05-08-2014 03:14 PM - edited 03-04-2019 10:57 PM
OK, I have an ASA 5515, 8.6(1)5.
ASDM 7.1(5)
I am trying to re-forward some ports.
I clicked or did something wrong and now my forward on port 8082 is not working anymore.
I am trying to do this with the ASDM.
I have 2 simple web servers for users to access. One is on port 8080 and the other is on 8082. I created an object for each and then created an access rule for each.
The only differences between the 2 are:
a. the internal IP
b. the port
Internally I can go to 192.168.x.x:8080 and it works. I can also go to 192.168.x.x:8082 and it works.
Externally, I can view 8080 without any issues. But I cannot see 8082 at all. This is driving me nuts.
05-08-2014 04:11 PM
Copy and paste the related configuration for both NAT and ACL before anyone can provide you with any help.
Just double-check that you have created a hole in your ACL for port 8082.
Manish
05-08-2014 04:49 PM
: Saved
:
ASA Version 8.6(1)5
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 98.172.XXX.XXX 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.0.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
no ip address
management-only
!
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.0.190
host 192.168.0.190
object network 192.168.0.4
host 192.168.0.4
object network 192.168.0.5
host 192.168.0.5
object network 192.168.0.213
host 192.168.0.213
object network inside-network
subnet 192.168.0.0 255.255.0.0
object network 192.168.0.190-2001
host 192.168.0.190
object network 192.168.0.4-1723
host 192.168.0.4
object network 192.168.0.5-rdp
host 192.168.0.5
object network 192.168.0.213-http
host 192.168.0.213
object network insideclient
subnet 192.168.1.0 255.255.255.0
object network SpiceworksServer
host 192.168.0.4
description Spiceworks Server
object network 192.168.0.5-https
host 192.168.0.5
description SSL On AgmServer
object network 192.168.0.13smtp
host 192.168.0.13
description Barracuda SPAM Filter
object network 192.168.0.5smtp
host 192.168.0.5
description AGM Server SMTP
object network STATIC-PAT
object network FacilitiesSpiceworks
host 192.168.0.132
description FacilitiesSpiceworks
object-group network DM_INLINE_NETWORK_1
network-object object 192.168.0.13smtp
network-object object 192.168.0.5smtp
object-group service SpiceWorks tcp
description Spiceworks
port-object eq 8080
object-group service SpiceworksFacilities tcp
description Spiceworks for Facilities
port-object eq 8082
access-list outside_access_in extended permit tcp any object 192.168.0.5-rdp eq 3389
access-list outside_access_in extended permit tcp any object 192.168.0.213 eq www
access-list outside_access_in extended permit tcp any object 192.168.0.190 eq 2001
access-list outside_access_in extended permit tcp any object 192.168.0.4 eq pptp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any object SpiceworksServer object-group SpiceWorks
access-list outside_access_in extended permit tcp any object 192.168.0.5-https eq https
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp
access-list outside_access_in extended permit tcp any object FacilitiesSpiceworks object-group SpiceworksFacilities
access-list insideclient_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideclient_access_in extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool AnyConnect 192.168.3.0-192.168.3.255 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network 192.168.0.5
nat (any,outside) static interface
object network inside-network
nat (inside,outside) dynamic interface
object network 192.168.0.190-2001
nat (inside,outside) static interface service tcp 2001 2001
object network 192.168.0.4-1723
nat (inside,outside) static interface service tcp pptp pptp
object network 192.168.0.5-rdp
nat (inside,outside) static interface service tcp 3389 3389
object network 192.168.0.213-http
nat (inside,outside) static interface service tcp www www
object network SpiceworksServer
nat (inside,outside) static interface service tcp 8080 8080
object network 192.168.0.5-https
nat (any,outside) static interface
object network 192.168.0.13smtp
nat (any,outside) static interface service tcp smtp smtp
object network 192.168.0.5smtp
nat (any,outside) static interface service tcp smtp smtp
object network FacilitiesSpiceworks
nat (inside,outside) static interface service tcp 8082 8082
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 98.172.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crl configure
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcprelay server 192.168.0.2 inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.113.32.5 source outside
ntp server 64.236.96.53 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 192.168.0.2
vpn-tunnel-protocol ikev2 ssl-client
default-domain value mydomain.com
webvpn
anyconnect profiles value AnyConnect_client_profile type user
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool AnyConnect
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
ips inline fail-open sensor vs0
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
: end
05-08-2014 05:29 PM
I don't see anything wrong in your configuration. Would you PM me your public IP so I can check/nmap from my location whether I can reach it and what ports are open on it?
object network SpiceworksServer
host 192.168.0.4
description Spiceworks Server
object network FacilitiesSpiceworks
host 192.168.0.132
description FacilitiesSpiceworks
object network SpiceworksServer
nat (inside,outside) static interface service tcp 8080 8080
object network FacilitiesSpiceworks
nat (inside,outside) static interface service tcp 8082 8082
access-list outside_access_in extended permit tcp any object SpiceworksServer object-group SpiceWorks
access-list outside_access_in extended permit tcp any object FacilitiesSpiceworks object-group SpiceworksFacilities
access-group outside_access_in in interface outside
Your NAT & ACL are configured correctly; just double-check whether you fat-fingered the IP or port. :-)
Thanks
Manish
05-09-2014 08:55 AM
I am sorry, but I am new to these forums; how the heck do I PM someone? I went to your profile and there is no option to do so.
05-09-2014 09:15 AM
Send it to techmediaexperts at gmail.
Manish
05-09-2014 09:45 AM
I don't see 8082 open on the firewall, which is strange, since you have the configuration present on the ASA and you said internally it works just fine. I would suggest you remove and reapply the configuration related to the 192.168.0.132 IP on the CLI one more time.
Here's the Nmap result from an external network:
[root@TM-VLX-137 ~]# nmap -sS -P0 X.X.X.X
Starting Nmap 5.51 ( http://nmap.org ) at 2014-05-09 09:31 PDT
Failed to find device eth0 which was referenced in /proc/net/route
Nmap scan report for ws-X-X-X-X (X.X.X.X)
Host is up (0.031s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE
25/tcp   open   smtp
443/tcp  open   https
1723/tcp closed pptp
3389/tcp open   ms-term-serv
8080/tcp open   http-proxy
Nmap done: 1 IP address (1 host up) scanned in 4.79 seconds
#no access-list outside_access_in extended permit tcp any object FacilitiesSpiceworks object-group SpiceworksFacilities
#no nat (inside,outside) static interface service tcp 8082 8082
#no object network FacilitiesSpiceworks
and then reapply:
#object network FacilitiesSpiceworks
#host 192.168.0.132
#nat (any,outside) static interface service tcp 8082 8082
#access-list outside_access_in extended permit tcp any object FacilitiesSpiceworks eq 8082
Manish
05-09-2014 09:55 AM
Thanks for your help, Manish. I re-applied the settings and it still doesn't work.
I use my home IP to connect and I found an error in the syslog that might help.
"Deny tcp src outside:myhomip/50193 dst inside:192.168.0.5/8082 by access-group "outside_access_in" [0x0, 0x0]."
It seems like it is trying to go to 0.5 instead of 0.132. Is there a cache or something I can clear to get this flushed out?
05-09-2014 10:10 AM
Can you please post the output of "show nat detail"? Also, you can use "clear xlate" to clear old NAT translations, but be careful with that; it might drop and re-establish connections for users as well.
Manish
05-09-2014 10:23 AM
Please also run the following command and copy and paste the output:
#packet-tracer input outside tcp SOURCE_IP 1234 YOUR_IP 8082
Manish
05-09-2014 10:32 AM
OK, the problem is with the order of the NAT statements in this new version of the Cisco ASA IOS. I will send you the email reply from my personal email on how to fix it.
For other people with the same problem, please refer to:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html#anc6
Manish
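The thread ends with "the order of the NAT statements" and an emailed fix, so the mechanism never gets spelled out on the page. The following is an added example written for this page, not code from the thread or from Cisco: a small Python model of how the ASA orders section 2 (network object) NAT rules and what that does to the posted configuration. The ordering it implements is the one Cisco documents for object NAT (static rules before dynamic; fewer real addresses first; then lower real IP first; then object name alphabetically; first match wins). The rule table and the TCP entries of outside_access_in are transcribed from the posted config; OUTSIDE_IF is a placeholder for the redacted 98.172.x.x interface address, and reducing the ACL to (host, port) pairs is a simplification for the model. The point it shows: `object network 192.168.0.5` / `nat (any,outside) static interface` has no `service` clause, so it is a static for every port of 192.168.0.5, and because 192.168.0.5 sorts before 192.168.0.132 it captures inbound 8082 before the FacilitiesSpiceworks rule is ever consulted. The ACL then has no permit for 192.168.0.5:8082, which is exactly the "Deny tcp ... dst inside:192.168.0.5/8082 by access-group outside_access_in" syslog line.

```python
"""Added example (not from the thread): model of ASA section-2 NAT ordering.

Ordering per Cisco's object NAT documentation: static before dynamic,
fewer real addresses first, lower real IP first, then object name.
Lookup is first match. Rules and ACL are transcribed from the posted
config; OUTSIDE_IF stands in for the redacted outside interface address.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

OUTSIDE_IF = "outside-interface"   # placeholder for the redacted 98.172.x.x address


@dataclass(frozen=True)
class ObjectNat:
    name: str                    # network object name
    real: str                    # real (inside) host or subnet
    static: bool                 # True = static, False = dynamic
    port: Optional[int] = None   # 'service tcp P P' port; None = every port
    mapped: str = OUTSIDE_IF     # every posted rule maps to 'interface'


def asa_sort_key(rule: ObjectNat):
    net = ip_network(rule.real, strict=False)
    return (0 if rule.static else 1,     # static before dynamic
            net.num_addresses,           # fewer real addresses first
            int(net.network_address),    # lower real IP first
            rule.name)                   # then object name, alphabetically


def order_rules(rules):
    """Return the rules in the order the ASA evaluates them in section 2."""
    return sorted(rules, key=asa_sort_key)


def untranslate(rules, mapped_ip: str, port: int) -> Optional[str]:
    """Real host chosen for an inbound TCP packet to mapped_ip:port (first match)."""
    for r in order_rules(rules):
        if not r.static or r.mapped != mapped_ip:
            continue
        if r.port is None or r.port == port:
            return r.real
    return None


def decide(rules, acl, mapped_ip: str, port: int) -> str:
    """'permit <real>' if the untranslated flow hits a permit in the interface ACL,
    'deny <real>' otherwise (the ACL is checked against the real address)."""
    real = untranslate(rules, mapped_ip, port)
    if real is None:
        return "no-nat"
    permitted = any(real == host and port == p for host, p in acl)
    return f"{'permit' if permitted else 'deny'} {real}"


# Section-2 rules exactly as posted (object name, real address, static?, port).
POSTED_NAT = [
    ObjectNat("192.168.0.5", "192.168.0.5", True),              # no 'service': all ports
    ObjectNat("inside-network", "192.168.0.0/16", False),       # dynamic PAT, outbound only
    ObjectNat("192.168.0.190-2001", "192.168.0.190", True, 2001),
    ObjectNat("192.168.0.4-1723", "192.168.0.4", True, 1723),
    ObjectNat("192.168.0.5-rdp", "192.168.0.5", True, 3389),
    ObjectNat("192.168.0.213-http", "192.168.0.213", True, 80),
    ObjectNat("SpiceworksServer", "192.168.0.4", True, 8080),
    ObjectNat("192.168.0.5-https", "192.168.0.5", True),        # second all-port static for .5
    ObjectNat("192.168.0.13smtp", "192.168.0.13", True, 25),
    ObjectNat("192.168.0.5smtp", "192.168.0.5", True, 25),
    ObjectNat("FacilitiesSpiceworks", "192.168.0.132", True, 8082),
]

# TCP entries of outside_access_in as (real host, port); ICMP entry omitted.
POSTED_ACL = [
    ("192.168.0.5", 3389), ("192.168.0.213", 80), ("192.168.0.190", 2001),
    ("192.168.0.4", 1723), ("192.168.0.4", 8080), ("192.168.0.5", 443),
    ("192.168.0.13", 25), ("192.168.0.5", 25), ("192.168.0.132", 8082),
]


def without_catch_all(rules):
    """Same table minus the two port-less statics for 192.168.0.5, to show that
    only those rules shadow the port forwards of higher-numbered hosts."""
    return [r for r in rules if not (r.real == "192.168.0.5" and r.port is None)]


if __name__ == "__main__":
    print("evaluation order:", [r.name for r in order_rules(POSTED_NAT)])
    for port in (80, 443, 1723, 2001, 3389, 8080, 8082):
        print(f"{port:>5}: posted -> {decide(POSTED_NAT, POSTED_ACL, OUTSIDE_IF, port):<22}"
              f" without catch-all -> {decide(without_catch_all(POSTED_NAT), POSTED_ACL, OUTSIDE_IF, port)}")
```

Run as-is, the model sends 8080 to 192.168.0.4 (the .4 rules sort ahead of .5) but 8082, 80 and 2001 to 192.168.0.5, where the ACL denies them; that is consistent with the external Nmap result in the thread, which lists 8080 as open and shows neither 80, 2001 nor 8082. Dropping the two port-less statics makes 8082 resolve to 192.168.0.132 and 80 to 192.168.0.213. The thread does not record the emailed fix; the standard ASA options are to restrict the 192.168.0.5 statics to the ports the host actually serves (as the -rdp, -https-equivalent and smtp objects already do) or to move the broad rule out of section 2 into a manual NAT rule placed after the object rules. Either way, a `static interface` with no `service` clause means every port of that host is reachable from the outside as soon as the interface ACL permits it, so it deserves a second look on its own, independent of the 8082 problem.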