
Unable to port forward 80 from outside to inside using NAT in 5506-X FTD 6.2.2 using manager

jeba1521
Level 1

I am trying to port forward 80 and 443 to host a website. ASA 5506-X is used as firewall. I was able to configure in ASDM in previous versions, but unable to do the same in the new 6.2.2 FTD image. The traffic doesn't seem to flow. Have created static NAT from outside to inside interface with outside interface IP as source and server IP from internal network as destination with http-8080 port. Can someone suggest what is wrong with my configuration?

(www.piems4u.com, a personal income expense Management system)

Accepted Solution

Your ACL is not correct. You are specifying that the source port should also be tcp/8080. Source port is almost always a random high number unless it is manually manipulated by the source user. So your ACL should look like this:

outside_zone  Any  Any  Inside_zone  Management_S...  http-8080  Any  Any  Any

This is assuming that the server on the inside is listening on port tcp/8080 as it suggests in your NAT statement. If the server is listening on port tcp/80 and you want to access it using port tcp/8080 then you need to change both NAT and ACL.

--
Please remember to select a correct answer and rate helpful posts
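
The mismatch described in the accepted solution, as an added example that is not part of the original thread and not Cisco code: a simplified first-match rule evaluator run over constructed connections. It reads the first six columns of the quoted row as source zone, network, port and destination zone, network, port (an assumption, the thread gives no headers); the addresses, rule names and function names are hypothetical.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

ANY = "Any"  # wildcard, as written in the rule row quoted in the answer
SERVER = "10.0.0.10"  # constructed inside server address (assumption)

class Conn(NamedTuple):
    src_zone: str
    src_ip: str
    src_port: int
    dst_zone: str
    dst_ip: str
    dst_port: int

class Rule(NamedTuple):
    name: str
    src_zone: str
    src_net: str
    src_port: object  # ANY or an int port
    dst_zone: str
    dst_net: str
    dst_port: object  # ANY or an int port

def mismatch(rule: Rule, c: Conn) -> Optional[str]:
    """Return the first rule field the connection fails to match, or None."""
    checks = [
        ("src_zone", rule.src_zone in (ANY, c.src_zone)),
        ("src_net", rule.src_net == ANY or ip_address(c.src_ip) in ip_network(rule.src_net)),
        ("src_port", rule.src_port in (ANY, c.src_port)),
        ("dst_zone", rule.dst_zone in (ANY, c.dst_zone)),
        ("dst_net", rule.dst_net == ANY or ip_address(c.dst_ip) in ip_network(rule.dst_net)),
        ("dst_port", rule.dst_port in (ANY, c.dst_port)),
    ]
    return next((field for field, ok in checks if not ok), None)

def evaluate(rules, c):
    """First matching rule allows; otherwise default deny, with the reason per rule."""
    reasons = {}
    for r in rules:
        if (why := mismatch(r, c)) is None:
            return "allow", r.name, reasons
        reasons[r.name] = why
    return "deny", None, reasons

AS_POSTED = [Rule("as_posted", "outside_zone", ANY, 8080, "Inside_zone", SERVER + "/32", 8080)]
CORRECTED = [Rule("corrected", "outside_zone", ANY, ANY, "Inside_zone", SERVER + "/32", 8080)]

def browser(src_port, dst_port=8080):  # constructed Internet client -> server
    return Conn("outside_zone", "198.51.100.7", src_port, "Inside_zone", SERVER, dst_port)
```

`evaluate(AS_POSTED, browser(51514))` returns a deny naming `src_port` as the unmatched field, while `CORRECTED` allows the same connection and still denies anything not addressed to tcp/8080.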


5 Replies

Hello @jeba1521

Original Packet should come with Any IP address and Any port as source.

Destination address Outside-interface and Destination port 80.

Translated Packet should be Management as source address and Source port as 80.

Destination address the Web server and destination port 8080.

-If I helped you somehow, please, rate it as useful.-

Hi Flavio Miranda,
This is a test server and the URL for request will be http://www.piems4u.com:8080/mfa/faces/index.xhtml. Hence port translation from 80 to 8080 is not required. I have recreated it as automatic static NAT and I have attached the screenshot. Still it's not working.
In older ASDM, the reverse NAT was automatically created. But in new FTD image, as it was not created, I have created one as well. Still it's not working.

Thanks and Regards

Jeba J

First off I would suggest doing static NAT with the source being inside and destination outside. Not that what you are doing won't work, it will, just easier to read and a better practice.

Have you created an ACP entry for the NAT rule? Could you post the configuration?


Hi Marius Gunnerud
As the request comes from the outside world, I have set from outside to inside. Also I have attached the ACL that I have created, for both directions.

Thanks and Regards

Jeba J
