Cisco ASA 8.4 Static NAT (Port Forwarding Issue)

ugabichipaopao
Level 1

Dear Colleagues,

Please help me to solve a NAT translation issue. I have the ASA v8.4(5) image.

I need to implement a static port forwarding translation (to forward packets from the Internet to a DMZ server when connecting on custom port TCP/17887).

The server in the DMZ has IP address 172.23.255.3/24. I used Cisco ASDM for the port forwarding configuration.

 

Under Edit Network Object (NAT Section) I did:

1. Chose Add Automatic Address Translation Rules
2. Type is set to "Static"
3. Translate Addr (I will use my outside interface)

Then I pressed the Advanced button and did:

1) I chose in the Interface section: source interface (my DMZ interface), destination interface (my outside interface)
2) I chose in the Service section: Protocol (TCP), Real Port (17887), Mapped Port (17887).

 

After I applied the configuration, added an access rule on the outside interface (any ---> Real Server IP ---> tcp/17887 ---> permit) and attempted to connect from the Internet to my public interface (my outside IP address).

The connection was not successful. I see in the ASDM Log Viewer:

TCP request discarded from 213.111.83.151/57976 to outside:77.222.x.x/17887

(Explanation from ASDM:

%ASA-7-710005: {TCP|UDP} request discarded from 
source_address/source_port to interface_name:dest_address/service

The ASA does not have a UDP server that services the UDP request. Also, a TCP packet that does not belong to any session on the ASA may have been discarded. In addition, this message appears (with the SNMP service) when the ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is SNMP, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed.)

Please help me to solve this problem. Did I do something wrong?

Best Regards,

Maxim

I added a file with Packet Tracer output where we can see that for some reason the traffic was dropped.

8 Replies

Ruben Cocheno
Spotlight

I'm not very familiar with ASDM, so can you share the config?

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Hello,

My config is huge. Maybe I can show you some part of it?

interface GigabitEthernet0/2.11
 description ===== Socar Test =====
 vlan 11
 nameif Socar_Test
 security-level 0
 ip address 172.23.255.1 255.255.255.0 standby 172.23.255.2

interface GigabitEthernet0/3
 description ===== External Internet Connection =====
 nameif outside
 security-level 0
 ip address 77.222.x.x 255.255.255.248 standby 77.222.x.x
 ospf cost 10


object network Socar_test_SRV
 host 172.23.255.3

object network Socar_test_SRV
 nat (Socar_Test,outside) static interface service tcp 17887 17887

access-list Socar_Test_access_in extended deny ip any any (ACL for interface GigabitEthernet0/2.11)

access-list FromOutside extended permit tcp any object Socar_test_SRV eq 17887 (ACL for interface GigabitEthernet0/3)

 

If I need to show some additional part of the config, please let me know.

Hello,

As per the NAT configuration, it's correct.

Both your external interface and DMZ interface have the same security level (0); check in your config that same-security traffic is permitted between interfaces.

By default, these same-security interfaces cannot communicate with one another. To work around this, the same-security-traffic permit inter-interface command was introduced. This command allows communication between interfaces of the same security level.

"Please rate helpful posts"

Hello,

Still not working. The same syslog message:

%ASA-7-710005: {TCP|UDP} request discarded from 
source_address/source_port to interface_name:dest_address/service


Hello,

Check the access-list Socar_Test_access_in, in which direction it is applied, and if possible enable logging on the console while attempting to connect, to see whether traffic is denied by any ACL.

access-group Socar_Test_access_in in interface Socar_Test

asa1/act# show running-config access-list Socar_Test_access_in
access-list Socar_Test_access_in extended deny ip any any

Should I open something?

Poonam Garg
Level 3

This access-group shows that any traffic trying to enter the DMZ will be denied. Either remove this ACL if it is not specifically needed, or permit your source IP/port to the destination IP/port.

asa1/act# show running-config access-list Socar_Test_access_in
access-list Socar_Test_access_in extended permit ip any any
access-list Socar_Test_access_in extended deny ip any any

I added permit any any but it is still not working.
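As an added example that is not part of this thread or of any Cisco tool, the three points raised in the replies (same-security-level interfaces, the post-8.3 rule that interface ACLs match the real address, and whether the permit ACL is actually bound inbound on the mapped interface) as a small Python audit run over the configuration lines posted above; the sample config is constructed from those posts, and the same-security-traffic and access-group FromOutside lines used in the fixed variant are assumed, since the thread never shows them.

```python
import re

# Constructed sample from the lines posted in this thread; no same-security-traffic line
# and no access-group for "outside" were ever posted, so both of those checks fire here.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2.11
 nameif Socar_Test
 security-level 0
interface GigabitEthernet0/3
 nameif outside
 security-level 0
object network Socar_test_SRV
 nat (Socar_Test,outside) static interface service tcp 17887 17887
access-list Socar_Test_access_in extended deny ip any any
access-list FromOutside extended permit tcp any object Socar_test_SRV eq 17887
access-group Socar_Test_access_in in interface Socar_Test
"""

def parse(cfg):
    levels, acls, groups, nat, obj, nameif, same_sec = {}, {}, {}, [], None, None, False
    for s in (line.strip() for line in cfg.splitlines()):
        p = s.split()
        if s.startswith("interface "): nameif = None
        elif s.startswith("nameif "): nameif = p[1]
        elif s.startswith("security-level ") and nameif: levels[nameif] = int(p[1])
        elif s.startswith("object network "): obj = p[2]
        elif s.startswith("nat (") and obj:
            m = re.match(r"nat \((\S+),(\S+)\) static \S+ service (\w+) (\d+) \d+", s)
            if m: nat.append((obj,) + m.groups())  # object, real_if, mapped_if, proto, real_port
        elif s.startswith("access-list "): acls.setdefault(p[1], []).append(s)
        elif s.startswith("access-group "): groups[p[4]] = (p[1], p[2])  # nameif -> (acl, direction)
        elif s == "same-security-traffic permit inter-interface": same_sec = True
    return levels, nat, acls, groups, same_sec

def audit(cfg):
    """Findings for the three points raised in the thread; an empty list means all pass."""
    levels, nat, acls, groups, same_sec = parse(cfg)
    findings = []
    for obj, real_if, mapped_if, proto, rport in nat:
        if real_if in levels and levels[real_if] == levels.get(mapped_if) and not same_sec:
            findings.append(f"{real_if} and {mapped_if} share security-level {levels[real_if]} "
                            "but 'same-security-traffic permit inter-interface' is missing")
        # Post-8.3 ACLs match the real (untranslated) address, i.e. the object, and only apply once bound inbound on the mapped interface.
        acl, direction = groups.get(mapped_if, (None, None))
        if direction != "in":
            findings.append(f"no inbound access-group on {mapped_if}: the permit for {proto}/{rport} is not applied")
        elif not any(f"permit {proto} " in l and f"object {obj} " in l and f"eq {rport}" in l
                     for l in acls.get(acl, [])):
            findings.append(f"ACL {acl} on {mapped_if} has no permit for {proto}/{rport} to object {obj}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Paste a real `show running-config` into `SAMPLE_CONFIG` to run the same checks against it; the deny-all on Socar_Test is left alone because an inbound ACL on the DMZ side filters connections the server initiates, not the replies of an established inbound session.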
