port forwarding not working, possible ACL issue

Alex Mendez
Level 1

Greetings all, hopefully you can help me. I'm trying to port forward some ports to my internal mail server, namely smtp, www and http/https. It looks like NAT does work, but it's possible the firewall blocks it.

-cus-fw-01(config)# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static mailserver interface   service tcp smtp smtp
    translate_hits = 1, untranslate_hits = 6   <------- this happens when I try to telnet <mydomain.com> 25 from an outside host
2 (inside) to (outside) source dynamic obj-10.10.10.0 interface
    translate_hits = 8435, untranslate_hits = 673

My access list:

elg-cus-fw-01(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 4 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any object mailserver eq smtp (hitcnt=0) 0x029b8a79
  access-list outside_access_in line 1 extended permit tcp any host 10.10.10.31 eq smtp (hitcnt=0) 0x029b8a79
access-list outside_access_in line 2 extended permit tcp any object securewebmail eq https (hitcnt=0) 0xc7e21171
  access-list outside_access_in line 2 extended permit tcp any host 10.10.10.31 eq https (hitcnt=0) 0xc7e21171
access-list outside_access_in line 3 extended permit tcp any object webmail eq www (hitcnt=0) 0xa3e2340f
  access-list outside_access_in line 3 extended permit tcp any host 10.10.10.31 eq www (hitcnt=0) 0xa3e2340f
access-list outside_access_in line 4 extended permit tcp any object webserverpop3 eq pop3 (hitcnt=0) 0x5386a581
  access-list outside_access_in line 4 extended permit tcp any host 10.10.10.31 eq pop3 (hitcnt=0) 0x5386a581

My packet tracer:

lg-cus-fw-01(config)# packet-tracer input  outside tcp fqdn google.com smtp 1$
Mapping FQDN google.com to IP address 74.125.225.72
(More IP addresses resolved. Please run "show dns-host" to check.)

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up

Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Does anyone know where this rule is? Is this something by default?

3 Replies

Julio Carvajal
VIP Alumni

Hello Alex,

Can you provide us the following information:

sh run object network (want to see the one for that host)
sh run nat (the one used by that host)
sh run access-group

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

sh run object

object network mailserver
 host 10.10.10.31
object network webmail
 host 10.10.10.31
object network securewebmail
 host 10.10.10.31
object network webserverpop3
 host 10.10.10.31
object network mailserver
 nat (inside,outside) static interface service tcp smtp smtp

I have not configured an access-group... could this be it?

Alex

Hello Alex.

Yes, that is it:

access-group outside_access_in in interface outside

Regards,

Julio

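The thread's root cause is worth turning into a check: an ASA access-list that is defined but never bound with `access-group` is never evaluated, so every ACE shows `hitcnt=0` and packet-tracer reports the drop as `Implicit Rule`. Below is an added example (not from the original post or from Cisco) that lints a running-config fragment for exactly that, and also flags network objects that have no `nat` statement, since the `show nat` output above contains a static translation only for `mailserver` on tcp/25; the `https`, `www` and `pop3` ACEs point at objects with no translation of their own. The config and `show access-list` text embedded in the script are constructed to mirror the thread, and the regexes cover only the `object network`, `access-list ... extended`, `access-group` and `(hitcnt=N)` forms shown here.

```python
import re

# Constructed running-config fragment modelled on the thread's
# "sh run object" / "sh run nat" output: the ACL is defined, nothing binds it
# with access-group, and only 'mailserver' has a static NAT.
CONFIG_BEFORE = """\
object network mailserver
 host 10.10.10.31
object network webmail
 host 10.10.10.31
object network securewebmail
 host 10.10.10.31
object network webserverpop3
 host 10.10.10.31
access-list outside_access_in extended permit tcp any object mailserver eq smtp
access-list outside_access_in extended permit tcp any object securewebmail eq https
access-list outside_access_in extended permit tcp any object webmail eq www
access-list outside_access_in extended permit tcp any object webserverpop3 eq pop3
object network mailserver
 nat (inside,outside) static interface service tcp smtp smtp
"""

# The same config with the fix given in the thread applied.
CONFIG_AFTER = CONFIG_BEFORE + "access-group outside_access_in in interface outside\n"

# Constructed 'show access-list' output in the format the thread shows
# (two of the four ACEs are enough to exercise the parser).
SHOW_ACL = """\
access-list outside_access_in; 4 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any object mailserver eq smtp (hitcnt=0) 0x029b8a79
  access-list outside_access_in line 1 extended permit tcp any host 10.10.10.31 eq smtp (hitcnt=0) 0x029b8a79
access-list outside_access_in line 2 extended permit tcp any object securewebmail eq https (hitcnt=0) 0xc7e21171
  access-list outside_access_in line 2 extended permit tcp any host 10.10.10.31 eq https (hitcnt=0) 0xc7e21171
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard|webtype|ethertype)\b", re.M)
ACL_BIND = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+", re.M)
# An 'object network NAME' line followed by its indented body lines.
OBJ_BLOCK = re.compile(r"^object network (\S+)\n((?:[ \t]+.*\n?)*)", re.M)
# Only the unindented ACE lines carry a per-rule hit count; the indented lines
# below each are the object expansion of the same rule and are skipped.
ACE_HITS = re.compile(r"^access-list (\S+) line (\d+) .*\(hitcnt=(\d+)\)", re.M)


def unbound_acls(config):
    """ACL names that are defined but never applied with 'access-group'."""
    return set(ACL_DEF.findall(config)) - set(ACL_BIND.findall(config))


def objects_without_nat(config):
    """Network objects with no 'nat' line in any of their blocks."""
    names, with_nat = set(), set()
    for name, body in OBJ_BLOCK.findall(config):
        names.add(name)
        if re.search(r"^\s+nat\s", body, re.M):
            with_nat.add(name)
    return names - with_nat


def ace_hit_counts(show_output):
    """{(acl_name, line_number): hitcnt} parsed from 'show access-list'."""
    return {(acl, int(line)): int(hits) for acl, line, hits in ACE_HITS.findall(show_output)}


def lint(config, show_output):
    """Findings in the order a practitioner would check them."""
    findings = []
    hits = ace_hit_counts(show_output)
    for acl in sorted(unbound_acls(config)):
        acl_hits = [v for (name, _), v in hits.items() if name == acl]
        all_zero = bool(acl_hits) and all(v == 0 for v in acl_hits)
        msg = f"{acl}: defined but not bound with access-group"
        if all_zero:
            msg += " (every ACE has hitcnt=0, consistent with the ACL never being evaluated)"
        findings.append(msg)
    for obj in sorted(objects_without_nat(config)):
        findings.append(f"object {obj}: no nat statement")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG_BEFORE, SHOW_ACL):
        print(finding)
```

Run against `CONFIG_BEFORE` it reports the unbound `outside_access_in` plus the three objects with no translation; against `CONFIG_AFTER` the access-group finding disappears and only the NAT findings remain, which is the next thing to check once `telnet <mydomain.com> 25` starts producing hits on line 1.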