05-21-2012 07:28 AM - edited 03-11-2019 04:09 PM
Hi all! I have an ASA 5505 with 8.4(2)8 software for one of my branch offices and I can't configure port forwarding. It seems to be very simple, but it's not working. I use my ASA as a gateway to the internet for users in the office and for a site-to-site IPSec VPN to HQ. I have a pppoe-enabled outside interface, but the ISP gives me a static routable ip address. I have a server behind my firewall and I should "publish" some of its tcp and udp ports to the WAN, but I see that no packets are forwarded through the ASA. I tried to configure PAT as stated in the official "Cisco Security Appliance Configuration Guide" through CLI and ASDM. I also used this video (same ASA and ASDM versions) by Cisco TAC's Mike Robertson.
While troubleshooting, I put permit-any-any rules on both interfaces and permitting rule for traffic to the outside interface.
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
I captured packets on ASA outside interface and I have it there.
1: 05:34:28.193578 802.1Q vlan#20 P0 46.158.x.x.59668 > 213.171.x.x.3389: S 3188198355:3188198355(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
Here is packet-tracer output
packet-tracer input outside tcp 46.158.x.x 3389 213.171.x.x 3389
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 213.171.x.x 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So, here is my config (output omitted for some parts)
interface Vlan1
nameif inside
security-level 100
ip address 10.10.93.1 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
pppoe client vpdn group comlink-pppoe
ip address pppoe setroute
!
ftp mode passive
object network hq-lan-0
subnet 10.23.16.0 255.255.254.0
object network branch-lan
subnet 10.10.93.0 255.255.255.0
object network hq-lan-1
subnet 10.10.23.0 255.255.255.0
object network hq-lan-2
subnet 10.23.22.0 255.255.254.0
object network moonserver
host 10.10.93.6
!for real pat, will use after troubleshooting
object-group service DM_INLINE_SERVICE_1
service-object object RTP
service-object object SIP
service-object object STUN
service-object tcp destination eq www
!-------------------------inside_access_in---------------
access-list inside_access_in extended permit ip any any
!It's some rules for VPN users
access-list inside_access_in extended permit ip object branch-lan object hq-lan-1
access-list inside_access_in extended permit ip object branch-lan object hq-lan-2
access-list inside_access_in extended permit ip object branch-lan object hq-lan-0
!-------------------------outside_access_in---------------
!Added for troubleshooting as explicit rule for WAN access to outside interface address
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip object hq-lan-1 object branch-lan
access-list outside_access_in extended permit ip object hq-lan-2 object branch-lan
access-list outside_access_in extended permit ip object hq-lan-0 object branch-lan
!-------------------------for real pat, will use after troubleshooting
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object krd-itk-vgw1
!---------------------------------------------------------------
access-list global_access extended permit ip any any
!------------------------VPN cryptomap acl for traffic encrypting purposes
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-1
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-2
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-0
!-------------------------VPN-related
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-1 hq-lan-1 no-proxy-arp route-lookup
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-2 hq-lan-2 no-proxy-arp route-lookup
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-0 hq-lan-0 no-proxy-arp route-lookup
!------------------------Let users get internet access
nat (inside,outside) source dynamic branch-lan interface
!------------------------Here is my server!!!
object network moonserver
nat (any,outside) static interface service tcp 3389 3389
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
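As an added example (not from the original post or from Cisco): a small Python parser for the packet-tracer output quoted above, which reports which phase dropped the flow, the rule it matched, and the drop reason. The sample text is a constructed copy shaped like the output in the post, with the same masked address.

```python
# Constructed sample shaped like the packet-tracer output in the post (masked address kept).
SAMPLE = """Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in 213.171.x.x 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):  # -> (list of per-phase dicts, final summary dict)
    phases, summary, cur, section = [], {}, None, None
    for line in text.splitlines():
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Phase" and val.isdigit():          # "Phase: N" starts a new phase
            cur = {"phase": int(val), "type": "", "result": "", "config": []}
            phases.append(cur)
        elif key == "Result" and not val:             # bare "Result:" opens the summary
            cur, section = None, "summary"
        elif section == "summary":
            summary[key.lower().replace("-", "_")] = val
        elif cur and key in ("Type", "Result"):
            cur[key.lower()] = val
        elif cur and key in ("Config", "Additional Information"):
            section = key                             # lines under Config: name the rule
        elif cur and section == "Config" and line.strip():
            cur["config"].append(line.strip())
    return phases, summary

def diagnose(text):
    """Which phase dropped the flow and why, or 'allowed' when no phase returned DROP."""
    phases, summary = parse_packet_tracer(text)
    bad = next((p for p in phases if p["result"] == "DROP"), None)
    if bad is None:
        return "allowed"
    rule = " / ".join(bad["config"]) or "no config"
    return f"phase {bad['phase']} {bad['type']} [{rule}]: {summary.get('drop_reason', '?')}"
```

Run over the post's output, `diagnose` points at phase 3 (the access-list check after an identity route lookup), which is where to look before touching anything else.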
05-21-2012 09:56 AM
Hello Andrey,
Please remove the following configuration:
object network moonserver
no nat (any,outside) static interface service tcp 3389 3389
object service RDP
service tcp source eq 3389
nat (inside, outside) 1 source static moonserver interface service RDP RDP
Also please remove the following access-list:
no access-group global_access global
Regards,
Julio
05-21-2012 10:54 AM
Thanks, jcarvaja! You are a magician!!! )))
So, was the trouble in the access-list or in the order of the NAT rules, or did I make two mistakes?
05-21-2012 11:05 AM
Hello Andrey,
My pleasure,
I would say it was the NAT.
Regards,
Julio
Do rate all the helpful posts!!