04-07-2012 08:22 PM - edited 03-11-2019 03:51 PM
I'm not able to access my Slingbox from the outside. I've set up port forwarding on port 5001 to allow outside connections in, but port forwarding isn't working. Am I missing something?
object network INSIDE-HOSTS
subnet 10.10.10.0 255.255.255.0
object network Slingbox
host 10.10.10.254
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Internet_IN extended permit icmp any interface outside echo-reply
access-list Internet_IN extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any host 10.10.10.254 eq 5001
nat (inside,outside) source dynamic AnyConnect-INET interface
!
object network INSIDE-HOSTS
nat (inside,outside) dynamic interface
object network AnyConnect-INET
nat (outside,outside) dynamic interface
object network Slingbox
nat (inside,outside) static interface service tcp 5001 5001
04-07-2012 10:43 PM
Can you post the output of packet-tracer, as the config looks correct.
packet-tracer input outside tcp 1.1.1.1 1234
use the above command as it is replace the
this will let you know if the packet is allowed through the firewall or not and what rule is matching to this traffic.
Send me the output in case you find it difficult to understand.
04-08-2012 03:25 AM
Hi,
Depending on what host/networks object "AnyConnect-INET" contains, I think it can be the only NAT configuration overriding the port forward configuration.
Please include the configuration for object network AnyConnect-INET
- Jouni
04-08-2012 03:31 AM
And what I mean by overriding is that if it happened to contain the LAN network, it would always be applied before all of the other NAT configurations visible in your original post.
04-08-2012 12:00 PM
Here's what I got from packet tracer:
ciscoasa# packet-tracer input outside tcp 98.184.159.213 5001 10.10.10.254 5001
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcaf8b8d8, priority=500, domain=permit, deny=true
hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=98.184.159.213, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here's a copy of my config:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
banner motd
banner motd +...................................................-+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device will be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +...................................................-+
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE-HOSTS
subnet 10.10.10.0 255.255.255.0
object network AnyConnect-INET
subnet 192.168.10.0 255.255.255.0
object network Slingbox
host 10.10.10.254
object-group service slingbox_out tcp
port-object eq 5001
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Internet_IN extended permit icmp any interface outside echo-reply
access-list Internet_IN extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any host 10.10.10.254 eq 5001
access-list inside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any object Slingbox inactive
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply inside
icmp permit any echo-reply outside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AnyConnect-INET interface
!
object network INSIDE-HOSTS
nat (inside,outside) dynamic interface
object network AnyConnect-INET
nat (outside,outside) dynamic interface
object network Slingbox
nat (inside,outside) static interface service tcp 5001 5001
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
!
router eigrp 100
network 10.0.0.0 255.0.0.0
network 192.168.10.0 255.255.255.0
!
route inside 192.168.10.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.10.25-10.10.10.50 inside
dhcpd dns 68.105.28.12 68.105.29.12 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy "Client Group" internal
group-policy "Client Group" attributes
wins-server none
dns-server value 68.105.28.12
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelall
default-domain value ok.cox.net
webvpn
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username admin password xxxxxxxxxx encrypted privilege 15
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
address-pool vpnpool
default-group-policy "Client Group"
tunnel-group TunnelGroup1 webvpn-attributes
group-alias ssl_group_users enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:96ebbf1752af67ce817c102f49d3668d
: end
04-08-2012 01:03 PM
Hey,
If you are testing the port forwarding rule you will have to use the public IP address (of the outside interface) in the packet-tracer command.
Even though you are using the private IP address in the outside access-list.
Also at the moment it seems you have set the only access-list rule in your OUTSIDE access-list to be inactive.
access-list outside_access_in_1 extended permit ip any object Slingbox inactive
access-group outside_access_in_1 in interface outside
Correct those and test again. If your access-list has had the inactive keyword all the time, I suppose it's the reason for the connection not working. With the packet-tracer, both the access-list statement and the packet-tracer's destination IP address are the cause for it to fail.
- Jouni
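A small check, added here as an example and not part of the thread, for the situation Jouni points out: an access-group binding an ACL whose only entry is inactive (so only the implicit deny remains), while the ACL that actually permits port 5001 is not bound to any interface. The config lines are a constructed excerpt of the ones posted above.

```python
import re

# Constructed excerpt of the access-list / access-group lines posted in this
# thread (not the complete configuration).
SAMPLE_CONFIG = """
access-list outside_access_in extended permit tcp any host 10.10.10.254 eq 5001
access-list inside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit ip any object Slingbox inactive
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(.*?)(\s+inactive)?$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")

def parse_acls(config):
    """Return ({acl: [(ace_text, is_active), ...]}, {interface: bound_acl})."""
    acls, bindings = {}, {}
    for line in config.splitlines():
        line = line.strip()
        ace = ACE_RE.match(line)
        if ace:
            acls.setdefault(ace.group(1), []).append((ace.group(2), ace.group(3) is None))
            continue
        group = GROUP_RE.match(line)
        if group:
            bindings[group.group(2)] = group.group(1)
    return acls, bindings

def lint_acls(config):
    """Flag bound ACLs with no active entry (only the implicit deny remains) and
    ACLs that are defined but not bound to any interface."""
    acls, bindings = parse_acls(config)
    findings = []
    for ifc, name in bindings.items():
        if not any(active for _, active in acls.get(name, [])):
            findings.append(f"{ifc}: bound ACL {name} has no active entries")
    for name, entries in acls.items():
        if name not in bindings.values():
            findings.append(f"unbound ACL {name} (entries: {len(entries)})")
    return findings

if __name__ == "__main__":
    for finding in lint_acls(SAMPLE_CONFIG):
        print(finding)
```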
04-08-2012 02:48 PM
I used my outside address when I issued the packet tracer command.
packet-tracer input outside tcp 98.184.159.213 5001 10.10.10.254 5001
Am I checking the outside address 98.184.159.213 to the inside destination of 10.10.10.254 both for port 5001?
Please explain it again on what I need to change on the access list going out. I'm just now learning about ASA and Cisco firewalls. Are there any good books that I can purchase to help me out?
Sent from Cisco Technical Support iPad App
04-08-2012 02:54 PM
Hi,
I think you will need to use the mapped destination address in the "packet-tracer" command.
It seems you are getting the outside IP address with DHCP. So check that IP address with the "show ip address" command.
Then use that IP address as the destination address in "packet-tracer" command. You can use any random source address though.
For example:
packet-tracer input outside tcp 1.2.3.4 1025
The packet-tracer command lets you test what would happen to connections going through your firewall. The above command would, for example, test what would happen to a connection that is coming FROM the outside interface, using TCP with the SOURCE IP address of 1.2.3.4 and SOURCE port of 1025, to the DESTINATION IP address (your outside interface IP) with DESTINATION port of 5001.
Even though the real destination address is 10.10.10.254, you will have to use the public IP address in the packet-tracer command, as naturally that would be the IP address a remote user on the Internet would use as the destination address to reach your device.
Also, as I mentioned in the earlier post, it seems you have set your access-list opening statement as "inactive".
You could try adding the following access-list line:
access-list outside_access_in_1 extended permit tcp any object Slingbox eq 5001
Please ask for additional information if needed. Please rate if any information was helpful.
- Jouni
04-08-2012 05:14 PM
Here's what I'm getting when I do the packet trace:
ciscoasa(config)# packet-tracer input outside tcp 1.2.3.4 1025 98.184.159.213 $
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 98.184.159.213 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Which access-list is denying the packet?
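An added example (not from the thread) that parses packet-tracer output like the trace above and reports the first DROP phase together with the Drop-reason line, so that the phase in question here (Phase 2, ACCESS-LIST, "Implicit Rule") is picked out mechanically. The sample trace is a constructed, abridged copy of the one posted.

```python
import re

# Constructed, abridged copy of the failing trace posted in this thread.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """Split packet-tracer output into phase dicts; the trailing summary is skipped."""
    phases, cur, section = [], None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"num": int(line.split(":", 1)[1]), "type": "", "result": "",
                   "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:" or cur is None:  # bare 'Result:' starts the final summary
            cur = None
        elif line.startswith(("Type:", "Result:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif line and section:
            cur[section].append(line)
    return phases

def summarize(trace):
    """Name the first DROP phase and its reason, or report allow with any UN-NAT info."""
    phases = parse_phases(trace)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop is None:
        unnat = [l for p in phases if p["type"] == "UN-NAT" for l in p["info"]]
        return {"action": "allow", "unnat_info": unnat}
    reason = re.search(r"^Drop-reason:\s*(.*)$", trace, re.M)
    return {"action": "drop", "phase": drop["num"], "type": drop["type"],
            "config": drop["config"], "reason": reason.group(1).strip() if reason else ""}
```

Feed it the full output of `packet-tracer` and it returns the phase that made the decision, which is the question asked above.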
04-08-2012 05:18 PM
Hi,
Is it possible for you to remove this NAT statement
nat (inside,outside) source dynamic AnyConnect-INET interface
And try that same packet-tracer again and post the result?
- Jouni
04-08-2012 05:45 PM
I disabled the AnyConnect nat. Will disabling the NAT affect my Anyconnect users?
ciscoasa(config)# packet-tracer input outside tcp 1.2.3.4 1025 98.184.159.213 $
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Slingbox
nat (inside,outside) static interface service tcp 5001 5001
Additional Information:
NAT divert to egress interface inside
Untranslate 98.184.159.213/5001 to 10.10.10.254/5001
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface outside
access-list outside_access_in_1 extended permit tcp any object Slingbox eq 5001
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Slingbox
nat (inside,outside) static interface service tcp 5001 5001
Additional Information:
Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 84664, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
04-08-2012 06:00 PM
Hi,
I don't know what the NAT command you removed was supposed to be doing though. To me it said that it would NAT traffic from inside network 192.168.10.0/24 to the outside interface IP.
Also, I don't know why you have VPN configurations on your ASA that state the VPN users pool is 192.168.10.0/24 while you have also routed that network towards the inside interface with the following command?
route inside 192.168.10.0 255.255.255.0 10.10.10.1 1
You seem to have one NAT configuration left that gives your VPN Client users access to the Internet using the ASA outside interface (which seems fine).
object network AnyConnect-INET
nat (outside,outside) dynamic interface
What I don't see though is the NAT0 configuration for the VPN pool <-> LAN traffic. This would basically allow the communication between the VPN Client pool 192.168.10.0/24 and the local LAN 10.10.10.0/24 without translation.
This could be achieved by the following configuration:
nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static AnyConnect-INET AnyConnect-INET
- Jouni
04-08-2012 06:13 PM
The VPN users pool is for AnyConnect clients. I just wanted a different pool to distinguish the AnyConnect clients. I'm still not able to access my Slingbox on port 5001 from outside.
04-08-2012 06:18 PM
Hi,
The packet-tracer does seem to go through though which would indicate the firewall rules are ok.
Are the settings on the LAN device itself correct?
Maybe you should next look at the logs on the ASDM while attempting the connection and see what happens to it.