Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Port forwarding cisco ASA 9.1.2

Hello everyone. I'm having difficulty getting an abnormal port (TCP/8080) forwarded to an internal web server(TCP/80) on a test firewall. I tried using the steps listed in a blog post I found, but haven't been able to actually get to the web server from the outside.

My rules look like this.

object network WebServer

host 192.168.35.150
description Web Server

object network WebServer

nat (inside,outside) static interface service tcp www 8080

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any interface outside eq 8080

I'm also attaching a redacted version of my running config. I have the firewall setup to do VPN hairpinning as well.

Thank you for your help in advance!

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Port forwarding cisco ASA 9.1.2

Hi,

The problem is in the interface ACL.

In the new software 8.3 and forward the NAT is processed before the ACLs.

So this both means that you have to allow the traffic to the real IP address and the real port.

So if you change the ACL to

access-list outside_access_in extended permit tcp any interface outside eq 80

Then it should be fine

You can test it also with the "packet-tracer" command

packet-tracer input outside tcp 1.1.1.1 12345 80

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

- Jouni

8 REPLIES
Super Bronze

Port forwarding cisco ASA 9.1.2

Hi,

The problem is in the interface ACL.

In the new software 8.3 and forward the NAT is processed before the ACLs.

So this both means that you have to allow the traffic to the real IP address and the real port.

So if you change the ACL to

access-list outside_access_in extended permit tcp any interface outside eq 80

Then it should be fine

You can test it also with the "packet-tracer" command

packet-tracer input outside tcp 1.1.1.1 12345 80

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

- Jouni

Community Member

Port forwarding cisco ASA 9.1.2

Thank you for the responce Jouni! I'll test this out and let you know.

Community Member

Port forwarding cisco ASA 9.1.2

I changed the access rule to

access-list outside_access_in extended permit tcp any interface outside eq 80

but the traffic is still being blocked. From the packet-tracer it looks like it is being blocked by an implicit rule. I see one global ACL in ASDM that looks like this.

1 any any ipDeny Default [Implicit rule]

Do I need to remove the global deny rule and change it to a deny rule on the outside interface underneth my allow tcp/80 rule? 8.3 and above are a lot different than 8.2

Here are the packet tracer results

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Super Bronze

Port forwarding cisco ASA 9.1.2

Hi,

Did you use the port TCP/8080 in the "packet-tracer" as the destination port?

What global deny rule are you talking about?

- Jouni

Community Member

Port forwarding cisco ASA 9.1.2

Hi,

I used TCP/8080 in the packet-tracer as the destination port.

This is the global rule I was refering to.

Thank you for your help so far!

Super Bronze

Re: Port forwarding cisco ASA 9.1.2

Gah,

Sorry, I have been blind.

The actual ACL is wrong. You were using the "interface outside" as the destination. You need to allow the traffic to the real IP address. For some reason I completely missed that until now.

Also seems I managed to provide the "packet-tracer" command with completely wrong destination port also. (the TCP/80 port earlier)

You need this

access-list outside_access_in extended permit tcp any object Webserver eq 80

After this it should work.

- Jouni

Community Member

Port forwarding cisco ASA 9.1.2

I figured out what it was causing the traffic to be dropped. I had configured the ASA for VPN hairpinning (u-turn) so I could VPN from a public network and be able to browse the internet securly. (more on that here http://nat0.net/cisco-asa-hairpinning/) When I removed the NAT rules I created for the hairpinning the port forwarding worked sorry for the noise.

These are the rules I had for the hairpinning.

nat (inside,outside) source static any any destination static NETWORK_OBJ_VPNpool NETWORK_OBJ_VPNpool no-proxy-arp route-lookup

nat (outside,outside) source dynamic NETWORK_OBJ_VPNpool interface

Community Member

Port forwarding cisco ASA 9.1.2

I got the VPN hairpinning and port forwading working correctly! I used this for VPN hairpinning https://supportforums.cisco.com/docs/DOC-11640

Here are my NAT rules now that everything is working. # are comments I added.

# this rule allows my inside network to talk to my vpn network and visa versa

nat (inside,outside) source static InsideNetwork InsideNetwork destination static VPNNetwork VPNNetwork

!

#Dynamic NAT for inside trafic going out

object network obj_any

nat (inside,outside) dynamic interface

#Dynamic NAT for VPN hairpinning

object network VPNNetwork

nat (outside,outside) dynamic interface

#Static NAT (port forward) for external 8080 to internal 80

object network FTBcloud

nat (inside,outside) static interface service tcp www 8080

Thank you for your help Jouni!

Mike H.

822
Views
0
Helpful
8
Replies
CreatePlease to create content