Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACL help, cannot get traffic in from External IP to Internal IP

I need help getting port forwarding working on an ASA with 8.2(5). I only have one IP address that I can use for an internal device and I want to connect the internal device to the firewall. I have an interface on the ASA configured with the exernal IP address and I have a NAT rule with PAT enabled from the internal IP to the Interface address. I then configured an Access Rule on the interface to allow incoming traffic from a specific external IP to the internal IP. That did not work.

I then tried the External IP to the Interface IP, the packet trace fails.

I then tried with both rules in place and the packet trace fails. 

I cannot get traffic in from the external IP to the internal IP, the packet trace always fails at the implicit deny rule. 

If it helps, IP A (external) needs to go to IP B (ASA Interface) which needs to be sent to IP C (internal), when IP C responds, IP A needs to see it coming back as IP B.

The packet trace works going from inside IP to outside IP.

I NATed with PAT the internal IP C to the interface IP B.

I setup a route such that IP C reaches IP A through IP B's gateway(service provider)

Any assistance on what I am doing wrong would be greatly appreciated.

Everyone's tags (1)
3 REPLIES
Bronze

Hello Sealy,I hope you're

Hello Sealy,

I hope you're doing great

Based on your description you are using PAT (Port Address Translation) which is a one way NAT. Meaning that it will only work from inside to outside or from outside to inside, but not for both directions. In order to make this server accessible from the outside we would need to use a static NAT or port forwarding. For the first option you will need an extra Public IP address, however, for the second option you can use the External IP address of the ASA.

Port forwarding or port redirection is a useful feature where the outside users try to access an internal server on a specific port. In order to achieve this, the internal server, which has a private IP address, will be translated to a public IP address which in turn is allowed access for the specific port.

For example, let’s say that the users want to access server "C" on port 443 using the Outside IP address of the ASA:​

These will be the requirements:

 

- Allow Inside users to access the Internet.

- Allow Inside Web server to serve https services to the Internet.

- Allow Outside users to visit your Web server.

 

NAT configuration on ASA:

1-This configuration will redirect HTTPS requests for the ASA outside interface address to C.C.C.C internal host:

hostname(config)# static (inside,outside) tcp interface https C.C.C.C https netmask 255.255.255.255

 

2-You could also redirect for example HTTP requests on port 8080 for the ASA outside interface to C.C.C.C port 80 by entering the following command:

 

hostname(config)# static (inside,outside) tcp interface 8080 C.C.C.C www netmask 255.255.255.255

 

Hope this helps!

Luis.

 

VIP Green

I then tried the External IP

I then tried the External IP to the Interface IP, the packet trace fails.

I assume you mean the interface IP of the server? Then this fail is expected as the RPF check will fail. If I assumed wrong and you are tracing to the outside ASA interface, then the packet tracer will tell you where it is failing (ie. ACL, NAT, RPF..etc.)  It will help to know where it is failing

I setup a route such that IP C reaches IP A through IP B's gateway(service provider)

What do you mean by this?  IP C should have the ASA internal IP as its gateway.  The ASA should have a default route pointing to the ISP as its next hop.

Keep in mind the structure of the NAT statement:

static (<real int>,<mapped int>) tcp <mapped IP> 80 <real IP> 80

static (inside,outside) tcp interface 80 <server IP> 80

The access list permitting traffic into your network should be permitting to the ASA outside interface IP (public IP)

access-list WEB permit tcp any <ASA outside int IP> eq 80

access-group WEB in interface outside

If this does not help, it would really be useful seeing your ASA configuration. Just remember to remove any public IPs and passwords before posting it here.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer

Hi, You refer the below given

Hi,

 

You refer the below given link for all different port-forwarding scenarios explained in it.....

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_staticpat.html

 

Regards

Karthik

743
Views
0
Helpful
3
Replies
CreatePlease login to create content