09-05-2014 02:40 AM - edited 03-11-2019 09:42 PM
The ASA is a 5510, version 8.3(1); I can't forward ports (www, ftp) from outside to the DMZ.
My configuration:
outside: IP Public (X.X.X.X)
DMZ: 10.10.10.0/24
access-list outside-in extended permit tcp any interface outside eq www
access-group outside-in in interface outside
nat (DMZ,outside) source dynamic DMZ interface
object network WEB
host 10.10.10.5
nat (DMZ,outside) static interface service tcp www www
asa#sh xlate type static
TCP PAT from DMZ:10.10.10.5 80-80 to outside:X.X.X.X 80-80
asa#sh nat
(DMZ) to (outside) source static WEB interface service tcp www www
translate_hits = 0, untranslate_hits = 0
asa#sh access-list
access-list outside-in line 2 extended permit tcp any interface outside eq www (hitcnt=0) 0xacb645cb
******************************************************************
Syslog: ASA-3-710003: TCP access denied by ACL from Y.Y.Y.Y/64141 to outside:X.X.X.X/80
******************************************************************
ASA# packet-tracer input outside tcp X.X.X.X 80 10.10.10.5 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 DMZ
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa88943e0, priority=500, domain=permit, deny=true
hits=11, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=X.X.X.X, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
*************************************************
In the access-list, I've changed the destination to the real IP (10.10.10.5) or the public IP; the result was the same.
I don't know what mistake is in my configuration. Could anyone help me?
Thank you very much for your help.
09-05-2014 03:00 AM
The destination address in the ACL has to be the real IP of the server. And upgrade the ASA to something newer. 8.3(1) was probably the worst version ever on the ASA.
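A small model of the point made above, added here and not code from the thread: on ASA 8.3+ the destination is untranslated before the inbound ACL is checked, so an ACE written against the mapped address (interface outside) never matches while one written against the real server IP does. The addresses 203.0.113.10 (standing in for X.X.X.X) and 198.51.100.7 are constructed test values.

```python
# Simplified model of the ASA 8.3+ inbound packet path (added example, not the
# thread's own code): destination NAT (untranslate) runs BEFORE the inbound ACL,
# so the ACL on 'outside' must match the server's real IP. Addresses are
# constructed RFC 5737 test values standing in for the thread's placeholders.
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.10"   # stands in for X.X.X.X (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticPat:
    """object network NAT: real host:port <-> mapped interface-IP:port."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Ace:
    """'permit tcp any host <dst> eq <port>'; dst may be the interface IP."""
    dst: str
    dport: int


def untranslate(pkt: Packet, rules: list) -> Packet:
    """Rewrite a mapped destination to its real destination (first match wins)."""
    for r in rules:
        if pkt.dst == r.mapped_ip and pkt.dport == r.mapped_port:
            return Packet(pkt.src, r.real_ip, r.real_port)
    return pkt                     # no static PAT for this dst/port: unchanged


def acl_permits(pkt: Packet, acl: list) -> bool:
    """Interface ACL: any matching ACE permits; implicit deny otherwise."""
    return any(pkt.dst == a.dst and pkt.dport == a.dport for a in acl)


def inbound_allowed(pkt, nat, acl, untranslate_first=True):
    """ASA 8.3+: untranslate, then ACL on the real dst. Pre-8.3: ACL on mapped dst."""
    seen_by_acl = untranslate(pkt, nat) if untranslate_first else pkt
    return acl_permits(seen_by_acl, acl)


NAT = [StaticPat("10.10.10.5", 80, OUTSIDE_IP, 80)]   # object network WEB
ACL_MAPPED = [Ace(OUTSIDE_IP, 80)]     # thread's first ACL: 'interface outside'
ACL_REAL = [Ace("10.10.10.5", 80)]     # Karsten's fix: the real server IP
CLIENT = Packet("198.51.100.7", OUTSIDE_IP, 80)       # constructed web client
```

With the thread's original ACL, inbound_allowed(CLIENT, NAT, ACL_MAPPED) is False (hitcnt stays 0, implicit deny), while ACL_REAL permits the same packet.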
09-05-2014 06:28 PM
Dear Karsten Iwen,
Yes, I've put the real IP in the ACL, but everything is still the same as before.
I think port forwarding normally works on every firewall; should I upgrade the ASA to a newer version?
09-06-2014 12:28 AM
Show your actual config (at least NAT/ACL). And yes, you should upgrade.
09-06-2014 02:35 AM
Dear Karsten Iwen,
ASA's ACL/NAT:
ASA Version 8.3(1)
interface Ethernet0/0
description WAN1
duplex full
nameif outside
security-level 0
pppoe client vpdn group WAN1
ip address pppoe
!
interface Ethernet0/2.5
description DMZ
vlan 5
nameif DMZ
security-level 50
ip address 10.10.10.1 255.255.255.0
!
access-list outside-in extended permit tcp any host 10.10.10.5 eq www
access-list outside-in extended permit tcp any host 10.10.10.5 eq ftp
access-group outside-in in interface outside
object network DMZ_NET
subnet 10.10.10.0 255.255.255.0
nat (DMZ,outside) source dynamic DMZ_NET interface
object network WEB
host 10.10.10.5
nat (DMZ,outside) static interface service tcp www www
object network FTP
host 10.10.10.5
nat (DMZ,outside) static interface service tcp ftp ftp
*************************************************
I've checked NAT (show nat detail, show xlate, ...); the translation is OK. DMZ to the internet is OK, and the internet can ping the outside interface.
Show access-list:
access-list outside-in line 2 extended permit tcp any host 10.10.10.5 eq www (hitcnt=0) 0xacb645cb
access-list outside-in line 3 extended permit tcp any host 10.10.10.5 eq ftp (hitcnt=0) 0xea857100
Packet-tracer: web and FTP were dropped at ACCESS-LIST (phase 2 or 3) by the Implicit Rule.
Does the Implicit Rule have something to do with NAT?
Port forwarding is a basic function of the ASA; should I upgrade?
Thanks for your reply.
09-06-2014 02:42 AM
Your object NAT is fine, but the following rule is wrong:
nat (DMZ,outside) source dynamic DMZ_NET interface
That one needs to go to the end of the NAT-List:
no nat (DMZ,outside) source dynamic DMZ_NET interface
nat (DMZ,outside) after-auto source dynamic DMZ_NET interface
09-07-2014 06:46 PM
I've configured: nat (DMZ,outside) after-auto source dynamic DMZ_NET interface
The result was still the same.
09-08-2014 12:33 AM
Did you remove the old rule? Please show your complete NAT config.
09-08-2014 06:37 PM
Sorry Karsten Iwen, I've not been at work lately.
Yes, I removed the old rule. show nat detail:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic LAN_NET interface
translate_hits = 1214968, untranslate_hits = 115784
Source - Origin: 192.168.100.0/24, Translated: X.X.X.X/32
Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static FTP interface service tcp ftp ftp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.5/32, Translated: X.X.X.X/32
Service - Protocol: tcp Real: ftp Mapped: ftp
2 (DMZ) to (outside) source static WEB interface service tcp www www
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.5/32, Translated: X.X.X.X/32
Service - Protocol: tcp Real: www Mapped: www
Manual NAT Policies (Section 3)
1 (DMZ) to (outside) source dynamic DMZ_NET interface
translate_hits = 2103, untranslate_hits = 8
Source - Origin: 10.10.10.0/24, Translated: X.X.X.X/32
I've read the syslog and realized that something is wrong:
WEB: ASA-3-710003: TCP access denied by ACL from 123.17.96.224/64141 to outside:X.X.X.X/80
FTP: ASA-2-106016: Deny IP spoof from (X.X.X.X) to 10.10.10.5 on interface outside
With WEB, the packet was dropped at outside, but with FTP, the packet was dropped behind outside, although they were configured with the same ACL/NAT rules.
Do you know which ASA functions can affect NAT/ACL?
Thanks for your help.