Port forwarding not working ASA5505

ewood2624
Level 5

I'm not able to access my Slingbox from the outside.  I've set up port forwarding on port 5001 to allow outside connections in, but port forwarding isn't working.  Am I missing something?

object network INSIDE-HOSTS

subnet 10.10.10.0 255.255.255.0

object network Slingbox

host 10.10.10.254

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list Internet_IN extended permit icmp any interface outside echo-reply

access-list Internet_IN extended permit icmp any interface outside

access-list outside_access_in extended permit tcp any host 10.10.10.254 eq 5001

nat (inside,outside) source dynamic AnyConnect-INET interface

!

object network INSIDE-HOSTS

nat (inside,outside) dynamic interface

object network AnyConnect-INET

nat (outside,outside) dynamic interface

object network Slingbox

nat (inside,outside) static interface service tcp 5001 5001

13 Replies

Amit Rai
Level 1

Can you post the output of packet-tracer, as the config looks correct?

packet-tracer input outside tcp 1.1.1.1 1234 5001 det

Use the above command as it is, replace the with the IP address assigned on the outside interface of the firewall.

This will let you know whether the packet is allowed through the firewall or not, and which rule is matching this traffic.

Send me the output in case you find it difficult to understand.

Jouni Forss
VIP Alumni

Hi,

Depending on what host/networks object "AnyConnect-INET" contains, I think it can be the only NAT configuration overriding the port forward configuration.

Please include the configuration for object network AnyConnect-INET.

- Jouni

And what I mean by overriding is that if it happened to have the LAN network, it would mean that it would always be applied before all of the other NAT configurations you have visible in your original post.
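Added example, not part of any reply in this thread: a sketch of the rule ordering behind the point above, where on ASA 8.3 and later manual NAT (lines with `source`) is evaluated before object NAT, and `after-auto` manual NAT last. The CONFIG string is constructed from the NAT lines in the original post; the function name is hypothetical, and tie-breaks inside the object NAT section beyond static-before-dynamic are not modelled.

```python
import re

# Constructed input: the NAT-related lines from the config in the original post.
CONFIG = """\
nat (inside,outside) source dynamic AnyConnect-INET interface
object network INSIDE-HOSTS
 nat (inside,outside) dynamic interface
object network AnyConnect-INET
 nat (outside,outside) dynamic interface
object network Slingbox
 nat (inside,outside) static interface service tcp 5001 5001
"""

NAT_RE = re.compile(r"^nat \([^)]+\)\s+(after-auto\s+)?(source\s+)?(static|dynamic)\b")

def nat_evaluation_order(config):
    """Return (section, owner, line) tuples in the order the ASA evaluates them."""
    rules, current_object = [], None
    for seq, raw in enumerate(config.splitlines()):
        line = raw.strip()
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        after_auto, source, kind = m.groups()
        if source:
            # Manual (twice) NAT: section 1, or section 3 when after-auto is set.
            section, owner = (3 if after_auto else 1), "manual"
        else:
            # Object (auto) NAT: always section 2.
            section, owner = 2, current_object
        # Inside section 2 static rules precede dynamic ones; otherwise config order.
        rank = 0 if (section == 2 and kind == "static") else 1
        rules.append(((section, rank, seq), section, owner, line))
    return [(s, o, l) for _, s, o, l in sorted(rules)]

if __name__ == "__main__":
    for section, owner, line in nat_evaluation_order(CONFIG):
        print(f"section {section}  {owner:<16} {line}")
```

Run against the posted lines, the manual `AnyConnect-INET` rule sorts ahead of the Slingbox static port forward, which is the ordering the reply is asking about.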

Here's what I got from packet tracer:

ciscoasa# packet-tracer input outside tcp 98.184.159.213 5001 10.10.10.254 5001

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.10.10.0      255.255.255.0   inside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcaf8b8d8, priority=500, domain=permit, deny=true

        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=98.184.159.213, mask=255.255.255.255, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Here's a copy of my config:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password xxxxxxxxxx encrypted

passwd xxxxxxxxxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

banner motd

banner motd +...................................................-+

banner motd |                                                    |

banner motd |   *** Unauthorized Use or Access Prohibited ***    |

banner motd |                                                    |

banner motd |        For Authorized Official Use Only            |

banner motd | You must have explicit permission to access or     |

banner motd | configure this device. All activities performed    |

banner motd | on this device will be logged, and violations of   |

banner motd | this policy may result in disciplinary action, and |

banner motd | may be reported to law enforcement authorities.    |

banner motd |                                                    |

banner motd |   There is no right to privacy on this device.     |

banner motd |                                                    |

banner motd +...................................................-+

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network INSIDE-HOSTS

subnet 10.10.10.0 255.255.255.0

object network AnyConnect-INET

subnet 192.168.10.0 255.255.255.0

object network Slingbox

host 10.10.10.254

object-group service slingbox_out tcp

port-object eq 5001

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list Internet_IN extended permit icmp any interface outside echo-reply

access-list Internet_IN extended permit icmp any interface outside

access-list outside_access_in extended permit tcp any host 10.10.10.254 eq 5001

access-list inside_access_in extended permit ip any any

access-list outside_access_in_1 extended permit ip any object Slingbox inactive

pager lines 24

logging enable

logging timestamp

logging buffered informational

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any echo-reply inside

icmp permit any echo-reply outside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic AnyConnect-INET interface

!

object network INSIDE-HOSTS

nat (inside,outside) dynamic interface

object network AnyConnect-INET

nat (outside,outside) dynamic interface

object network Slingbox

nat (inside,outside) static interface service tcp 5001 5001

access-group inside_access_in in interface inside

access-group outside_access_in_1 in interface outside

!

router eigrp 100

network 10.0.0.0 255.0.0.0

network 192.168.10.0 255.255.255.0

!

route inside 192.168.10.0 255.255.255.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.10.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 10.10.10.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.10.10.25-10.10.10.50 inside

dhcpd dns 68.105.28.12 68.105.29.12 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection scanning-threat shun

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy "Client Group" internal

group-policy "Client Group" attributes

wins-server none

dns-server value 68.105.28.12

vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

split-tunnel-policy tunnelall

default-domain value ok.cox.net

webvpn

  anyconnect ssl rekey time none

  anyconnect ssl rekey method ssl

  anyconnect ask none default anyconnect

username admin password xxxxxxxxxx encrypted privilege 15

tunnel-group TunnelGroup1 type remote-access

tunnel-group TunnelGroup1 general-attributes

address-pool vpnpool

default-group-policy "Client Group"

tunnel-group TunnelGroup1 webvpn-attributes

group-alias ssl_group_users enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:96ebbf1752af67ce817c102f49d3668d

: end

Hey,

If you are testing the port forwarding rule you will have to use the public IP address (of the outside interface) in the packet-tracer command, even though you are using the private IP address in the outside access-list.

Also at the moment it seems you have set the only access-list rule in your OUTSIDE access-list to be inactive.

access-list outside_access_in_1 extended permit ip any object Slingbox inactive

access-group outside_access_in_1 in interface outside

Correct those and test again. If your access-list has had the inactive all the time I suppose it's the reason for the connection not working. With the packet-tracer, both the access-list statement and the packet-tracer's destination IP address are the cause for it to fail.

- Jouni
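Added example, not part of any reply in this thread: a small audit for the condition pointed out above, an ACL that is bound to an interface but has only `inactive` entries, alongside ACLs that carry the intended permit but are never applied. The CONFIG string is constructed from the ACL and access-group lines of the posted running config; the function name is hypothetical.

```python
# Constructed input: ACL and access-group lines from the running config posted above.
CONFIG = """\
access-list Internet_IN extended permit icmp any interface outside echo-reply
access-list Internet_IN extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any host 10.10.10.254 eq 5001
access-list inside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any object Slingbox inactive
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
"""

def audit_acl_bindings(config):
    """Return findings about ACLs that cannot be filtering the way their names suggest."""
    active, inactive, bound = {}, {}, {}
    for raw in config.splitlines():
        words = raw.split()
        if len(words) >= 3 and words[0] == "access-list" and words[2] == "extended":
            # Count each entry as active or inactive per ACL name.
            bucket = inactive if "inactive" in words[3:] else active
            bucket[words[1]] = bucket.get(words[1], 0) + 1
        elif len(words) >= 5 and words[0] == "access-group" and words[3] == "interface":
            # access-group <acl> <in|out> interface <nameif>
            bound[words[1]] = (words[2], words[4])
    findings = []
    for name, (direction, ifc) in bound.items():
        if active.get(name, 0) == 0:
            findings.append(f"{name} ({direction}, {ifc}): bound but has no active "
                            "entries; only the implicit deny applies")
    for name in sorted(set(active) | set(inactive)):
        if name not in bound:
            findings.append(f"{name}: defined but not applied by any access-group")
    return findings

if __name__ == "__main__":
    for finding in audit_acl_bindings(CONFIG):
        print(finding)
```

An ACL reported as not applied may still be referenced elsewhere (for example by a VPN filter or class-map), so treat that finding as a prompt to check rather than an error.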

I used my outside address when I issued the packet tracer command.

packet-tracer input outside tcp 98.184.159.213 5001 10.10.10.254 5001

Am I checking the outside address 98.184.159.213 to the inside destination of 10.10.10.254 both for port 5001?

Please explain it again on what I need to change on the access list going out. I'm just now learning about ASA and Cisco firewalls. Are there any good books that I can purchase to help me out?


Hi,

I think you will need to use the mapped destination address in the "packet-tracer" command.

It seems you are getting the outside IP address with DHCP. So check that IP address with "show ip address" command.

Then use that IP address as the destination address in "packet-tracer" command. You can use any random source address though.

For example:

packet-tracer input outside tcp 1.2.3.4 1025 5001

The packet-tracer command lets you test what would happen to connections going through your firewall. The above command would, for example, test what would happen to a connection that is coming FROM the outside interface, using TCP with the SOURCE IP address of 1.2.3.4 and SOURCE port of 1025, to the DESTINATION IP address (of your outside interface IP) with DESTINATION port of 5001.

Even though the real destination address is 10.10.10.254, you will have to use the public IP address in the packet-tracer command, as naturally that would be the IP address a remote user on the Internet would use as the destination address to reach your device.

Also as I mentioned in the earlier post, it seems you have set your access-list opening statement as "inactive".

You could try adding the following access-list line

access-list outside_access_in_1 extended permit tcp any object Slingbox eq 5001

Please ask for additional information if needed. Please rate if any information was helpful

- Jouni

Here's what I'm getting when I do the packet trace:

ciscoasa(config)# packet-tracer input outside tcp 1.2.3.4 1025 98.184.159.213 $

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   98.184.159.213  255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Which access-list is denying the packet?

Hi,

Is it possible for you to remove this NAT statement

nat (inside,outside) source dynamic AnyConnect-INET interface

And try that same packet-tracer again and post the result?

- Jouni

I disabled the AnyConnect NAT. Will disabling the NAT affect my AnyConnect users?

ciscoasa(config)# packet-tracer input outside tcp 1.2.3.4 1025 98.184.159.213 $

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network Slingbox

nat (inside,outside) static interface service tcp 5001 5001

Additional Information:

NAT divert to egress interface inside

Untranslate 98.184.159.213/5001 to 10.10.10.254/5001

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in_1 in interface outside

access-list outside_access_in_1 extended permit tcp any object Slingbox eq 5001

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network Slingbox

nat (inside,outside) static interface service tcp 5001 5001

Additional Information:

Phase: 6

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 84664, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Hi,

I don't know what the NAT command you removed was supposed to be doing though. To me it said that it would NAT traffic from inside network 192.168.10.0/24 to the outside interface IP.

Also I don't know why you have VPN configurations on your ASA that state the VPN users pool is 192.168.10.0/24 and you have also routed that network towards the inside interface with the following command?

route inside 192.168.10.0 255.255.255.0 10.10.10.1 1

You seem to have one NAT configuration left that gives your VPN Client users access to the Internet using the ASA outside interface (which seems fine).

object network AnyConnect-INET

nat (outside,outside) dynamic interface

What I don't see though is the NAT0 configuration for the VPN pool <-> LAN configuration. This would basically allow the communication between VPN Client pool 192.168.10.0/24 and Local LAN 10.10.10.0/24 without translation.

This could be achieved by the following configuration

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static AnyConnect-INET AnyConnect-INET

- Jouni

The VPN users pool is for AnyConnect clients.  I just wanted a different pool to distinguish the AnyConnect clients.  I'm still not able to access my Slingbox on port 5001 from outside.

Hi,

The packet-tracer does seem to go through though which would indicate the firewall rules are ok.

Are the settings on the LAN device itself correct?

Maybe you should next look at the logs on the ASDM while attempting the connection and see what happens to it.
