
port forwarding help

gdimitris

I cannot reach the internal web server 192.168.127.1 on port 443 from outside, on an ASA 5506.

In fact, I cannot reach 192.168.127.1 or 192.168.127.10 on any port from outside.

ASA Version 9.7(1)4 
!
! Reviewer notes are the "!" lines; they describe what this listing shows and
! are ignored by the CLI.
hostname xx
domain-name x.local
enable password x
names
! Address pool handed to remote-access VPN clients (referenced by tunnel-group
! CISCO_VPN below); it falls inside the VPN_10.10.127.0_26 object (10.10.127.0-63).
ip local pool VPN_POOL 10.10.127.10-10.10.127.50 mask 255.255.255.0

!
! Two interfaces each request a default route ("setroute"): the physical port
! via DHCP and the VLAN 6 PPPoE subinterface. Only ROUTIT_VLAN6 carries the
! NAT rules and the inbound ACL further down; which default route is active is
! not visible in this listing - confirm with "show route".
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/1.6
 vlan 6
 nameif ROUTIT_VLAN6
 security-level 6
 pppoe client vpdn group ROUTIT
 ip address pppoe setroute 
!
! Ports 1/2-1/8 are members of bridge-group 1; the LAN address is on BVI1.
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
! The ASA's own LAN address (also the CN of the self-signed ASDM certificate below).
interface BVI1
 description LAN
 nameif LAN
 security-level 100
 ip address 192.168.127.2 255.255.255.0 
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup ROUTIT_VLAN6
dns server-group DefaultDNS
 name-server 8.8.8.8 
 name-server 8.8.4.4 
 domain-name x.local
! Required for traffic between the equal-security (100) bridge-group member
! interfaces and LAN.
same-security-traffic permit inter-interface
! NAT_RULE is the only "any" object actually used (dynamic PAT below);
! obj_any2-obj_any7 are not referenced anywhere in this listing.
object network NAT_RULE
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
! One host object per published service (object NAT needs a distinct object per
! static PAT rule). 192.168.127.1 = mail/web/CalDAV host, 192.168.127.10 = NAS.
object network SERVER_SMTP
 host 192.168.127.1
object network SERVER_IMAP_SSL
 host 192.168.127.1
object network SERVER_IMAP
 host 192.168.127.1
object network VPN_10.10.127.0_26
 subnet 10.10.127.0 255.255.255.192
object network SERVER_SMTP_MSA
 host 192.168.127.1
object network SERVER_HTTP
 host 192.168.127.1
object network SERVER_HTTPS
 host 192.168.127.1
object network SERVER_CALDAV
 host 192.168.127.1
object network NAS_FTP
 host 192.168.127.10
object network NAS_SVN
 host 192.168.127.10
object network NAS_MGMT_1
 host 192.168.127.10
object network NAS_MGMT_2
 host 192.168.127.10
object network NAS_WEBDAV_1
 host 192.168.127.10
object network NAS_WEBDAV_2
 host 192.168.127.10
object-group service IMAP_SSL tcp
 port-object eq 993
object-group network Internal_Network
 network-object 192.168.127.0 255.255.255.0
object-group network AnyConnect_Clients
 network-object object VPN_10.10.127.0_26
object-group service CALDAV tcp
 port-object eq 1080
object-group service SMTP_MSA tcp
 port-object eq 587
object-group service SVN tcp
 port-object eq 3690
! Ports 5000/5001 are the NAS management UI (plain and TLS); 5005/5006 WebDAV.
! Both are exposed to "any" on the internet by the ACL and NAT rules below.
object-group service SYNOLOGY_MGMT_1 tcp
 port-object eq 5000
object-group service SYNOLOGY_MGMT_2 tcp
 port-object eq 5001
object-group service SYNOLOGY_WEBDAV_1 tcp
 port-object eq 5005
object-group service SYNOLOGY_WEBDAV_2 tcp
 port-object eq 5006
! Inbound ACL for ROUTIT_VLAN6 (bound by access-group below). Written against
! the real (pre-NAT) host addresses, as ASA 8.3+ requires, and closed with an
! explicit deny.
access-list ROUTIT_VLAN6_access_in extended permit tcp any object SERVER_SMTP eq smtp 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object SERVER_SMTP_MSA object-group SMTP_MSA 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object SERVER_IMAP eq imap4 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object SERVER_IMAP_SSL object-group IMAP_SSL 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object SERVER_HTTP eq www 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object SERVER_HTTPS eq https 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object SERVER_CALDAV object-group CALDAV 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object NAS_SVN object-group SVN 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object NAS_FTP eq ftp 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object NAS_MGMT_1 object-group SYNOLOGY_MGMT_1 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object NAS_MGMT_2 object-group SYNOLOGY_MGMT_2 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object NAS_WEBDAV_1 object-group SYNOLOGY_WEBDAV_1 
access-list ROUTIT_VLAN6_access_in extended permit tcp any object NAS_WEBDAV_2 object-group SYNOLOGY_WEBDAV_2 
access-list ROUTIT_VLAN6_access_in extended deny ip any any 
! Split-tunnel list: only the LAN prefix is sent through the VPN tunnel.
access-list Local_LAN_Access standard permit 192.168.127.0 255.255.255.0 
! Stock ASDM "local printing" template; it is defined here but not referenced
! by any group-policy in this listing.
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
pager lines 24
! Logging goes to the ASDM buffer only; no syslog host is configured, so ACL
