ASA5515 9.4 port forward help

Johnni211 (Level 1)
Hello, I need to reach our FTP servers in the LAN from a public server. For example, our public server is 2.2.2.2 and the public interface of the ASA is 3.3.3.3. I set the following:

Object NAT:

object network obj_10.20.2.2
 nat (inside,outside) static interface service tcp 21 2121
object network obj_10.20.2.3
 nat (inside,outside) static interface service tcp 21 2122

My ACLs on the outside interface:

access-list outside_access_in extended permit ip object myServer object ftp_server1 log notifications
access-list outside_access_in extended permit ip object myServer object ftp_server2 log notifications
access-list outside_access_in extended permit object ftp object Zabbix object log_server_zabbix
access-list outside_access_in extended deny ip any any log warnings
access-group outside_access_in in interface outside

Objects:

object network myServer
 host 2.2.2.2
object network ftp_server1
 host 10.20.2.2
object network ftp_server2
 host 10.20.2.3

But I cannot reach the servers like this. The packet tracer said:

asa5515# packet-tracer input outside tcp 2.2.2.2 1234 3.3.3.3 21 detail
...
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe1ad0d40, priority=0, domain=permit, deny=true
hits=12461202, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any idea what I should do? Thank you in advance,
Johnni21


Your config looks good. But the packet-tracer simulation is wrong. You have to use:

packet-tracer input outside tcp 2.2.2.2 1234 3.3.3.3 2121
packet-tracer input outside tcp 2.2.2.2 1234 3.3.3.3 2122

Yes, you are right. I copied the wrong row. I used it as you wrote.

So the config looks good. It is good, but I cannot reach the server. Hmmm...

Thank you

And what is the (complete) result of the packet-tracer?

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 3.3.3.3 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe138ef20, priority=0, domain=nat-per-session, deny=false
hits=101921769, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe1ad0d40, priority=0, domain=permit, deny=true
hits=12461202, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Do you have a dynamic NAT statement in section 1? These statements should go to section 3. Can you share your complete NAT config?

nat (any,any) source static All-inside All-inside destination static All-inside All-inside no-proxy-arp
nat (inside,outside) source static NETWORK_OBJ_10.20.0.0_19 NETWORK_OBJ_10.20.0.0_19 destination static NETWORK_OBJ_172.16.0.0_22 NETWORK_OBJ_172.16.0.0_22 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.20.253.0_24 NETWORK_OBJ_10.20.253.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.20.252.0_24 NETWORK_OBJ_10.20.252.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.20.0.0_16 NETWORK_OBJ_10.20.0.0_16 destination static NETWORK_OBJ_10.20.251.0_24 NETWORK_OBJ_10.20.251.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.252.0_24 NETWORK_OBJ_10.20.252.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.253.0_24 NETWORK_OBJ_10.20.253.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.20.2.0_24 NETWORK_OBJ_10.20.2.0_24 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.20.2.0_24 NETWORK_OBJ_10.20.2.0_24 destination static r1_subnet1 r1_subnet1 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.20.2.0_24 NETWORK_OBJ_10.20.2.0_24 destination static r1_subnets r1_subnets no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.20.2.31 NETWORK_OBJ_10.20.2.31 destination static r1_subnets r1_subnets no-proxy-arp
nat (any,outside) source dynamic NETWORK_OBJ_10.20.0.0_16 interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.20.250.0_24 NETWORK_OBJ_10.20.250.0_24 no-proxy-arp route-lookup

this one is wrong:

nat (any,outside) source dynamic NETWORK_OBJ_10.20.0.0_16 interface

replace it with the following to bring the rule to section 3:

nat (any,outside) after-auto source dynamic NETWORK_OBJ_10.20.0.0_16 interface
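Why the position of that one line matters, as an added example that is not part of the thread and not Cisco code: a small Python model of the ASA's three NAT sections (section 1 manual NAT, section 2 object NAT, section 3 manual NAT with after-auto) and of how an inbound packet to the outside interface is untranslated. With the dynamic PAT rule in section 1 it is the first rule whose mapped address is 3.3.3.3, and a dynamic rule can only untranslate a packet for which an xlate already exists, so the port-forward packet is left addressed to the firewall itself (the "NP Identity Ifc" in the trace) and the outside ACL, which the ASA evaluates against real addresses ("use_real_addr"), falls through to the implicit deny. With after-auto the object NAT rules are consulted first and 3.3.3.3:2121 becomes 10.20.2.2:21, which the ACL permits. The rule names, the xlate tuple format and the lookup routine are simplifications constructed for this illustration; the addresses, ports and rules are the ones posted above.

```python
"""Toy model of Cisco ASA NAT section ordering (added example, not ASA code).

The ASA walks its NAT table top-down and stops at the first match:
  section 1: manual (twice) NAT rules without 'after-auto', in config order
  section 2: object (auto) NAT rules, static before dynamic, most specific first
  section 3: manual NAT rules configured with 'after-auto', in config order
For a packet arriving on the outside, a rule matches when the packet's
destination is the rule's *mapped* address. A static rule can untranslate it
to the real address; a dynamic PAT rule can only untranslate it if an xlate
created by earlier outbound traffic exists. Rule names, the xlate format and
the lookup routine are simplifications assumed for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

OUTSIDE_IF = "3.3.3.3"  # outside interface address, as in the thread

# ((mapped_ip, mapped_port), (real_ip, real_port)) - constructed format
Xlate = Tuple[Tuple[str, int], Tuple[str, int]]


@dataclass
class NatRule:
    name: str
    kind: str                  # "static" or "dynamic"
    real_net: str              # real (inside) prefix, e.g. "10.20.2.2/32"
    mapped_ip: str             # mapped (outside) address
    section: int               # 1, 2 or 3, see module docstring
    real_port: Optional[int] = None    # static service translation, real side
    mapped_port: Optional[int] = None  # static service translation, mapped side

    def matches_inbound(self, dst_ip: str, dst_port: int) -> bool:
        if dst_ip != self.mapped_ip:
            return False
        return self.mapped_port is None or self.mapped_port == dst_port


def evaluation_order(rules: List[NatRule]) -> List[NatRule]:
    """Section 1, then section 2 (static first, longest real prefix first), then 3."""
    sec2 = sorted(
        (r for r in rules if r.section == 2),
        key=lambda r: (r.kind != "static", -ipaddress.ip_network(r.real_net).prefixlen),
    )
    return ([r for r in rules if r.section == 1] + sec2
            + [r for r in rules if r.section == 3])


def untranslate_inbound(rules: List[NatRule], dst_ip: str, dst_port: int,
                        xlates: Tuple[Xlate, ...] = ()):
    """Return (rule name, real ip, real port) for an inbound packet.

    (name, None, None) means a rule matched but nothing could be untranslated:
    the packet stays addressed to the ASA itself and an ACL written against
    real addresses never sees the intended inside host.
    """
    for rule in evaluation_order(rules):
        if not rule.matches_inbound(dst_ip, dst_port):
            continue
        if rule.kind == "static":
            real_ip = str(ipaddress.ip_network(rule.real_net)[0])
            return rule.name, real_ip, rule.real_port or dst_port
        for mapped, real in xlates:        # dynamic PAT: existing xlate only
            if mapped == (dst_ip, dst_port):
                return rule.name, real[0], real[1]
        return rule.name, None, None
    return None, dst_ip, dst_port


def build_rules(after_auto: bool) -> List[NatRule]:
    """The thread's two object NAT rules plus its outbound PAT rule."""
    return [
        NatRule("obj_10.20.2.2", "static", "10.20.2.2/32", OUTSIDE_IF, 2, 21, 2121),
        NatRule("obj_10.20.2.3", "static", "10.20.2.3/32", OUTSIDE_IF, 2, 21, 2122),
        # nat (any,outside) [after-auto] source dynamic NETWORK_OBJ_10.20.0.0_16 interface
        NatRule("pat_10.20.0.0_16", "dynamic", "10.20.0.0/16", OUTSIDE_IF,
                3 if after_auto else 1),
    ]


if __name__ == "__main__":
    for label, rules in (("section 1", build_rules(False)),
                         ("after-auto", build_rules(True))):
        print(label, "->", untranslate_inbound(rules, OUTSIDE_IF, 2121))
```

The model also shows why the earlier advice to run packet-tracer against port 2121 rather than 21 matters: the object NAT rule only matches its mapped port, so a trace to 3.3.3.3:21 tests nothing about the port forward. On a real ASA the equivalent check is `show nat` (which prints the three sections in evaluation order) followed by the two packet-tracer commands from earlier in the thread.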

I think you are right.

Can I replace it without anybody noticing it in the network?

Thank you

If you first add the new line and then remove the old one, no user should notice it. But configurations like these should always be done at times of low network activity.

Dear Karsten,

The after-auto solved the problem. Thank you very very much!!!
