New Member

ASA5510_Ver 8.3 can not forward port

The ASA is a 5510 running 8.3(1); I can't forward ports (www, ftp) from outside to the DMZ.

My configuration:

outside:  IP Public (X.X.X.X)
DMZ:  10.10.10.0/24

access-list outside-in extended permit tcp any interface outside eq www
access-group outside-in in interface outside

nat (DMZ,outside) source dynamic DMZ interface

object network WEB
  host 10.10.10.5
  nat (DMZ,outside) static interface service tcp www www


asa#sh xlate type static
TCP PAT from DMZ:10.10.10.5 80-80 to outside:X.X.X.X 80-80

asa#sh nat
  (DMZ) to (outside) source static WEB interface service tcp www www
    translate_hits = 0, untranslate_hits = 0

asa#sh access-list
access-list outside-in line 2 extended permit tcp any interface outside eq www (hitcnt=0) 0xacb645cb

******************************************************************

Syslog: ASA-3-710003: TCP access denied by ACL from Y.Y.Y.Y/64141 to outside:X.X.X.X/80

******************************************************************
ASA# packet-tracer input outside tcp X.X.X.X 80 10.10.10.5 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0     255.255.255.0   DMZ

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xa88943e0, priority=500, domain=permit, deny=true
        hits=11, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=X.X.X.X, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

*************************************************

In the access-list, I've changed the destination to the real IP (10.10.10.5) and to the public IP; the result was the same.

I don't know what the mistake in my configuration is. Could anyone help me?

Thank you very much for your help.


8 REPLIES
VIP Purple

The destination address in the ACL has to be the real IP of the server. And upgrade the ASA to something newer. 8.3(1) was probably the worst version ever on the ASA.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Dear Karsten Iwen,

Yes, I've put the real IP in the ACL, but everything is still the same as before.

I think port forwarding is a normal feature on every firewall; should I upgrade the ASA to a newer version?

VIP Purple

Show your actual config (at least NAT/ACL). And yes, you should upgrade.


New Member

Dear Karsten Iwen

ASA's ACL/NAT:

ASA Version 8.3(1)

interface Ethernet0/0
 description WAN1
 duplex full
 nameif outside
 security-level 0
 pppoe client vpdn group WAN1
 ip address pppoe
!

interface Ethernet0/2.5
 description DMZ
 vlan 5
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!

access-list outside-in extended permit tcp any host 10.10.10.5 eq www
access-list outside-in extended permit tcp any host 10.10.10.5 eq ftp

access-group outside-in in interface outside

object network DMZ_NET
 subnet 10.10.10.0 255.255.255.0

nat (DMZ,outside) source dynamic DMZ_NET interface

object network WEB
  host 10.10.10.5
  nat (DMZ,outside) static interface service tcp www www
object network FTP
  host 10.10.10.5
  nat (DMZ,outside) static interface service tcp ftp ftp
*************************************************
I've checked NAT (show nat detail, show xlate, ...); the translation is OK. DMZ to the Internet is OK, and the Internet can ping the outside interface.
Show access-list:
  access-list outside-in line 2 extended permit tcp any host 10.10.10.5 eq www (hitcnt=0) 0xacb645cb
  access-list outside-in line 3 extended permit tcp any host 10.10.10.5 eq ftp (hitcnt=0) 0xea857100

Packet-tracer: Web & FTP were dropped at ACCESS-LIST (phase 2 or 3) by the Implicit Rule.
Does the Implicit Rule have anything to do with NAT?

Port forwarding is a basic function of the ASA; should I upgrade?
Thanks for your reply.

VIP Purple

Your object NAT is fine, but the following rule is wrong:

nat (DMZ,outside) source dynamic DMZ_NET interface

That one needs to go to the end of the NAT-List:

no nat (DMZ,outside) source dynamic DMZ_NET interface
nat (DMZ,outside) after-auto source dynamic DMZ_NET interface



New Member

Dear Karsten Iwen

I've configured:  nat (DMZ,outside) after-auto source dynamic DMZ_NET interface

the result was still the same.

VIP Purple

did you remove the old rule? Please show your complete NAT-config.


New Member

Sorry Karsten Iwen, I've not been at work recently.

Yes, I removed the old rule. show nat detail:

Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic LAN_NET interface
    translate_hits = 1214968, untranslate_hits = 115784
   Source - Origin: 192.168.100.0/24, Translated: X.X.X.X/32

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static FTP interface service tcp ftp ftp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.5/32, Translated: X.X.X.X/32
    Service - Protocol: tcp Real: ftp Mapped: ftp
2 (DMZ) to (outside) source static WEB interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.5/32, Translated: X.X.X.X/32
    Service - Protocol: tcp Real: www Mapped: www

Manual NAT Policies (Section 3)
1 (DMZ) to (outside) source dynamic DMZ_NET interface
    translate_hits = 2103, untranslate_hits = 8
    Source - Origin: 10.10.10.0/24, Translated: X.X.X.X/32

I've read Syslog, and realized that something is wrong:
WEB: ASA-3-710003: TCP access denied by ACL from 123.17.96.224/64141 to outside:X.X.X.X/80
FTP:  ASA-2-106016: Deny IP spoof from (X.X.X.X) to 10.10.10.5 on interface outside

With WEB the packet was dropped at outside, but with FTP the packet was dropped behind outside, although they were configured with the same ACL/NAT rules.
Do you know which ASA functions can affect NAT/ACL?
Thanks for your help.
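The ordering problem Karsten points at (a dynamic PAT to the interface address sitting in Section 1, ahead of the Section 2 static PATs that share that address) can be checked mechanically from `show nat detail`. The script below is an added example, not code from the thread or from Cisco: it parses the `show nat detail` layout shown above and applies a simplified first-match model of the ASA NAT table (Section 1, then Section 2, then Section 3, in print order) to ask which rule would claim an inbound flow to the mapped address and port. In that model a dynamic rule with no service clause owns every port of its mapped address, so it shadows any static PAT listed after it. The three sample outputs are constructed from the configurations posted in this thread, with 203.0.113.10 standing in for X.X.X.X and the hit-counter lines left out; note that in the final `show nat detail` the inside LAN_NET dynamic rule is still in Section 1, and the model flags it for the same reason it flags the original DMZ_NET placement. Whether a given ASA release really behaves that way for a particular rule is something to confirm on the box with the untranslate_hits counters and packet-tracer, so treat the report as an ordering hint, not a diagnosis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples in the `show nat detail` layout seen in this thread.
# 203.0.113.10 stands in for the outside address (X.X.X.X); hit-counter
# lines are omitted because the parser ignores them anyway.
S1_HDR = "Manual NAT Policies (Section 1)\n"
S2_HDR = "Auto NAT Policies (Section 2)\n"
S3_HDR = "Manual NAT Policies (Section 3)\n"
LAN_DYN = ("1 (inside) to (outside) source dynamic LAN_NET interface\n"
           "    Source - Origin: 192.168.100.0/24, Translated: 203.0.113.10/32\n")
DMZ_DYN = ("1 (DMZ) to (outside) source dynamic DMZ_NET interface\n"
           "    Source - Origin: 10.10.10.0/24, Translated: 203.0.113.10/32\n")
STATICS = ("1 (DMZ) to (outside) source static FTP interface service tcp ftp ftp\n"
           "    Source - Origin: 10.10.10.5/32, Translated: 203.0.113.10/32\n"
           "    Service - Protocol: tcp Real: ftp Mapped: ftp\n"
           "2 (DMZ) to (outside) source static WEB interface service tcp www www\n"
           "    Source - Origin: 10.10.10.5/32, Translated: 203.0.113.10/32\n"
           "    Service - Protocol: tcp Real: www Mapped: www\n")
AS_POSTED  = S1_HDR + DMZ_DYN + S2_HDR + STATICS                      # first post
AFTER_AUTO = S1_HDR + LAN_DYN + S2_HDR + STATICS + S3_HDR + DMZ_DYN   # last post
ALL_AFTER  = S2_HDR + STATICS + S3_HDR + LAN_DYN + DMZ_DYN            # both dynamic rules after-auto

SECTION_RE = re.compile(r"^(?:Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)"
                     r"(?: service (\S+) (\S+) (\S+))?")
ADDR_RE = re.compile(r"Source - Origin: (\S+), Translated: (\S+)")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}


def port_number(name: str) -> int:
    return int(name) if name.isdigit() else PORT_NAMES[name]


@dataclass
class NatRule:
    section: int
    real_ifc: str
    mapped_ifc: str
    kind: str                 # "static" or "dynamic"
    real_obj: str
    mapped_obj: str
    proto: Optional[str] = None
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None
    real_addr: str = ""
    mapped_addr: str = ""

    def claims_inbound(self, mapped_ip: str, proto: str, port: int) -> bool:
        """Simplified model: does this rule's mapped side cover the inbound flow?"""
        if self.mapped_addr != f"{mapped_ip}/32":
            return False
        if self.proto is None:            # no service clause: the whole address
            return True
        return self.proto == proto and self.mapped_port == port


def parse_show_nat(text: str) -> List[NatRule]:
    """Parse `show nat detail` into rules, in the order the ASA prints (and evaluates) them."""
    rules: List[NatRule] = []
    section, current = 0, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            _, rifc, mifc, kind, robj, mobj, proto, rport, mport = m.groups()
            current = NatRule(section, rifc, mifc, kind, robj, mobj)
            if proto:
                current.proto = proto
                current.real_port, current.mapped_port = port_number(rport), port_number(mport)
            rules.append(current)
            continue
        m = ADDR_RE.search(line)
        if current is not None and m:
            current.real_addr, current.mapped_addr = m.groups()
    return rules


def inbound_owner(rules: List[NatRule], mapped_ip: str, proto: str, port: int) -> Optional[NatRule]:
    """First rule, in table order, that claims the inbound flow under the model."""
    for r in rules:
        if r.claims_inbound(mapped_ip, proto, port):
            return r
    return None


def shadow_report(text: str) -> List[Tuple[str, str]]:
    """(static object, object that shadows it) for every static PAT not reached first."""
    rules = parse_show_nat(text)
    out = []
    for r in rules:
        if r.kind == "static" and r.proto:
            owner = inbound_owner(rules, r.mapped_addr.split("/")[0], r.proto, r.mapped_port)
            if owner is not r:
                out.append((r.real_obj, owner.real_obj if owner else "none"))
    return out


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("after-auto", AFTER_AUTO), ("all after-auto", ALL_AFTER)):
        print(f"{label:15s} shadowed static PATs: {shadow_report(text)}")
```

When testing the result, pick a source that is not the ASA's own outside address: the packet-tracer in the first post uses X.X.X.X as the source, and the rule it hits (src ip/id=X.X.X.X mask 255.255.255.255, deny=true, input_ifc=outside) together with the later "ASA-2-106016: Deny IP spoof from (X.X.X.X)" message are what the ASA reports for packets claiming its own interface address, so that run never reaches the NAT untranslate or the outside-in ACL. A packet-tracer with an arbitrary Internet source, e.g. `packet-tracer input outside tcp 198.51.100.7 40000 X.X.X.X 80 detailed`, is the one whose UN-NAT and ACCESS-LIST phases tell you whether the static PAT and the ACL are being matched.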
