04-21-2017 01:56 AM - edited 03-12-2019 02:14 AM
Hi,
I'm trying to do port forwarding on Cisco ASA 9.6(1) but for some reason it keeps failing for me. I would like to map port 3000 of host 172.16.0.10 to port 80 of the outside interface of ASA.
Here is what I've done so far:
object network obj_172.16.0.10
nat (internet-dmz,outside) static interface service tcp 3000 www
object network obj_172.16.0.10
host 172.16.0.10
access-list outside_access_in extended permit tcp any object obj_172.16.0.10 eq www
access-list outside_access_in extended permit tcp any object obj_172.16.0.10 eq 3000
access-group outside_access_in in interface outside
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet1/4
nameif internet-dmz
security-level 5
ip address 172.16.0.1 255.255.255.0
When I test access to it from the outside world, I get the following syslog message ID 710003 saying that access was denied:
TCP access denied by ACL from A.B.C.D/1024 to outside:W.X.Y.Z/80
show xlate on the ASA shows this:
TCP PAT from internet-dmz:172.16.0.10 3000-3000 to outside:W.X.Y.Z 80-80
This used to be a piece of cake for me up until ASA version 7.x. But now I don't know why this is getting denied. Any suggestions will be much appreciated.
Thanks,
Pankaj
04-21-2017 04:11 AM
object network obj_172.16.0.10
nat (internet-dmz,outside) static interface service tcp 3000 www
The real port comes first, i.e. 80, so
object network obj_172.16.0.10
nat (internet-dmz,outside) static interface service tcp www 3000
To test use packet-tracer
packet-tracer input outside tcp 1.1.1.1 1025 (whatever your public IP is) 3000
04-21-2017 11:58 AM
Hi Joel,
Thank you for your response. The real port of the actual server is in fact 3000. Since my ISP is blocking all ports above 1024, I am trying to map it to port 80 of the outside interface of the Cisco ASA firewall.
So the configuration is correct.
I think in this setup I could be running into the ASA retaining port 80 for its own use - like ASDM or WebVPN.
I've reached out to Comcast, asking them to open all ports for my internet; if that works then I'll try mapping 3000 to 3000.
I'll update this later today after trying the ISP and if needed have ASA give up port 80 for everything else.
04-21-2017 02:54 PM
Now that I've confirmed that Comcast is not blocking any ports, I've updated my problem, which still exists.
To keep it simple, I am trying to port forward TCP 3000 from the interface of the ASA to a host in the DMZ.
object network obj_172.16.0.10
nat (internet-dmz,outside) static interface service tcp 3000 3000
object network obj_172.16.0.10
host 172.16.0.10
access-list outside_access_in extended permit tcp any4 host 172.16.0.10 range 2900 3100
access-list outside_access_in extended permit tcp any4 object obj_172.16.0.10 eq 3000 log
access-group outside_access_in in interface outside
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet1/4
nameif internet-dmz
security-level 5
ip address 172.16.0.1 255.255.255.0
When I test access to it from the outside world, I get the following syslog message:
Apr 20 2017 17:47:51: %ASA-7-710005: TCP request discarded from A.B.C.D/1064 to outside:W.X.Y.Z/3000
When I do a capture on the outside port I see traffic coming in, but another capture on the internet-dmz port does not see the packet make it in. So the ACL is definitely blocking it, but I don't know why it would do that since I have the permit statements.
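The two rules the thread turns on are easy to get backwards on ASA 8.3 and later: the object-NAT `service` keyword takes the real port first and the mapped port second, and the inbound ACL is evaluated against the real (untranslated) address and real port, not the port the outside sees. The following linter is an added example (not code from the thread, not a Cisco tool) that parses just the line types shown in the posts, checks each ACE against those two rules, and models an inbound packet the way `packet-tracer` would. Its third branch, "no NAT owns this port", is the situation behind both syslog IDs in the thread: 710003 and 710005 are logged for connections addressed to the ASA's own interface, i.e. packets that no NAT rule untranslated. Function names, the `NAMED_PORTS` table and the sample input (the first post's configuration with the interface lines omitted) are this example's own choices.

```python
import re

# Added example, not from the thread or from Cisco: a small linter that models
# the two ASA 8.3+ rules discussed above for object-NAT port forwards:
#   1. "nat ... static interface service tcp <REAL> <MAPPED>" (real port first)
#   2. the inbound ACL must permit the REAL (untranslated) host and REAL port.
# It parses only the line types the thread shows; everything else is ignored.

NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

NAT_RE = re.compile(
    r"nat \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) static interface "
    r"service (?P<proto>tcp|udp) (?P<real>\S+) (?P<mapped>\S+)")
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) extended permit (?P<proto>tcp|udp) (?P<src>any4?|any6) "
    r"(?:object (?P<obj>\S+)|host (?P<host>\S+)) "
    r"(?:eq (?P<eq>\S+)|range (?P<lo>\S+) (?P<hi>\S+))")


def to_port(tok):
    """Resolve an ASA port keyword (www) or a number to an int."""
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok.lower()]


def parse(config):
    """Return ({object_name: {'host': ip, 'nat': {...}}}, [aces])."""
    objects, aces, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, {})
        elif line.startswith("host ") and current:
            objects[current]["host"] = line.split()[1]
        elif (m := NAT_RE.match(line)) and current:
            objects[current]["nat"] = {"proto": m["proto"],
                                       "real": to_port(m["real"]),
                                       "mapped": to_port(m["mapped"])}
        elif m := ACE_RE.match(line):
            aces.append({"proto": m["proto"], "obj": m["obj"], "host": m["host"],
                         "lo": to_port(m["eq"] or m["lo"]),
                         "hi": to_port(m["eq"] or m["hi"]), "text": line})
    return objects, aces


def ace_covers(ace, name, ip, port):
    """True if the ACE's destination is this host and its port range includes port."""
    return (ace["obj"] == name or ace["host"] == ip) and ace["lo"] <= port <= ace["hi"]


def lint(config):
    """List ACEs that reference the forwarded host but can never permit the real flow."""
    objects, aces = parse(config)
    findings = []
    for name, obj in objects.items():
        if "nat" not in obj or "host" not in obj:
            continue
        real, mapped, ip = obj["nat"]["real"], obj["nat"]["mapped"], obj["host"]
        for ace in aces:
            if ace["obj"] != name and ace["host"] != ip:
                continue
            if ace["lo"] <= real <= ace["hi"]:
                continue  # permits the real port: this is the ACE that matters on 8.3+
            if ace["lo"] <= mapped <= ace["hi"]:
                findings.append(f"{ace['text']}: matches mapped port {mapped}; "
                                f"8.3+ ACLs must permit the real port {real}")
            else:
                findings.append(f"{ace['text']}: never matches real port {real}")
    return findings


def trace(config, dst_port, proto="tcp"):
    """Model an inbound packet to <outside IP>:dst_port, packet-tracer style."""
    objects, aces = parse(config)
    for name, obj in objects.items():
        nat = obj.get("nat")
        if nat and nat["proto"] == proto and nat["mapped"] == dst_port:
            ip, real = obj["host"], nat["real"]
            if any(a["proto"] == proto and ace_covers(a, name, ip, real) for a in aces):
                return f"untranslate -> {ip}:{real}, permitted by ACL"
            return f"untranslate -> {ip}:{real}, DENIED by ACL (real port {real} not permitted)"
    # No NAT rule owns this port, so the ASA handles the packet as addressed to
    # itself (to-the-box) instead of forwarding it.
    return f"no NAT for {proto}/{dst_port}: treated as to-the-box traffic, not forwarded"


# Sample input: the configuration from the first post, with the interface lines left out.
FIRST_POST = """
object network obj_172.16.0.10
 nat (internet-dmz,outside) static interface service tcp 3000 www
object network obj_172.16.0.10
 host 172.16.0.10
access-list outside_access_in extended permit tcp any object obj_172.16.0.10 eq www
access-list outside_access_in extended permit tcp any object obj_172.16.0.10 eq 3000
"""

if __name__ == "__main__":
    for f in lint(FIRST_POST):
        print("WARN", f)
    print(trace(FIRST_POST, 80))    # the forwarded port
    print(trace(FIRST_POST, 3000))  # the real port, which the outside never sees
```

Run against the first post's lines it reports the `eq www` ACE as matching the mapped port rather than the real one (harmless but never hit) and shows port 80 untranslating to 172.16.0.10:3000 and being permitted by the `eq 3000` ACE; swapping the `service` arguments the way the first reply suggested flips which ACE is the useful one and makes the forward land on port 80 of the server instead. Anything that arrives on a port no NAT rule claims is reported as to-the-box traffic, which is what the 710003/710005 messages in the thread describe.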