Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 8.3 port forward denied by ACL

Hi,

I consider the NAT mechanism to be quite straight forward, but although the firewall ACLs allow the traffic, it is being denied.

The ASDM log and packet-tracer indicate the problem being an ACL.

# the internal resource

object network mabe-mbp

host 10.0.0.36

!

# these are ALL of the rules on the outside/inside interfaces

access-list outside_access_in extended permit tcp host 1.2.3.90 any eq 12380 log disabled

access-list outside_access_out extended permit ip any any log

access-list inside_access_in extended permit ip any any log

access-list inside_access_out extended permit ip any any log

!

object network mabe-mbp

nat (inside,outside) static interface service tcp www 12380

!

# show access-list outside_access_in

access-list outside_access_in line 2 extended permit tcp host 1.2.3.90 any eq 12380 log disable (hitcnt=0) 0x5800aa82 <- no hits

# show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static mabe-mbp interface service tcp www 12380

    translate_hits = 0, untranslate_hits = 9 <- untranslate here means exactly what?

ASDM log:

4          Jan 02 2012     13:40:28                1.2.3.90    59406   10.0.0.36 80 Deny tcp src outside:1.2.3.90/59406 dst inside:10.0.0.36/80 by access-group "outside_access_in" [0x0, 0x0]

Packet tracer:

asa# packet-tracer input outside tcp 1.2.3.90 12345 2.2.2.149 80 detailed

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xcb365e08, priority=13, domain=capture, deny=false

hits=27462396, user_data=0xca999d08, cs_id=0x0, l3_type=0x0

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

input_ifc=outside, output_ifc=any

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9d98308, priority=1, domain=permit, deny=false

hits=192253612, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=outside, output_ifc=any

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   2.2.2.149   255.255.255.255 identity

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9d98b28, priority=0, domain=permit, deny=true

hits=867474, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Do you spot anything obvious?

1 ACCEPTED SOLUTION

Accepted Solutions

ASA 8.3 port forward denied by ACL

You should use private IP in outside ACL.

Thanks

Ajay

2 REPLIES

ASA 8.3 port forward denied by ACL

You should use private IP in outside ACL.

Thanks

Ajay

New Member

ASA 8.3 port forward denied by ACL

Thanks, I did notice that. That is counter intuitive, seeing as the (incoming) packets that reach the outside interface wouldn't have the internal IP (or port) in the respective destination fields.

Thanks for the answer!

793
Views
0
Helpful
2
Replies