Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1849
Views
0
Helpful
15
Replies

ASA5505 - Need help with port forwarding

Go to solution
northernlight
Level 1
Level 1

‎01-02-2019 01:26 AM - edited ‎02-21-2020 08:37 AM

Hi everyone,

I have been struggling to get port forwarding to work on my ASA5505.

So far I have setup an ACL to permit the port traffic and NAT rule to forward to port to the specific host.

Packet tracer in the ASDM shows that the packet is allowed. However when I test using the below powershell command :

 

tnc  [ASA outside interface address] -port [port number]

 

it shows that the connection to the port is failed. ASDM syslog doesnt even have logged the tcp connnection try.

Any help would be appreciated.

 

ASA Version : 9.2(4)33

ASDM Version : 7.9(2)152

 

ASA1.jpg

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sheraz.Salim
VIP
VIP
In response to northernlight

‎01-02-2019 06:04 PM

after looking at the packet tracer log and looking at your nat order if seems you have a nat order issue. VPN-Server rule should be in section 1

ciscoasa(config)# show nat

Manual NAT Policies (Section 1)

1 (Lab_Outside_Gateway) to (WAN) source dynamic any interface

    translate_hits = 28304, untranslate_hits = 815

2 (Lab_Host_Network) to (WAN) source dynamic any interface

    translate_hits = 18387, untranslate_hits = 172

3 (Home_Network_1_Gateway) to (WAN) source dynamic any interface

    translate_hits = 73636, untranslate_hits = 729

4 (Home_Network_2_Gateway) to (WAN) source dynamic any interface

    translate_hits = 59292, untranslate_hits = 11423

5 (WAN) to (Lab_Outside_Gateway) source dynamic any interface

    translate_hits = 9, untranslate_hits = 0



Auto NAT Policies (Section 2)

1 (Lab_Outside_Gateway) to (WAN) source static VPN-Server interface   service tcp 1701 1701

    translate_hits = 0, untranslate_hits = 0

 

please do not forget to rate.

View solution in original post

0 Helpful
15 Replies 15

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎01-02-2019 01:54 AM

Post your CLI config and we can check.
0 Helpful

Go to solution
northernlight
Level 1
Level 1
In response to Mohammed al Baqari

‎01-02-2019 02:08 AM - edited ‎01-02-2019 02:09 AM

Here is the config. Thanks.

 


ASA Version 9.2(4)33
!

!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 11
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 13
!
interface Ethernet0/4
switchport access vlan 14
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan10
nameif WAN
security-level 0
ip address dhcp setroute
!
interface Vlan11
nameif Lab_Outside_Gateway
security-level 100
ip address 10.0.255.254 255.255.255.0
!
interface Vlan12
nameif Home_Network_1_Gateway
security-level 90
ip address 172.31.255.254 255.255.255.0
!
interface Vlan13
nameif Home_Network_2_Gateway
security-level 10
ip address 192.168.255.254 255.255.255.0
!
interface Vlan14
nameif Lab_Host_Network
security-level 100
ip address 10.0.0.254 255.255.255.0
!
ftp mode passive
clock timezone HKST 8
dns server-group DefaultDNS
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN-Server
host 10.0.78.250
object service VPN-Service-Port-3
service tcp destination eq 1701
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list WAN_access_in extended permit icmp any 10.0.0.0 255.255.255.0
access-list WAN_access_in extended permit icmp any 10.0.255.0 255.255.255.0
access-list WAN_access_in extended permit icmp any 172.31.255.0 255.255.255.0
access-list WAN_access_in extended permit icmp any 192.168.255.0 255.255.255.0
access-list WAN_access_in extended permit object VPN-Service-Port-3 any object VPN-Server
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu Lab_Outside_Gateway 1500
mtu Home_Network_1_Gateway 1500
mtu Lab_Host_Network 1500
mtu WAN 1500
mtu Home_Network_2_Gateway 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Lab_Outside_Gateway,WAN) source dynamic any interface
nat (Lab_Host_Network,WAN) source dynamic any interface
nat (Home_Network_1_Gateway,WAN) source dynamic any interface
nat (Home_Network_2_Gateway,WAN) source dynamic any interface
nat (WAN,Lab_Outside_Gateway) source dynamic any interface
!
object network VPN-Server
nat (Lab_Outside_Gateway,WAN) static interface service tcp 1701 1701
access-group WAN_access_in in interface WAN
route Lab_Outside_Gateway 10.0.11.0 255.255.255.0 10.0.255.10 1
route Lab_Outside_Gateway 10.0.14.0 255.255.255.0 10.0.255.10 1
route Lab_Outside_Gateway 10.0.78.0 255.255.255.0 10.0.255.10 1
route Lab_Outside_Gateway 10.0.254.0 255.255.255.0 10.0.255.10 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 Lab_Host_Network
no snmp-server location
no snmp-server contact
no sysopt connection permit-vpn

