Port Forward Failing

I am working with a potential customer.  I need to do a port forward rule on his ASA 5505.  I have done this numerous times and actually have it working on my own ASA.  There is something within his config that is causing this to not work.  I need to forward UDP 5008 from the outside to an inside server 12.4.14.17.

We have tried Packet Tracer to see where it is failing as well.  I do believe it is one of the NAT rules.  Below is the config he sent me. I know he has created a number of network objects that are the same, we are going to clean that up, but for now just need to see what I can do to get this to work. Any help will be greatly appreciated.

: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password IyuqcUIHRBPhCMFO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif SouthernLight_Outside
 security-level 0
 ip address 69.x.x.x 255.255.255.248
!
interface Ethernet0/1
 nameif Intrado_Inside
 security-level 100
 ip address 10.4.15.250 255.255.240.0
!
interface Ethernet0/2
 nameif inside2
 security-level 100
 ip address 10.5.15.254 255.255.240.0
!
interface Ethernet0/3
 nameif Enroute_Inside
 security-level 100
 ip address 12.4.14.250 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address dhcp setroute
 management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network any_inside
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.30.30.0_24
 subnet 10.30.30.0 255.255.255.0
object network Inside_Net
 subnet 10.4.0.0 255.255.0.0
object network RIP_server
 host 10.4.1.33
object service 9517_TCP
 service tcp source eq 9517
object service 9517_UDP
 service udp source eq 9517
object service 9519_TCP
 service tcp source eq 9519
object service 9519_UDP
 service udp source eq 9519
object network Enroute_Network
 subnet 12.4.14.0 255.255.255.0
object network Enroute_VPN_Pool
 subnet 12.12.12.0 255.255.255.0
object network A_69.x.x.x
 host 69.x.x.x
object network netmotion_private
 host 12.4.14.17
object network netmotion_public
 host 12.4.14.250
object service 5008_UDP
 service udp source eq 5008
object network Netmotion_Server
 host 12.4.14.17
object network nms
 host 12.4.14.17
object network nms1
 host 12.4.14.17
object network NetMotion
 host 12.4.14.17
access-list SRC_splitTunnelAcl standard permit 10.4.0.0 255.255.0.0
access-list SRC_splitTunnelAcl standard permit 12.4.14.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object RIP_server eq 9517
access-list outside_access_in extended permit tcp any object RIP_server eq 9519
access-list outside_access_in extended permit udp any object RIP_server eq 9517
access-list outside_access_in extended permit udp any object RIP_server eq 9519
access-list outside_access_in extended permit udp any object netmotion_private eq 5008
access-list Enroute_Inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu SouthernLight_Outside 1500
mtu Intrado_Inside 1500
mtu inside2 1500
mtu Enroute_Inside 1500
mtu management 1500
ip local pool VPN_Pool 10.10.10.2-10.10.10.254 mask 255.255.255.0
ip local pool Enroute_VPN_Pool 12.12.12.2-12.12.12.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (Intrado_Inside,SouthernLight_Outside) source static Inside_Net Inside_Net destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24
nat (Intrado_Inside,SouthernLight_Outside) source static RIP_server interface service 9519_TCP 9519_TCP
nat (Intrado_Inside,SouthernLight_Outside) source static RIP_server interface service 9519_UDP 9519_UDP
nat (Intrado_Inside,SouthernLight_Outside) source static RIP_server interface service 9517_TCP 9517_TCP
nat (Intrado_Inside,SouthernLight_Outside) source static RIP_server interface service 9517_UDP 9517_UDP
nat (inside2,SouthernLight_Outside) source static Inside_Net Inside_Net destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24
nat (Enroute_Inside,SouthernLight_Outside) source static Enroute_Network Enroute_Network destination static Enroute_Network Enroute_Network
nat (Enroute_Inside,SouthernLight_Outside) source static Enroute_Network Enroute_Network destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24
!
object network any_inside
 nat (any,SouthernLight_Outside) dynamic interface
object network NetMotion
 nat (Enroute_Inside,SouthernLight_Outside) static interface service udp 5008 5008
access-group outside_access_in in interface SouthernLight_Outside
access-group inside_access_in in interface Intrado_Inside
access-group Enroute_Inside_access_in in interface Enroute_Inside
route SouthernLight_Outside 0.0.0.0 0.0.0.0 69.85.255.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable

3 REPLIES

Here's a how to video on YouTube using ASDM

https://www.youtube.com/watch?v=MW2_Rc9vj3o

Here is a pretty good link for CLI or ASDM config as well

https://rowell.dionicio.net/configuring-nat-for-a-public-server-using-same-outside-interface/

Thanks Michael.  Unfortunately that is basically the same process we used.  In the configuration, we basically have NAT(INSIDE,OUTSIDE) static interface service UDP 5008 5008 and the ACL in place.  I am thinking some other NAT is causing this to fail. Could this be what is causing the issue:  nat (any,SouthernLight_Outside) dynamic interface
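Whether the `nat (any,SouthernLight_Outside) dynamic interface` rule can get in front of the static PAT is a question of NAT table order, and on 8.3 the order is deterministic: Section 1 (manual "source static ... destination static ..." lines) is evaluated first in configuration order, then Section 2 (object NAT) with static rules before dynamic ones, fewer real addresses first, lower address first, then object name. The script below is an added example, not something posted in this thread or shipped by Cisco; it parses a constructed excerpt of the configuration above, reproduces that ordering, finds the static PAT for UDP 5008, confirms the outside ACL names the real (pre-NAT) address as 8.3 requires, and lists the duplicate objects that all describe 12.4.14.17 so it is clear which one actually carries the NAT. Only the object, access-list and NAT lines needed for that check are embedded; names such as `review` and `section2_order` are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the ASA 8.3(2) running-config posted in the thread:
# just the object, access-list and NAT lines that matter for the UDP 5008 forward.
CONFIG = """\
object network any_inside
 subnet 0.0.0.0 0.0.0.0
object network Enroute_Network
 subnet 12.4.14.0 255.255.255.0
object network netmotion_private
 host 12.4.14.17
object network Netmotion_Server
 host 12.4.14.17
object network nms
 host 12.4.14.17
object network NetMotion
 host 12.4.14.17
access-list outside_access_in extended permit udp any object netmotion_private eq 5008
nat (Enroute_Inside,SouthernLight_Outside) source static Enroute_Network Enroute_Network destination static Enroute_Network Enroute_Network
object network any_inside
 nat (any,SouthernLight_Outside) dynamic interface
object network NetMotion
 nat (Enroute_Inside,SouthernLight_Outside) static interface service udp 5008 5008
"""

# object NAT static PAT: nat (real_if,mapped_if) static <mapped> service <proto> <real_port> <mapped_port>
OBJ_NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) any object (\S+) eq (\S+)")


def parse(config):
    # Collect network objects, Section 1 (manual) NAT, Section 2 (object) NAT and ACEs.
    objects, object_nat, manual_nat, acls = {}, [], [], []
    current = None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]      # a later block may add NAT to an earlier object
            continue
        if line.startswith(" ") and current:
            tok = line.split()
            if tok[0] == "host":
                objects[current] = ipaddress.ip_network(tok[1])
            elif tok[0] == "subnet":
                objects[current] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
            elif tok[0] == "nat":
                kind = "static" if "static" in tok else "dynamic"
                object_nat.append((current, kind, line.strip()))
            continue
        current = None
        if line.startswith("nat "):
            manual_nat.append(line)        # Section 1: evaluated first, in config order
        elif line.startswith("access-list "):
            m = ACL_RE.match(line)
            if m:
                acls.append(m.groups())    # (acl name, proto, dst object, port)
    return objects, object_nat, manual_nat, acls


def section2_order(objects, object_nat):
    # ASA Section 2 order: static before dynamic, fewest real addresses, lowest address, name.
    def key(rule):
        name, kind, _ = rule
        net = objects[name]
        return (kind != "static", net.num_addresses, int(net.network_address), name)
    return sorted(object_nat, key=key)


def duplicate_objects(objects):
    # Objects describing the same address; only one of them can carry the object NAT.
    by_net = defaultdict(list)
    for name, net in objects.items():
        by_net[str(net)].append(name)
    return {net: sorted(names) for net, names in by_net.items() if len(names) > 1}


def find_port_forward(objects, object_nat, proto, mapped_port):
    # Locate the static PAT that exposes mapped_port on the outside interface.
    for name, _, line in object_nat:
        m = OBJ_NAT_RE.match(line)
        if m and m.group(4) == proto and m.group(6) == mapped_port:
            return {"object": name, "inside": m.group(1), "outside": m.group(2),
                    "real": str(objects[name].network_address), "real_port": m.group(5)}
    return None


def acl_permits_real_host(objects, acls, proto, real_host, port):
    # On 8.3+ the inbound ACL must name the real (pre-NAT) address and port.
    target = ipaddress.ip_network(real_host)
    return any(p == proto and objects.get(obj) == target and prt == port
               for _, p, obj, prt in acls)


def review(config, proto, mapped_port):
    objects, object_nat, manual_nat, acls = parse(config)
    fwd = find_port_forward(objects, object_nat, proto, mapped_port)
    return {
        "forward": fwd,
        "acl_ok": fwd is not None and acl_permits_real_host(
            objects, acls, proto, fwd["real"], fwd["real_port"]),
        "section1": manual_nat,
        "section2": [name for name, _, _ in section2_order(objects, object_nat)],
        "duplicates": duplicate_objects(objects),
    }
```

Running `review(CONFIG, "udp", "5008")` places `NetMotion` ahead of `any_inside` in Section 2 and reports the ACL as matching the real host, so neither the dynamic PAT nor the ACL is the obvious culprit in this excerpt; the remaining candidates are the Section 1 lines, which the script only lists. The authoritative check stays on the box: `show nat detail` shows per-rule hit counts, and `packet-tracer input SouthernLight_Outside udp <src-ip> <src-port> 69.x.x.x 5008` walks the same lookup and names the phase that drops the packet.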

What did the output of packet tracer show? Here is a good doc if you need any clarification on it

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
