09-11-2023 12:00 PM
Hi all!
I have two Cisco ASA 5585 in failover, Software Version 9.8(3)18.
I need to set up port forwarding with NAT so that an outside host can reach an inside host through the ASA's interface. I made the settings as usual, but the access doesn't work.
Here are the parts of the configuration for this access:
Here is the packet-tracer output for the faulty access:
asa-5585/sec/act(config)# packet-tracer input outside tcp 66.66.66.66 12345 50.50.50.50 8553
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 50.50.50.50 using egress ifc identity
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-outside in interface outside control-plane
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4191741927, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow
Here is the packet-tracer output for the working access:
asa-5585/sec/act(config)# packet-tracer input outside tcp 77.77.77.77 12345 50.50.50.50 40389
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:
NAT divert to egress interface inside2
Untranslate 50.50.50.50/40389 to 10.10.30.59/3389
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-outside in interface outside control-plane
access-list from-outside extended permit tcp host 77.77.77.77 object H_10.10.30.59 eq 3389
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:
Static translate 77.77.77.77/12345 to 10.10.30.80/12345
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group to-inside2 out interface inside2
access-list to-inside2 extended permit ip any any
Additional Information:
Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:
Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4168707154, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside2
output-status: up
output-line-status: up
Action: allow
What did I do wrong? How can I check the issue and restore normal operation?
09-11-2023 12:37 PM
@nEkToSAN remove your existing rule and add the following:
object network H_10.10.10.116
host 10.10.10.116
nat (inside,outside) static interface service tcp-8553-port tcp-8553-port
then try again and provide packet-tracer if it does not work.
09-12-2023 05:56 AM
I tried that. And the result is:
asa-5585/sec/act# packet-tracer input outside tcp 66.66.66.66 12345 50.50.50.50 8553
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 50.50.50.50 using egress ifc identity
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-outside in interface outside control-plane
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 26626876, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow
... the same :(
Maybe there are some additional settings in the configuration which could affect the settings I need? But I checked the config several times, and, in my opinion, the settings for "inside" and "inside2" are the same.
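As an added illustration (not from the thread or from Cisco), here is a small parser that reads packet-tracer output and reports the difference between the two runs above: the working run contains an UN-NAT phase that untranslates 50.50.50.50/40389, while the failing run has no UN-NAT phase and ends on "NP Identity Ifc", which means no NAT rule matched the destination IP/port and the ASA handled the packet as addressed to its own interface. The excerpts are constructed from the quoted output and trimmed to the phases the check needs.

```python
import re

# Constructed excerpts modelled on the two packet-tracer runs in the thread,
# trimmed to the phases the check needs (real output has more phases).
FAILING = """Phase: 3
Type: ROUTE-LOOKUP
Config:
Additional Information:
found next-hop 50.50.50.50 using egress ifc identity
Result:
output-interface: NP Identity Ifc
"""
WORKING = """Phase: 2
Type: UN-NAT
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:
Untranslate 50.50.50.50/40389 to 10.10.30.59/3389
Result:
output-interface: inside2
"""

def parse_phases(text):
    """Split packet-tracer output into phases; the closing 'Result:' block gets Type 'RESULT'."""
    phases, cur, key = [], None, None
    for line in text.splitlines():
        if line.startswith("Phase:") or line.strip() == "Result:":
            cur = {"Type": "RESULT"} if line.strip() == "Result:" else {}
            phases.append(cur)
            key = None
        elif cur is not None and re.match(r"^[A-Za-z -]+:", line):
            key, _, val = line.partition(":")
            key = key.strip()
            cur[key] = val.strip()
        elif cur is not None and key:  # continuation line, e.g. the nat rule under Config:
            cur[key] = (cur[key] + "\n" + line).strip()
    return phases

def diagnose(text):
    """Report whether destination NAT (UN-NAT) fired and where the packet was sent."""
    phases = parse_phases(text)
    unnat = next((p for p in phases if p.get("Type") == "UN-NAT"), {})
    final = next((p for p in phases if p.get("Type") == "RESULT"), {})
    out_ifc = final.get("output-interface", "")
    untrans = re.search(r"Untranslate (\S+) to (\S+)", unnat.get("Additional Information", ""))
    verdict = ("no UN-NAT phase: no static NAT matched the destination, ASA treats the packet as addressed to itself"
               if out_ifc == "NP Identity Ifc" and not unnat else "destination NAT matched")
    return {"nat_rule": unnat.get("Config", ""), "untranslate": untrans.group(0) if untrans else "",
            "output_interface": out_ifc, "verdict": verdict}
```

Paste a full packet-tracer run into `diagnose()`; an empty `nat_rule` together with "NP Identity Ifc" is the signature of a NAT rule that does not match the tested destination port.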