ASA 8.4 port forwarding issue

Answered Question
May 21st, 2012

Hi all! I have an ASA 5505 with 8.4(2)8 software for one of my branch offices and I can't configure port forwarding. It seems to be very simple, but it's not working. I use my ASA as a gateway to the internet for users in the office and for a site-to-site IPsec VPN to HQ. I have a PPPoE-enabled outside interface, but the ISP gives me a static routable IP address. I have a server behind my firewall and I should "publish" some of its TCP and UDP ports to the WAN, but I see that no packets are forwarded through the ASA. I tried to configure PAT as stated in the official "Cisco Security Appliance Configuration Guide" through the CLI and ASDM. I also used this video (same ASA and ASDM versions) by Cisco TAC's Mike Robertson.

While troubleshooting, I put permit-any-any rules on both interfaces and a permit rule for traffic to the outside interface.

access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any

I captured packets on the ASA outside interface and I see it there.

1: 05:34:28.193578 802.1Q vlan#20 P0 46.158.x.x.59668 > 213.171.x.x.3389: S 3188198355:3188198355(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>

Here is the packet-tracer output:

packet-tracer input outside tcp 46.158.x.x 3389 213.171.x.x 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   213.171.x.x  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So, here is my config (output omitted for some parts):

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.93.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 pppoe client vpdn group comlink-pppoe
 ip address pppoe setroute
!
ftp mode passive
object network hq-lan-0
 subnet 10.23.16.0 255.255.254.0
object network branch-lan
 subnet 10.10.93.0 255.255.255.0
object network hq-lan-1
 subnet 10.10.23.0 255.255.255.0
object network hq-lan-2
 subnet 10.23.22.0 255.255.254.0
object network moonserver
 host 10.10.93.6
! for real PAT, will use after troubleshooting
object-group service DM_INLINE_SERVICE_1
 service-object object RTP
 service-object object SIP
 service-object object STUN
 service-object tcp destination eq www
!-------------------------inside_access_in---------------
access-list inside_access_in extended permit ip any any
! Some rules for VPN users
access-list inside_access_in extended permit ip object branch-lan object hq-lan-1
access-list inside_access_in extended permit ip object branch-lan object hq-lan-2
access-list inside_access_in extended permit ip object branch-lan object hq-lan-0
!-------------------------outside_access_in---------------
! Added for troubleshooting as an explicit rule for WAN access to the outside interface address
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip object hq-lan-1 object branch-lan
access-list outside_access_in extended permit ip object hq-lan-2 object branch-lan
access-list outside_access_in extended permit ip object hq-lan-0 object branch-lan
!-------------------------for real PAT, will use after troubleshooting
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object krd-itk-vgw1
!---------------------------------------------------------------
access-list global_access extended permit ip any any
!------------------------VPN crypto map ACL for traffic encryption purposes
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-1
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-2
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-0
!-------------------------VPN-related
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-1 hq-lan-1 no-proxy-arp route-lookup
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-2 hq-lan-2 no-proxy-arp route-lookup
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-0 hq-lan-0 no-proxy-arp route-lookup
!------------------------Let users get internet access
nat (inside,outside) source dynamic branch-lan interface
!------------------------Here is my server!!!
object network moonserver
 nat (any,outside) static interface service tcp 3389 3389
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
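Added example (mine, not code from the thread or from Cisco): a small Python parser for packet-tracer output of the kind posted above, with a few triage heuristics on top. It is fed the poster's trace as a constructed sample and reports what that trace already shows: the phase that dropped the packet and its reason, that no NAT/UN-NAT phase appeared at all, and that the route lookup resolved to identity (the ASA's own outside address, output-interface NP Identity Ifc) rather than to an inside host. The heuristics are my reading of the output, not a Cisco-documented diagnosis.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample input: the packet-tracer output quoted in the question,
# with the addresses masked as x.x exactly as the poster masked them.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   213.171.x.x  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: list[str] = field(default_factory=list)  # lines under "Config:"
    info: list[str] = field(default_factory=list)    # lines under "Additional Information:"


def parse_packet_tracer(text: str) -> tuple[list[Phase], dict[str, str]]:
    """Return the numbered phases and the final 'Result:' summary (Action, Drop-reason, ...)."""
    phases: list[Phase] = []
    summary: dict[str, str] = {}
    current = None   # phase being filled; None once the final summary block starts
    section = None   # "config" or "info" inside the current phase
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif line == "Result:":          # bare "Result:" opens the final summary
            current = None
        elif current is None:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, summary


def triage(phases: list[Phase], summary: dict[str, str]) -> list[str]:
    """Heuristics for an inbound port-forward test; my reading of the output, not a Cisco diagnosis."""
    findings = []
    drop = next((p for p in phases if p.result == "DROP"), None)
    if drop is not None:
        findings.append(f"dropped in phase {drop.number} ({drop.type}): {summary.get('Drop-reason', '')}")
    if not {p.type for p in phases} & {"NAT", "UN-NAT"}:
        findings.append("no NAT/UN-NAT phase: no translation rule matched the flow")
    route = next((p for p in phases if p.type == "ROUTE-LOOKUP"), None)
    if route is not None and any(l.endswith("identity") for l in route.info):
        findings.append("route lookup is 'identity': the destination is the ASA's own address and "
                        f"the packet goes to {summary.get('output-interface', '?')}, not to an inside host")
    return findings
```

Once a translation does match, an inbound trace shows an UN-NAT phase before the route lookup and a real inside output interface, so re-running the same packet-tracer command after a NAT change and feeding the output to triage() is a quick way to confirm the fix took effect.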

Correct Answer
Julio Carvaja Mon, 05/21/2012 - 09:56

Hello Andrey,

Please remove the following configuration:

object network moonserver
 no nat (any,outside) static interface service tcp 3389 3389

object service RDP
 service tcp source eq 3389

nat (inside,outside) 1 source static moonserver interface service RDP RDP

Also please remove the following access-list:

no access-group global_access global

Regards,

Julio


AKornienko Mon, 05/21/2012 - 10:54

Thanks, jcarvaja! You are a magician!!! )))

So, was the trouble in the access-list or in the NAT rule order, or did I make two mistakes?

Correct Answer
Julio Carvaja Mon, 05/21/2012 - 11:05

Hello Andrey,

My pleasure,

I would say it was the NAT.

Regards,

Julio

Do rate all the helpful posts!!

Posted May 21, 2012 at 7:28 AM