Thank you for the responce Jouni! I'll test this out and let you know.

I changed the access rule to

access-list outside_access_in extended permit tcp any interface outside eq 80

but the traffic is still being blocked. From the packet-tracer it looks like it is being blocked by an implicit rule. I see one global ACL in ASDM that looks like this.

Do I need to remove the global deny rule and change it to a deny rule on the outside interface underneth my allow tcp/80 rule? 8.3 and above are a lot different than 8.2

Here are the packet tracer results

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Did you use the port TCP/8080 in the "packet-tracer" as the destination port?

What global deny rule are you talking about?

- Jouni

Hi,

I used TCP/8080 in the packet-tracer as the destination port.

This is the global rule I was refering to.

Thank you for your help so far!

Gah,

Sorry, I have been blind.

The actual ACL is wrong. You were using the "interface outside" as the destination. You need to allow the traffic to the real IP address. For some reason I completely missed that until now.

Also seems I managed to provide the "packet-tracer" command with completely wrong destination port also. (the TCP/80 port earlier)

You need this

access-list outside_access_in extended permit tcp any object Webserver eq 80

After this it should work.

- Jouni

I figured out what it was causing the traffic to be dropped. I had configured the ASA for VPN hairpinning (u-turn) so I could VPN from a public network and be able to browse the internet securly. (more on that here http://nat0.net/cisco-asa-hairpinning/) When I removed the NAT rules I created for the hairpinning the port forwarding worked sorry for the noise.

These are the rules I had for the hairpinning.

nat (inside,outside) source static any any destination static NETWORK_OBJ_VPNpool NETWORK_OBJ_VPNpool no-proxy-arp route-lookup

nat (outside,outside) source dynamic NETWORK_OBJ_VPNpool interface

I got the VPN hairpinning and port forwading working correctly! I used this for VPN hairpinning https://supportforums.cisco.com/docs/DOC-11640

Here are my NAT rules now that everything is working. # are comments I added.

# this rule allows my inside network to talk to my vpn network and visa versa

nat (inside,outside) source static InsideNetwork InsideNetwork destination static VPNNetwork VPNNetwork

!

#Dynamic NAT for inside trafic going out

object network obj_any

nat (inside,outside) dynamic interface

#Dynamic NAT for VPN hairpinning

object network VPNNetwork

nat (outside,outside) dynamic interface

#Static NAT (port forward) for external 8080 to internal 80

object network FTBcloud

nat (inside,outside) static interface service tcp www 8080

Thank you for your help Jouni!

Mike H.