ASA 8.4 port forwarding issue

Answered Question
May 21st, 2012

Hi all! I have an ASA 5505 with 8.4(2)8 software at one of my branch offices and I can't configure port forwarding. It seems to be very simple, but it's not working. I use my ASA as the gateway to the internet for users in the office and for a site-to-site IPSec VPN to HQ. I have a pppoe-enabled outside interface, but the ISP gives me a static routable IP address. I have a server behind my firewall and I should "publish" some of its TCP and UDP ports to the WAN, but I see that no packets are forwarded through the ASA. I tried to configure PAT as stated in the official "Cisco Security Appliance Configuration Guide" through the CLI and ASDM. I also used this video (same ASA and ASDM versions) by Cisco TAC's Mike Robertson.


While troubleshooting, I put permit-any-any rules on both interfaces and a permit rule for traffic to the outside interface.

access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any


I captured packets on the ASA outside interface and I see the SYN there.

1: 05:34:28.193578 802.1Q vlan#20 P0 46.158.x.x.59668 > 213.171.x.x.3389: S 3188198355:3188198355(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>


Here is the packet-tracer output:

packet-tracer input outside tcp 46.158.x.x 3389 213.171.x.x 3389


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   213.171.x.x  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


So, here is my config (output omitted in some parts):

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.93.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 pppoe client vpdn group comlink-pppoe
 ip address pppoe setroute
!
ftp mode passive
object network hq-lan-0
 subnet 10.23.16.0 255.255.254.0
object network branch-lan
 subnet 10.10.93.0 255.255.255.0
object network hq-lan-1
 subnet 10.10.23.0 255.255.255.0
object network hq-lan-2
 subnet 10.23.22.0 255.255.254.0
object network moonserver
 host 10.10.93.6

!for real pat, will use after troubleshooting
object-group service DM_INLINE_SERVICE_1
 service-object object RTP
 service-object object SIP
 service-object object STUN
 service-object tcp destination eq www

!-------------------------inside_access_in---------------
access-list inside_access_in extended permit ip any any

!Some rules for VPN users
access-list inside_access_in extended permit ip object branch-lan object hq-lan-1
access-list inside_access_in extended permit ip object branch-lan object hq-lan-2
access-list inside_access_in extended permit ip object branch-lan object hq-lan-0

!-------------------------outside_access_in---------------
!Added for troubleshooting as an explicit rule for WAN access to the outside interface address
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit ip object hq-lan-1 object branch-lan
access-list outside_access_in extended permit ip object hq-lan-2 object branch-lan
access-list outside_access_in extended permit ip object hq-lan-0 object branch-lan

!-------------------------for real pat, will use after troubleshooting
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object krd-itk-vgw1

!---------------------------------------------------------------
access-list global_access extended permit ip any any

!------------------------VPN crypto map ACL for traffic encryption purposes
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-1
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-2
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-0

!-------------------------VPN-related
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-1 hq-lan-1 no-proxy-arp route-lookup
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-2 hq-lan-2 no-proxy-arp route-lookup
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-0 hq-lan-0 no-proxy-arp route-lookup

!------------------------Let users get internet access
nat (inside,outside) source dynamic branch-lan interface

!------------------------Here is my server!!!
object network moonserver
 nat (any,outside) static interface service tcp 3389 3389

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global

Correct Answer
Julio Carvajal Mon, 05/21/2012 - 09:56

Hello Andrey,


Please remove the following configuration:

object network moonserver
 no nat (any,outside) static interface service tcp 3389 3389

object service RDP
 service tcp source eq 3389

nat (inside,outside) 1 source static moonserver interface service RDP RDP


Also please remove the following access-list:

no access-group global_access global



Regards,


Julio


Andrey Kornienko Mon, 05/21/2012 - 10:54

Thanks, jcarvaja! You are a magician!!! )))

So, was the trouble in the access-list or in the NAT rule order, or did I make two mistakes?

Correct Answer
Julio Carvajal Mon, 05/21/2012 - 11:05

Hello Andrey,


My pleasure,


I would say it was the NAT.


Regards,


Julio


Do rate all the helpful posts!!
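
The accepted fix, written out as an added example (editor's example, not configuration posted in the thread) together with the checks a practitioner would run afterwards. It keeps the interface, object and service names from the thread and takes the source port 59668 from the capture above. Two points the thread does not spell out: manual (twice) NAT rules in section 1 are evaluated in order and before any object NAT in section 2, so the `1` puts the RDP rule ahead of both the VPN identity rules and the dynamic PAT; and in the packet-tracer output above there is no UN-NAT phase before the drop and the output interface is "NP Identity Ifc", which is what the ASA shows when it treats the packet as traffic to its own address instead of untranslating it to 10.10.93.6. The tightened `outside_access_in` line is an assumption about what the troubleshooting permit-any rules should be reduced to once forwarding works; on 8.3 and later the ACL must reference the real (untranslated) server address, not the interface address.

```cisco
! Added example, not from the original thread. Names moonserver, branch-lan,
! inside/outside and the RDP service object come from the thread; the final
! access-list line is an assumption (editor's choice of a minimal inbound rule).

! 1. Remove the object (auto) NAT that sat in section 2 and never matched
object network moonserver
 no nat (any,outside) static interface service tcp 3389 3389

! 2. In twice NAT the service object describes the SOURCE port of the real
!    host (moonserver is the source in the inside->outside direction), so
!    "source eq 3389" maps outside-ip:3389 <-> 10.10.93.6:3389
object service RDP
 service tcp source eq 3389

! 3. Position 1 puts this rule at the top of section 1, ahead of the VPN
!    identity rules and the dynamic PAT, so it is consulted first both ways.
!    Outbound traffic from 10.10.93.6 on other source ports still falls
!    through to the dynamic PAT rule.
nat (inside,outside) 1 source static moonserver interface service RDP RDP

! 4. Drop the troubleshooting rules and the global ACL the answer asked to
!    remove, then permit only RDP to the server's real address (8.3+ ACLs
!    use untranslated addresses)
no access-list outside_access_in extended permit ip any any
no access-list outside_access_in extended permit ip any interface outside
no access-group global_access global
access-list outside_access_in extended permit tcp any object moonserver eq 3389

! 5. Verify: the rule should be listed under section 1 with translate hits
!    counting up, packet-tracer should now show a UN-NAT phase and
!    output-interface inside, and a live connection should leave an xlate
show nat detail
packet-tracer input outside tcp 46.158.x.x 59668 213.171.x.x 3389 detailed
show xlate | include 3389
```

If `show nat detail` still lists the RDP rule with zero translate hits while the capture on outside shows the SYN arriving, the packet-tracer line is the quickest way to see which phase is dropping it; a UN-NAT phase that names 10.10.93.6 confirms the NAT matched, after which any remaining drop belongs to `outside_access_in`.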
