Resolving DROP during port forwarding

I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface receives its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to ssh port on internal host.

Any tips on why this might be occurring?

#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   71.x.x.x   255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

# sh run nat
nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_NETWORK interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network VM
 nat (inside,outside) static interface service tcp ssh ssh

# sh running-config object
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VPN_NETWORK
 subnet 192.168.1.0 255.255.255.192
object network VM
 host 172.16.0.100

# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any   destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (outside) source dynamic VPN_NETWORK interface
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static VM interface   service tcp ssh ssh
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 61918, untranslate_hits = 8178

# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list dynamic-filter_acl; 1 elements; name hash: 0xdb693454
access-list dynamic-filter_acl line 1 extended permit ip any any (hitcnt=77285) 0xe1bfda1d
access-list VM-IN; 1 elements; name hash: 0x57079372
access-list VM-IN line 1 extended permit tcp any host 172.16.1.100 eq ssh (hitcnt=5) 0x5dc27602


Re: rfp-check results in DROP during port forwarding

Can you post the full packet tracer output ?

You should been doing it to the outside interface of your ASA Ip address, can you confirm it ?

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

rfp-check results in DROP during port forwarding

Updated the original question with the full packet-trace.

rfp-check results in DROP during port forwarding

Hello Vindemiatrix,

As I said on the previous post, the packet-tracer is wrong.

The packet created from host 74.207.x.x will need to go on port 22 to the outside interface of the ASA which I think is not 172.16.1.100.

Please do the packet tracer like this and everything should work as you have  this properly configured.

packet-tracer input outside tcp 74.207.x.x 1025 x.x.x.x(Outside interface) 22

If this post helps you, do rate it!!!

Julio


Resolving DROP during port forwarding

Updated question for clarified response.

Resolving DROP during port forwarding

Hello,

Can you share the show run access-group?

Also just to confirm  71.x.x.x is the outside interface ip address right?

Julio


Resolving DROP during port forwarding

The problem was with:

(outside) to (outside) source dynamic VPN_NETWORK interface

per:

https://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html

(outside) to (outside) after-auto source dynamic VPN_NETWORK interface
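To make the ordering behind this fix concrete, here is a small Python model added to the thread; it is not Cisco code and not anything the ASA itself runs. It applies the lookup order from the NAT guide linked above: Section 1 manual rules, then Section 2 object NAT with static rules ahead of dynamic ones, then Section 3 after-auto rules, first match wins, and a dynamic rule can only be initiated from its real side. The addresses 71.0.0.1 and 79.0.0.1 are constructed stand-ins for the masked 71.x.x.x and 79.x.x.x; the object names and the 172.16.0.100 host come from the thread.

```python
"""Toy model of ASA NAT lookup order (added illustration, not Cisco code).

Sections follow the ASA configuration guide: 1 = manual NAT, 2 = auto/object
NAT (static before dynamic), 3 = manual NAT with 'after-auto'. Rules are tried
in that order, first match wins, and a dynamic rule only allows real->mapped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-ins for the masked addresses in the thread.
OUTSIDE_IF_IP = "71.0.0.1"       # the ASA outside interface (71.x.x.x)
INTERNET_CLIENT = "79.0.0.1"     # the remote SSH client (79.x.x.x)
VM_HOST = "172.16.0.100"         # object network VM (from the thread)
VPN_NETWORK = "192.168.1.0/26"   # object network VPN_NETWORK (from the thread)


@dataclass
class NatRule:
    section: int                 # 1 = manual, 2 = auto (object), 3 = manual after-auto
    real_if: str
    mapped_if: str
    real_src: str                # "any", a host, or a CIDR network
    mapped_src: str              # "interface", a host, or a CIDR network
    static: bool                 # static = bidirectional, dynamic = real->mapped only
    mapped_dst: Optional[str] = None                 # twice-NAT destination clause
    service: Optional[Tuple[str, int, int]] = None   # (proto, real_port, mapped_port)
    text: str = ""               # the CLI line, for readable results


def _addr_in(addr: str, spec: str) -> bool:
    """Does 'addr' fall inside the object 'spec' (any / interface / host / subnet)?"""
    if spec == "any":
        return True
    if spec == "interface":
        return ip_address(addr) == ip_address(OUTSIDE_IF_IP)
    return ip_address(addr) in ip_network(spec, strict=False)


def order_rules(rules: List[NatRule]) -> List[NatRule]:
    """Lookup order: Section 1, Section 2 (static before dynamic), Section 3.
    sorted() is stable, so manual rules keep their configuration order."""
    return sorted(rules, key=lambda r: (r.section,
                                        (0 if r.static else 1) if r.section == 2 else 0))


def untranslate_inbound(rules: List[NatRule], in_if: str, src_ip: str,
                        dst_ip: str, dst_port: int, proto: str = "tcp") -> dict:
    """Find the first rule whose mapped side matches a packet arriving on in_if
    and report the real destination (or why nothing gets untranslated)."""
    for rule in order_rules(rules):
        if rule.mapped_if != in_if or not _addr_in(dst_ip, rule.mapped_src):
            continue
        if rule.mapped_dst is not None and not _addr_in(src_ip, rule.mapped_dst):
            continue
        if rule.service is not None:
            r_proto, _, mapped_port = rule.service
            if r_proto != proto or mapped_port != dst_port:
                continue
        if not rule.static:
            # The dynamic rule wins the lookup but cannot be initiated from the
            # mapped side, so the destination stays the ASA's own address: the
            # packet is routed to the identity interface and hits the implicit deny.
            return {"rule": rule.text, "dst_ip": dst_ip, "dst_port": dst_port,
                    "verdict": "drop: dynamic rule matched first, nothing to untranslate"}
        real_port = rule.service[1] if rule.service else dst_port
        return {"rule": rule.text, "dst_ip": rule.real_src, "dst_port": real_port,
                "verdict": f"untranslate to {rule.real_src}:{real_port}"}
    return {"rule": None, "dst_ip": dst_ip, "dst_port": dst_port, "verdict": "no NAT match"}


def build_rules(vpn_rule_after_auto: bool) -> List[NatRule]:
    """The thread's NAT configuration; the flag moves the (outside,outside)
    dynamic PAT rule from Section 1 to Section 3, as the 'after-auto' fix does."""
    return [
        NatRule(1, "inside", "outside", "any", "any", True, mapped_dst=VPN_NETWORK,
                text="nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK"),
        NatRule(3 if vpn_rule_after_auto else 1, "outside", "outside", VPN_NETWORK, "interface", False,
                text="nat (outside,outside) [after-auto] source dynamic VPN_NETWORK interface"),
        NatRule(2, "inside", "outside", "0.0.0.0/0", "interface", False,
                text="object obj_any: nat (inside,outside) dynamic interface"),
        NatRule(2, "inside", "outside", VM_HOST, "interface", True, service=("tcp", 22, 22),
                text="object VM: nat (inside,outside) static interface service tcp ssh ssh"),
    ]


def evaluate_ssh_forward(vpn_rule_after_auto: bool) -> dict:
    """Inbound SSH from the Internet client to the outside interface address."""
    return untranslate_inbound(build_rules(vpn_rule_after_auto), "outside",
                               INTERNET_CLIENT, OUTSIDE_IF_IP, 22)


if __name__ == "__main__":
    for after_auto in (False, True):
        label = "after-auto" if after_auto else "section 1"
        print(f"VPN PAT rule in {label}: {evaluate_ssh_forward(after_auto)['verdict']}")
```

With the (outside,outside) dynamic rule in Section 1 it is the first rule whose mapped side is the outside interface address, so the inbound SSH packet is never untranslated; that is what the packet-tracer output above shows (route lookup to identity, then the implicit ACL drop). Once the rule sits in after-auto, the Section 2 static rule for VM is consulted first and the destination becomes 172.16.0.100:22. The same model also shows that inbound traffic to a port without a static rule (443, say) still lands on the dynamic obj_any rule and is dropped, which is the intended behaviour for a port that is not forwarded.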

Resolving DROP during port forwarding

Hello,

So now everything is working.

Good to hear that,

Julio
