Beginner

ASA5516-X SFR Port forward not working

Hi

I tried to configure port forwarding from a local DVR to a public IP address but it's not working.

Device: Cisco ASA5516-X SFR (IOS 9.12)

Public IP address xxx.xxx.xxx.12x

Local IP address 10.10.8.25

Ports that need to be forwarded: 554, 8000, 81 (all TCP ports)

Find the configuration below:

object network DVR1
 host 192.168.8.11

object network DVR1
nat (any,outside) static interface service tcp 8000 8000
object network DVR1-554
nat (any,outside) static interface service tcp rtsp rtsp
object network DVR-80
nat (inside,outside) static interface service tcp 81 81

access-list inbound extended permit tcp any eq rtsp object DVR1-554 eq rtsp
access-list inbound extended permit tcp any eq 81 object DVR1 eq 81

access-list inbound extended permit tcp any eq 8000 object DVR1 eq 8000

access-group inbound in interface outside

I tried to change the configuration but port forwarding is not happening. Please let me know where I am missing the configuration.

Thanks in advance

Javahar

1 REPLY
Mentor

Hi,

Presuming that all the "object" configurations have "host 192.168.8.11" under them, it seems to me that the only problem is in your "access-list" configurations.

Please remove the source ports that you have defined in your current "access-list".

This configuration (problematic section marked with red)

access-list inbound extended permit tcp any eq rtsp object DVR1-554 eq rtsp
access-list inbound extended permit tcp any eq 81 object DVR1 eq 81
access-list inbound extended permit tcp any eq 8000 object DVR1 eq 8000

Needs to be this

access-list inbound extended permit tcp any object DVR1-554 eq rtsp
access-list inbound extended permit tcp any object DVR1 eq 81
access-list inbound extended permit tcp any object DVR1 eq 8000

With the current rules the traffic would only be allowed if the connection's source port was the same as the destination port, and that will not happen.

After you have changed the configurations (or even before it) you can use the "packet-tracer" command to test your configurations and find the problems.

Example of the format for testing connection attempts from behind the "outside" interface:

packet-tracer input outside tcp <source ip> 12345 <public nat IP> <destination port>

I used the source port 12345 randomly. It can really be anything you like. The source IP address can be anything also, but naturally, according to the ASA's routing table, it has to be located behind the "outside" interface.

Hope this helps :)

- Jouni
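The source-port mistake Jouni describes, modelled as an added example that is not part of the thread and not Cisco's code: a small Python evaluator for the ASA extended ACE syntax used above, run over the original and corrected rules the way packet-tracer would. It assumes all three objects resolve to 192.168.8.11 (as the reply presumes) and uses a constructed source address.

```python
import re
# Constructed sample. The reply presumes every object carries "host 192.168.8.11";
# that assumption is encoded here for DVR1-554 and DVR-80 as well.
OBJECTS = {"DVR1": "192.168.8.11", "DVR1-554": "192.168.8.11", "DVR-80": "192.168.8.11"}
NAMED_PORTS = {"rtsp": 554, "http": 80, "https": 443}

# access-list NAME extended ACTION tcp SRC [eq SPORT] [object] DST [eq DPORT]
ACE_RE = re.compile(r"access-list \S+ extended (permit|deny) tcp (\S+)"
                    r"(?: eq (\S+))? (?:object )?(\S+)(?: eq (\S+))?")

def port(tok):
    """Resolve an ASA port keyword or number to an integer."""
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def parse_ace(line):
    m = ACE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    action, src, sport, dst, dport = m.groups()
    return {"action": action, "src": src, "sport": port(sport) if sport else None,
            "dst": OBJECTS.get(dst, dst), "dport": port(dport) if dport else None}

def ace_matches(ace, src_ip, src_port, dst_ip, dst_port):
    # A missing "eq" means "any port"; a present one must match exactly.
    return (ace["src"] in ("any", src_ip) and ace["dst"] in ("any", dst_ip)
            and ace["sport"] in (None, src_port) and ace["dport"] in (None, dst_port))

def acl_verdict(acl_lines, src_ip, src_port, dst_ip, dst_port):
    """First-match evaluation ending in the ASA's implicit deny. dst_ip is the
    real (post-NAT) address, as ASA 8.3+ evaluates interface ACLs on real IPs."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, src_ip, src_port, dst_ip, dst_port):
            return ace["action"]
    return "deny"

ORIGINAL_ACL = [  # as posted in the question
    "access-list inbound extended permit tcp any eq rtsp object DVR1-554 eq rtsp",
    "access-list inbound extended permit tcp any eq 81 object DVR1 eq 81",
    "access-list inbound extended permit tcp any eq 8000 object DVR1 eq 8000",
]
CORRECTED_ACL = [  # as given in the reply
    "access-list inbound extended permit tcp any object DVR1-554 eq rtsp",
    "access-list inbound extended permit tcp any object DVR1 eq 81",
    "access-list inbound extended permit tcp any object DVR1 eq 8000",
]

def trace(acl_lines, dst_port, src_ip="203.0.113.5", src_port=12345):
    """Mirror of 'packet-tracer input outside tcp <src> 12345 <public IP> <port>'
    once static NAT has mapped the public IP to 192.168.8.11 (203.0.113.5 is a
    constructed, documentation-range source address)."""
    return acl_verdict(acl_lines, src_ip, src_port, "192.168.8.11", dst_port)
```

With a random client source port the original rules fall through to the implicit deny; they only permit when the client happens to use the same source and destination port.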