Cisco ASA - Port Forward Denied

TomBarber2830
Level 1

Hi Folks

I've been trying for a few hours and failing. I have an old Cisco ASA Firewall and I'm trying to configure port forwarding on it to expose a webserver sat on the other side of the firewall. From the firewall I can ping the webserver so I know there is life there but I can't get it to be visible in the outside world...

object network Internal_Web_Server
host 10.10.8.253

access-list RA_VPN-access extended permit ip 11.0.0.0 255.255.255.0 any
access-list RA_VPN-access extended permit object-group DM_INLINE_PROTOCOL_1 object RA_VPN-hosts object InternalHosts
access-list RA_VPN-access extended permit tcp object RA_VPN-hosts 172.16.0.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list internet extended permit object-group DM_INLINE_SERVICE_1 object InternalHosts any
access-list outside_access_in extended permit tcp any object Internal_Web_Server eq www
access-list outside_access_in extended permit ip 11.0.0.0 255.255.255.0 any
access-list outside_access_in extended permit ip any interface inside
access-list outside_access_in extended permit ip object RA_VPN-hosts object InternalHosts
access-list outside_nat extended permit ip 11.0.0.0 255.255.255.0 any
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List standard permit 10.10.10.0 255.255.255.0
access-list Split_Tunnel_List standard permit 11.0.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.16.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.8.0 255.255.255.0

nat (any,any) source static RA_VPN-hosts RA_VPN-hosts destination static InternalHosts InternalHosts
nat (any,outside) source dynamic InternalHosts interface
nat (ManageASDM,outside) source static any any destination static NETWORK_OBJ_11.0.0.0_24 NETWORK_OBJ_11.0.0.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_11.0.0.0_24 NETWORK_OBJ_11.0.0.0_24 no-proxy-arp route-lookup
nat (outside,inside) source static RA_VPN-hosts RA_VPN-hosts
!
object network Internal_Web_Server
nat (inside,outside) static interface service tcp www www
!
nat (ManageASDM,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface
nat (any,outside) after-auto source dynamic OpenstackHosts interface

If I run a packet-trace I can't get it to accept the connection...

I've followed about 100 different tutorials and failed.

What have I misconfigured?

Thanks

Tom

4 Replies

Hi,

My guess would be that there is another NAT rule above your NAT for the webserver that traffic is matched against first, which is causing you issues.

Please provide the output of "show nat" and provide the output from the CLI of the packet-tracer command - this should indicate which NAT rule is being matched.

HTH

Thanks

spicule-firewall# show nat
Manual NAT Policies (Section 1)
1 (any) to (any) source static RA_VPN-hosts RA_VPN-hosts destination static InternalHosts InternalHosts
translate_hits = 63, untranslate_hits = 2
2 (any) to (outside) source dynamic InternalHosts interface
translate_hits = 5077, untranslate_hits = 19
3 (ManageASDM) to (outside) source static any any destination static NETWORK_OBJ_11.0.0.0_24 NETWORK_OBJ_11.0.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static any any destination static NETWORK_OBJ_11.0.0.0_24 NETWORK_OBJ_11.0.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (outside) to (inside) source static RA_VPN-hosts RA_VPN-hosts
translate_hits = 30, untranslate_hits = 2

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Internal_Web_Server interface service tcp www www
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (ManageASDM) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (outside) to (outside) source dynamic any interface
translate_hits = 3209, untranslate_hits = 0
3 (any) to (outside) source dynamic OpenstackHosts interface
translate_hits = 7, untranslate_hits = 0

I'm not sure what the correct packet-tracer command is:

If I do

packet-tracer input outside tcp 8.8.8.8 80 10.10.8.253 80

I get

 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.8.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Internal_Web_Server eq www
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network Internal_Web_Server
nat (inside,outside) static interface service tcp www www
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

If I do

packet-tracer input outside tcp 8.8.8.8 80 185.136.244.10 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 185.136.244.10 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop

Remove this nat rule "nat (any,outside) source dynamic InternalHosts interface" and replace with "nat (any,outside) after-auto source dynamic any interface". This moves this nat rule from before the static NAT rule for the Internal Web Server to after.

Test again, run packet-tracer with the valid public IP address.

HTH
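A small Python model of the NAT section ordering the answer above relies on, added here as an illustration rather than code from the thread or from Cisco. It walks rules as Section 1 (manual), Section 2 (auto/object) and Section 3 (manual after-auto), assumes that InternalHosts contains the web server's subnet, and simplifies the ASA's untranslate and rpf-check behaviour to the two outcomes seen in the packet-tracer output: the dynamic PAT placed before the object NAT swallows the inbound connection, while the same rule placed after-auto lets the static port forward win.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUTSIDE_IF = "185.136.244.10"   # public interface address from the packet-tracer above
WEB_SERVER = "10.10.8.253"      # object network Internal_Web_Server
# Constructed assumption: object-group InternalHosts contains the web server's subnet.
INTERNAL_HOSTS = [ip_network("10.10.8.0/24")]
ANY = [ip_network("0.0.0.0/0")]

@dataclass
class NatRule:
    name: str
    section: int         # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual after-auto
    static_port: object  # None = dynamic PAT to the interface; int = static port forward
    real: list           # real (inside) networks whose traffic this rule translates
    def covers(self, ip):
        return any(ip_address(ip) in net for net in self.real)

def outbound_match(rules, src_ip, sport):
    """First rule that translates a flow leaving the real server (inside -> outside).
    The ASA walks Section 1, then 2, then 3; sorted() is stable, so order within a section is kept."""
    for r in sorted(rules, key=lambda r: r.section):
        if r.covers(src_ip) and r.static_port in (None, sport):
            return r
    return None

def inbound_lookup(rules, dst_ip, dport):
    """Untranslate an unsolicited packet aimed at the outside interface IP. A dynamic PAT to
    'interface' met first cannot untranslate a new inbound connection, so the packet is treated
    as to-the-box (the 'NP Identity Ifc' result shown above)."""
    for r in sorted(rules, key=lambda r: r.section):
        if dst_ip == OUTSIDE_IF and r.static_port in (None, dport):
            return (None if r.static_port is None else str(r.real[0].network_address)), r
    return None, None

def port_forward_works(rules, dport=80):
    real_ip, rule = inbound_lookup(rules, OUTSIDE_IF, dport)
    if real_ip is None:
        return False, "no untranslate; first match was " + (rule.name if rule else "none")
    # rpf-check: the reply flow from the real server must hit the same NAT rule.
    if outbound_match(rules, real_ip, dport) is not rule:
        return False, "rpf-check failed on " + rule.name
    return True, "forwarded to %s:%d via %s" % (real_ip, dport, rule.name)

def build_rules(dynamic_section, dynamic_src):
    static = NatRule("auto static Internal_Web_Server tcp www", 2, 80, [ip_network(WEB_SERVER + "/32")])
    return [NatRule("dynamic PAT to interface", dynamic_section, None, dynamic_src), static]

BEFORE = build_rules(1, INTERNAL_HOSTS)  # nat (any,outside) source dynamic InternalHosts interface
AFTER = build_rules(3, ANY)              # nat (any,outside) after-auto source dynamic any interface
```

Calling port_forward_works(BEFORE) and port_forward_works(AFTER) reproduces the failing and the fixed configuration; outbound_match(BEFORE, WEB_SERVER, 80) shows the reply flow landing on the dynamic rule, which is the rpf-check drop from the first packet-tracer.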

Amazing.... this is why you ask the pros!....

Knew it would be something trivial!

Thanks