 

0 Helpful

Go to solution
northernlight
Level 1
Level 1
In response to Mohammed al Baqari

‎01-02-2019 02:12 AM

Here is the config. Thanks.


ASA Version 9.2(4)33
!

!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 11
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 13
!
interface Ethernet0/4
switchport access vlan 14
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan10
nameif WAN
security-level 0
ip address dhcp setroute
!
interface Vlan11
nameif Lab_Outside_Gateway
security-level 100
ip address 10.0.255.254 255.255.255.0
!
interface Vlan12
nameif Home_Network_1_Gateway
security-level 90
ip address 172.31.255.254 255.255.255.0
!
interface Vlan13
nameif Home_Network_2_Gateway
security-level 10
ip address 192.168.255.254 255.255.255.0
!
interface Vlan14
nameif Lab_Host_Network
security-level 100
ip address 10.0.0.254 255.255.255.0
!
ftp mode passive
clock timezone HKST 8
dns server-group DefaultDNS
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN-Server
host 10.0.78.250
object service VPN-Service-Port-3
service tcp destination eq 1701
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list WAN_access_in extended permit icmp any 10.0.0.0 255.255.255.0
access-list WAN_access_in extended permit icmp any 10.0.255.0 255.255.255.0
access-list WAN_access_in extended permit icmp any 172.31.255.0 255.255.255.0
access-list WAN_access_in extended permit icmp any 192.168.255.0 255.255.255.0
access-list WAN_access_in extended permit object VPN-Service-Port-3 any object VPN-Server
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu Lab_Outside_Gateway 1500
mtu Home_Network_1_Gateway 1500
mtu Lab_Host_Network 1500
mtu WAN 1500
mtu Home_Network_2_Gateway 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Lab_Outside_Gateway,WAN) source dynamic any interface
nat (Lab_Host_Network,WAN) source dynamic any interface
nat (Home_Network_1_Gateway,WAN) source dynamic any interface
nat (Home_Network_2_Gateway,WAN) source dynamic any interface
nat (WAN,Lab_Outside_Gateway) source dynamic any interface
!
object network VPN-Server
nat (Lab_Outside_Gateway,WAN) static interface service tcp 1701 1701
access-group WAN_access_in in interface WAN
route Lab_Outside_Gateway 10.0.11.0 255.255.255.0 10.0.255.10 1
route Lab_Outside_Gateway 10.0.14.0 255.255.255.0 10.0.255.10 1
route Lab_Outside_Gateway 10.0.78.0 255.255.255.0 10.0.255.10 1
route Lab_Outside_Gateway 10.0.254.0 255.255.255.0 10.0.255.10 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 Lab_Host_Network
no snmp-server location
no snmp-server contact
no sysopt connection permit-vpn

 

0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to northernlight

‎01-02-2019 06:01 AM

you config is wrong

 

 

put this command

no access-list WAN_access_in extended permit object VPN-Service-Port-3 any object VPN-Server

access-list WAN_access_in extended permit tcp any object VPN-Service-Port-3 object VPN-Server

 

please do not forget to rate.
0 Helpful

Go to solution
northernlight
Level 1
Level 1
In response to Sheraz.Salim

‎01-02-2019 04:03 PM - edited ‎01-02-2019 04:04 PM

Thanks for taking a look at the config.

