Cisco Support Community
cannot reach special port from internet

Hi, I've got several problems. The goal is to reach port 8888 from outside to inside my LAN.

My config is simple. ASA inside: 192.168.1.0/24, outside: DHCP from my ISP.

Inside to outside, everything is OK.

Ping from the Internet to the outside interface is OK.

But connecting from the Internet to port 8888 is not working.

I've tried many things and I'm quite sure that my config is shitty now...

So please help me.

Here it is:

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 mac-address a44c.1156.90b2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 178.250.208.37
 name-server 8.8.8.8
 domain-name xx
same-security-traffic permit intra-interface
object network obj_any
 subnet 192.168.1.0 255.255.255.0
object network server1
 host 192.168.1.20
object network NETWORK_OBJ_192.168.1.192_27
 subnet 192.168.1.192 255.255.255.224
object network telephone_ip
 host 192.168.1.5
object network lan
 subnet 192.168.1.0 255.255.255.0
 description lan
object network vpn
 range 192.168.69.100 192.168.69.110
 description vpn
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.69.96_28
 subnet 192.168.69.96 255.255.255.240
object service http_8888
 service tcp destination eq 8888
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
 protocol-object udp
 protocol-object tcp
 protocol-object ip
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.69.96_28 any
access-list outside_access_in extended permit object-group TCPUDP any object telephone_ip eq sip
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object http_8888 any object server1
access-list outside_access_in extended permit tcp any host 192.168.1.20 eq 8888
access-list outside_access_in extended permit tcp any host 192.168.1.20
access-list inside_access_in extended permit ip any any
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list lan standard permit 192.168.1.0 255.255.255.0
access-list SplitTunnel_ACL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 192.168.69.100-192.168.69.110 mask 255.255.255.0
ipv6 icmp permit any inside
ipv6 icmp permit any outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static lan lan destination static vpn vpn
nat (inside,outside) source dynamic lan interface
nat (outside,outside) source dynamic any interface destination static server1 server1 service http_8888 http_8888
!
object network server1
 nat (outside,inside) static interface service tcp 8888 8888
!
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

Re: cannot reach special port from internet

Your NAT config is probably incorrect. Keep in mind that the NAT statements are processed top-down. And the NAT for the server has to be changed:

object network server1

  nat (inside,outside) static interface service tcp 8888 8888

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
Re: cannot reach special port from internet

OK, so can you tell me how I can correct my NAT setup (top-down)?

Thank you.

I always get this in the log:

%ASA-7-710005: TCP request discarded from MYISPIP/64667 to outside:IPOFTHEOUTSIDEINTERFACE/8888

Re: cannot reach special port from internet

Hello Jonathan,

Let's do it differently:

object network server1
 no nat (outside,inside) static interface service tcp 8888 8888

object network Internal_host
 host 192.168.1.20

object service 8888
 service tcp source eq 8888

nat (inside,outside) source static Internal_host interface service 8888 8888

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
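Karsten's point about top-down NAT processing and Julio's twice-NAT alternative both come down to the same question: which rule, if any, un-translates a packet that arrives on the outside interface for outside_ip:8888. The Python below is an added example written for this page (not code from the thread, from Cisco or from the ASA) that models that lookup in simplified form: manual NAT is searched before object NAT, first match wins, static rules work in both directions, and the interface pair in `nat (real,mapped)` decides which interface the mapped address lives on. The outside address 203.0.113.10 and the approximation of the `vpn` range object by its covering /28 are assumptions made for the example.

```python
"""Toy model of the ASA NAT lookup the two suggested fixes rely on.

Added example for this thread; not code from the posts, from Cisco or from the
ASA. Modelled: section 1 (manual/twice NAT) is searched before section 2
(object NAT), top-down, first match wins; in 'nat (real_if,mapped_if)' the
second name is the side the mapped address lives on, so a packet is only
un-translated if it ARRIVES on mapped_if for the mapped address/port; static
rules work both ways, dynamic PAT only outbound. Outside IP is made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

IFACE_IP = {"inside": "192.168.1.254", "outside": "203.0.113.10"}  # outside: assumed

@dataclass(frozen=True)
class NatRule:
    section: int                       # 1 = manual (twice) NAT, 2 = object NAT
    text: str                          # CLI line the rule came from
    ingress_if: Optional[str]          # None: never un-translates inbound traffic
    mapped_net: Optional[IPv4Network]  # destination the inbound packet must carry
    mapped_port: Optional[int]         # None = any port
    real_host: Optional[IPv4Address]   # None = identity, destination unchanged
    egress_if: Optional[str]

def _addr(name: str, iface: str) -> str:
    """'interface' as a mapped address means the IP of the mapped interface."""
    return IFACE_IP[iface] if name == "interface" else name

def object_nat(real_if, mapped_if, kind, real_host, mapped, port, text) -> NatRule:
    """object network X / nat (real_if,mapped_if) {static|dynamic} mapped [service tcp p p]"""
    if kind != "static":
        return NatRule(2, text, None, None, None, None, None)
    return NatRule(2, text, mapped_if, ip_network(f"{_addr(mapped, mapped_if)}/32"),
                   port, ip_address(real_host), real_if)

def twice_nat(real_if, mapped_if, src_kind, src_real, src_mapped, port, text,
              dst_identity: Optional[str] = None) -> NatRule:
    """nat (real_if,mapped_if) source {static|dynamic} A B [destination static C C] [service s s]
    Both destination clauses in the thread are identity (C C): they match packets
    ARRIVING on real_if for C and pass them unchanged towards mapped_if. The reverse
    direction is left out; it cannot match the port-8888 packet either."""
    if dst_identity is not None:
        return NatRule(1, text, real_if, ip_network(dst_identity), port, None, mapped_if)
    if src_kind != "static":
        return NatRule(1, text, None, None, None, None, None)
    return NatRule(1, text, mapped_if, ip_network(f"{_addr(src_mapped, mapped_if)}/32"),
                   port, ip_address(src_real), real_if)

Hit = Tuple[NatRule, IPv4Address, int, str]

def untranslate(rules: List[NatRule], ingress_if: str, dst_ip: str, dst_port: int) -> Optional[Hit]:
    """First rule that un-translates the packet (section 1 before 2, config order
    within a section). None: the ASA keeps the packet as addressed to itself,
    which is what %ASA-7-710005 'request discarded' reports."""
    dst = ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):  # sorted() is stable
        if rule.ingress_if != ingress_if or rule.mapped_net is None or dst not in rule.mapped_net:
            continue
        if rule.mapped_port is not None and rule.mapped_port != dst_port:
            continue
        real = rule.real_host if rule.real_host is not None else dst
        return rule, real, dst_port, rule.egress_if  # every rule in the thread keeps the port
    return None

# The three section-1 rules and the object rule exactly as posted.
POSTED = [
    twice_nat("inside", "outside", "static", "192.168.1.0/24", "192.168.1.0/24", None,
              "nat (inside,outside) source static lan lan destination static vpn vpn",
              dst_identity="192.168.69.96/28"),  # vpn range approximated by its /28 (assumption)
    twice_nat("inside", "outside", "dynamic", "192.168.1.0/24", "interface", None,
              "nat (inside,outside) source dynamic lan interface"),
    twice_nat("outside", "outside", "dynamic", "0.0.0.0/0", "interface", 8888,
              "nat (outside,outside) source dynamic any interface destination static "
              "server1 server1 service http_8888 http_8888", dst_identity="192.168.1.20/32"),
    object_nat("outside", "inside", "static", "192.168.1.20", "interface", 8888,
               "nat (outside,inside) static interface service tcp 8888 8888"),
]
KARSTEN_FIX = object_nat("inside", "outside", "static", "192.168.1.20", "interface", 8888,
                         "nat (inside,outside) static interface service tcp 8888 8888")
JULIO_FIX = twice_nat("inside", "outside", "static", "192.168.1.20", "interface", 8888,
                      "nat (inside,outside) source static Internal_host interface service 8888 8888")

def explain(rules: List[NatRule], label: str) -> str:
    """Which rule, if any, un-NATs a packet arriving on outside for outside_ip:8888."""
    hit = untranslate(rules, "outside", IFACE_IP["outside"], 8888)
    if hit is None:
        return f"{label}: nothing un-translates outside:{IFACE_IP['outside']}/8888, request discarded"
    rule, ip, port, egress = hit
    return f"{label}: '{rule.text}' -> {ip}/{port} via {egress}"

if __name__ == "__main__":
    print(explain(POSTED, "posted config"))
    print(explain(POSTED[:3] + [KARSTEN_FIX], "Karsten's object NAT"))
    print(explain(POSTED + [JULIO_FIX], "Julio's twice NAT, posted object rule still present"))
```

Running it shows the posted `nat (outside,inside)` rule only ever answering for packets that arrive on inside for 192.168.1.254:8888, which is why the outside packet falls through every rule and is reported as a discarded to-the-box request; either suggested rule matches on the first pass, and Julio's lands in section 1, ahead of any object NAT, so it wins even if the old object rule is left in place.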
Re: cannot reach special port from internet

Julio, I tried your config but same problem.

Log:

%ASA-7-710005: TCP request discarded from MYISPIP/64667 to outside:IPOFTHEOUTSIDEINTERFACE/8888

Re: cannot reach special port from internet

Please provide the following:

packet-tracer input outside tcp 4.2.2.2 1025 interface_ip eq 8888

Regards,

Re: cannot reach special port from internet

OK, here is the result.

BTW, now I get a new log message:

Deny TCP (no connection) from MYISPIP/64842 to ASAOUTSIDEIP/8888 flags FIN PSH ACK on interface outside

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Internal_host interface service 8888 8888
Additional Information:
NAT divert to egress interface inside
Untranslate ipoutsideinterface/8888 to 192.168.1.20/8888

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp object obj_any object supernova eq 8888
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Internal_host interface service 8888 8888
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4820, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Re: cannot reach special port from internet

Hello Jonathan,

Packet tracer looks good,

Next test:

- capture asp type asp-drop all circular-buffer

Then try to connect to port 8888 and provide the following output:

sh cap asp | include outside_ip

Regards,

Julio

Re: cannot reach special port from internet

OK, here is the next:

Anyway, thanks for the help.

Check your PM.

Re: cannot reach special port from internet

I've done some tests. When I put the NAT rule in first place I get this:

Deny TCP (no connection) from MYISPIP/64842 to ASAOUTSIDEIP/8888 flags FIN PSH ACK on interface outside

When I put the NAT rule in last place I get this:

%ASA-7-710005: TCP request discarded from MYISPIP/64667 to outside:IPOFTHEOUTSIDEINTERFACE/8888
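The two log lines that keep coming back in this thread each point at a different stage of the inbound path, and telling them apart is most of the diagnosis: 710005 means the ASA never un-translated the packet and handled it as addressed to itself, while "Deny TCP (no connection)" (syslog ID 106015, which ASDM displays without its prefix) means a non-SYN segment arrived after the flow was either never built or already torn down. The Python below is an added example for this page (not code from the posts or from Cisco) that parses those two messages plus the %ASA-6-302013 "Built inbound" message a working forward produces, and reduces a batch of them to a verdict for one published interface/port. The sample lines are constructed, with documentation-range addresses in place of the MYISPIP / ASAOUTSIDEIP placeholders.

```python
"""Classify the ASA syslog messages quoted in this thread.

Added example; not code from the posts or from Cisco. Known messages:
  710005  request discarded   : packet handled as addressed to the ASA itself
  106015  Deny TCP (no conn)  : non-SYN segment with no connection entry
  302013  Built inbound       : a connection was built through the NAT rule
ASDM shows 106015 without its '%ASA-6-106015:' prefix, so the prefix is optional.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the thread's lines, with the MYISPIP /
# ASAOUTSIDEIP placeholders replaced by documentation-range addresses.
SAMPLE_LOG = """\
%ASA-7-710005: TCP request discarded from 198.51.100.7/64667 to outside:203.0.113.10/8888
Deny TCP (no connection) from 198.51.100.7/64842 to 203.0.113.10/8888 flags FIN PSH ACK  on interface outside
%ASA-6-302013: Built inbound TCP connection 4820 for outside:198.51.100.7/64842 (198.51.100.7/64842) to inside:192.168.1.20/8888 (203.0.113.10/8888)
"""

PREFIX = re.compile(r"^%ASA-\d-\d{6}: ")
IP, PORT = r"(?:\d{1,3}\.){3}\d{1,3}", r"\d{1,5}"
PATTERNS = {
    "710005": re.compile(
        rf"(?P<proto>TCP|UDP) request discarded from (?P<src>{IP})/(?P<sport>{PORT}) "
        rf"to (?P<iface>\w+):(?P<dst>{IP})/(?P<dport>{PORT})"),
    "106015": re.compile(
        rf"Deny TCP \(no connection\) from (?P<src>{IP})/(?P<sport>{PORT}) "
        rf"to (?P<dst>{IP})/(?P<dport>{PORT}) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"),
    "302013": re.compile(
        rf"Built (?P<direction>inbound|outbound) TCP connection (?P<conn>\d+) "
        rf"for (?P<iface>\w+):(?P<src>{IP})/(?P<sport>{PORT}) \({IP}/{PORT}\) "
        rf"to (?P<egress>\w+):(?P<dst>{IP})/(?P<dport>{PORT}) \((?P<mapped>{IP})/(?P<mport>{PORT})\)"),
}
MEANING = {
    "710005": "treated as addressed to the ASA itself: no NAT rule un-translated "
              "this interface address/port and nothing on the box listens there",
    "106015": "TCP segment without SYN and no connection entry for it: the flow "
              "was never built, or it has already been torn down",
    "302013": "connection built through the NAT rule: un-NAT and ACL checks passed",
}

@dataclass
class Event:
    msg_id: str
    fields: Dict[str, object]
    meaning: str
    raw: str

def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a known message, None for anything else."""
    body = PREFIX.sub("", line.strip())
    for msg_id, pat in PATTERNS.items():
        m = pat.search(body)
        if m:
            fields: Dict[str, object] = dict(m.groupdict())
            if "flags" in fields:                      # "FIN PSH ACK" -> list
                fields["flags"] = str(fields["flags"]).split()
            return Event(msg_id, fields, MEANING[msg_id], line.strip())
    return None

def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def port_verdict(events: List[Event], iface: str, port: str) -> str:
    """What the log says about one published interface:port."""
    ids = set()
    for e in events:
        if e.msg_id == "302013" and e.fields.get("mport") == port:
            ids.add(e.msg_id)                          # mapped (outside) port matched
        elif e.fields.get("iface") == iface and e.fields.get("dport") == port:
            ids.add(e.msg_id)
    if "302013" in ids and "106015" in ids:
        return "built-then-no-connection"  # flow was built, later segments found no conn
    if "302013" in ids:
        return "forwarded"                 # at least one connection built through
    if "710005" in ids:
        return "no-un-nat"                 # NAT never matched: check rule direction/order
    if "106015" in ids:
        return "no-connection"             # never built: check asp drops and the server
    return "no-evidence"

if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev.msg_id, ev.fields.get("src"), "->", ev.fields.get("dst"), ev.fields.get("dport"), ":", ev.meaning)
    print("verdict for outside:8888 =", port_verdict(parse_log(SAMPLE_LOG), "outside", "8888"))
```

Read against the thread: the 710005 lines Jonathan saw while the NAT rule was at the bottom give "no-un-nat", which is the NAT-direction problem Karsten and Julio addressed; the "Deny TCP (no connection) ... FIN PSH ACK" lines seen once the rule was at the top, together with the flow that packet-tracer built, give "built-then-no-connection", which points past the NAT at the conversation itself (the `capture asp type asp-drop` Julio asked for, `show conn`, and whether 192.168.1.20 actually answers on 8888).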
