08-05-2017 12:04 AM - edited 03-12-2019 02:46 AM
Hi,
I'm configuring an ASA 5506 and I have a problem with port forwarding.
My configuration is:
I want to redirect port 80 to the host 192.168.0.3, so I have used these commands:
access-list outside extended permit tcp any host 192.168.0.3 eq www
access-group outside in interface outside
When I try to connect from outside, I get this error in the ASA log:
3 Aug 05 2017 08:55:22 my remote ip 56141 192.168.12.2 80 TCP access denied by ACL from my remote ip/56141 to outside:192.168.12.2/80
Can you help me to solve it?
Regards
08-05-2017 12:27 AM
Hi,
Please share the packet tracer output
packet-tracer input outside
What is the IP 192.168.12.2/80?
Regards,
Aditya
Please rate helpful and mark correct answers
08-05-2017 12:43 AM
Hi Aditya,
This is the result of: packet-tracer input outside tcp 4.2.2.2 7676 my_remote_ip 80 det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2cb8d17950, priority=1, domain=permit, deny=false
hits=19263822, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.12.1 using egress ifc outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2cba69d620, priority=11, domain=permit, deny=true
hits=0, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
192.168.12.2 is the IP of the ASA outside interface.
I have attached to this post a schematic of the network.
Regards
08-05-2017 12:46 AM
Hi,
I checked this:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
Why is it taking this path?
Can you share the NAT statement for this traffic?
Regards,
Aditya
Please rate helpful and mark correct answers
08-05-2017 01:00 AM
This is the NAT statement which drops the packet.
obj_any1 is 0.0.0.0/0.0.0.0
object network obj_any1
nat (any,outside) dynamic interface
show nat results:
Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic obj_any1 interface
translate_hits = 30140, untranslate_hits = 692
2 (inside_3) to (outside) source dynamic obj_any3 interface
translate_hits = 0, untranslate_hits = 0
3 (inside_4) to (outside) source dynamic obj_any4 interface
translate_hits = 0, untranslate_hits = 0
4 (inside_5) to (outside) source dynamic obj_any5 interface
translate_hits = 0, untranslate_hits = 0
5 (inside_6) to (outside) source dynamic obj_any6 interface
translate_hits = 0, untranslate_hits = 0
6 (inside_7) to (outside) source dynamic obj_any7 interface
translate_hits = 5958, untranslate_hits = 1
08-05-2017 01:01 AM
Can you add this NAT and test :
object network obj_192.168.0.3
host 192.168.0.3
nat (inside,outside) static interface service
Regards,
Aditya
Please rate helpful and mark correct answers
08-05-2017 01:26 AM
Thanks to you, Aditya, I solved the problem.
I had to use:
object network obj_192.168.0.3
host 192.168.0.3
nat (inside_1,outside) static interface service tcp http http
Regards
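Added example (not part of the original thread, and not Cisco code): a small Python model of the ASA order of operations that explains the packet-tracer drop above. On ASA 8.3 and later the interface ACL is matched against real (untranslated) addresses, which is what the "use_real_addr" flag in the packet-tracer output indicates. An inbound SYN to 192.168.12.2:80 therefore only matches "permit tcp any host 192.168.0.3 eq www" after a NAT rule untranslates it to 192.168.0.3:80. The dynamic PAT on obj_any1 never does that for unsolicited inbound traffic, so the destination stays 192.168.12.2 and the packet hits the implicit deny. The static NAT with "service tcp http http" supplies the untranslate for port 80 only, so other ports on the interface IP are still dropped. The addresses, the ACL and the NAT rules are taken from the thread; the rule ordering (static before dynamic in Section 2) and the packet details are assumptions for the example.

```python
"""Model of ASA (8.3+) inbound untranslate + interface ACL evaluation.

Constructed example for the port-forward in the thread: ACL is evaluated on
REAL addresses, so without a static NAT the outside-interface IP is never
rewritten to 192.168.0.3 and the ACL cannot match.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IP = "192.168.12.2"   # ASA outside interface IP (from the thread)
SERVER = "192.168.0.3"        # internal web server (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    kind: str                       # "static" or "dynamic"
    mapped_ip: str                  # "interface" already resolved to the IP
    proto: Optional[str] = None     # set only when "service" is used
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def untranslate(pkt: Packet, rules: List[NatRule], mapped_ifc: str = "outside") -> Tuple[str, int]:
    """Return the real (dst, dport) for an unsolicited inbound packet.

    Only static rules can untranslate unsolicited inbound traffic; dynamic PAT
    builds translations for outbound connections only. With "service", the
    rule applies to one protocol/port pair and leaves everything else alone.
    """
    for r in rules:  # assumed order: static rules before dynamic (ASA Section 2)
        if r.kind != "static" or r.mapped_ifc != mapped_ifc or r.mapped_ip != pkt.dst:
            continue
        if r.proto is None:
            return r.real_ip, pkt.dport           # whole-host static NAT
        if r.proto == pkt.proto and r.mapped_port == pkt.dport:
            return r.real_ip, r.real_port         # port-restricted static NAT
    return pkt.dst, pkt.dport                     # nothing untranslated


def acl_permits(pkt: Packet, real_dst: str, real_dport: int, acl: List[AclEntry]) -> bool:
    """First-match ACL on REAL addresses (ASA 8.3+), implicit deny at the end."""
    for e in acl:
        if e.proto not in (pkt.proto, "ip"):
            continue
        if e.src not in ("any", pkt.src) or e.dst not in ("any", real_dst):
            continue
        if e.dport is not None and e.dport != real_dport:
            continue
        return e.action == "permit"
    return False


def inbound_verdict(pkt: Packet, rules: List[NatRule], acl: List[AclEntry]) -> str:
    real_dst, real_dport = untranslate(pkt, rules)
    if acl_permits(pkt, real_dst, real_dport, acl):
        return f"allow -> {real_dst}:{real_dport}"
    return f"drop (acl-drop) real dst {real_dst}:{real_dport}"


# Configuration from the thread
ACL_OUTSIDE = [AclEntry("permit", "tcp", "any", SERVER, 80)]
DYNAMIC_PAT = [NatRule("any", "outside", "0.0.0.0/0", "dynamic", OUTSIDE_IP)]
STATIC_HTTP = NatRule("inside_1", "outside", SERVER, "static", OUTSIDE_IP, "tcp", 80, 80)

# Constructed packets: the packet-tracer probe, and a probe to a port not forwarded
PROBE_80 = Packet("4.2.2.2", 7676, OUTSIDE_IP, 80)
PROBE_443 = Packet("4.2.2.2", 7677, OUTSIDE_IP, 443)


def before_fix() -> str:
    return inbound_verdict(PROBE_80, DYNAMIC_PAT, ACL_OUTSIDE)


def after_fix() -> str:
    return inbound_verdict(PROBE_80, [STATIC_HTTP] + DYNAMIC_PAT, ACL_OUTSIDE)


def after_fix_other_port() -> str:
    return inbound_verdict(PROBE_443, [STATIC_HTTP] + DYNAMIC_PAT, ACL_OUTSIDE)


if __name__ == "__main__":
    print("before static NAT :", before_fix())
    print("after static NAT  :", after_fix())
    print("tcp/443 after fix :", after_fix_other_port())
```

The third case is the check worth keeping in mind once the forward works: because the static NAT carries "service tcp http http", only tcp/80 on the interface IP reaches 192.168.0.3; a whole-host "static interface" without the service keyword would expose every port of the server that the ACL allows, so keep the ACL scoped to "eq www" either way.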
08-05-2017 01:32 AM
Happy to help :)
Regards,
Aditya
Please rate helpful and mark correct answers