10-15-2015 12:55 PM - edited 03-11-2019 11:45 PM
I work mainly with Barracuda firewalls and my Cisco command line is bad bad.
I have a Cisco 5515 at 216.x.x.39 and I need to forward port 46611 to an internal IP address 10.10.3.7 port 9000.
my inside interface is nas-main
outside interface is twtc
I tried using ASDM and it didn't work and currently I am trying command line, but I keep getting error messages with my nat command.
Also, detailed help would be appreciated, please; as I said, my Cisco command line experience is lacking.
Thanks in advance.
10-16-2015 02:30 PM
Can you remove a line from your configuration temporarily?
So type this -
"no access-group global_access global"
Then in this order -
1) run "sh nat" and save the output
2) run the same packet-tracer command as before
3) run "sh nat" again
post results.
Jon
10-16-2015 02:32 PM
I am getting an error message on the command
no access-group global_access global
It is putting a marker at the "a" in the first "access".
10-16-2015 02:37 PM
Not sure why, it's in your configuration.
Can you post output of "sh run access-group".
Jon
10-16-2015 02:38 PM
Got it, I had to do config t first,
but now "run sh nat" is not working.
I am at the enable level.
10-16-2015 02:41 PM
At the enable mode it should just be "sh nat".
Jon
10-16-2015 02:45 PM
ok got the info
first sh nat
enable
BAEng(config)# sh nat
Manual NAT Policies (Section 1)
1 (NAS-Main) to (TWTC) source static any interface unidirectional
translate_hits = 1655, untranslate_hits = 0
2 (NAS-QA1) to (TWTC) source static any interface unidirectional
translate_hits = 0, untranslate_hits = 0
3 (NAS-QA2) to (TWTC) source static any interface unidirectional
translate_hits = 0, untranslate_hits = 0
4 (BTC) to (TWTC) source static BTC-ClearOS BTC-Email inactive
translate_hits = 0, untranslate_hits = 0
5 (BTC) to (TWTC) source static BTC-Metric-Private BTC-Metric-Public service E
ncryptedMail EncryptedMail
translate_hits = 0, untranslate_hits = 0
6 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public service BTC
-EmailPort25 BTC-EmailPort25
translate_hits = 0, untranslate_hits = 0
7 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public service BTC
-ICMP BTC-ICMP
translate_hits = 0, untranslate_hits = 0
8 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public service ENGR-
VPN-UDP-1194 ENGR-VPN-UDP-1194
translate_hits = 0, untranslate_hits = 0
9 (NAS-Main) to (TWTC) source static ENGR-OpenVPN DM_INLINE_NETWORK_1 service
ENGR-VPN-1194 ENGR-VPN-1194
translate_hits = 0, untranslate_hits = 0
10 (NAS-Main) to (TWTC) source static GIt-SERVER NASMAIN-Public service SSH SS
H
translate_hits = 0, untranslate_hits = 0
11 (NAS-Main) to (TWTC) source static Terastation BTC-Email service SSH SSH
translate_hits = 0, untranslate_hits = 0
12 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public service ENGR
-VPN-443 ENGR-VPN-443
translate_hits = 0, untranslate_hits = 0
13 (NAS-Main) to (TWTC) source static TS3000-Build NASMAIN-Public service TSbu
ild-4343-2 TSbuild-4343-2
translate_hits = 0, untranslate_hits = 0
14 (NAS-Main) to (TWTC) source static WEBAccess-FW interface service WEBAccess
-FW-Port-2 WEBAccess-FW-Port-2
translate_hits = 0, untranslate_hits = 0
15 (NAS-Main) to (TWTC) source static TestRail-private NASMAIN-Public service
TestRAil-80-2 TestRAil-80-2
translate_hits = 0, untranslate_hits = 0
16 (NAS-Main) to (TWTC) source static TS-WEbAccess-Test-private interface serv
ice Web-Access-Test-2 Web-Access-Test-2
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (BTC) to (TWTC) source static BTC-ClearOS BTC-Public
translate_hits = 0, untranslate_hits = 37
2 (VideoConference) to (TWTC) source static VC VideoConferencePublic
translate_hits = 0, untranslate_hits = 37
Manual NAT Policies (Section 3)
1 (BTC) to (TWTC) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
BAEng(config)#
then tracer
BAEng(config)# packet-tracer input nas-main tcp 10.10.0.2 12345 8.8.8.8 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 TWTC
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (NAS-Main,TWTC) source static any interface unidirectional
Additional Information:
Static translate 10.10.0.2/12345 to 216.54.247.34/12345
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2228, packet dispatched to next module
Result:
input-interface: NAS-Main
input-status: up
input-line-status: up
output-interface: TWTC
output-status: up
output-line-status: up
Action: allow
BAEng(config)#
then second sh
BAEng(config)# sh nat
Manual NAT Policies (Section 1)
1 (NAS-Main) to (TWTC) source static any interface unidirectional
translate_hits = 2301, untranslate_hits = 0
2 (NAS-QA1) to (TWTC) source static any interface unidirectional
translate_hits = 0, untranslate_hits = 0
