Cisco ASA 5508 Firewall - Port Forwarding

Casinoaus
Level 1

Hi Guys,


I have a client who has a 5508 firewall and am trying to forward port 25 to 10.0.0.7. I have had no success with this. The network is as follows:

Internet -> Cisco 2800 (port 25 open and working) -> HP Switch (Port forward working up to here) ->  ASA 5508 -> Internal network with mail server


Below is the config currently running on the 5508; the external IP has been replaced with ext_ip and the password removed for obvious reasons.


I would appreciate any help you can give.


Thanks


Casinoaus

35 Replies

Dennis Mink
VIP Alumni

You would need to allow port 25 on the outside interface as well.

Please remember to rate useful posts, by clicking on the stars below.

Francesco Molino
VIP Alumni

Hi

Your NAT statement is:

object network obj_10.0.0.7
 nat (inside,outside) static ext_ip service tcp smtp smtp

You have an acl:

access-list from_outside extended permit icmp any any echo

But I don't see any acl attached to your outside interface.

Please do as follows:

access-group from_outside in interface outside
access-list from_outside extended permit icmp any any echo
access-list from_outside extended permit tcp any object obj_10.0.0.7 eq 25

To test it, you can do real test or also:

packet-tracer input outside tcp 8.8.8.8 25 10.0.0.7 25

Let me know if it works or not and if not, please paste the output of the packet-tracer

Just for your information, avoid using any in a NAT statement; you can run into weird situations:

object network obj_any
 nat (any,outside) dynamic interface

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

Hi Francesco,

The config did not work, below is the packet tracer output and the current config on the ASA is attached.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.7 using egress ifc  inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from_outside in interface outside
access-list from_outside extended permit tcp any object obj_10.0.0.7 eq smtp
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_10.0.0.7
 nat (inside,outside) static 59.100.224.70 service tcp smtp smtp
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi

You're getting a NAT issue.

Could you modify your NAT as follow:

object network obj_10.0.0.7
 nat (inside,outside) static interface service tcp smtp smtp

Replace the IP with the keyword interface.

Let me know.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks Francesco,

Which IP should I be using in place of "interface"? The IP from the router? or the public IP of the site? When I use the IP from the router I get an error about overlap with the outside interface and when I use the public IP the forward is still not working.

Cheers

Casinoaus

No, you can put the word interface.

It seems that you have a router before the ASA, and I guess this router has the public IP? If yes, you need to configure the NAT on your router to forward that traffic to the ASA. The ASA only needs to allow this traffic; it is not mandatory to configure NAT on it.

Do you have a high level design of your wan infrastructure? And the config of your router

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

I don't have a layout of the network nor a router config at hand.

The post I just made includes the basic layout, and the port 25 forward in the router is definitely working.

Thanks

Ok let me make a summary.

You have a router that has the public IP.

This router already forwards TCP port 25 to your firewall.

Did you configure the NAT statement with the interface keyword instead of the IP?

After that, could you run the packet-tracer again?

You were close to having it working, except that you have a NAT drop. But with the interface keyword it should work.

Let me know

Thanks
Francesco

PS: Please don't forget to rate and select as validated answer if this answered your question

Your statements are correct.

I replaced the IP with the word interface and ran the packet tracer; the result is in my post 2nd from the top of the page. It is still having a packet drop.

Thanks

Could you paste your config?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The drop in NAT due to rpf is usually an incorrectly issued packet-tracer. Did you use the public or private IP as the destination IP?

The ext_ip you are NATing to the interface IP?  If not, is the IP routed toward your ASA by your ISP?

--
Please remember to select a correct answer and rate helpful posts

Casinoaus
Level 1

Thanks for the information.

I will be attempting the config on Thursday.

Will let you know what has fixed the issue.

Casinoaus

Casinoaus
Level 1

Ok so the latest progress.

The config is like this:

Dynamic IP from ISP
-> Cisco Router with port 25 forwarded to 172.16.0.13, which is the IP of the Cisco ASA 5508 (tested and verified working)
-> Netgear Layer 3 switch, configured as a dummy switch
-> Cisco ASA 5508, Internet IP = 172.16.0.13, inside interface configured with the 10.0.0.0 range

Mail server located at 10.0.0.7 and ready to receive emails.

There is no traffic getting through the ASA as yet. Current packet tracer output from 8.8.8.8 to 10.0.0.7 below:

Result of the command: "packet-tracer input outside tcp 8.8.8.8 25 10.0.0.7 25"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.7 using egress ifc  inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from_outside in interface outside
access-list from_outside extended permit tcp any object obj_10.0.0.7 eq smtp
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_10.0.0.7
 nat (inside,outside) static interface service tcp smtp smtp
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I have followed Francesco's suggestions and the result is still the same. I believe it is one line of settings which isn't quite right, but I lack the necessary knowledge to fix it.

Thanks for your help so far, everyone.

Casinoaus

Your packet-tracer is incorrect; you need to use the public IP as the destination IP:

packet-tracer input outside tcp 8.8.8.8 25 192.168.1.1 25

--
Please remember to select a correct answer and rate helpful posts
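The following is an added example; it is not code from the thread, from the poster, or from Cisco. It serves two points made above: Francesco's first answer (static NAT object plus an ACL on the outside interface, tested with packet-tracer) and the closing diagnosis that packet-tracer must be given the mapped (public/outside) destination, because the NAT rpf-check phase drops a probe aimed at the real inside address even when the ACL phase allowed it. The rule, the addresses (10.0.0.7, 172.16.0.13) and the abbreviated trace text come from the thread; the NAT model is a deliberate simplification (one interface pair, static rules only, no route or ACL evaluation) and the helper names are this example's own assumptions.

```python
"""Added example (not from the thread): a small model of the ASA decision that
produced the 'NAT rpf-check' DROP in the posted traces, plus a parser that pulls
the dropping phase out of packet-tracer output. Simplified model, assumed names."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """One 'nat (inside,outside) static <mapped> service tcp <real> <mapped>' rule."""
    real_ip: str
    mapped_ip: str      # the literal "interface" means the outside interface address
    proto: str
    real_port: int
    mapped_port: int


# The thread's rule after Francesco's change: real 10.0.0.7:25 -> mapped <outside IP>:25
RULES = [StaticNat("10.0.0.7", "interface", "tcp", 25, 25)]
OUTSIDE_IP = "172.16.0.13"   # ASA outside address as described by the poster


def untranslate(rules, outside_ip, proto, dst_ip, dst_port):
    """Inbound NAT lookup: if the packet's destination matches a rule's *mapped*
    side, return the real (inside) address it translates to, else None."""
    for r in rules:
        mapped = outside_ip if r.mapped_ip == "interface" else r.mapped_ip
        if r.proto == proto and dst_ip == mapped and dst_port == r.mapped_port:
            return (r.real_ip, r.real_port)
    return None


def nat_rpf_check(rules, outside_ip, proto, dst_ip, dst_port):
    """Simplified model of the 'NAT rpf-check' phase for a packet entering
    'outside': the destination must be consistent with the translation the ASA
    would apply in the reverse direction. A probe addressed to the *real* inside
    IP matches no mapped side, yet a rule owns that IP, so the check fails (the
    DROP in both posted traces). Addressed to the mapped IP, it untranslates."""
    hit = untranslate(rules, outside_ip, proto, dst_ip, dst_port)
    if hit is not None:
        return f"ALLOW: untranslated to {hit[0]}:{hit[1]}"
    for r in rules:
        if r.proto == proto and r.real_ip == dst_ip and r.real_port == dst_port:
            return ("DROP: rpf-check failed; destination is the real IP, "
                    "rerun packet-tracer against the mapped (outside) IP")
    return "ALLOW: no static NAT applies to this destination"


PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S*)\nSubtype: ?(\S*)\nResult: (\w+)", re.M)


def first_drop(trace):
    """Return the first packet-tracer phase whose Result is DROP, together with
    the final Drop-reason line, or None when every phase allowed the packet."""
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    for m in PHASE_RE.finditer(trace):
        if m.group(4) == "DROP":
            return {"phase": int(m.group(1)), "type": m.group(2),
                    "subtype": m.group(3), "reason": reason.group(1) if reason else ""}
    return None


def advise(trace):
    """Turn a packet-tracer transcript into the one-line diagnosis the thread
    reached: a NAT/rpf-check drop on an inbound static NAT usually means the
    probe was run against the wrong (real) destination address."""
    d = first_drop(trace)
    if d is None:
        return "no drop: flow is permitted end to end"
    if d["type"] == "NAT" and d["subtype"] == "rpf-check":
        return f"phase {d['phase']} NAT rpf-check drop: test with the mapped IP, not the real IP"
    return f"phase {d['phase']} {d['type']} {d['subtype']} drop: {d['reason']}"


# Abbreviated copy of the poster's second trace (constructed from the thread text).
SAMPLE_TRACE = """Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_10.0.0.7
 nat (inside,outside) static interface service tcp smtp smtp

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(advise(SAMPLE_TRACE))
    print(nat_rpf_check(RULES, OUTSIDE_IP, "tcp", "10.0.0.7", 25))   # the thread's probe
    print(nat_rpf_check(RULES, OUTSIDE_IP, "tcp", OUTSIDE_IP, 25))   # mapped-IP probe
```

Two things worth noting from the model. The generic `Drop-reason: (acl-drop)` string at the bottom of the transcript is not where the decision was made; the phase list is, and Phase 7 (NAT, rpf-check) is the first DROP, which is why the parser reports the phase rather than the summary line. And because the access-list in this thread references the object `obj_10.0.0.7` (the real address) while the NAT lookup has to match the mapped address, the ACL phase can pass on a probe that NAT then rejects; on the poster's topology the mapped address is the ASA outside IP 172.16.0.13, so that, not 10.0.0.7, is the destination a meaningful packet-tracer run would name.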