Single Ports forwarding on ASA 5506x doesn't work

Zargham Haider
Level 1

Dear All,

I have an ASA 5506-X (Firepower) firewall. We have multiple public servers inside the network. I have configured the public servers in the firewall in the "PUBLIC SERVER" section against live IPs, and all are now accessible from outside on specific ports. The issue is: when I simply use NAT against only one object, say "Alpha_Server" (192.168.81.14), enable port forwarding on a specific TCP port like RDP 3389, bind it to the firewall's outside interface, and also enable an ACL rule on the outside interface, it doesn't work. According to the packet trace, the action is drop, "Config Implicit rule".

1. Is this due to the implicit rule or what? I think the implicit rule should not block the incoming request when I have an ACL permit for the specific port.

2. When I use the PUBLIC SERVER section it makes all desired ports accessible from outside, which means live IPs are OK. But when I want to save my live IP and use the outside interface IP instead, I can't do port forwarding.

Whenever I tried to contact the Alpha server from outside, there were not even any hit counts!

Any idea?

7 Replies

Ajay Saini
Level 7

Hello,

Port-forwarding should work with the outside interface as well, unless that port is already used somewhere else, like port 443 which is used for AnyConnect VPN or ASDM.

Please share the running config hiding the sensitive data and the packet-tracer output.

Regards,

AJ

Hi AJ,

Sorry for the late reply.

I am attaching JPEGs of ASDM for your review.

Hello,

I am not an expert on ASDM, I am more of a CLI fan.

Can you confirm whether you are using the 'interface' keyword in the NAT statement for the outside interface, rather than creating an object with the outside interface IP address?

Also, the access-list should have the real server IP address as its destination rather than the outside interface IP.

From the CLI, can you please attach the output of NAT, packet-tracer and the specific access-list, masking the public IP addresses.

-

HTH
AJ

Hi AJ,

Please check the required info below.

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Result of: sh nat

 

Manual NAT Policies (Section 1)

1 (inside) to (outside) source dynamic any interface  dns

    translate_hits = 5770746, untranslate_hits = 776656

2 (Winside) to (inside) source dynamic any interface  dns

    translate_hits = 23196, untranslate_hits = 264

 

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static Server_1

    translate_hits = 0, untranslate_hits = 80182

2 (inside) to (outside) source static Server_Alpha interface  service tcp 3389 3389

    translate_hits = 0, untranslate_hits = 0

3 (inside) to (outside) source static Server_2

    translate_hits = 0, untranslate_hits = 216110

4 (inside) to (outside) source Server_3

    translate_hits = 0, untranslate_hits = 79382

5 (inside) to (outside) source static Server_4

    translate_hits = 0, untranslate_hits = 903587

6 (inside) to (outside) source static ServerManager_81.199 interface  service tcp 8221 8221

 

Result of: sh run | inc nat

 

nat (inside,outside) source dynamic any interface dns

nat (Winside,inside) source dynamic any interface dns

 nat (inside,outside) static interface service tcp 3389 3389

 nat (inside,outside) static Server_2

 nat (inside,outside) static Server_3

 nat (inside,outside) static Server_1

 nat (inside,outside) static Server_4

 nat (inside,outside) static interface service tcp 8221 8221

 

 

Result of: sh access-list outside_access_Out

access-list outside_access_Out line 1 extended permit tcp any interface outside eq 8221 (hitcnt=0) 0xd452a422

 

Result of Packet Tracer:

FW# packet-tracer input outside tcp 8.8.8.8 8221 x.x.x.x 8221

 

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

 

Phase: 2

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop x.x.x.x using egress ifc  identity

 

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

 

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

 

FW#

Please feel free to ask for any other information regarding this.

Hello,

In the ACL, we need to allow traffic to the real server IP address and not the mapped IP address. The ACL should look like:

access-list outside_access_Out line 1 extended permit tcp any host <real_server_ip> eq 8221

This behavior changed post 8.3. Please try and confirm.

Regards,

AJ

Hi AJ, 

You are right: if I had a spare live IP then I could use it and it would all be OK. I am already using a live server IP for port 8221, but it causes one of my servers to go offline and I can't use it for more than a day or two. In the current scenario I don't have a spare IP and I want to use the outside IP (PATing); that is why I am using interface outside in the ACL. Now, when I use the outside interface IP, it gets blocked by the implicit deny rule. One more thing: I have recently changed/upgraded from an ASA 5510 to an ASA 5506-X. I think the previous ASA 5510 was superb (except for the RAM issue), and I had this working scenario there, but on the ASA 5506-X with the same configuration pattern I couldn't do it. As per your suggestion, I reconfigured the ACL but it is still getting blocked at the same level.

Hello,

I just lost you there. You don't need a separate public IP; you can still use the outside interface IP address for NAT. Only on the access-list do you need to specify the real server IP address and port to allow the traffic, and not the mapped IP, which in your case is the outside interface.

The ASA 5510 might be running 8.2 code, which has a different way of handling NAT and access-lists. If you can paste the running-config and the output of packet-tracer, I can have a look.

This is a common scenario and should work.

HTH

AJ
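The form AJ describes, as an added example (not configuration from this thread or from Cisco): an 8.3+ static PAT of TCP/3389 to the outside interface address, with the inbound ACL written against the real server rather than the mapped address. The object name Server_Alpha, the real address 192.168.81.14, the interface names and the ACL name are taken from the thread; the placeholder <outside_ip> and the documentation-range source 203.0.113.10 used in the trace are assumed.

```cisco
! Added example, not the thread's own configuration.
! Object name and real IP come from the thread; the rest is assumed.

object network Server_Alpha
 host 192.168.81.14
 ! Map <outside_ip>:3389 -> 192.168.81.14:3389 (Auto NAT, shown under
 ! "Auto NAT Policies (Section 2)" in show nat). Requires that no other
 ! feature on the ASA already listens on tcp/3389 on the outside interface.
 nat (inside,outside) static interface service tcp 3389 3389
!
! WRONG on 8.3+ (drops with "Implicit Rule", hitcnt stays 0): the ACL is
! evaluated after un-NAT, so the destination is already the real IP and a
! line written against the outside interface address never matches.
! access-list outside_access_Out extended permit tcp any interface outside eq 3389
!
! RIGHT: permit to the real server address (object form; "host 192.168.81.14"
! is equivalent). Nothing else is opened.
access-list outside_access_Out extended permit tcp any object Server_Alpha eq 3389
access-group outside_access_Out in interface outside
!
! Verification, from EXEC mode (<outside_ip> is a placeholder):
!   show nat detail                       -> untranslate_hits should climb
!   show access-list outside_access_Out   -> hitcnt should climb
!   packet-tracer input outside tcp 203.0.113.10 40000 <outside_ip> 3389
!   The trace should show an UN-NAT phase before the ACCESS-LIST phase,
!   and the final ACCESS-LIST phase should reference outside_access_Out,
!   not "Implicit Rule".
```

Two checks before blaming the ACL: in the output posted above, the Server_Alpha rule shows untranslate_hits = 0 and the packet-tracer phases contain no UN-NAT step, so the static rule itself was not matching that trace; show nat detail will confirm whether the packet-tracer destination is the interface address the rule was built on. And, as noted earlier in the thread, a port already claimed on the outside interface (443 for ASDM/AnyConnect, for example) cannot be forwarded with interface PAT.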