3 (NAS-QA2) to (TWTC) source static any interface unidirectional
translate_hits = 0, untranslate_hits = 0
4 (BTC) to (TWTC) source static BTC-ClearOS BTC-Email inactive
translate_hits = 0, untranslate_hits = 0
5 (BTC) to (TWTC) source static BTC-Metric-Private BTC-Metric-Public service E
ncryptedMail EncryptedMail
translate_hits = 0, untranslate_hits = 0
6 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public service BTC
-EmailPort25 BTC-EmailPort25
translate_hits = 0, untranslate_hits = 0
7 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public service BTC
-ICMP BTC-ICMP
translate_hits = 0, untranslate_hits = 0
8 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public service ENGR-
VPN-UDP-1194 ENGR-VPN-UDP-1194
translate_hits = 0, untranslate_hits = 0
9 (NAS-Main) to (TWTC) source static ENGR-OpenVPN DM_INLINE_NETWORK_1 service
ENGR-VPN-1194 ENGR-VPN-1194
translate_hits = 0, untranslate_hits = 0
10 (NAS-Main) to (TWTC) source static GIt-SERVER NASMAIN-Public service SSH SS
H
translate_hits = 0, untranslate_hits = 0
11 (NAS-Main) to (TWTC) source static Terastation BTC-Email service SSH SSH
translate_hits = 0, untranslate_hits = 0
12 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public service ENGR
-VPN-443 ENGR-VPN-443
translate_hits = 0, untranslate_hits = 0
13 (NAS-Main) to (TWTC) source static TS3000-Build NASMAIN-Public service TSbu
ild-4343-2 TSbuild-4343-2
translate_hits = 0, untranslate_hits = 0
14 (NAS-Main) to (TWTC) source static WEBAccess-FW interface service WEBAccess
-FW-Port-2 WEBAccess-FW-Port-2
translate_hits = 0, untranslate_hits = 0
15 (NAS-Main) to (TWTC) source static TestRail-private NASMAIN-Public service
TestRAil-80-2 TestRAil-80-2
translate_hits = 0, untranslate_hits = 0
16 (NAS-Main) to (TWTC) source static TS-WEbAccess-Test-private interface serv
ice Web-Access-Test-2 Web-Access-Test-2
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (BTC) to (TWTC) source static BTC-ClearOS BTC-Public
translate_hits = 0, untranslate_hits = 39
2 (VideoConference) to (TWTC) source static VC VideoConferencePublic
translate_hits = 0, untranslate_hits = 40
Manual NAT Policies (Section 3)
1 (BTC) to (TWTC) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
BAEng(config)#
10-16-2015 02:46 PM
Disabling the group opened up outside internet access.
10-16-2015 02:48 PM
Do you mean it worked?
Jon
10-16-2015 02:50 PM
yes, we can surf the internet now, just not sure how open we are.
What did that group do?
10-16-2015 04:16 PM
You are not open at all because you have no acl on your TWTC interface so nothing can come in except return traffic to clients.
Basically all traffic is allowed from a higher interface to a lower interface by default so NAS-Main should be allowed out.
You can configure interface acls or global acls which apply to all interfaces and interface acls take precedence.
By the looks of it the global_access acl was created for the server access that you mentioned was working.
What you should have done was to create the acl and apply it to the TWTC interface inbound just allowing that port.
But you created a global acl and applied it inbound only allowing that port to your server.
But a global acl applies inbound to all interfaces including the NAS-Main interface so you effectively blocked all traffic.
When you rebooted the device any new connections were then blocked.
By taking it off traffic is now allowed by default from the NAS-Main interface to the TWTC interface.
So don't worry about any access from outside because like I say you would need an acl on the TWTC interface applied inbound for traffic to be initiated from outside.
If you want access back to your server then just create a new acl copying the global_access acl but probably with a better name, e.g.
TWTC_access_in
and apply it to your TWTC interface -
"access-group TWTC_access_in in interface TWTC"
make sure you only allow the ports you need so basically a copy of the global_access acl.
Does all that make sense?
Any queries, clarifications please ask.
Jon
10-16-2015 02:48 PM
That looks better.
Can you test from a client and then if it is working post back here and I'll explain what went wrong.
Jon
10-19-2015 07:27 AM
Jon,
Thank you for your help on Friday, sorry not to thank you then, but I had to go deal with another problem that popped up.
Things seem to be ok. I need to work on getting some of the old rules removed and turning on a few of the ones we disabled.
Also, to finish up the port forwarder correctly.
But I wanted to say, thank you!!!!
10-19-2015 11:04 AM
Chris
No problem, I figured things might be a bit hectic for you.
By all means post a new question if you need to when looking at the port forwarding.
Jon