq 80 any
access-list capin permit tcp any host 192.168.1.3 eq 80
access-list capout permit tcp any host 200.0.0.3 eq 80
access-list capout permit tcp host 200.0.0.3 eq 80 any
capture capin access-list capin interface inside
capture capout access-list capout interface outside
Then try to access the web server from the outside and download the captures via HTTP. To do this, configure the following:
http server enable
http 0 0 inside
And then, on a local host, go to a browser and open:
https://<inside-ip-address>/capture/capin/pcap
https://<inside-ip-address>/capture/capout/pcap
This will show us what is going on.
Regards,
Julio
11-08-2011 04:00 AM
Hi Julio,
This is embarrassing. I was doing a parallel firewall migration remotely when the port forwarding commands didn't work. I took a rest and checked about an hour ago (didn't check until then), and the port forwards are working now. I am not sure why, but it might have had to do with ARP on the Internet router side. Thanks for the packet capture commands. It might help me out one day.
Sent from Cisco Technical Support iPad App
11-08-2011 09:18 AM
Hello Desmond,
Do not worry, it is great to hear that everything is working fine with the ASA.
Please mark the question as answered.
Have a wonderful day,
Julio
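Added example (editor's note, not from any of the posts above): a complete troubleshooting pass for the second static PAT that puts Julio's captures together with the checks you would normally run first, plus the ARP check the follow-up hints at. A parallel migration is a classic case where the upstream router still has the old firewall's MAC address cached for 200.0.0.3, so the SYN never reaches the new ASA at all; capturing ARP on the outside interface shows that directly. It uses the 8.2-style configuration quoted in the question (ASA outside 200.0.0.2/24, upstream router 200.0.0.1, 192.168.1.3 published as 200.0.0.3) and assumes an inside management address of 192.168.1.1, an admin workstation 192.168.1.10 and an external test client 198.51.100.7; those three addresses are assumptions for the example.

```cisco
! Added example, not part of the original thread. Assumed addresses:
! inside interface 192.168.1.1, admin host 192.168.1.10, external
! test client 198.51.100.7.

! 1. Enable the HTTPS server for the capture download, but limit it to
!    the admin host. "http 0 0 inside" lets every inside host reach ASDM
!    and the capture files.
http server enable
http 192.168.1.10 255.255.255.255 inside

! 2. Confirm the translation is in place and that the ASA owns 200.0.0.3
!    on the outside (proxy ARP is on by default for static NAT; it would
!    be disabled by "sysopt noproxyarp outside").
show running-config static
show xlate | include 200.0.0.3
show arp
show running-config sysopt

! 3. Simulate the inbound flow through NAT and the outside ACL.
packet-tracer input outside tcp 198.51.100.7 40000 200.0.0.3 80 detailed

! 4. Capture both sides so "no SYN ever arrives on outside" can be told
!    apart from "SYN translated and forwarded, but no reply from the
!    server". Also capture ARP on outside: a "who-has 200.0.0.3" from
!    the router with no reply from the ASA points at proxy ARP; no ARP
!    request at all suggests the router is still using a cached entry.
access-list capout extended permit tcp any host 200.0.0.3 eq www
access-list capout extended permit tcp host 200.0.0.3 eq www any
access-list capin extended permit tcp any host 192.168.1.3 eq www
access-list capin extended permit tcp host 192.168.1.3 eq www any
capture capout access-list capout buffer 1000000 interface outside
capture capin access-list capin buffer 1000000 interface inside
capture caparp ethernet-type arp interface outside

! (open http://200.0.0.3/ from the external client a few times, then:)
show capture capout
show capture capin
show capture caparp

! 5. Clean up: captures keep consuming memory until removed, and the
!    capture ACLs are not needed afterwards.
no capture capout
no capture capin
no capture caparp
clear configure access-list capout
clear configure access-list capin
```

From the admin host, the files can be pulled with `curl -k -u <user> https://192.168.1.1/capture/capout/pcap -o capout.pcap` (same credentials ASDM uses) and read with `tcpdump -nr capout.pcap`. If capout shows nothing while the ARP capture shows no request for 200.0.0.3, clear the ARP entry for 200.0.0.3 on the upstream router or wait for it to age out. Note that on ASA 8.3 and later the `static` command is replaced by object NAT (`object network` with `nat (inside,outside) static 200.0.0.3 service tcp www www`) and the outside ACL references the real address 192.168.1.3 rather than 200.0.0.3; the capture and packet-tracer commands are unchanged.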