Cisco Support Community

New Member

Cisco ASA 8.4 Static NAT (Port Forwarding Issue)

Dear Colleagues,

Please help me solve a NAT translation issue. I have the ASA 8.4(5) image.

I need to implement a static port forwarding translation (to forward packets from the Internet to a DMZ server when connecting on custom port TCP/17887).

The server in the DMZ has IP address 172.23.255.3/24. I used Cisco ASDM for the port forwarding configuration.

Under Edit Network Object (NAT section) I did:

1. Chose "Add Automatic Address Translation Rules"

2. Type is set to "Static"

3. Translate Addr (I will use my outside interface)

Then I pressed the Advanced button and did:

1) I chose in the Interface section: source interface (my DMZ interface), destination interface (my outside interface)

2) I chose in the Service section: Protocol (TCP), Real Port (17887), Mapped Port (17887).

After I applied the configuration, I added an access rule on the outside interface (any ---> real server IP ---> tcp/17887 ---> permit) and attempted to connect from the Internet to my public interface (my outside IP address).

The connection was not successful. I see in the ASDM Log Viewer:

TCP request discarded from 213.111.83.151/57976 to outside:77.222.x.x/17887

(Explanation from ASDM -

%ASA-7-710005: {TCP|UDP} request discarded from 
source_address/source_port to interface_name:dest_address/service

The ASA does not have a UDP server that services the UDP request. Also, a TCP packet that does not belong to any session on the ASA may have been discarded. In addition, this message appears (with the SNMP service) when the ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is SNMP, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed.)

Please help me solve this problem. Did I do something wrong?

Best Regards,

Maxim

I added a file with the Packet Tracer output, where we can see that for some reason the traffic was dropped.

8 REPLIES
Bronze

I'm not very familiar with ASDM, so can you share the config?

New Member

Hello,

My config is huge. Maybe I can show you some part of it?

interface GigabitEthernet0/2.11
 description ===== Socar Test =====
 vlan 11
 nameif Socar_Test
 security-level 0
 ip address 172.23.255.1 255.255.255.0 standby 172.23.255.2

interface GigabitEthernet0/3
 description ===== External Internet Connection =====
 nameif outside
 security-level 0
 ip address 77.222.x.x 255.255.255.248 standby 77.222.x.x
 ospf cost 10


object network Socar_test_SRV
 host 172.23.255.3

object network Socar_test_SRV
 nat (Socar_Test,outside) static interface service tcp 17887 17887

access-list Socar_Test_access_in extended deny ip any any (ACL for interface GigabitEthernet0/2.11)

access-list FromOutside extended permit tcp any object Socar_test_SRV eq 17887 (ACL for interface GigabitEthernet0/3)

If I need to show an additional part of the config, please let me know.

Silver

Hello,

As per the NAT configuration, it's correct.

Both your external interface and your DMZ interface have the same security level (0); check in your config that same-security traffic is permitted between interfaces.

By default, these same-security interfaces cannot communicate with one another. To work around this, the same-security-traffic permit inter-interface command was introduced. This command allows communication between interfaces of the same security level.

"Please rate helpful posts"
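The CLI equivalent of the ASDM steps from the original post, together with the same-security-traffic command from the reply above, collected into one complete ASA 8.4 configuration. This is an added example, not a snippet posted by anyone in the thread; the interface names, object name, host address and port are the ones from the configuration posted earlier, and nothing else is assumed.

```cisco
! Added example: complete ASA 8.4 static PAT (port forwarding) for one TCP port.
! Names, addresses and the port are taken from the thread; nothing else is assumed.

! Both interfaces sit at security-level 0. Without this global command the ASA
! drops traffic between interfaces of equal security level.
same-security-traffic permit inter-interface

! Object NAT (Section 2 of the NAT table). "interface" maps the real host to the
! outside interface address; "service tcp 17887 17887" restricts the translation
! to that port (real port first, mapped port second).
object network Socar_test_SRV
 host 172.23.255.3
 nat (Socar_Test,outside) static interface service tcp 17887 17887

! Since 8.3 an interface ACL matches the REAL (untranslated) address, so the
! rule references the object, not the outside interface IP.
access-list FromOutside extended permit tcp any object Socar_test_SRV eq 17887

! The ACL only takes effect once it is bound inbound on the interface; the
! thread shows the ACL itself but not this binding.
access-group FromOutside in interface outside
```

Note that `same-security-traffic permit inter-interface` is global: it opens every pair of equal-security interfaces on the box, not just Socar_Test and outside, so any other level-0 interfaces then need their own ACLs to stay separated.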

New Member


Hello,

Still not working. The same syslog message:

%ASA-7-710005: {TCP|UDP} request discarded from 
source_address/source_port to interface_name:dest_address/service

The ASA does not have a UDP server that services the UDP request. Also, a TCP packet that does not belong to any session on the ASA may have been discarded. In addition, this message appears (with the SNMP service) when the ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is SNMP, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed.     

Silver

Hello,

Check the access-list Socar_Test_access_in, in which direction it is applied, and, if possible, enable logging on the console while attempting to connect to see whether the traffic is denied by any ACL.

New Member


access-group Socar_Test_access_in in interface Socar_Test

asa1/act# show running-config access-list Socar_Test_access_in
access-list Socar_Test_access_in extended deny ip any any

Should I open something? 

Silver

This access-group shows that any traffic trying to enter the DMZ will be denied. Either remove this ACL if it is not specifically required, or permit your source IP/port to the destination/port.

New Member


asa1/act# show running-config access-list Socar_Test_access_in
access-list Socar_Test_access_in extended permit ip any any
access-list Socar_Test_access_in extended deny ip any any

I added permit any any but it is still not working.
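The thread ends without the drop being explained, so here is the set of checks an ASA administrator would run on the box at this point. It is an added example, not taken from any post. The client address and port are the ones from the logged message; `<outside-ip>` stands for the outside interface address that is elided (77.222.x.x) in the thread. Two facts about ASA behaviour frame the checks: an inbound interface ACL is evaluated only for packets that initiate a connection on that interface, and the server's replies on Socar_Test belong to a connection already in the state table, which is consistent with `permit ip any any` on Socar_Test_access_in changing nothing; and %ASA-7-710005 is logged when the packet is handled as destined to the ASA itself, which is what happens when no NAT rule untranslates the outside interface address for that port. The checks therefore concentrate on the NAT table.

```cisco
! Added example: verification commands for the static PAT (ASA 8.4).
! 213.111.83.151/57976 is the client from the logged %ASA-7-710005 message;
! <outside-ip> stands for the outside interface address elided in the thread.

! 1. Simulate the inbound SYN. With a working rule the trace shows an UN-NAT
!    phase mapping <outside-ip>:17887 to 172.23.255.3:17887, an ACCESS-LIST
!    phase matching FromOutside, and an ALLOW result with output interface
!    Socar_Test. A trace with no UN-NAT phase that ends at the box itself
!    matches the 710005 log seen in ASDM.
packet-tracer input outside tcp 213.111.83.151 57976 <outside-ip> 17887 detailed

! 2. NAT table order and hit counters. Manual NAT (Section 1) is evaluated
!    before object NAT (Section 2); a Section 1 rule with broad source and
!    destination objects matches first and the object rule never runs.
!    untranslate_hits staying at 0 on the Socar_test_SRV rule after a test
!    connection means the inbound packet never reached that rule.
show nat detail
show xlate

! 3. Confirm the global same-security setting and the ACL bindings/hit counts.
show running-config same-security-traffic
show running-config access-group
show access-list FromOutside

! 4. Watch the drop live. 710005 is a level-7 message, so the buffer must be at
!    debugging to capture it; 106023 is the "denied by access-group" message.
logging buffered debugging
show logging | include 710005|106023
```

Run the packet-tracer once, then re-read the counters: one packet-tracer invocation increments translate/untranslate and ACL hit counts exactly like a real packet, so a counter that stays at zero points at a rule the packet never reaches rather than at the rule's contents.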
