ASA 8.4 port forwarding issue

Hi all! I have an ASA 5505 with 8.4(2)8 software for one of my branch offices and I can't configure port forwarding. It seems to be very simple, but it's not working. I use my ASA as a gateway to the internet for users in the office and for a site-to-site IPSec VPN to HQ. I have a pppoe-enabled outside interface, but the ISP gives me a static routable IP address. I have a server behind my firewall and I need to "publish" some of its TCP and UDP ports to the WAN, but I see that no packets are forwarded through the ASA. I tried to configure PAT as stated in the official "Cisco Security Appliance Configuration Guide" through the CLI and ASDM. I also used this video (same ASA and ASDM versions) by Cisco TAC's Mike Robertson.

While troubleshooting, I put permit-any-any rules on both interfaces and a permit rule for traffic to the outside interface.

access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any

I captured packets on the ASA outside interface and the packet is there.

1: 05:34:28.193578 802.1Q vlan#20 P0 46.158.x.x.59668 > 213.171.x.x.3389: S 3188198355:3188198355(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>

Here is the packet-tracer output:

packet-tracer input outside tcp 46.158.x.x 3389 213.171.x.x 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   213.171.x.x  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So, here is my config (output omitted for some parts):

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.93.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 pppoe client vpdn group comlink-pppoe
 ip address pppoe setroute
!
ftp mode passive
object network hq-lan-0
 subnet 10.23.16.0 255.255.254.0
object network branch-lan
 subnet 10.10.93.0 255.255.255.0
object network hq-lan-1
 subnet 10.10.23.0 255.255.255.0
object network hq-lan-2
 subnet 10.23.22.0 255.255.254.0
object network moonserver
 host 10.10.93.6
!for real pat, will use after troubleshooting
object-group service DM_INLINE_SERVICE_1
 service-object object RTP
 service-object object SIP
 service-object object STUN
 service-object tcp destination eq www
!-------------------------inside_access_in---------------
access-list inside_access_in extended permit ip any any
!It's some rules for VPN users
access-list inside_access_in extended permit ip object branch-lan object hq-lan-1
access-list inside_access_in extended permit ip object branch-lan object hq-lan-2
access-list inside_access_in extended permit ip object branch-lan object hq-lan-0
!-------------------------outside_access_in---------------
!Added for troubleshooting as explicit rule for WAN access to outside interface address
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip object hq-lan-1 object branch-lan
access-list outside_access_in extended permit ip object hq-lan-2 object branch-lan
access-list outside_access_in extended permit ip object hq-lan-0 object branch-lan
!-------------------------for real pat, will use after troubleshooting
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object krd-itk-vgw1
!---------------------------------------------------------------
access-list global_access extended permit ip any any
!------------------------VPN cryptomap acl for traffic encrypting purposes
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-1
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-2
access-list outside_cryptomap extended permit ip object branch-lan object hq-lan-0
!-------------------------VPN-related
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-1 hq-lan-1 no-proxy-arp route-lookup
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-2 hq-lan-2 no-proxy-arp route-lookup
nat (inside,outside) source static branch-lan branch-lan destination static hq-lan-0 hq-lan-0 no-proxy-arp route-lookup
!------------------------Let users get internet access
nat (inside,outside) source dynamic branch-lan interface
!------------------------Here is my server!!!
object network moonserver
 nat (any,outside) static interface service tcp 3389 3389
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
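As an added troubleshooting aid (not part of the original thread and not Cisco's code), here is a small Python script that parses packet-tracer output like the trace quoted above into its phases, reports the first DROP phase together with the drop reason from the summary, and flags the "NP Identity Ifc" egress, which shows the ASA handled the packet as addressed to itself instead of untranslating it to the inside server. The sample text is the trace from the post, embedded so the script runs offline; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the packet-tracer output quoted in the post,
# embedded as a string so the script runs offline.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   213.171.x.x  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Header fields that packet-tracer prints for every phase.
FIELD_RE = re.compile(r"^(Phase|Type|Subtype|Result|Config|Additional Information):\s*(.*)$")


def parse_packet_tracer(text: str) -> Dict[str, object]:
    """Split packet-tracer output into a list of phase dicts plus the final
    'Result:' summary (input/output interface, action, drop reason)."""
    phases: List[Dict[str, object]] = []
    summary: Dict[str, str] = {}
    current: Optional[Dict[str, object]] = None
    section: Optional[str] = None      # 'config' or 'info' while inside a phase
    in_summary = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "Result:":          # a bare 'Result:' starts the final summary
            in_summary = True
            current = None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "Phase":
                current = {"phase": int(value), "type": "", "subtype": "",
                           "result": "", "config": [], "info": []}
                phases.append(current)
                section = None
            elif key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            elif current is not None:
                current[key.lower()] = value
            continue
        if current is not None and section is not None:
            current[section].append(line)   # free-form line under Config / Additional Information
    return {"phases": phases, "summary": summary}


def first_drop(parsed: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return the first phase whose Result is DROP, or None if the flow was allowed."""
    for phase in parsed["phases"]:
        if str(phase["result"]).upper() == "DROP":
            return phase
    return None


def diagnose(text: str) -> List[str]:
    """Turn a trace into short findings a troubleshooter can act on."""
    parsed = parse_packet_tracer(text)
    summary = parsed["summary"]
    findings: List[str] = []
    drop = first_drop(parsed)
    if drop is not None:
        findings.append(f"dropped in phase {drop['phase']} ({drop['type']}): "
                        f"{summary.get('Drop-reason', 'no reason given')}")
    # 'NP Identity Ifc' as egress means the ASA handled the packet as addressed
    # to itself (the route lookup resolved to 'identity'): no NAT rule
    # untranslated the destination to the inside host before the ACL check.
    if summary.get("output-interface") == "NP Identity Ifc":
        findings.append("egress is NP Identity Ifc: destination treated as the ASA itself; "
                        "verify that a NAT rule untranslates this destination to the inside server")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE):
        print(finding)
```

Run against the trace above it reports the phase-3 ACL drop and the identity egress, which is the pair of symptoms that points at NAT rather than at the interface ACLs: the ACL that dropped the flow is the implicit rule on the to-the-box path, reached only because nothing untranslated 213.171.x.x:3389 to the inside host.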

4 REPLIES

Re: ASA 8.4 port forwarding issue (accepted solution)

Hello Andrey,

Please remove the following configuration:

object network moonserver
 no nat (any,outside) static interface service tcp 3389 3389
object service RDP
 service tcp source eq 3389
nat (inside,outside) 1 source static moonserver interface service RDP RDP

Also please remove the following access-list:

no access-group global_access global

Regards,

Julio


Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
Re: ASA 8.4 port forwarding issue

Thanks, jcarvaja! You are a magician!!! )))

So, was it a problem in the access-list or in the NAT rule order, or did I make two mistakes?

Re: ASA 8.4 port forwarding issue (accepted solution)

Hello Andrey,

My pleasure,

I would say it was the NAT.

Regards,

Julio

Do rate all the helpful posts!!
