Port Forwarding eq www with NAT, ACL, Object Network and Access-group on ASA5506 Version 9.81

sarnold270
Level 1

Having issues with port forwarding eq www. Ran packet-tracer, yielding the following:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc  identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

We have built many on ASA 5506 firmware 9.61. Has the Cisco CLI language changed that much from firmware 9.61 to 9.81? Any help is much appreciated.

Thank You,

SA

4 Replies

Nothing changed. It seems that you don't have an ACL entry to allow the
traffic, so it's dropped by the implicit deny ip any any. Check your ACLs, as you
might have a typo which is causing the problem.

At this moment we only have one ACL. We have additional ones to create later. It is access-list out-to-in extended permit tcp any host 192.168.1.100 eq www

sarnold270
Level 1

Still not working. Here is the config:

****FIREWALL(config)# sh run object
object network obj-192.168.1.100
 host 192.168.1.100
object service obj-80
 service tcp source eq www
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_inside
 subnet 192.168.1.0 255.255.255.0
****FIREWALL(config)# sh run access-l
access-list out-to-in extended permit tcp any host 192.168.1.100 eq www
****FIREWALL(config)# sh run nat
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static obj-192.168.1.100 interface service obj-80 obj-80

Working.  Issue was NAT statement.
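
An added example, not part of the original thread: a small Python parser for packet-tracer output like the trace in the first post. It reports the first dropping phase and flags the signs visible in that trace (no UN-NAT phase, an identity egress interface, an implicit-rule drop), which together indicate the packet was handled as traffic to the ASA itself instead of being untranslated toward the inside host. The sample trace is constructed (abbreviated from the post) and the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated from the packet-tracer output in the first post.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
found next-hop X.X.X.X using egress ifc  identity
Phase: 2
Type: NAT
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
output-interface: NP Identity Ifc
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split a trace into per-phase dicts plus the final summary dict."""
    parts = re.split(r"(?m)^Result:[ \t]*$", text, maxsplit=1)
    phases = []
    for block in re.split(r"(?m)^Phase:[ \t]*", parts[0])[1:]:
        phase = {"num": int(block.split()[0]), "body": block}
        for key in ("Type", "Subtype", "Result"):
            m = re.search(rf"(?m)^{key}:[ \t]*(.*)$", block)
            phase[key.lower()] = m.group(1).strip() if m else ""
        phases.append(phase)
    tail = parts[1] if len(parts) > 1 else ""
    return phases, dict(re.findall(r"(?m)^([\w-]+):[ \t]*(.*)$", tail))

def diagnose(text):
    """Return (first dropping phase or None, findings) for one trace."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    findings = []
    if not any(p["type"] == "UN-NAT" for p in phases):
        findings.append("no UN-NAT phase: destination was never untranslated")
    if "identity" in summary.get("output-interface", "").lower():
        findings.append("egress is the ASA itself (to-the-box traffic)")
    if drop and drop["type"] == "ACCESS-LIST" and "Implicit Rule" in drop["body"]:
        findings.append("denied by an implicit rule, not a configured ACL line")
    return drop, findings
```

Calling `diagnose(SAMPLE)` returns phase 3 as the dropping phase with all three findings, which points at the NAT rule rather than at the ACL line.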
