Port Forwarding on Cisco ASA problem

nEkToSAN
Level 1

Hi all!

I have two Cisco ASA 5585 in failover, Software Version 9.8(3)18.
I need to set up port forwarding with NAT for access from an outside host through the ASA's interface to an inside host. I made the settings as always, but the access doesn't work.
Here are the parts of the configuration for this access:

interface GigabitEthernet0/0.50
vlan 50
nameif outside
security-level 0
ip address 50.50.50.50 255.255.255.0
...
interface GigabitEthernet0/2.20
vlan 20
nameif inside
security-level 100
ip address 10.10.20.80 255.255.255.0
...
interface GigabitEthernet0/2.30
vlan 30
nameif inside2
security-level 100
ip address 10.10.30.80 255.255.255.0
...
object network H_10.10.20.116
host 10.10.10.116
...
object network H_10.10.30.59
host 10.10.30.59
...
object network H_77.77.77.77
host 77.77.77.77
...
object service tcp-8553-port
service tcp destination eq 8553
...
object service outside-40389-port
service tcp destination eq 40389
...
object service inside-3389-port
service tcp destination eq 3389
...
access-list from-outside extended permit tcp any object H_10.10.10.116 eq 8553
access-list from-outside extended permit tcp host 77.77.77.77 object H_10.10.30.59 eq 3389
...
nat (outside,inside) source static any interface destination static interface H_10.10.10.116 service tcp-8553-port tcp-8553-port
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port

Here is the packet-tracer output for the faulty access:


asa-5585/sec/act(config)# packet-tracer input outside tcp 66.66.66.66 12345 50.50.50.50 8553

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 50.50.50.50 using egress ifc identity

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-outside in interface outside control-plane
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4191741927, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow


Here is the packet-tracer output for the working access:


asa-5585/sec/act(config)# packet-tracer input outside tcp 77.77.77.77 12345 50.50.50.50 40389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:
NAT divert to egress interface inside2
Untranslate 50.50.50.50/40389 to 10.10.30.59/3389

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-outside in interface outside control-plane
access-list from-outside extended permit tcp host 77.77.77.77 object H_10.10.30.59 eq 3389
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:
Static translate 77.77.77.77/12345 to 10.10.30.80/12345

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group to-inside2 out interface inside2
access-list to-inside2 extended permit ip any any
Additional Information:

Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:

Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4168707154, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside2
output-status: up
output-line-status: up
Action: allow


What did I do wrong? How can I check the issue and restore normal operation?
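The two traces above differ in a way that can be checked mechanically: the working one contains an UN-NAT phase and egresses a real interface, the faulty one has no UN-NAT phase and egresses "NP Identity Ifc". The following Python script is an added example by the editor, not code from the original post; it parses packet-tracer output into phases and reports those two signals. The function names and the shortened sample traces are the editor's own.

```python
"""Summarise a Cisco ASA packet-tracer trace for a port-forward (static NAT).

Editor's added example, not code from the original post. Heuristics come from
the two traces above: a matching rule shows an UN-NAT phase that untranslates
the mapped address/port to the real host and the flow egresses a real
interface; the faulty trace has no UN-NAT phase and ends on
'output-interface: NP Identity Ifc' (the ASA handled the packet as addressed
to itself). Sample inputs are shortened excerpts of those traces.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_packet_tracer(text):
    """Return (phases, final_result) from raw packet-tracer output."""
    phases, final = [], {}
    current, section, in_result = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current, section, in_result = Phase(int(m.group(1))), None, False
            phases.append(current)
        elif line == "Result:":                     # a bare 'Result:' opens the summary
            current, in_result = None, True
        elif in_result and ":" in line:
            key, value = line.split(":", 1)
            final[key.strip()] = value.strip()
        elif current is None:                       # prompt line or noise before phase 1
            continue
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            getattr(current, section).append(line)
    return phases, final


def diagnose(text):
    """Did a NAT rule untranslate the destination, and where did the packet egress?"""
    phases, final = parse_packet_tracer(text)
    un_nat = [p for p in phases if p.type == "UN-NAT"]
    findings = ["UN-NAT matched: " + "; ".join(p.info) for p in un_nat] or [
        "no UN-NAT phase: no NAT rule untranslated the destination"]
    if final.get("output-interface") == "NP Identity Ifc":
        findings.append("egress is the identity interface: the ASA treated the packet as addressed to itself")
    return {"action": final.get("Action"), "egress": final.get("output-interface"),
            "un_nat": bool(un_nat), "findings": findings}


# Shortened excerpts of the faulty and working traces posted in the thread.
FAULTY_TRACE = """\
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 50.50.50.50 using egress ifc identity

Result:
output-interface: NP Identity Ifc
Action: allow
"""

WORKING_TRACE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
Additional Information:
NAT divert to egress interface inside2
Untranslate 50.50.50.50/40389 to 10.10.30.59/3389

Result:
output-interface: inside2
Action: allow
"""

if __name__ == "__main__":
    for label, trace in (("faulty", FAULTY_TRACE), ("working", WORKING_TRACE)):
        print(label, diagnose(trace))
```

Run it against a full trace pasted from the device and look at the findings list first: a trace with no UN-NAT phase and an identity egress means no NAT rule was selected for that destination address and port, so the next thing to compare is the NAT rule's interface pair and service objects, not the access-list.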

2 Replies

@nEkToSAN remove your existing rule and add the following:

object network H_10.10.10.116
 host 10.10.10.116
 nat (inside,outside) static interface service tcp-8553-port tcp-8553-port

Then try again and provide the packet-tracer output if it does not work.

I tried that, and the result is:


asa-5585/sec/act# packet-tracer input outside tcp 66.66.66.66 12345 50.50.50.50 8553

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 50.50.50.50 using egress ifc identity

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-outside in interface outside control-plane
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 26626876, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow

... the same. :(

Maybe there are some additional settings in the configuration which can affect the settings I need? But I checked the config several times, and, in my opinion, the settings for "inside" and "inside2" are the same.
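As an added cross-check (editor's example, not code from the thread), the script below parses the configuration excerpts posted above, both the original twice-NAT form and the object-NAT form from the reply, and reports object names referenced by access-list or nat lines that are not defined in the excerpt, and real hosts that are not on the connected subnet of the interface the NAT rule names. It understands only the statement forms that appear in this thread; the function names and the trimmed sample configs are the editor's own, and "a route is needed" is a caveat to verify on the device with the routing table, not a diagnosis.

```python
"""Cross-check an ASA config excerpt for a port-forward: are objects named in
access-list and nat lines defined, and is the real host directly connected on
the interface the NAT rule names? Editor's added example, not code from the
post. Parses only the statement forms used in this thread (interface/nameif/ip
address, object network/host, twice NAT 'destination static <mapped> <real>',
object NAT inside an 'object network' block); '...' or a new top-level
statement ends a block. 'A route is needed' is a caveat, not a diagnosis.
"""
import ipaddress
import re


def parse_asa(text):
    """Return connected subnets by nameif, network objects, NAT rules, ACL object refs."""
    ifaces, cfg = {}, {"objects": {}, "nat": [], "acl_refs": []}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        if words[0] == "...":
            kind = None
        elif words[0] == "interface":
            kind, name = "interface", words[1]
            ifaces[name] = {}
        elif words[:2] == ["object", "network"]:
            kind, name = "object", words[2]
            cfg["objects"][name] = {}
        elif words[0] == "access-list":
            kind = None
            cfg["acl_refs"] += re.findall(r"\bobject (\S+)", line)
        elif words[0] in ("object", "access-group"):    # object service etc.: not needed here
            kind = None
        elif kind == "interface" and words[0] == "nameif":
            ifaces[name]["nameif"] = words[1]
        elif kind == "interface" and words[:2] == ["ip", "address"]:
            ifaces[name]["net"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif kind == "object" and words[0] == "host":
            cfg["objects"][name]["host"] = ipaddress.ip_address(words[1])
        elif words[0] == "nat":
            real_ifc, mapped_ifc = re.match(r"nat \(([^,]+),([^)]+)\)", line).groups()
            if kind == "object":      # object NAT: the enclosing object is the real host
                cfg["nat"].append({"real_ifc": real_ifc, "real_obj": name, "line": line})
            else:                     # inbound twice NAT: real destination is behind the 2nd interface
                m = re.search(r"destination static \S+ (\S+)", line)
                if m:
                    cfg["nat"].append({"real_ifc": mapped_ifc, "real_obj": m.group(1), "line": line})
    cfg["subnets"] = {v["nameif"]: v["net"] for v in ifaces.values() if "nameif" in v and "net" in v}
    return cfg


def check_port_forwards(text):
    """Return human-readable findings; an empty list means nothing to flag."""
    cfg, findings = parse_asa(text), []
    for ref in sorted(set(cfg["acl_refs"])):
        if ref not in cfg["objects"]:
            findings.append(f"access-list references object {ref}, which is not defined in this excerpt")
    for rule in cfg["nat"]:
        obj, net = cfg["objects"].get(rule["real_obj"]), cfg["subnets"].get(rule["real_ifc"])
        if obj is None or "host" not in obj:
            findings.append(f"nat rule references object {rule['real_obj']}, which is not defined in this excerpt")
        elif net is None:
            findings.append(f"nat rule names interface {rule['real_ifc']}, which has no ip address in this excerpt")
        elif obj["host"] not in net:
            findings.append(f"{rule['real_obj']} ({obj['host']}) is not directly connected on "
                            f"{rule['real_ifc']} ({net}); a route is needed")
    return findings


# Excerpts posted in the thread (interface blocks reduced to nameif and ip address).
POSTED_CONFIG = """\
interface GigabitEthernet0/0.50
nameif outside
ip address 50.50.50.50 255.255.255.0
interface GigabitEthernet0/2.20
nameif inside
ip address 10.10.20.80 255.255.255.0
interface GigabitEthernet0/2.30
nameif inside2
ip address 10.10.30.80 255.255.255.0
object network H_10.10.20.116
host 10.10.10.116
object network H_10.10.30.59
host 10.10.30.59
...
access-list from-outside extended permit tcp any object H_10.10.10.116 eq 8553
access-list from-outside extended permit tcp host 77.77.77.77 object H_10.10.30.59 eq 3389
nat (outside,inside) source static any interface destination static interface H_10.10.10.116 service tcp-8553-port tcp-8553-port
nat (outside,inside2) source static any interface destination static interface H_10.10.30.59 service outside-40389-port inside-3389-port
"""

# The object-NAT form suggested in the reply, with the same interfaces.
REPLY_CONFIG = POSTED_CONFIG.split("object network")[0] + """\
object network H_10.10.10.116
 host 10.10.10.116
 nat (inside,outside) static interface service tcp-8553-port tcp-8553-port
...
access-list from-outside extended permit tcp any object H_10.10.10.116 eq 8553
"""

if __name__ == "__main__":
    print(*check_port_forwards(POSTED_CONFIG), *check_port_forwards(REPLY_CONFIG), sep="\n")
```

On the posted excerpt the checker reports that `H_10.10.10.116` is referenced by the access-list and the 8553 NAT rule but the only object shown with host 10.10.10.116 is named `H_10.10.20.116`; on the reply's object-NAT form it reports that 10.10.10.116 is not in the connected subnet of `inside` (10.10.20.0/24). Whether either matters on the real device depends on the full object table and routing table, which the excerpt does not show.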
