cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1742
Views
0
Helpful
3
Replies

Port forwarding ASA 9.1(2)

walters199
Level 1
Level 1

Hi guys.

 

I am completely lost with my asa 5505.
No props forwarding ports on other cisco routers but this device is driving me nuts.

I have tried countless setups and followed so many examples. I have seriously no clue anymore.

I just want my 25 be forwarded to my mail server on the dmz interface.

 

I put my config in the attachements ( incl sh nat, sh acl)
What I already tried was nat on the objects itself.
acl with and without objects
 

The strange thing is that no counters of the nat or acl are running up if I telnet on port 25 from an outside machine.
Also the syslog server doesn't show anything blocking on port 25.

 

My packet trace.

 

RTR01# packet-tracer input outside tcp 4.4.4.2 smtp 192.168.101.10 25

 

Phase: 1

Type: ACCESS-LIST

Subtype: 

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

 

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.101.0   255.255.255.0   DMZ

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_acl in interface outside

access-list outside_acl extended permit tcp any object srv-192.168.101.10 eq smtp log debugging 

Additional Information:

              

Phase: 4      

Type: NAT     

Subtype: per-session

Result: ALLOW 

Config:       

Additional Information:

              

Phase: 5      

Type: IP-OPTIONS

Subtype:      

Result: ALLOW 

Config:       

Additional Information:

              

Phase: 6      

Type: NAT     

Subtype: rpf-check

Result: DROP  

Config:       

nat (DMZ,outside) source dynamic any interface

Additional Information:

              

Result:       

input-interface: outside

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: drop  

Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

 

sh nat

 

 

 

1 Accepted Solution

Accepted Solutions

Poonam Garg
Level 3
Level 3

Hi Walter,

The problem seems to be related to order of operation of NAT statements.

nat (DMZ,outside) source dynamic any interface

nat (DMZ,outside) source static srv-192.168.101.10 interface service tcp-25 tcp-25

Check "Show Nat", your SMTP NAT statement must come before your dynamic NAT statement.

Twice NAT statements are executed in the order they are configured.

 

View solution in original post

3 Replies 3

Poonam Garg
Level 3
Level 3

Hi Walter,

The problem seems to be related to order of operation of NAT statements.

nat (DMZ,outside) source dynamic any interface

nat (DMZ,outside) source static srv-192.168.101.10 interface service tcp-25 tcp-25

Check "Show Nat", your SMTP NAT statement must come before your dynamic NAT statement.

Twice NAT statements are executed in the order they are configured.

 

Poonam,

 

Thank you for your reply.
I have changed a few things after this and it works now after weeks of trial and error.

What I changed

 

I removed the NAT rule on object network srv-192.168.101.10

I created an object service MAIL
service tcp source eq smtp

I removed the object service TCP-25 because that would constantly giving me an error that it was not mapped ?

 

I created a manual NAT rule

 

nat (DMZ,outside) 1 source static srv-192.168.101.10 interface service MAIL MAIL
 

My acl was already in place. A telnet from a remote machine on port 25 works perfectly.

 

sh nat

Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static srv-192.168.101.10 interface   service MAIL MAIL
    translate_hits = 1, untranslate_hits = 1
2 (DMZ) to (outside) source dynamic DMZ interface  
    translate_hits = 87, untranslate_hits = 0
3 (inside) to (outside) source dynamic inside interface  
    translate_hits = 32, untranslate_hits = 0

 

So probably the auto nat function didn t work. For me I need to find out why the first time the rule under the object came under the auto nat functions. 

 

Learned a lot this time.

SO problem solved
 


 

Hi Walter,

I am happy to hear that your problem resolved.

Kindly rate the solution, if it helped you so that it will also be helpful to others.

Review Cisco Networking for a $25 gift card