Port forwarding with ASA

I'm stuck with my Cisco ASA config.

What I try to do is forward TCP port 8443 on my OUTSIDE interface (111.x.x.444) to the same port on an internal machine (INSIDE 192.168.0.230).

I've got a static NAT rule and applied an access-list to accept TCP traffic on port 8443 OUTSIDE.

After every change I do a "clear xlate" so that can not be the problem.

When I sniff packets on the INSIDE 192.168.0.230 machine I don't see any incoming packets on port 8443.

Also when I do a check with the packet-tracer the problem looks to be at the outside_access_in ACL because the packet is blocked at the "deny any any" rule.

What am I doing wrong?

8 Replies

h2odata_ab (Level 1)

I've got the exact same problem so I'll be watching this.

I get the following error:

ASA-3-71003: TCP Access denied by ACL from xxx.xxx.xxx.xxx/xxxx to outside xxx.xxx.xxx.xxx/6574

Are you getting the same?

Well, the strange thing is that I'm not getting an error in my log buffer.

But with the packet-tracer I see that it's blocked by my rule that is enabled to log.

m.sir (Level 7)

It looks like you have bad syntax in the STATIC command.

INSTEAD

static (outside,inside) tcp 192.168.0.230 8443 111.222.333.444 8443 netmask 255.255.255.255

USE

static (inside,outside) tcp 111.222.333.444 8443 192.168.0.230 8443 netmask 255.255.255.255

The ASA has a slightly non-logical syntax for the static command; it's:

static ( real_interface, mapped_interface) mapped_IP port real_IP port netmask

Check this link for more info

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f101.html#wp1182234

M.

Hope that helps, rate if it does.

Unfortunately that doesn't help.

First I had that syntax as m.sir said. I tried it again but without success.

I reconfigured my NAT rules:

1) no global (outside) 1 interface

2) no nat (inside) 0 access-list inside_nat0_outbound

3) no nat (inside) 1 192.168.0.0 255.255.255.0

4) no static (inside,outside) tcp 111.222.333.444 netmask 255.255.255.255

5) static (inside,outside) tcp 111.222.333.444 netmask 255.255.255.255

6) global (outside) 1 interface

7) nat (inside) 1 192.168.0.0 255.255.255.0

8) nat (inside) 0 access-list inside_nat0_outbound

9) clear xlate

Also without success

My ASA config

First, this is NOT the way the ASA is supposed to behave, in my opinion. There is a fast and easy workaround for it though.

When you port forward on the outside IP, the ASA should take the static command with the outside IP. The ASA does not. The ASA now requires you to use the keyword interface instead of the actual IP.

Your static command should look like this:

static (inside,outside) tcp interface 8443 192.168.0.230 8443 netmask 255.255.255.255

Please rate when this works for you :-)

Bryan

Great! It is working but strange that there is not much information about this.

I searched Google, this forum and the Cisco site.

One question... why the word "interface"?

How does the ASA know which interface you mean?

The ASA knows it's the outside interface because of the syntax of the static command.

static (inside,outside) OUTSIDE_IP INSIDE_IP netmask 255.255.255.255

Bryan
