
Cannot get Port Forwarding to Work on ASA 5506

TyraMara
Level 1

I have an older model ASA 5506 that I'm trying to get port forwarding working on.

I'm connecting to the 5506 via ASDM 7.10, which I know is a bit old, but that's what we have, at the moment.


Under Firewall > Access Rules > Outside I have the following setup; line 17 is the one that I'm trying to get working but cannot. What am I missing? Note that I am hitting the "apply" button after I put the rule in. The fact that there are zero "hits" tells me that the firewall isn't allowing this rule for some reason.

[Screenshot: 2022-06-16 20_07_07-Window.png]

8 Replies

Do a packet-tracer using the same source and destination and see if it hits any ACL before this ACL.

balaji.bandi
Hall of Fame

What ASA code is it running? On some old ASA versions the hit count is not as stable as on new versions, so I would not rely on those hit counts.


I would open a Real-time Monitor and test it to see whether that request is coming in. Make sure you have the NAT (port forwarding) and the ACL in place to allow the required destination.


Some examples:


https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

https://www.petenetlive.com/KB/Article/0000077


BB


TyraMara
Level 1

I'm new to this system, so I may not know what to look for.


@MHM Cisco World ,


I've never worked with Packet Tracer before. Looking at this tool, it seems to identify how a packet will travel given an established set of criteria.

So this is what I did for my test:

  • I turned on this rule:

[Screenshot: Answer 1-2022-06-17 15_59_10-Window.png]

Then I started an instance of Packet Tracer and ran it as noted. The IP address here is the TS server.

[Screenshot: Answer-2-2022-06-17 16_19_07-Window.png]

So, here we have a failure, it can't get to that port for some reason.

Changing the source to be my remote home office and keeping the destination as the location for the TS server, I get the following results:

[Screenshot: Answer-3-2022-06-17 16_22_38-Window.png]

Looking at the NAT rules after clicking on the link, the 7th rule was highlighted.

[Screenshot: Answer-4-2022-06-17 16_39_31-Window.png]

I'm not sure what it is about that rule that would cause a denial here.

TyraMara
Level 1

@MHM Cisco World, I don't think I understand what you're saying. If I'm reading you correctly, the packet tracer didn't work correctly because I didn't configure the ports correctly? I don't think I'm correct, but I'm not sure what else to think here.

Would you clarify for me, please?

From the packet-tracer, the rpf-check makes the packet drop. What is rpf-check?
It checks the NAT of the inbound packet against the NAT of the outbound packet.

So have you configured static PAT for this server?

@MHM Cisco World ,

OK, I think I understand a little bit better.  Basically, I've configured the inbound leg so that traffic from any IP on port 3389 should hit my TS server, but I don't have that set up on the outbound leg?


Regarding static PAT:

I have a section in the router's UI called "Public Servers." The TS server is not defined here. So what I just now did is that I added this server in Firewall > Public Servers. I set this as follows. Note that if I click "Specify Public Service if different from Private Service" (this will enable the static PAT), I CANNOT add RDP as the public service.


I cannot add a public server because the IP address that we need to use for RDP is the same as the public interface address.  The UI balks at me when I try to do this:

[Screenshot: 2022-06-17 21_19_25-Window-Answer-1.png]

[Screenshot: 2022-06-17 21_20_59-Window-Answer-2.png]

Not sure if this is relevant right off, but I see in Firewall > Objects > Service Objects/Groups that there are a couple of objects that might be relevant to our situation:

[Screenshot: 2022-06-17 21_24_03-Window-Answer-3.png]

So, I think the answer to your question is no.  I do not have static PAT for this server, and the UI won't allow me to set this up.
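For reference, this is what the static PAT that MHM asks about, together with the matching inbound ACL and the packet-tracer check balaji.bandi suggested, looks like on the ASA CLI for ASA 8.3+/9.x object NAT. It is an added example, not configuration from the thread or from Cisco's documents; the object names, ACL name, the private address 192.168.10.25, the remote-office range 203.0.113.0/24 and the outside address 198.51.100.1 are placeholders. Using `interface` as the mapped address is what maps a port on the outside interface's own IP, which is the case the Public Servers page refuses.

```cisco
! Added example (not from the thread). Placeholders:
!   TS server private address  192.168.10.25
!   remote office source range 203.0.113.0/24
!   outside interface address  198.51.100.1
object network REMOTE-OFFICE
 subnet 203.0.113.0 255.255.255.0

! Object NAT: static PAT from outside-interface-IP:3389 to 192.168.10.25:3389.
! "interface" = use the outside interface's own address as the public one;
! "service tcp <real_port> <mapped_port>" limits the translation to RDP.
object network TS-SERVER
 host 192.168.10.25
 description Terminal server (private address)
 nat (inside,outside) static interface service tcp 3389 3389

! Since ASA 8.3 the inbound ACL is written against the REAL (private)
! address, not the translated public one. The source is the remote
! office rather than "any", so RDP is not reachable from everywhere.
access-list OUTSIDE-IN extended permit tcp object REMOTE-OFFICE object TS-SERVER eq 3389
access-group OUTSIDE-IN in interface outside

! Verification: simulate an inbound SYN arriving on the outside interface.
! The destination must be the PUBLIC (mapped) address, i.e. the outside
! interface IP, not the server's private address; the output should show
! the NAT "untranslate" phase followed by an ACCESS-LIST allow and no
! rpf-check drop.
packet-tracer input outside tcp 203.0.113.10 50000 198.51.100.1 3389

! Confirm the translation and the ACL hit counts afterwards.
show nat detail
show access-list OUTSIDE-IN
```

In ASDM the same rule is normally entered as a Network Object NAT rule with "Use Interface IP" as the translated address and the 3389/3389 ports on the Service tab, rather than through the Public Servers page.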