1) You need static nat.

2) Access list on outside interface. 

If you are doing port translation for the server on firewall you can do that in nat statement.

For more information on natting part refer :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_rules.html

isn't that just a repeat of what I posted?

Thanks for your response.

ACL and NAT rules have been defined, and packet tracer is working on both sides

(inside => outside  and  outside=>inside)

But the external access is still unavailable (trying telnet 25.37.123.16 on 8080 port)

And real-time log viewer is not showing error (all ACL have debugging mode logging)

Regards.

Hi,

If you have configured what Marius has suggested then your internal server should be accessible on public IP.

As it is not working then you can check following.:

1:ASA is getting the traffic or not. To check try following:

Apply capture:

Cap capi interface outside match TCP any host <public IP> eq 8080

Then initiate test traffic.

To view captures:

Show cap capi

Check if you are getting any traffic for port 8080

To remove capture:

No cap capi

Lets us know your findings

thanks,

RS

Hello,

Here are the results of capture :

(wan ip on asa : 25.37.123.16, wan ip at home 81.68.89.27)

   1: 21:55:40.583221 802.1Q vlan#2 P0 81.68.89.27.51332 > 25.37.123.16.80: S 1595282403:1595282403(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
   2: 21:55:40.828036 802.1Q vlan#2 P0 81.68.89.27.51333 > 25.37.123.16.80: S 1350892881:1350892881(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
   3: 21:55:42.669948 802.1Q vlan#2 P0 81.68.89.27.51335 > 25.37.123.16.80: S 1624536922:1624536922(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>

And with netstat -a  on home computer :

h-25-37-123-16-80:http   SYN_SENT
h-25-37-123-16-80:http   SYN_SENT

MSS is set to 1380 on ASA, I tried  1452 and 1460 values.

Shwo xlate command is showing :

TCP PAT from outside:0.0.0.0/0 80-80 to inside:192.168.78.254 80-80
    flags srT idle 2:46:57 timeout 0:00:00


TCP PAT from inside:192.168.78.252 80-80 to outside:25.37.123.16 80-80
    flags srT idle 10:16:24 timeout 0:00:00

Hi,

It looks like there is no SYN/ACK from the server side.

1. You can confirm whether the ASA is sending the SYN packet out of the firewall and check whether it gets any SYN/ACK back on the inside interface. You can do capture on the inside interface "cap capo int inside match tcp h 81.68.89.27 h <Real IP of the server>" 

2. You can check on the server whether it is responding back or not. Normally we see issue where the server does not respond back becasue the source IP does not belong to the same subnet as the server. 

Thanks,

Shivapramod M

Hi, here are the captures :

Cap capi interface inside match TCP any host <public IP> eq 80

Result of the command: "Show cap capi"

0 packet captured

0 packet shown




cap capo int inside match tcp h 81.68.89.27 h <Real IP of the server>


Result of the command: "Show cap capo"

0 packet captured

0 packet shown

I think you got ports wrong in your capture command. You should try port 8080 instead of 80 to capture traffic from Ingress on egress interfaces.

Follow the capture command suggested by Marius and share your findings.

Thanks,

RS

Can you perhaps post the output of "show nat"? This is just to verify the order of all your NAT rules and whether you are getting hits on the relevant rules in each of the 3 Sections.

Hello,

Sorry all, my test concerns http port and not 8080 .

Regards.

Could you run the following capture while testing.

Cap capin interface inside match TCP any host <private IP> eq 8080

Cap capout interface outside match TCP any host <public IP> eq 8080

show cap capout

show cap capin

If you see no traffic on the inside interface please post your ASA's full sanitised running config.

--

Please remember to select a correct answer and rate helpful posts

Hi,

In the show xlate output i do not see any xlates for the port 8080. 

Please check if you have the correct NAT statement,

object network SERVER_8080

  host 192.168.78.252

  nat (inside,outside) static interface service tcp 8080 8080

With above mentioned nat rule you should see the xlate as:

TCP PAT from inside:192.168.78.252 8080-8080 to outside: 25.37.123.16 8080-8080 flags sr idle 0:00:04 timeout 0:00:00

Whereas in the output you have attached i do not see anything for port 8080. Follow the steps mentioned by Marius.

Also try packet-tracer and check if corect NAT rule is getting evaluated.:

packet input outside tcp <sourceip> <src-port> 25.37.123.16 8080 det

Share your findings.

Thanks,

RS

The capture you posted doesn't show any return traffic either.  we only see traffic coming from 81.68.89.27 to 25.37.123.16  but nothing from 25.37.123.16 back to 81.68.89.27.

I am assuming this capture is on the ASA outside interface.  could you also do a capture on the inside interface to see if traffic is actually going out that interface.

follow what Rishabh has suggested but for the inside interface...like this:

Cap capi interface inside match TCP any host <private IP> eq 8080

Do you have any access lists on the inside interface that might be blocking return traffic?

--

Please remember to select a correct answer and rate helpful posts