ASA5555-x cannot get traffic to pass through port forwarding

Semi-amateur
Level 1

I'm trying to forward wan interface port 9982 to internal ip 192.168.1.20 port 9982 but I get packet drop: "Flow is denied by configured rule".

I tried to set the following config:

!
object network SERVER
 host 192.168.1.20
!
object service SERVICE_TCP_9982
 service tcp source eq 9982
!
nat (lan,wan) source static SERVER interface service SERVICE_TCP_9982 SERVICE_TCP_9982
access-list ALLOW_SERVER line 1 extended permit tcp any object SERVER eq 9982

This does not work for some reason and when checking with

capture DROP type asp-drop all buffer 500000 match tcp host any host 192.168.1.20 eq 9982

I get a list full of:

external_ip.13101 > wan_ip.9982: S 4229306080:4229306080(0) win 62727 <mss 1318,sackOK,timestamp 967884582 0,nop,wscale 7> Drop-reason: (acl-drop) Flow is denied by configured rule

What am I doing wrong?

6 Replies

object network SERVER
 192.168.1.20

I think you need to specify host in object network.

Note: did you configure access-group on the WAN interface?

For some reason I dropped that out while copying; the host entry is correct, updated the original post.

No, I have not configured any access-group on wan interface, I'm trying to follow tutorials and those that I found did not include any such stuff.

For ASA you need to use access-group applied to the WAN interface to allow traffic to pass through the firewall.
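
The condition this reply describes, an ACL that is defined but never applied with access-group, can be checked offline against a saved configuration. The following is an added example, not part of the original thread: the sample config is reconstructed from the question, the function names are hypothetical, and the sketch assumes the standard `access-group <acl> in interface <name>` form.

```python
import re

# Constructed sample: the configuration posted in the question, laid out as a
# saved config. It defines ALLOW_SERVER but has no access-group line.
SAMPLE_CONFIG = """\
object network SERVER
 host 192.168.1.20
object service SERVICE_TCP_9982
 service tcp source eq 9982
nat (lan,wan) source static SERVER interface service SERVICE_TCP_9982 SERVICE_TCP_9982
access-list ALLOW_SERVER line 1 extended permit tcp any object SERVER eq 9982
"""

# access-list <name> ...
ACL_RE = re.compile(r"^access-list\s+(\S+)\s", re.M)
# access-group <name> {in|out} interface <ifname> | access-group <name> global
GROUP_RE = re.compile(
    r"^access-group\s+(\S+)\s+(?:(in|out)\s+interface\s+(\S+)|(global)\b)", re.M
)


def acl_bindings(config):
    """Map each ACL name to the places an access-group applies it."""
    bindings = {name: [] for name in ACL_RE.findall(config)}
    for acl, direction, ifname, is_global in GROUP_RE.findall(config):
        where = "global" if is_global else f"{direction} {ifname}"
        bindings.setdefault(acl, []).append(where)
    return bindings


def unbound_acls(config):
    """ACLs defined but never applied with access-group.

    An ACL may still be referenced by other features (for example VPN or
    class-map statements), so a hit is a prompt to review, not proof of error.
    """
    return sorted(name for name, where in acl_bindings(config).items() if not where)


def inbound_acl(config, ifname):
    """Name of the ACL filtering traffic entering ifname, or None."""
    for acl, where in acl_bindings(config).items():
        if f"in {ifname}" in where:
            return acl
    return None


if __name__ == "__main__":
    print("unbound:", unbound_acls(SAMPLE_CONFIG))
    print("inbound ACL on wan:", inbound_acl(SAMPLE_CONFIG, "wan"))
```
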

Semi-amateur
Level 1

Also, sh nat shows a bunch of untranslate_hits but zero translate_hits.

Packet tracer input output tcp <any ip outside subnet> 1234 192.168.1.20 9982 detail 

Check what makes the packet drop.
