Port forwarding with PAT on 5505

bellinom1
Level 1

Hey guys,

I'd like some help with port forwarding on a 5505 running 9.2(4) code.

I'm trying to forward requests on port 80 on my outside, ISP-provided IP to port 8000 on an internal server. Everything inside the ASA is PATing on the outside address.

Here is the relevant config:

object network SERVER_TO_FORWARD
  host 10.21.0.51

object network SERVER_TO_FORWARD
  nat (inside,outside) static interface service tcp www 8000

nat (inside,outside) after-auto source dynamic ALL_NETWORKS interface

access-list acl_OUTSIDE_IN extended permit tcp any object SERVER_TO_FORWARD eq www

From what I've read, here and other places, this should work. My issue is an ACL drop in the logs, like so:

Feb 18 2016 13:28:55: %ASA-3-710003: TCP access denied by ACL from SOME_OUTSIDE_IP/38152 to outside:MY_OUTSIDE_IP/80

Packet tracer looks fine, other than an RPF check fail because of using the SERVER_TO_FORWARD address. But it passes my ACL and my NAT entry.

Any suggestions?

Thanks.

Accepted Solution

Joel
Level 1

Hi Bellinom,

The NAT services are the wrong way round on the NAT statement. 8000 is the real port, whereas 80 (the mapped port) is what users in the outside world connect to, which translates to 8000.

object network SERVER_TO_FORWARD
  nat (inside,outside) static interface service tcp www 8000

Should be

object network SERVER_TO_FORWARD
  nat (inside,outside) static interface service tcp 8000 www

The ACL should have the real port, i.e. 8000; it appears you have port 80 (www).

access-list acl_OUTSIDE_IN extended permit tcp any object SERVER_TO_FORWARD eq 8000

Joel

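To show why both corrections in the accepted answer are needed, here is an added Python model (not code from the thread or from Cisco) of how an ASA running 8.3+ code handles an inbound connection to a static PAT: the NAT rule is untranslated first, and the interface ACL is then matched against the real (untranslated) address and port. The outside address is a constructed placeholder standing in for MY_OUTSIDE_IP; the internal host is the 10.21.0.51 from the question. Treating a packet that matches no NAT rule as to-the-box traffic, and hence as the "TCP access denied by ACL ... to outside:MY_OUTSIDE_IP/80" drop in the question's log, is this example's interpretation of that log line, not something the thread states.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the service keywords the ASA CLI accepts in place of port numbers.
SERVICE_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

# Constructed placeholder for the thread's MY_OUTSIDE_IP (TEST-NET-3, not a real host).
OUTSIDE_IP = "203.0.113.10"
# The SERVER_TO_FORWARD host from the question.
REAL_IP = "10.21.0.51"


def port(value: str) -> int:
    """Resolve an ASA service keyword ('www') or numeric string ('8000') to a port."""
    v = value.lower()
    return SERVICE_NAMES[v] if v in SERVICE_NAMES else int(v)


@dataclass
class StaticPat:
    """One 'nat (inside,outside) static interface service tcp REAL MAPPED' rule."""
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int

    def untranslate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (real_ip, real_port) if the packet hits the mapped side of this rule."""
        if dst_ip == self.mapped_ip and dst_port == self.mapped_port:
            return (self.real_ip, self.real_port)
        return None


def parse_static_pat(line: str, real_ip: str, interface_ip: str) -> StaticPat:
    """Parse the object-NAT line as written in the thread.

    Only the 'static interface service tcp' form is modelled; the first port
    after 'tcp' is the REAL port and the second is the MAPPED port, which is
    the ordering the accepted answer corrects.
    """
    tokens = line.split()
    if tokens[:4] != ["nat", "(inside,outside)", "static", "interface"]:
        raise ValueError(f"unsupported nat line: {line}")
    svc = tokens.index("service")
    if tokens[svc + 1] != "tcp":
        raise ValueError("only tcp services are handled in this model")
    return StaticPat(real_ip, interface_ip, port(tokens[svc + 2]), port(tokens[svc + 3]))


@dataclass
class Ace:
    """'access-list ... permit tcp any object SERVER_TO_FORWARD eq PORT' (real host, real port)."""
    real_ip: str
    port: int


def evaluate(rule: StaticPat, acl: List[Ace], dst_ip: str, dst_port: int) -> str:
    """Decide an inbound TCP connection the way the 8.3+ pipeline does."""
    real = rule.untranslate(dst_ip, dst_port)
    if real is None:
        # Nothing untranslates (mapped IP, mapped port): the packet is addressed to the
        # ASA's own outside interface and is dropped as to-the-box traffic (assumed here
        # to be the drop shown in the question's log).
        return "deny-to-box"
    real_ip, real_port = real
    # Post-8.3 the ACL sees the REAL destination, so it must permit the real port.
    for ace in acl:
        if ace.real_ip == real_ip and ace.port == real_port:
            return "permit"
    return "deny-acl"


def scenario(nat_line: str, acl_port: str) -> str:
    """Outcome for the question's test: an outside client connecting to MY_OUTSIDE_IP/80."""
    rule = parse_static_pat(nat_line, REAL_IP, OUTSIDE_IP)
    acl = [Ace(REAL_IP, port(acl_port))]
    return evaluate(rule, acl, OUTSIDE_IP, 80)


if __name__ == "__main__":
    # As posted: real 80 / mapped 8000, ACL eq www  -> deny-to-box
    print(scenario("nat (inside,outside) static interface service tcp www 8000", "www"))
    # NAT fixed but ACL still eq www               -> deny-acl
    print(scenario("nat (inside,outside) static interface service tcp 8000 www", "www"))
    # NAT and ACL both as in the accepted answer  -> permit
    print(scenario("nat (inside,outside) static interface service tcp 8000 www", "8000"))
```

The three scenarios separate the two mistakes: with the ports reversed no rule untranslates port 80 at all, so the packet never reaches the server's ACL entry; once the NAT is corrected the ACL still has to name the real port 8000, because on 8.3+ code the ACL is evaluated after untranslation.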

2 Replies


Thanks Joel, that was exactly the problem.
