07-04-2021 01:43 AM
Hi,
do not port forward on a private address.
private address 10.100.100.6:80
Interface OUTSIDE
interface GigabitEthernet1/1
description Redundant1 backup uplink
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
description Redundant1 backup uplink
no nameif
no security-level
no ip address
!
interface Redundant1
description Redundant1 uplink
member-interface GigabitEthernet1/1
member-interface GigabitEthernet1/2
mac-address 9ceb.e87c.8c8f
nameif OUTSIDE
security-level 0
ip address dhcp
!
!
Host server 80
object network obj_test
host 10.100.100.6
!
!
Access list OUTSIDE
access-list OUTSIDE extended permit tcp any object obj_test eq www
!
!
Access group OUTSIDE
access-group OUTSIDE in interface OUTSIDE
!
!
NAT
object network obj_LAN_networks
nat (LAN-NETWORKS,OUTSIDE) dynamic interface
!
object network obj_test
nat (LAN-NETWORKS,OUTSIDE) static interface service tcp www 8443
!
!
Ping server 10.100.100.6:80
ASA(config)# ping tcp 10.100.100.6 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.100.100.6 port 80
from 10.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
!
!
Packet tracer
packet-tracer input OUTSIDE tcp 8.8.8.8 12345 10.100.100.6 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.100.6 using egress ifc LAN-NETWORKS
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface OUTSIDE
access-list OUTSIDE extended permit tcp any object obj_test eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7c5bfb28d0, priority=13, domain=permit, deny=false
hits=10, user_data=0x7f7c5593b2c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.100.100.6, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7c5d7d8a60, priority=7, domain=conn-set, deny=false
hits=17, user_data=0x7f7c5d7d5b10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7c5b2d8670, priority=0, domain=nat-per-session, deny=false
hits=2678, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7c5bfdd5d0, priority=0, domain=inspect-ip-options, deny=true
hits=2516, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_test
nat (LAN-NETWORKS,OUTSIDE) static interface service tcp www 8443
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f7c5bf82bd0, priority=6, domain=nat-reverse, deny=false
hits=6, user_data=0x7f7c5c285340, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.100.100.6, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=OUTSIDE, output_ifc=LAN-NETWORKS
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: LAN-NETWORKS
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-04-2021 02:54 AM
See, a packet coming from the Internet, let's say source 8.8.8.8:22 and destination 10.100.100.6:80: the ASA will drop the packet. You can check this with syslogs, if configured on the firewall. Also, you can do a packet-tracer, as you did. The mistake you made is that you inserted the RFC 1918 IP address; that is why we noted the rpf-check drop.
Or, in simple words, when you are coming from the public network to your local LAN, the destination IP address of the "packet-tracer" can't be a private IP address.
Therefore, to get this to work, you should put the outside ASA IP address.
packet-tracer input OUTSIDE tcp 8.8.8.8 12345 X.X.X.X 80 detailed (where X.X.X.X is your ASA OUTSIDE IP address).
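Added example, not the poster's or the answerer's configuration: the NAT line in the original post, `service tcp www 8443`, maps the server's real port 80 to port 8443 on the OUTSIDE interface address, so a test written the way the Internet sees the service targets the outside address and the mapped port, while the access list keeps matching the real (untranslated) address and port, which is how ASA 8.3 and later evaluate ACLs. The outside address is not given in the thread; 203.0.113.10 and the test source 198.51.100.25 are documentation-range placeholders.

```cisco
! Added example, not the original poster's configuration.
! 203.0.113.10 stands in for the undisclosed DHCP-assigned OUTSIDE address;
! 198.51.100.25 is a constructed test source.
!
! Real server on real port 80, mapped to the OUTSIDE interface address on 8443.
object network obj_test
 host 10.100.100.6
 nat (LAN-NETWORKS,OUTSIDE) static interface service tcp www 8443
!
! ASA 8.3+ ACLs are evaluated against the real address and real port, so the
! rule names the server and www, not the outside address and 8443.
! If the client population is known, narrow the source instead of using "any".
access-list OUTSIDE extended permit tcp any object obj_test eq www
access-group OUTSIDE in interface OUTSIDE
!
! Test the forward as an Internet client would reach it: outside address, mapped port.
packet-tracer input OUTSIDE tcp 198.51.100.25 12345 203.0.113.10 8443 detailed
!
! The same test aimed at the real address from OUTSIDE contradicts the static
! rule and is expected to stop at Phase NAT / rpf-check with Action: drop,
! exactly as in the original post.
packet-tracer input OUTSIDE tcp 198.51.100.25 12345 10.100.100.6 80 detailed
!
! Confirm the rule is actually used: untranslate_hits increments on inbound
! connections, translate_hits on outbound ones from the server.
show nat detail
show conn address 10.100.100.6 port 80
```

The destination in the first packet-tracer is the mapped address because the ASA un-translates inbound packets before they are routed; a packet that arrives on OUTSIDE already addressed to the real address has no matching un-translation and fails the NAT reverse-path check, which is the drop recorded in the original post.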
07-04-2021 02:01 AM
@Fajfo123 Run packet-tracer using the destination IP address of the ASA's outside interface, not the private IP address of the server.
07-04-2021 03:48 PM - edited 07-04-2021 03:50 PM
@Sheraz.Salim @Rob Ingram Thank you. Packet-tracer passes:
packet-tracer input OUTSIDE tcp 8.8.8.8 12345 public_IP_outside 80