07-28-2013 12:30 PM - edited 03-11-2019 07:18 PM
Hello everyone. I'm having difficulty getting an abnormal port (TCP/8080) forwarded to an internal web server (TCP/80) on a test firewall. I tried using the steps listed in a blog post I found, but haven't been able to actually get to the web server from the outside.
My rules look like this.
object network WebServer
host 192.168.35.150
description Web Server
object network WebServer
nat (inside,outside) static interface service tcp www 8080
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any interface outside eq 8080
I'm also attaching a redacted version of my running config. I have the firewall setup to do VPN hairpinning as well.
Thank you for your help in advance!
07-28-2013 12:36 PM
Hi,
The problem is in the interface ACL.
In the new software 8.3 and forward the NAT is processed before the ACLs.
So this both means that you have to allow the traffic to the real IP address and the real port.
So if you change the ACL to
access-list outside_access_in extended permit tcp any interface outside eq 80
Then it should be fine
You can test it also with the "packet-tracer" command
packet-tracer input outside tcp 1.1.1.1 12345
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
- Jouni
07-28-2013 02:48 PM
Thank you for the response Jouni! I'll test this out and let you know.
07-28-2013 08:20 PM
I changed the access rule to
access-list outside_access_in extended permit tcp any interface outside eq 80
but the traffic is still being blocked. From the packet-tracer it looks like it is being blocked by an implicit rule. I see one global ACL in ASDM that looks like this.
1 | any | any | ip | Deny | Default | [Implicit rule] |
Do I need to remove the global deny rule and change it to a deny rule on the outside interface underneath my allow tcp/80 rule? 8.3 and above are a lot different than 8.2.
Here are the packet tracer results
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-29-2013 06:45 AM
Hi,
Did you use the port TCP/8080 in the "packet-tracer" as the destination port?
What global deny rule are you talking about?
- Jouni
07-29-2013 07:24 AM
Hi,
I used TCP/8080 in the packet-tracer as the destination port.
This is the global rule I was referring to.
Thank you for your help so far!
07-29-2013 07:27 AM
Gah,
Sorry, I have been blind.
The actual ACL is wrong. You were using the "interface outside" as the destination. You need to allow the traffic to the real IP address. For some reason I completely missed that until now.
Also, it seems I managed to provide the "packet-tracer" command with a completely wrong destination port as well (the TCP/80 port earlier).
You need this
access-list outside_access_in extended permit tcp any object Webserver eq 80
After this it should work.
- Jouni
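The whole thread turns on one ordering fact: on ASA 8.3 and later, un-NAT of the destination happens before the inbound interface ACL is evaluated, so the ACL sees the real IP and real port, never the mapped ones. The following is an added teaching model of that ordering, not Cisco code and not anything from the poster's config. It assumes a constructed outside interface address (203.0.113.1, standing in for the redacted public IP) and uses the real server address 192.168.35.150 and ports 80/8080 from the thread; it then runs the three ACL variants that appear in the thread through a simplified UN-NAT then ACCESS-LIST pipeline to show which one is left standing at the implicit deny.

```python
"""Model of the ASA 8.3+ inbound packet path for a static PAT (port forward).

Constructed teaching example: not Cisco code, not the poster's config.  It only
reproduces the ordering the thread hinges on: NAT (un-NAT of the destination)
runs BEFORE the inbound interface ACL, so the ACL must match the REAL address
and REAL port, not the translated ones.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUTSIDE_IF_IP = ip_address("203.0.113.1")         # constructed placeholder for the redacted public IP
WEBSERVER_REAL_IP = ip_address("192.168.35.150")  # real IP of "object network WebServer" from the thread
WEBSERVER_REAL_PORT = 80                          # "service tcp www ..."
MAPPED_PORT = 8080                                # "... 8080" (the abnormal outside port)

# What each ACL destination keyword resolves to.  "interface outside" is the
# outside interface address; "object Webserver" is the real host.
OBJECTS = {
    "any": ip_network("0.0.0.0/0"),
    "interface outside": ip_network(f"{OUTSIDE_IF_IP}/32"),
    "object Webserver": ip_network(f"{WEBSERVER_REAL_IP}/32"),
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Ace:
    """One 'access-list ... extended permit|deny <proto> <src> <dst> eq <port>' line."""
    action: str
    proto: str
    src: str
    dst: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and ip_address(pkt.src) in OBJECTS[self.src]
                and ip_address(pkt.dst) in OBJECTS[self.dst]
                and pkt.dport == self.dport)

def un_nat(pkt: Packet) -> Packet:
    """Phase UN-NAT for 'nat (inside,outside) static interface service tcp www 8080'.
    Inbound TCP to the outside interface IP on 8080 is rewritten to the real
    server IP on 80 before the ACL is consulted.  Anything else is untouched."""
    if ip_address(pkt.dst) == OUTSIDE_IF_IP and pkt.dport == MAPPED_PORT and pkt.proto == "tcp":
        return Packet(pkt.src, str(WEBSERVER_REAL_IP), WEBSERVER_REAL_PORT, pkt.proto)
    return pkt

def evaluate_acl(acl: list[Ace], pkt: Packet) -> str:
    """First matching ACE wins; no match falls through to the implicit deny
    (packet-tracer reports this as 'Implicit Rule' with Drop-reason acl-drop)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

def packet_tracer(acl: list[Ace], pkt: Packet) -> dict:
    """Run the two phases in ASA 8.3+ order and report what the ACL phase saw."""
    translated = un_nat(pkt)                 # Phase: UN-NAT
    action = evaluate_acl(acl, translated)   # Phase: ACCESS-LIST (sees the REAL dst)
    return {
        "acl_saw_dst": f"{translated.dst}:{translated.dport}",
        "action": "allow" if action == "permit" else "drop",
    }

# The three ACL variants from the thread, in the order they were tried.
ACL_ORIGINAL = [Ace("permit", "tcp", "any", "interface outside", 8080)]   # mapped IP, mapped port
ACL_FIRST_FIX = [Ace("permit", "tcp", "any", "interface outside", 80)]    # mapped IP, real port
ACL_CORRECT = [Ace("permit", "tcp", "any", "object Webserver", 80)]       # real IP, real port

# Constructed inbound request from an arbitrary Internet host to the forwarded port.
INBOUND = Packet(src="198.51.100.7", dst=str(OUTSIDE_IF_IP), dport=MAPPED_PORT)

if __name__ == "__main__":
    for name, acl in [("original", ACL_ORIGINAL), ("first fix", ACL_FIRST_FIX), ("correct", ACL_CORRECT)]:
        print(f"{name:10s} -> {packet_tracer(acl, INBOUND)}")
```

Running it prints a drop for the first two ACLs and an allow for the third, with the ACL phase always reporting 192.168.35.150:80 as the destination it evaluated. That is exactly why "interface outside eq 8080" (pre-8.3 thinking) and "interface outside eq 80" both land on the implicit deny: by the time the ACL runs, the packet no longer carries the interface address or port 8080.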
07-29-2013 09:37 PM
I figured out what was causing the traffic to be dropped. I had configured the ASA for VPN hairpinning (u-turn) so I could VPN from a public network and be able to browse the internet securely. (more on that here http://nat0.net/cisco-asa-hairpinning/) When I removed the NAT rules I created for the hairpinning the port forwarding worked. Sorry for the noise.
These are the rules I had for the hairpinning.
nat (inside,outside) source static any any destination static NETWORK_OBJ_VPNpool NETWORK_OBJ_VPNpool no-proxy-arp route-lookup
nat (outside,outside) source dynamic NETWORK_OBJ_VPNpool interface
07-29-2013 10:22 PM
I got the VPN hairpinning and port forwarding working correctly! I used this for VPN hairpinning https://supportforums.cisco.com/docs/DOC-11640
Here are my NAT rules now that everything is working. Lines starting with # are comments I added.
# this rule allows my inside network to talk to my vpn network and vice versa
nat (inside,outside) source static InsideNetwork InsideNetwork destination static VPNNetwork VPNNetwork
!
#Dynamic NAT for inside traffic going out
object network obj_any
nat (inside,outside) dynamic interface
#Dynamic NAT for VPN hairpinning
object network VPNNetwork
nat (outside,outside) dynamic interface
#Static NAT (port forward) for external 8080 to internal 80
object network FTBcloud
nat (inside,outside) static interface service tcp www 8080
Thank you for your help Jouni!
Mike H.