Port Forward DHCP WAN address

mumbles202 · ‎04-13-2020

Is it possible to do a port forward on dhcp address to a host inside? I have the following configuration:

interface Management0/0
nameif management
security-level 0
ip address dhcp setroute

route inside 192.168.0.0 255.255.0.0 192.168.4.4

access-list management_access_in extended permit tcp object-group obj_mytest interface management eq https

access-group management_access_in in interface management

object network obj_testserver_HTTPS
nat (inside,management) static interface service tcp https https

to forward requests from 1 ip to the public of the firewall (the firewall "public" is actually a private ip of 192.168.3.4). When i do a test i see the incoming packets but they get dropped. And if do a packet-tracer i get the following:

firewall# packet-tracer input management tcp 1.1.1.1 1024 192.168.3.4 https d$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ff1b4654cd0, priority=13, domain=capture, deny=false
        hits=14636973, user_data=0x7ff1b4543f40, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=management, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ff1b41260b0, priority=1, domain=permit, deny=false
        hits=2690965408, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=management, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.3.4 using egress ifc  identity

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ff1a11a15a0, priority=0, domain=nat-per-session, deny=false
        hits=22685371, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ff1b41274a0, priority=0, domain=permit, deny=true
        hits=567396, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=management, output_ifc=any

Result:
input-interface: management
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000561e1458c5f0 flow (NA)/NA

Rob Ingram · ‎04-13-2020

Hi, the destination in your ACL would be the IP address of obj_testserver_HTTPS not the management interface.

HTH

mumbles202 · ‎04-13-2020

Thanks. I actually have that as line 2 of the ACL as well:

access-list management_access_in extended permit tcp object-group obj_mytest object obj_testserver_HTTPS eq https

which was in place and failing. When i saw it failing i added the line 1 w/ the interface command.

Rob Ingram · ‎04-13-2020

What ip addresses are defined in the object-group obj_my test? Is 1.1.1.1?

mumbles202 · ‎04-14-2020

Got this working, though I'm unclear as to why it was failing. I had the nat in place from my first post as well as this:

nat (management,management) source dynamic Anyconnect-Client interface

where the object Anyconnect-Client is 10.180.0.0/24

I added this:

object service TCP_HTTPS
service tcp source eq https

nat (inside,management) 2 source static obj_testserver_HTTPS interface service TCP_HTTPS TCP_HTTPS

and was able to confirm it works via packet-tracer as well as remotely. Why would that nat policy cause an issue?