07-26-2016 09:12 AM - edited 03-12-2019 01:03 AM
Hi,
We have one ASA 5505 version 9.1(5) and we need to open TCP port 55055 on the firewall, redirecting to TCP port 80 on the QNAP Viostor, IP 192.168.11.254.
I have added one object network in this way:
Object network Viostor
host 192.168.11.54
description QNAP_Viostor
nat rule:
nat (inside,outside) static interface service tcp 80 55055
Firewall rule:
access-list outside_access_in line 8 remark Viostor
access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055
When I try to connect with the Android app Vmobile, I see this notification in the ASA log:
TCP request discarded from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055
The ASA does not have UDP server that services the UDP request
I don't understand why UDP instead of TCP.
Please help me!
Thanks
08-05-2016 08:59 AM
The traffic is TCP.
I need to connect to my QNAP Viostor with the android/iOS app.
So the traffic is only TCP.
That's why I'm a little confused about the message "The ASA does not have UDP server that services the UDP request".
08-05-2016 09:05 AM
Please share the complete syslog message.
08-07-2016 11:56 PM
Can you give me the correct way to do this?
08-09-2016 09:43 AM
Hello,
Before proceeding to a different step, I have a catch again. Checking the first messages of this thread, you confirmed that the host is 192.168.11.254, not 192.168.11.54, and the packet-tracer results show (in phase 2 and phase 9) that it is translating to the IP 192.168.11.54 instead; so please make sure the host value for that object is correct. Once corrected, please go ahead and try your connection again and let me know the results.
08-10-2016 03:47 AM
Man you are the greatest supermaxihero of the universe!
My mistake, the network-object was wrong.
Fixed with the correct IP and everything works!
Thank you!!
08-10-2016 10:21 AM
Hey! I am so glad it is now working as you expect! Anytime you need assistance, feel free to open a thread here :)
Please rate and endorse the answers :)
Thanks and enjoy!
08-02-2016 10:46 AM
Ahmed,
The packet flow on versions 8.2 and earlier checks the ACL first and then the NAT statement. On ASA version 8.3 and later, NAT is checked first, then the ACL; this is the reason why, on 8.3 and later versions, we now use the real IP and port in the ACLs.
Take a look at this post to review this, it is very helpful: https://supportforums.cisco.com/document/48646/asa-83-upgrade-what-you-need-know
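As an added example (not code from the thread or from Cisco), here is a small Python check over the posted lines that flags the two points raised in the replies: an object host that differs from the intended server address, and an ACL entry that matches the mapped port instead of the real port, as ASA 8.3 and later expect. The function names, the `intended_hosts` argument and the running-config style layout of the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the thread's posted lines, laid out as in a running-config.
POSTED_CONFIG = """\
object network Viostor
 host 192.168.11.54
 description QNAP_Viostor
 nat (inside,outside) static interface service tcp 80 55055
access-list outside_access_in line 8 remark Viostor
access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055
"""

PORT_NAMES = {"www": "80", "https": "443"}  # partial alias map, enough for this sample
ACL_RE = re.compile(
    r"^access-list \S+ (?:line \d+ )?extended permit tcp any object (\S+) eq (\S+)")

def parse_objects(config):
    """Return {object name: {"host", "real", "mapped"}} for object NAT entries."""
    objects, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 3 and words[:2] == ["object", "network"]:
            current = objects.setdefault(words[2], {})
        elif current is not None and words and line[0].isspace():
            if words[0] == "host":
                current["host"] = words[1]
            elif words[0] == "nat" and "service" in words:
                i = words.index("service")  # service <proto> <real> <mapped>
                current["real"] = PORT_NAMES.get(words[i + 2], words[i + 2])
                current["mapped"] = PORT_NAMES.get(words[i + 3], words[i + 3])
        else:
            current = None
    return objects

def audit(config, intended_hosts):
    """Flag object hosts that differ from the intended IP and ACLs not using the real port."""
    objects, findings = parse_objects(config), []
    for name, obj in objects.items():
        want = intended_hosts.get(name)
        if want and obj.get("host") != want:
            findings.append(f"object {name}: host {obj.get('host')}, intended {want}")
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and "real" in objects.get(m.group(1), {}):
            port = PORT_NAMES.get(m.group(2), m.group(2))
            real = objects[m.group(1)]["real"]
            if port != real:
                findings.append(f"ACL for {m.group(1)}: eq {port}, real port is {real}")
    return findings
```

Calling `audit(POSTED_CONFIG, {"Viostor": "192.168.11.254"})` reports both the host mismatch and the ACL port; it returns an empty list once the host is 192.168.11.254 and the ACL uses `eq 80`.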
08-10-2016 03:46 AM
semi-cleaned conf