11-27-2018 11:20 PM - edited 02-21-2020 08:30 AM
Been frustrated with this all day ... here is my config:
: Saved
!
ASA Version 9.2(4)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
clock timezone PST -8
clock summer-time DST recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
object network insideNet
 subnet 10.10.10.0 255.255.255.0
object network Mike
 host 10.10.10.90
access-list inbound extended permit udp any host 10.10.10.90
access-list inbound extended permit tcp any host 10.10.10.90
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network insideNet
 nat (inside,outside) dynamic interface
object network Mike
 nat (outside,inside) static interface service udp 5800 5800
access-group inbound in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.10.5-10.10.10.36 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.239.35.4 prefer
ntp server 216.239.35.8
ntp server 216.239.35.12
username michael ...... privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Here is the output of this command: packet-tracer input outside udp 13.57.212.236 5800 10.10.10.90 5800
ciscoasa(config)# packet-tracer input outside udp 13.57.212.236 5800 10.10.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit udp any host 10.10.10.90
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network insideNet
 nat (inside,outside) dynamic interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Notice that it is the rule that lets me get out that is for some reason denying the inbound traffic.... I don't understand how to fix this...
11-28-2018 01:38 AM
Hi,
Guess this will help you a bit.
regards,
11-28-2018 01:39 AM
object network insideNet nat (inside,outside) dynamic interface
Now, if you want port forwarding, the command above is not going to work, as you are doing one-to-many NAT.
object network Mike nat (outside,inside) static interface service udp 5800 5800
Change this to:
object network Mike
 nat (inside,outside) static interface service udp 5800 5800
and then run a packet tracer.
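To make the fix concrete, here is an added configuration fragment (not posted by either participant) that shows the static NAT rule as posted beside the corrected one, together with the command to verify it. On ASA 8.3 and later, the two interfaces in nat (real_ifc,mapped_ifc) are the interface where the object's real address lives and the interface where its translated address is presented. Mike is 10.10.10.90 on inside, so the pair must be (inside,outside); written as (outside,inside) the rule never matches a packet arriving on outside for that host, and the reverse-path check in phase 7 of the packet-tracer finds only the dynamic PAT rule, under which inbound traffic to the host's real address is not a legitimate translation. The fragment assumes object Mike is still defined as host 10.10.10.90 and uses the placeholder <outside-ip> for the DHCP-assigned outside address; the ACL tightening is an added hardening step, not something the thread asks for.

```cisco
! --- As posted: real and mapped interfaces are reversed, so inbound udp/5800
! --- to the outside interface address never matches this rule.
object network Mike
 host 10.10.10.90
 nat (outside,inside) static interface service udp 5800 5800
!
! --- Corrected: the real address lives on inside, the mapped (interface) address on outside.
! --- Removing the old statement first avoids an overlapping-NAT error for the same object.
object network Mike
 host 10.10.10.90
 no nat (outside,inside) static interface service udp 5800 5800
 nat (inside,outside) static interface service udp 5800 5800
!
! --- Optional tightening (added assumption, not from the thread): only udp/5800 is forwarded,
! --- so permit only that port. On ASA 8.3+ the ACL is checked against the real (untranslated)
! --- address, which is why the ACE still names 10.10.10.90 rather than the outside address.
access-list inbound extended permit udp any host 10.10.10.90 eq 5800
no access-list inbound extended permit udp any host 10.10.10.90
no access-list inbound extended permit tcp any host 10.10.10.90
!
! --- Verify with the packet as it really arrives from the Internet: the destination is the
! --- outside interface address (see "show interface ip brief"), not 10.10.10.90.
! --- 203.0.113.10 is a constructed test source. Expected output: an UN-NAT phase quoting
! --- "nat (inside,outside) static interface service udp 5800 5800" and a final "Action: allow".
! packet-tracer input outside udp 203.0.113.10 40000 <outside-ip> 5800
```

The destination address in the verification command matters: the original packet-tracer used 10.10.10.90 as the destination, but traffic from outside is addressed to the outside interface's public address and only becomes 10.10.10.90 after un-NAT, so a trace against the real address does not reflect what the firewall will see.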