! denies on the internet-facing interface are not retained anywhere.
logging enable
logging asdm informational
mtu outside 1500
mtu ROUTIT_VLAN6 1492
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
! Section-1 (manual) identity rules: LAN <-> AnyConnect traffic is left
! untranslated and is evaluated before the object NAT rules below.
nat (any,any) source static Internal_Network Internal_Network destination static AnyConnect_Clients AnyConnect_Clients no-proxy-arp
nat (any,any) source static AnyConnect_Clients AnyConnect_Clients destination static Internal_Network Internal_Network no-proxy-arp
!
! Outbound PAT to the PPPoE interface address.
object network NAT_RULE
 nat (any,ROUTIT_VLAN6) dynamic interface
! Object (auto) NAT: one static port forward per published service, each with
! "any" as the real-side interface. The poster's own fix for HTTPS was to name
! the bridge-group member port (inside_5) instead of "any"; every other rule
! here is still written with "any" and presumably needs the same change -
! confirm per service with packet-tracer from ROUTIT_VLAN6.
object network SERVER_SMTP
 nat (any,ROUTIT_VLAN6) static interface service tcp smtp smtp 
object network SERVER_IMAP_SSL
 nat (any,ROUTIT_VLAN6) static interface service tcp 993 993 
object network SERVER_IMAP
 nat (any,ROUTIT_VLAN6) static interface service tcp imap4 imap4 
object network SERVER_SMTP_MSA
 nat (any,ROUTIT_VLAN6) static interface service tcp 587 587 
object network SERVER_HTTP
 nat (any,ROUTIT_VLAN6) static interface service tcp www www 
object network SERVER_HTTPS
 nat (any,ROUTIT_VLAN6) static interface service tcp https https 
object network SERVER_CALDAV
 nat (any,ROUTIT_VLAN6) static interface service tcp 1080 1080 
object network NAS_FTP
 nat (any,ROUTIT_VLAN6) static interface service tcp ftp ftp 
object network NAS_SVN
 nat (any,ROUTIT_VLAN6) static interface service tcp 3690 3690 
object network NAS_MGMT_1
 nat (any,ROUTIT_VLAN6) static interface service tcp 5000 5000 
object network NAS_MGMT_2
 nat (any,ROUTIT_VLAN6) static interface service tcp 5001 5001 
object network NAS_WEBDAV_1
 nat (any,ROUTIT_VLAN6) static interface service tcp 5005 5005 
object network NAS_WEBDAV_2
 nat (any,ROUTIT_VLAN6) static interface service tcp 5006 5006 
access-group ROUTIT_VLAN6_access_in in interface ROUTIT_VLAN6
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
! ASDM/HTTPS management on 10443 (kept off 443/20443 so it does not collide with
! the published HTTPS forward or WebVPN). Reachable from the whole LAN and from
! a fixed list of external hosts on ROUTIT_VLAN6 (addresses redacted by the poster).
http server enable 10443
http 192.168.127.0 255.255.255.0 inside_2
http 192.168.127.0 255.255.255.0 inside_3
http 192.168.127.0 255.255.255.0 inside_4
http 192.168.127.0 255.255.255.0 inside_5
http 192.168.127.0 255.255.255.0 inside_6
http 192.168.127.0 255.255.255.0 inside_7
http 192.168.127.0 255.255.255.0 inside_1
http 83.247.xx.xxx 255.255.255.255 ROUTIT_VLAN6
http 89.146.x.xx 255.255.255.255 ROUTIT_VLAN6
http 89.146.xx.xx 255.255.255.255 ROUTIT_VLAN6
http 80.101.xxx.xx 255.255.255.255 ROUTIT_VLAN6
http 213.46.xxx.xxx 255.255.255.255 ROUTIT_VLAN6
http 80.60.xxx.xxx 255.255.255.255 ROUTIT_VLAN6
no snmp-server location
no snmp-server contact
service sw-reset-button
! IKEv2 IPsec proposals. Single DES and 3DES are still offered, and MD5 is an
! accepted ESP integrity option on every proposal; the dynamic map below lists
! AES256 first but leaves the weaker proposals negotiable.
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map ROUTIT_VLAN6_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ROUTIT_VLAN6_map interface ROUTIT_VLAN6
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=x
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=x.xx.local,O=xxx,C=xx
 crl configure
! Self-signed certificate (enrollment self) that is also used for WebVPN,
! AnyConnect/IKEv2 remote access and every interface's SSL trust-point below;
! clients cannot validate it against a public CA.
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.127.2,CN=x
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca x
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate x
  quit
! IKEv2 SA policies, evaluated in priority order (1 first). Policies 30 and 40
! offer 3DES and DES, and every policy uses DH groups 5/2 (1536/1024-bit MODP)
! with SHA-1 integrity/PRF.
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
! IKEv2 remote access on ROUTIT_VLAN6; client-services share port 20443 with WebVPN.
crypto ikev2 enable ROUTIT_VLAN6 client-services port 20443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
! SSH management from a fixed list of external hosts only (no LAN ssh lines).
! Key exchange is pinned to dh-group1-sha1 (1024-bit); dh-group14-sha1 is the
! stronger option available on this release.
ssh stricthostkeycheck
ssh 83.247.xxx.xxx 255.255.255.255 ROUTIT_VLAN6
ssh 89.146.x.xx 255.255.255.255 ROUTIT_VLAN6
ssh 89.146.xx.xx 255.255.255.255 ROUTIT_VLAN6
ssh 213.46.xxx.xxx 255.255.255.255 ROUTIT_VLAN6
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
! PPPoE dial-out to the ISP with PAP, so the ISP credential (redacted here) is
! sent in clear on the PPPoE link; typically ISP-dictated - confirm with provider.
vpdn group ROUTIT request dialout pppoe
vpdn group ROUTIT localname xxx
vpdn group ROUTIT ppp authentication pap
vpdn username xxx password xxxx 

