Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

port forwarding not working , possible ACL issue

Greetins All - hopefullly you can help me. I'm trying to port forward some ports to my internal mail server, namely smtp , www and http/https.  It looks like nat does work but its possible the firewall blocks it.

-cus-fw-01(config)# show nat

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static mailserver interface   service tcp smtp smtp

    translate_hits = 1, untranslate_hits = 6   <-------  this happens when i try to telnet  <mydomain.com>  25 , from an outside host

2 (inside) to (outside) source dynamic obj-10.10.10.0 interface

    translate_hits = 8435, untranslate_hits = 673

my access list

elg-cus-fw-01(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list outside_access_in; 4 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit tcp any object mailserver eq smtp (hitcnt=0) 0x029b8a79

  access-list outside_access_in line 1 extended permit tcp any host 10.10.10.31 eq smtp (hitcnt=0) 0x029b8a79

access-list outside_access_in line 2 extended permit tcp any object securewebmail eq https (hitcnt=0) 0xc7e21171

  access-list outside_access_in line 2 extended permit tcp any host 10.10.10.31 eq https (hitcnt=0) 0xc7e21171

access-list outside_access_in line 3 extended permit tcp any object webmail eq www (hitcnt=0) 0xa3e2340f

  access-list outside_access_in line 3 extended permit tcp any host 10.10.10.31 eq www (hitcnt=0) 0xa3e2340f

access-list outside_access_in line 4 extended permit tcp any object webserverpop3 eq pop3 (hitcnt=0) 0x5386a581

  access-list outside_access_in line 4 extended permit tcp any host 10.10.10.31 eq pop3 (hitcnt=0) 0x5386a581

my packet tracer

lg-cus-fw-01(config)# packet-tracer input  outside tcp fqdn google.com smtp 1$

Mapping FQDN google.com to IP address 74.125.225.72

(More IP addresses resolved. Please run "show dns-host" to check.)

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.10.10.0      255.255.255.0   inside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

does anyone know where is the rule? Is this something by defautl?

3 REPLIES

port forwarding not working , possible ACL issue

Hello Alex,

Can you provide us the following information:

Sh run object network ( Want to see the one for that host)

Sh run nat ( the one used by that host)

Sh run access-group

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

port forwarding not working , possible ACL issue

sh run object

object network mailserver

host 10.10.10.31

object network webmail

host 10.10.10.31

object network securewebmail

host 10.10.10.31

object network webserverpop3

host 10.10.10.31

object network mailserver

nat (inside,outside) static interface service tcp smtp smtp

i have not configured access-group... could this be it?

Alex

port forwarding not working , possible ACL issue

Hello Alex.

Yes, that is

Access-group  outside_access_in in interface outside

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
519
Views
0
Helpful
3
Replies
CreatePlease to create content