Cisco ASA port forwarding and vpn issues

Tomas K
Level 1

Hi,

I am new to Cisco ASA. First of all, the model is a Cisco ASA 5515. The ASA is in routing mode.

There are some issues. I need to make port forwarding from the external network KabelBW to the internal network LAN IP 192.168.1.174, for example port 8080.

I am not sure if I did all the necessary steps.

The second issue is that when I am connected from different networks through VPN, I cannot access internal LAN servers: no ping, no access at all. I can only access the network which is connected site to site.

The config is like this:

Result of the command: "show config" attached.

 

Thanks.

9 Replies

Tomas K
Level 1

Need urgent help.

Thanks.

Hi,

This is a NAT example for the port forwarding requirement:-

object network obj-192.168.1.174

host 192.168.1.174

nat (inside,outside) static interface service tcp 8080 8080

On the Outside interface apply this ACL:-

access-list Out-In permit tcp any obj-192.168.1.174 eq 8080

 

For the other issue, VPN access to the internal resources:-

Check if you have all these networks in Split Tunnel policy and you have NAT statement for the VPN pool and internal Subnets between the Inside and Outside interface.

Thanks and Regards,

Vibhor Amrodia

Hi,

Regarding port forwarding, it is already done in the way you suggested.

See the config file in the first post.

Hi,

So, is it not working? If not, can you send me this output:-

packet-tracer input outside tcp 4.2.2.2 34456 <Outside Interface IP> 8080 det

Thanks and Regards,

Vibhor Amrodia

Merry Christmas.

Here's the output:

Result of the command: "packet input KabelBW tcp 4.2.2.2 34456 external_ip 8080 det"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   external_ip  255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29b7d5b0, priority=0, domain=nat-per-session, deny=false
    hits=241387, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a5f96f0, priority=0, domain=permit, deny=true
    hits=94800, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=KabelBW, output_ifc=any

Result:
input-interface: KabelBW
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here's also the access-group and access-list:

Result of the command: "show run access-group"

access-group KabelBW_access_in_1 in interface KabelBW control-plane
access-group KabelBW_access_in in interface KabelBW
access-group LAN_access_in in interface LAN
access-group Servers_access_in in interface Servers
access-group global_access global

 

Result of the command: "show run access-list"

access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 any 
access-list LAN_access_in extended permit icmp 192.168.1.0 255.255.255.0 any 
access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any eq sip 
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0 
access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0 
access-list Split-Tunnel remark access to hidden_net
access-list Split-Tunnel standard permit 192.168.244.0 255.255.255.0 
access-list KabelBW_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 
access-list KabelBW_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list KabelBW_access_in extended permit tcp any eq 8080 object STATIC-PAT eq 8080 log debugging 
access-list KabelBW_access_in remark Starface Portweiterleitung extern an Starface
access-list KabelBW_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host 192.168.1.5 eq sip 
access-list KabelBW_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list Servers_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
access-list KabelBW_cryptomap_3 extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 object hidden_net1
access-list KabelBW_access_in_1 extended permit tcp any eq 8080 object STATIC-PAT eq 8080 
access-list KabelBW_access_in_1 extended permit ip object-group VPN any 
access-list global_access extended permit ip any any log debugging 

 

Thanks.

Hi,

This is the issue:-

nat (LAN,KabelBW) source dynamic any interface

NAT Statement is not even being hit for this traffic.

I would recommend you to change this NAT to the Auto NAT section and that should resolve this issue.

Thanks and Regards,

Vibhor Amrodia

I agree with Vibhor. Your NAT order of operations is incorrect.

They are processed "top down" and first match will end NAT processing.

The one Vibhor cited is your second statement and will effectively catch all traffic from the LAN to KabelBW interface.
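To make the "top down, first match ends NAT processing" point concrete, here is an added Python model of the ASA NAT lookup order; it is constructed for this thread, not ASA code and not something any poster supplied. It carries only the two rules that decide the port forward, `nat (LAN,KabelBW) source dynamic any interface` in Section 1 and the object static PAT for 192.168.1.174 tcp/8080 in Section 2, and omits the VPN identity rules because they only match traffic to the VPN pool. Assumptions: 203.0.113.10 is a constructed stand-in for external_ip, Section 2 is ordered static before dynamic and most specific first, and a dynamic PAT rule gives a new inbound connection no reverse (UN-NAT) mapping, which is why the inbound ACL written against object STATIC-PAT never matched in the packet trace above.

```python
"""Simplified model of ASA NAT lookup order (constructed example, not ASA code).

Section 1 (manual NAT) keeps configured order.  Section 2 (auto / object NAT)
is ordered static before dynamic, then fewest real addresses first, then lowest
real address, then object name.  The first rule that covers a flow ends the
search, and a dynamic PAT rule offers no reverse mapping for a new inbound
connection, so a flow it claims cannot be UN-NATted.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Optional

# Constructed stand-in for the "external_ip" shown in the thread's packet trace.
INTERFACE_IP = IPv4Address("203.0.113.10")


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int               # 1 = manual NAT, 2 = auto (object) NAT
    kind: str                  # "static" or "dynamic"
    real_ifc: str
    mapped_ifc: str
    real_net: IPv4Network      # /32 for a host static PAT, 0.0.0.0/0 for "any"
    mapped_ip: IPv4Address     # interface address for "interface" PAT
    real_port: Optional[int] = None    # service tcp <real> <mapped>, if any
    mapped_port: Optional[int] = None


def order_rules(rules):
    """Return the rules in the order the ASA would evaluate them."""
    section1 = [r for r in rules if r.section == 1]      # configured order
    section2 = sorted(
        (r for r in rules if r.section == 2),
        key=lambda r: (r.kind != "static",               # static first
                       r.real_net.num_addresses,         # most specific first
                       int(r.real_net.network_address),
                       r.name),
    )
    return section1 + section2


def lookup_outbound(rules, real_ifc, mapped_ifc, src_ip, src_port):
    """First rule covering a new connection leaving real_ifc towards mapped_ifc."""
    for r in order_rules(rules):
        if (r.real_ifc, r.mapped_ifc) != (real_ifc, mapped_ifc):
            continue
        if src_ip not in r.real_net:
            continue
        if r.real_port is not None and r.real_port != src_port:
            continue
        return r
    return None


def lookup_inbound(rules, mapped_ifc, dst_ip, dst_port):
    """Reverse lookup for a new inbound connection arriving on mapped_ifc.

    Returns (rule, "real_ip:port") for a static rule, or (rule, None) when the
    first covering rule is dynamic: the packet keeps its mapped destination and
    an inbound ACL written against the real host (object STATIC-PAT) can no
    longer match it.
    """
    for r in order_rules(rules):
        if r.mapped_ifc != mapped_ifc or dst_ip != r.mapped_ip:
            continue
        if r.mapped_port is not None and r.mapped_port != dst_port:
            continue
        if r.kind == "dynamic":
            return r, None
        # Host static PAT: real_net is a /32, so its network address is the host.
        return r, f"{r.real_net.network_address}:{r.real_port or dst_port}"
    return None, None


# The two rules that decide the thread's port forward.  The VPN identity
# (no-NAT) rules are omitted: they only match traffic to the VPN pool.
STATIC_PAT = NatRule("obj-STATIC-PAT", 2, "static", "LAN", "KabelBW",
                     ip_network("192.168.1.174/32"), INTERFACE_IP, 8080, 8080)
MANUAL_DYNAMIC = NatRule("manual-dynamic-any", 1, "dynamic", "LAN", "KabelBW",
                         ip_network("0.0.0.0/0"), INTERFACE_IP)
# The reply's suggestion: the same dynamic PAT moved into the auto NAT section.
AUTO_DYNAMIC = NatRule("obj_any", 2, "dynamic", "LAN", "KabelBW",
                       ip_network("0.0.0.0/0"), INTERFACE_IP)


def trace_port_forward(rules):
    """(outbound rule, inbound rule, inbound translation) for the 8080 forward."""
    host = IPv4Address("192.168.1.174")
    out = lookup_outbound(rules, "LAN", "KabelBW", host, 8080)
    inb, xlate = lookup_inbound(rules, "KabelBW", INTERFACE_IP, 8080)
    return out.name, inb.name if inb else None, xlate


if __name__ == "__main__":
    print("original:", trace_port_forward([MANUAL_DYNAMIC, STATIC_PAT]))
    print("fixed:   ", trace_port_forward([STATIC_PAT, AUTO_DYNAMIC]))
```

With the rules as posted, both the outbound and the inbound lookup stop at the Section 1 dynamic rule, so the static PAT is never consulted and the inbound packet reaches the ACL still addressed to the interface IP. With the dynamic PAT moved into Section 2, the host static PAT sorts ahead of the "any" dynamic rule, so tcp/8080 is UN-NATted to 192.168.1.174 while other ports and other hosts still fall through to interface PAT.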

Ok. I did try your suggested configuration, but when I added an Auto NAT static rule instead of a dynamic one, the VPN stopped being accessible; I mean I can't even connect to the VPN. Port forwarding was working, but I need both port forwarding and VPN working.

Maybe you can suggest what was wrong, or if I missed something.

I reverted back to the original configuration.

Result of the command: "show run nat"

nat (LAN,KabelBW) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static VPN VPN
nat (LAN,KabelBW) source dynamic any interface
nat (LAN,KabelBW) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (any,KabelBW) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (KabelBW,KabelBW) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (LAN,KabelBW) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

 

Result of the command: "show run access-list"

access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 any 
access-list LAN_access_in extended permit icmp 192.168.1.0 255.255.255.0 any 
access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any eq sip 
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0 
access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0 
access-list Split-Tunnel remark access to hidden_net
access-list Split-Tunnel standard permit 192.168.244.0 255.255.255.0 
access-list KabelBW_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 
access-list KabelBW_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list KabelBW_access_in
access-list KabelBW_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host 192.168.1.5 eq sip 
access-list KabelBW_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list Servers_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
access-list KabelBW_cryptomap_3 extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 object hidden_network
access-list KabelBW_access_in_1 extended permit ip object-group VPN any 

Hi,

Did you add something like this on the ASA device:-

nat (LAN,KabelBW) static any interface

If not, what is the NAT you added? I am sure that port forwarding together with the VPN will work, but we need to verify the actual configuration from when you saw the issue.

Thanks and Regards,

Vibhor Amrodia

 
