Port forwarding on Cisco ASA 5506 running 9.6(1)

pahuja
Level 1

Hi,

I'm trying to do port forwarding on Cisco ASA 9.6(1) but for some reason it keeps failing for me. I would like to map port 3000 of host 172.16.0.10 to port 80 of the outside interface of ASA.

Here is what I've done so far:

object network obj_172.16.0.10
  nat (internet-dmz,outside) static interface service tcp 3000 www

object network obj_172.16.0.10
  host 172.16.0.10

access-list outside_access_in extended permit tcp any object obj_172.16.0.10 eq www 
access-list outside_access_in extended permit tcp any object obj_172.16.0.10 eq 3000 

access-group outside_access_in in interface outside

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute

interface GigabitEthernet1/4
nameif internet-dmz
security-level 5
ip address 172.16.0.1 255.255.255.0

When I test access to it from the outside world, I get the following syslog message ID 710003 saying that access was denied:

TCP access denied by ACL from A.B.C.D/1024 to outside:W.X.Y.Z/80

show xlate on the ASA shows this:

TCP PAT from internet-dmz:172.16.0.10 3000-3000 to outside:W.X.Y.Z 80-80

This used to be a piece of cake for me up until ASA version 7.x. But now I don't know why this is getting denied. Any suggestions will be much appreciated.

Thanks,

Pankaj

3 Replies

Joel
Level 1

object network obj_172.16.0.10
  nat (internet-dmz,outside) static interface service tcp 3000 www


The real port comes first, i.e. 80, so

object network obj_172.16.0.10
  nat (internet-dmz,outside) static interface service tcp www 3000

To test use packet-tracer

packet-tracer input outside tcp 1.1.1.1 1025 (whatever your public IP is) 3000

Hi Joel, 

Thank you for your response. The real port of the actual server is in fact 3000. Since my ISP is blocking all ports above 1024, I am trying to map it to port 80 of the outside interface of the Cisco ASA firewall.

So the configuration is correct.

I think in this setup I could be running into the ASA retaining port 80 for its own use, like ASDM or WebVPN.

I've reached out to Comcast, asking them to open all ports for my internet; if that works then I'll try mapping 3000 to 3000.

I'll update this later today after trying the ISP and, if needed, have the ASA give up port 80 for everything else.

Now that I've confirmed that Comcast is not blocking any ports, I've updated my problem, which still exists.

To keep it simple, I am trying to port forward TCP 3000 from the outside interface of the ASA to a host in the DMZ.

object network obj_172.16.0.10
  nat (internet-dmz,outside) static interface service tcp 3000 3000

object network obj_172.16.0.10
  host 172.16.0.10

access-list outside_access_in extended permit tcp any4 host 172.16.0.10 range 2900 3100
access-list outside_access_in extended permit tcp any4 object obj_172.16.0.10 eq 3000 log


access-group outside_access_in in interface outside

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute 

interface GigabitEthernet1/4
nameif internet-dmz
security-level 5
ip address 172.16.0.1 255.255.255.0 

When I test access to it from the outside world, I get the following syslog message:
Apr 20 2017 17:47:51: %ASA-7-710005: TCP request discarded from A.B.C.D/1064 to outside:W.X.Y.Z/3000

When I do a capture on the outside port I see traffic coming in, but another capture on the internet-dmz port does not see the packet make it in. So the ACL is definitely blocking it, but I don't know why it would do that since I have the permit statements.
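As an added example that is not part of the thread, here is a small Python script that reads the posted NAT object, ACL entry and syslog line and reports what they imply together: syslog IDs 710003 and 710005 are logged for packets addressed to the ASA's own interface address (so the packet reached the firewall's services rather than being translated to the server), and since 8.3 the interface ACL is evaluated against the real (untranslated) port, so the script also flags an outside ACL that only permits the mapped port. It assumes the configuration is pasted as text and only understands the `static interface service tcp REAL MAPPED` form used on this page; the sample strings are copied from the second configuration in the thread.

```python
import re

# Constructed sample: the thread's second configuration and syslog line (addresses anonymised as on the page).
ASA_CFG = """
object network obj_172.16.0.10
  nat (internet-dmz,outside) static interface service tcp 3000 3000
access-list outside_access_in extended permit tcp any4 object obj_172.16.0.10 eq 3000 log
"""
SYSLOG = "%ASA-7-710005: TCP request discarded from A.B.C.D/1064 to outside:W.X.Y.Z/3000"

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


def port(tok):
    """ASA accepts named or numeric ports; normalise both to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_cfg(cfg):
    """Collect static interface PAT rules and the ACL entries that reference NAT objects."""
    nat, acl, obj = [], [], None
    for line in cfg.splitlines():
        m = re.match(r"\s*object network (\S+)", line)
        if m:
            obj = m.group(1)
            continue
        m = re.search(r"nat \((\S+),(\S+)\) static interface service tcp (\S+) (\S+)", line)
        if m and obj:  # ASA syntax: real (server) port first, mapped (outside) port second
            nat.append({"object": obj, "mapped_if": m.group(2),
                        "real_port": port(m.group(3)), "mapped_port": port(m.group(4))})
        m = re.search(r"access-list (\S+) extended permit tcp \S+ object (\S+) eq (\S+)", line)
        if m:
            acl.append({"acl": m.group(1), "object": m.group(2), "port": port(m.group(3))})
    return nat, acl


def diagnose(syslog, nat, acl):
    """Explain a 710003/710005 syslog line against the NAT and ACL configuration."""
    m = re.search(r"%ASA-\d-(710003|710005): .* to (\S+):\S+/(\d+)", syslog)
    if not m:
        return {"handled": False}
    msg_id, iface, dport = m.group(1), m.group(2), int(m.group(3))
    # Both IDs are logged for traffic addressed to the ASA itself: the packet was handed to the
    # firewall's own services instead of being translated by the static NAT to the server.
    rule = next((r for r in nat if r["mapped_if"] == iface and r["mapped_port"] == dport), None)
    # Post-8.3 ACLs see the real (untranslated) port, so the outside ACL must permit the
    # server's real port, not the mapped port on the interface.
    acl_ok = bool(rule) and any(a["object"] == rule["object"] and a["port"] == rule["real_port"] for a in acl)
    return {"handled": True, "msg_id": msg_id, "to_the_box": True,
            "nat_rule": rule, "acl_permits_real_port": acl_ok}


if __name__ == "__main__":
    print(diagnose(SYSLOG, *parse_cfg(ASA_CFG)))
```

A `to_the_box` result with a matching `nat_rule` and `acl_permits_real_port` true means the ACL is not the culprit and the translation itself is not being applied to that packet, which is what to look at with `packet-tracer` next.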