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 51.141.xx.xx source ROUTIT_VLAN6
! The same self-signed certificate is presented on every interface.
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 ROUTIT_VLAN6
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_2
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_3
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_4
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_5
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_6
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_7
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 LAN
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 LAN vpnlb-ip
! AnyConnect SSL/DTLS on 20443, enabled only on the PPPoE interface.
webvpn
 port 20443
 enable ROUTIT_VLAN6
 dtls port 20443
 anyconnect image disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg 1
 anyconnect profiles CISCO_VPN_client_profile disk0:/CISCO_VPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
! Remote-access policy: IKEv2 or SSL client, split tunnel limited to the LAN
! prefix (Local_LAN_Access); no DNS/WINS pushed to clients.
group-policy GroupPolicy_CISCO_VPN internal
group-policy GroupPolicy_CISCO_VPN attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value x.local
 webvpn
  anyconnect profiles value CISCO_VPN_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
! Single local account with full (privilege 15) rights; no AAA server is configured,
! so this account also serves VPN logins via the local database.
username x password xx privilege 15
tunnel-group CISCO_VPN type remote-access
tunnel-group CISCO_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy GroupPolicy_CISCO_VPN
tunnel-group CISCO_VPN webvpn-attributes
 group-alias CISCO_VPN enable
!
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
! Default inspection set plus a policer: global-class caps input and output at
! 50 Mbit/s with a 25000-byte burst. NOTE(review): esmtp inspection applies to
! the published SMTP forwards; verify it does not interfere with STARTTLS on 25/587.
policy-map global_policy
 description POLICY_SHAPER
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
 class global-class
  police input 50000000 25000
  police output 50000000 25000
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:x
: end


gdimitris

Never mind — I found the problem.

Had to be: nat (inside_5,ROUTIT_VLAN6) static interface service tcp https https 

instead of: nat (any,ROUTIT_VLAN6) static interface service tcp https https 



gdimitris

Never mind — I found the problem.

Had to be: nat (inside_5,ROUTIT_VLAN6) static interface service tcp https https 

instead of: nat (any,ROUTIT_VLAN6) static interface service tcp https https 
