03-10-2012 06:05 AM - edited 03-11-2019 03:40 PM
I'm trying to configure basic port forwarding. TCP port 51088 needs to be forwarded from the outside interface to inside host 192.168.69.100. Piece of cake, right? What I'm trying should be incredibly easy and I'm embarrassed to say that I cannot figure out where I'm going wrong. The packet-trace output says the ACL is denying it but I don't see how.
access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088
access-group aclDAVE-SERVER in interface outside
asa5505# packet-trace input outside tcp 8.8.8.8 51088 74.125.224.34 51088
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
03-10-2012 07:07 AM
What does your NAT configuration look like? It's difficult to tell from the configuration you have provided.
access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088
access-group aclDAVE-SERVER in interface outside
asa5505# packet-trace input outside tcp 8.8.8.8 51088 74.125.224.34 51088
What is 192.168.69.100, and what is 74.125.224.34?
regards,
03-10-2012 07:27 AM
Sorry about that; I forgot to post the NAT config.
global (outside) 1 interface
nat (inside) 1 access-list aclDAVE-SERVER
nat (inside) 1 0.0.0.0 0.0.0.0
192.168.69.100 is a Linux server on the inside that will be receiving the connection on TCP port 51088.
74.125.224.34 is the current outside DHCP address (let me know if there is some voodoo to use that dynamically rather than looking it up and specifying the IP).
I was originally trying to do this with object-groups in the ACL but when it wasn't working I removed them from the equation, at least until I figure out what I did wrong.
Thanks for the help!
03-10-2012 09:09 AM
Hi Jeremy,
Drop-reason: (acl-drop) Flow is denied by configured rule
The issue is the access-list applied on the outside.
access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088
it should be
access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 74.125.224.34 eq 51088
Also in order to have connections initiated from outside you should configure a static nat
static (inside,outside) tcp interface 51088 192.168.69.100 51088
Dan
03-10-2012 11:04 AM
Ah, I see. On incoming packets the destination will not be the inside address, so the destination should be the outside address in the ACL.
I corrected the ACL and added the Static NAT, but unfortunately it's still not letting it through. I tried both before and after removing the Policy NAT statement referencing the ACL, but the packet-trace results were the same either way.
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255
access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 74.125.224.34 eq 51088
access-group aclDAVE-SERVER in interface outside
Because the outside is on DHCP I also tried this access-list which would be better for me, but it didn't work either:
access-list aclDAVE-SERVER extended permit tcp any eq 51088 interface outside eq 51088
I even went so far as to replace the bold with any and still could not get through.
03-10-2012 12:33 PM
Hi Jeremy,
If the IP of the outside is via DHCP, there is no static DHCP pool, so it is better to use any as the destination.
But you will have to know when the IP changes in order to access the application.
Do you have inspection enabled? > show service-policy
What kind of application is this TCP 51088?
Dan
03-10-2012 07:46 PM
Thanks Dan,
A DynDNS account is being maintained to keep track of the dynamic IP so no worries there. TCP 51088 is being used for SSH, because, well, it's Dave's server and that's the port he wants to use.
show service-policy returned nothing so it looks good there.
All I can think is that I need to do something different with NAT because it shows outside as both the input and output interfaces in the packet-trace.
03-11-2012 01:51 AM
Hi Jeremy,
The problem is the NAT. Please change it as below:
no static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255
static (inside,outside) tcp 74.125.224.34 51088 192.168.69.100 51088 netmask 255.255.255.255
Also the access-list:
access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 74.125.224.34 eq 51088
should not have as a source port 51088.
Let's see how it goes.
Dan
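To make the two ACL points raised in this thread concrete (the inbound ACL on the outside interface is matched on the destination address as the packet arrives there, and a real client's source port is ephemeral, so "eq 51088" on the source side matches nothing real), here is an added example, not code from this thread or from Cisco: a small Python model of first-match ACL evaluation for the ACE forms tried above. It models only the ACL match, not NAT or the other packet-tracer phases, it does not support the "interface outside" address form, and the ephemeral source port 54321 is a constructed value. Note that the packet-tracer test used in the thread sets the source port to 51088, which hides the source-port mistake; the model checks both that packet and a realistic one.

```python
"""Tiny model of ASA extended-ACL matching for TCP (added example, not
from the thread or from Cisco).  Supports only the ACE shapes used in
the thread: permit/deny tcp, addresses as 'any', 'host A.B.C.D' or
'A.B.C.D MASK', and an optional 'eq PORT' after each address."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str        # destination as seen on the inbound interface
    dst_port: int


@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    text: str


def _take_addr(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # 'A.B.C.D MASK' form; ipaddress accepts a dotted netmask after '/'
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq PORT'; None means any port."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


ACE_RE = re.compile(r"access-list\s+\S+\s+extended\s+(permit|deny)\s+tcp\s+(.+)$")


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, rest = m.group(1), m.group(2).split()
    src, rest = _take_addr(rest)
    src_port, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dst_port, rest = _take_port(rest)
    return Ace(action, src, src_port, dst, dst_port, line.strip())


def evaluate(acl, pkt: Packet):
    """First-match evaluation; every ACL ends with an implicit deny."""
    for ace in acl:
        if (ipaddress.ip_address(pkt.src_ip) in ace.src
                and ipaddress.ip_address(pkt.dst_ip) in ace.dst
                and ace.src_port in (None, pkt.src_port)
                and ace.dst_port in (None, pkt.dst_port)):
            return ace.action, ace.text
    return "deny", "implicit deny"


# The ACLs from the thread, in the order they were tried
ACL_ORIGINAL = [parse_ace("access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088")]
ACL_OUTSIDE_DST = [parse_ace("access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 74.125.224.34 eq 51088")]
ACL_FINAL = [parse_ace("access-list acl-outside extended permit tcp any any eq 51088")]

# The packet-tracer test from the thread (source port forced to 51088) ...
TRACER_PKT = Packet("8.8.8.8", 51088, "74.125.224.34", 51088)
# ... and a realistic SSH client with an ephemeral source port (constructed)
REAL_PKT = Packet("8.8.8.8", 54321, "74.125.224.34", 51088)


def verdicts():
    """ACL-only verdicts for each ACL/packet pair discussed in the thread."""
    return {
        "original/tracer": evaluate(ACL_ORIGINAL, TRACER_PKT)[0],
        "outside-dst/tracer": evaluate(ACL_OUTSIDE_DST, TRACER_PKT)[0],
        "outside-dst/real": evaluate(ACL_OUTSIDE_DST, REAL_PKT)[0],
        "final/real": evaluate(ACL_FINAL, REAL_PKT)[0],
    }


if __name__ == "__main__":
    for pair, verdict in verdicts().items():
        print(f"{pair:20s} {verdict}")
```

The original ACL denies the tracer packet because its destination is the outside address, not 192.168.69.100; the corrected-destination ACL permits the tracer packet but still denies a real client because of the source-port match; only the final "any any eq 51088" permits the real packet.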
03-11-2012 07:15 AM
Dang, it didn't like that either.
static (inside,outside) tcp 72.193.250.115 51088 192.168.69.100 51088 netmask 255.255.255.255
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
So I tried this:
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255
access-list aclDAVE-SERVER extended permit tcp any any eq 51088
Same packet-trace result.
UPDATE: I tweaked things a bit and have a tiny bit of progress. It's at least trying to use the inside interface as the output interface now.
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 192.168.69.100 51088 access-list aclDAVE-SERVER
access-list aclDAVE-SERVER extended permit tcp any eq 51088 host 192.168.69.100 eq 51088
access-group aclDAVE-SERVER in interface outside
asa5505(config)# show nat
NAT policies on Interface inside:
match tcp inside any eq 51088 outside host 192.168.69.100 eq 51088
static translation to 192.168.69.100/51088
translate_hits = 0, untranslate_hits = 4
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
dynamic translation to pool 1 (72.193.250.115 [Interface PAT])
translate_hits = 84146, untranslate_hits = 127669
match ip inside any _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
asa5505(config)# packet-trace input outside tcp 8.8.8.8 51088 72.193.250.115 51088 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.69.100 51088 access-list aclDAVE-SERVER
match tcp inside any eq 51088 outside host 192.168.69.100 eq 51088
static translation to 192.168.69.100/51088
translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.69.100/51088 to 0.0.0.0/51088 using netmask 0.0.0.0
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 72.193.250.115 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95e6108, priority=0, domain=permit, deny=true
hits=14678, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
03-12-2012 02:15 PM
Hi Jeremy,
Please configure the ASA this way:
no nat (inside) 1 access-list aclDAVE-SERVER
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255
!
access-l acl-outside extended permit tcp any any eq 51088
!
access-group acl-outside in interface outside
!
end
clear xlate
Dan
03-12-2012 02:49 PM
*in my best "Borat" voice*: GREAT SUCCESS!
That last one did the trick perfectly. Marking your post as the correct answer. Thanks so much for all of your time and patience with me Dan, I really appreciate it!
It's almost 3 PM here and I still haven't grabbed lunch yet so my eyes are crossing. I'll have to review everything we tried so I can figure out all the different things I did wrong, but that will come with time.
Just for the sake of contrast against the failed packet-trace, here is what a successful one looks like:
packet-trace input outside tcp 8.8.8.8 51088 72.193.250.115 51088
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255
match tcp inside host 192.168.69.100 eq 51088 outside any
static translation to 72.193.250.115/51088
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 72.193.250.115/51088 to 192.168.69.100/51088 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit tcp any any eq 51088
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255
match tcp inside host 192.168.69.100 eq 51088 outside any
static translation to 72.193.250.115/51088
translate_hits = 0, untranslate_hits = 1
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255
match tcp inside host 192.168.69.100 eq 51088 outside any
static translation to 72.193.250.115/51088
translate_hits = 0, untranslate_hits = 1
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5577, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
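To put the failed and successful traces side by side in one place, here is an added Python helper, not code from this thread or from Cisco, that splits packet-tracer output into its phases and reports the final action, the phase that dropped the packet, the ACL rule that matched, and the egress interface. The two sample traces are constructed from the failed and successful traces posted in this thread, trimmed to the lines the parser needs.

```python
"""Split ASA packet-tracer output into phases and pull out the verdict.
Added example, not from this thread or from Cisco.  The sample traces
are constructed from the traces posted in the thread, trimmed."""
import re

FAILED_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 192.168.69.100 51088 access-list aclDAVE-SERVER
Additional Information:
NAT divert to egress interface inside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 72.193.250.115 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SUCCESS_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 51088 192.168.69.100 51088 netmask 255.255.255.255
Additional Information:
NAT divert to egress interface inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit tcp any any eq 51088
Additional Information:
Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5577, packet dispatched to next module
Result:
input-interface: outside
output-interface: inside
Action: allow
"""


def parse_trace(text):
    """Return (phases, summary).  Each phase dict carries the Type/Subtype/
    Result fields plus 'config' and 'info' line lists; summary holds the
    trailing 'Result:' block as key/value pairs."""
    phases, summary = [], {}
    current, section = None, None
    for line in (l.rstrip() for l in text.splitlines()):
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":             # bare 'Result:' opens the final summary
            current, section = None, None
            continue
        if current is None:               # inside the summary block
            if ":" in line:
                k, v = line.split(":", 1)
                summary[k.strip().lower()] = v.strip()
            continue
        if line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is not None:         # free-form lines under Config/Info
            current[section].append(line)
        elif ":" in line:                 # Type / Subtype / Result fields
            k, v = line.split(":", 1)
            current[k.strip().lower()] = v.strip()
    return phases, summary


def summarize(text):
    """The handful of fields you actually look at when a trace fails."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    acl = next((p for p in phases if p.get("type") == "ACCESS-LIST"), None)
    return {
        "action": summary.get("action"),
        "drop_phase": drop["type"] if drop else None,
        "drop_reason": summary.get("drop-reason"),
        "acl_rule": " | ".join(acl["config"]) if acl else None,
        "egress": summary.get("output-interface"),
        "phases": [p["type"] for p in phases],
    }


if __name__ == "__main__":
    for name, trace in (("failed", FAILED_TRACE), ("success", SUCCESS_TRACE)):
        print(name, summarize(trace))
```

Reading the summaries next to each other shows the two things that changed between the traces: the ACCESS-LIST phase goes from matching "Implicit Rule" to matching the acl-outside entry, and the UN-NAT phase now translates the interface address to 192.168.69.100 so the flow is created towards the inside interface.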
03-12-2012 03:27 PM
No problem, Jeremy. I'm glad that everything is OK now.
Dan