I have tried to put in the two commands you listed. the second command doesn't seem to work.

 

ERROR : specified object <VPN-Service-Port-3> has wrong type;

0 Helpful

Go to solution
northernlight
Level 1
Level 1
In response to Mohammed al Baqari

‎01-02-2019 02:31 AM

Here is the config. Thanks.

Preview file
5 KB
0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to northernlight

‎01-02-2019 05:16 PM - edited ‎01-02-2019 05:24 PM

test this

 

no access-list WAN_access_in extended permit tcp any object VPN-Service-Port-3 object VPN-Server

access-list WAN_access_in extended permit tcp any object VPN-Server eq 1701

 

also thought instead of this

!

object network VPN-Server

  host 10.0.78.250
  nat (Lab_Outside_Gateway,WAN) static interface service tcp 1701 1701

!

you can have this

!

object network VPN-Server

  host 10.0.78.250
  nat (Lab_Outside_Gateway,WAN) static interface

!

because we have access-list narrow it down to certain port no. so when someone from outside internet connects to your asa WAN link address with port 1701 will be directed to VPN-Server

please do not forget to rate.
0 Helpful

Go to solution
northernlight
Level 1
Level 1
In response to Sheraz.Salim

‎01-02-2019 05:25 PM - edited ‎01-02-2019 05:32 PM

The commands can be successfully applied.

However ASDM still doesnt register any hit when I try to make connection to port 1701 and the connection still fails.

 

Edit : I have also tried to change the NAT rule like you stated. but it seems like the asa internet facing interface (WAN) is still not registering any connection made to port 1701

0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to northernlight

‎01-02-2019 05:32 PM - edited ‎01-02-2019 05:33 PM

run this and share the output

packet-tracer input WAN tcp 8.8.8.8 1701 10.0.78.250 1701 detail

please do not forget to rate.
0 Helpful

Go to solution
northernlight
Level 1
Level 1
In response to Sheraz.Salim

‎01-02-2019 05:37 PM

Here is the output.

Also , I would like to thank you again for your help all along.

Preview file
5 KB
0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to northernlight

‎01-02-2019 05:42 PM

share the output of command

 

show nat

please do not forget to rate.
0 Helpful

Go to solution
northernlight
Level 1
Level 1
In response to Sheraz.Salim

‎01-02-2019 05:51 PM

Here is the show nat result

Preview file
1 KB
0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to northernlight

‎01-02-2019 06:04 PM

after looking at the packet tracer log and looking at your nat order if seems you have a nat order issue. VPN-Server rule should be in section 1

ciscoasa(config)# show nat

Manual NAT Policies (Section 1)

1 (Lab_Outside_Gateway) to (WAN) source dynamic any interface

    translate_hits = 28304, untranslate_hits = 815

2 (Lab_Host_Network) to (WAN) source dynamic any interface

    translate_hits = 18387, untranslate_hits = 172

3 (Home_Network_1_Gateway) to (WAN) source dynamic any interface

    translate_hits = 73636, untranslate_hits = 729

4 (Home_Network_2_Gateway) to (WAN) source dynamic any interface

    translate_hits = 59292, untranslate_hits = 11423

5 (WAN) to (Lab_Outside_Gateway) source dynamic any interface

    translate_hits = 9, untranslate_hits = 0



Auto NAT Policies (Section 2)

1 (Lab_Outside_Gateway) to (WAN) source static VPN-Server interface   service tcp 1701 1701

    translate_hits = 0, untranslate_hits = 0

 

please do not forget to rate.
0 Helpful

Go to solution
northernlight
Level 1
Level 1
In response to Sheraz.Salim

‎01-02-2019 06:19 PM

I went on to perform packet trace again after I changed the NAT rule orders.

However this time packet trace failed at the NAT rule.

Preview file
4 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card