Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Trouble with Access Rules

Ok, I have an ASA 5515. 8.6.(1)5

ASDM 7.1(5)

I am trying to re-forward some ports.

 

I clicked or did something wrong and now my forward on port 8082 is not working anymore. 

I am trying to do this with the ASDM. 

I have 2 simple web servers for users to access. One is on port 8080 and the other is on 8082. I created an object for each and then created an access rule for each. 


The only differences between the 2 are:

a. the internal IP
b. the port 

Internally I can go to 192.168.x.x:8080 and it works. I can also go to 192.168.x.x:8082 and it works.

Externally, I can view 8080 without any issues. But I cannot see 8082 at all. This is driving me nuts.

1 ACCEPTED SOLUTION

Accepted Solutions

Ok the problem is with the

Ok the problem is with the order of the NAT statements in this new version of Cisco asa IOS. I will send you the email reply from my personal email on how to fix it.

For other people with same problem, please refer to :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html#anc6

Manish

10 REPLIES

copy paste the related

copy paste the related configuration for both Nat and ACL before anyone can provide you with any help.

Just double check you have created a hole in your ACL for port 8082.

Manish
 

New Member

: Saved:ASA Version 8.6(1)5 

: Saved
:
ASA Version 8.6(1)5 
!

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 98.172.XXX.XXX 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.0.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 no ip address
 management-only
!
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
 domain-name mydomain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.0.190
 host 192.168.0.190
object network 192.168.0.4
 host 192.168.0.4
object network 192.168.0.5
 host 192.168.0.5
object network 192.168.0.213
 host 192.168.0.213
object network inside-network
 subnet 192.168.0.0 255.255.0.0
object network 192.168.0.190-2001
 host 192.168.0.190
object network 192.168.0.4-1723
 host 192.168.0.4
object network 192.168.0.5-rdp
 host 192.168.0.5
object network 192.168.0.213-http
 host 192.168.0.213
object network insideclient
 subnet 192.168.1.0 255.255.255.0
object network SpiceworksServer
 host 192.168.0.4
 description Spiceworks Server
object network 192.168.0.5-https
 host 192.168.0.5
 description SSL On AgmServer
object network 192.168.0.13smtp
 host 192.168.0.13
 description Barracuda SPAM Filter
object network 192.168.0.5smtp
 host 192.168.0.5
 description AGM Server SMTP
object network STATIC-PAT
object network FacilitiesSpiceworks
 host 192.168.0.132
 description FacilitiesSpiceworks
object-group network DM_INLINE_NETWORK_1
 network-object object 192.168.0.13smtp
 network-object object 192.168.0.5smtp
object-group service SpiceWorks tcp
 description Spiceworks
 port-object eq 8080
object-group service SpiceworksFacilities tcp
 description Spiceworks for Facilities
 port-object eq 8082
access-list outside_access_in extended permit tcp any object 192.168.0.5-rdp eq 3389 
access-list outside_access_in extended permit tcp any object 192.168.0.213 eq www 
access-list outside_access_in extended permit tcp any object 192.168.0.190 eq 2001 
access-list outside_access_in extended permit tcp any object 192.168.0.4 eq pptp 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit tcp any object SpiceworksServer object-group SpiceWorks 
access-list outside_access_in extended permit tcp any object 192.168.0.5-https eq https 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp 
access-list outside_access_in extended permit tcp any object FacilitiesSpiceworks object-group SpiceworksFacilities 
access-list insideclient_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list insideclient_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool AnyConnect 192.168.3.0-192.168.3.255 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network 192.168.0.5
 nat (any,outside) static interface
object network inside-network
 nat (inside,outside) dynamic interface
object network 192.168.0.190-2001
 nat (inside,outside) static interface service tcp 2001 2001 
object network 192.168.0.4-1723
 nat (inside,outside) static interface service tcp pptp pptp 
object network 192.168.0.5-rdp
 nat (inside,outside) static interface service tcp 3389 3389 
object network 192.168.0.213-http
 nat (inside,outside) static interface service tcp www www 
object network SpiceworksServer
 nat (inside,outside) static interface service tcp 8080 8080 
object network 192.168.0.5-https
 nat (any,outside) static interface
object network 192.168.0.13smtp
 nat (any,outside) static interface service tcp smtp smtp 
object network 192.168.0.5smtp
 nat (any,outside) static interface service tcp smtp smtp 
object network FacilitiesSpiceworks
 nat (inside,outside) static interface service tcp 8082 8082 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 98.172.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

 crl configure

  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcprelay server 192.168.0.2 inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.113.32.5 source outside
ntp server 64.236.96.53 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value 192.168.0.2
 vpn-tunnel-protocol ikev2 ssl-client 
 default-domain value mydomain.com
 webvpn
  anyconnect profiles value AnyConnect_client_profile type user
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool AnyConnect
 default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
 class class-default
  ips inline fail-open sensor vs0
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
call-home
: end
no asdm history enable

I dont see anything wrong in

I dont see anything wrong in your configuration, would you PM me your public IP so I check|nmap from my location if I can reach it or not or what ports are open on it ?

object network SpiceworksServer
 host 192.168.0.4
 description Spiceworks Server

object network FacilitiesSpiceworks
 host 192.168.0.132
 description FacilitiesSpiceworks

object network SpiceworksServer
 nat (inside,outside) static interface service tcp 8080 8080
object network FacilitiesSpiceworks
 nat (inside,outside) static interface service tcp 8082 8082 

access-list outside_access_in extended permit tcp any object SpiceworksServer object-group SpiceWorks
access-list outside_access_in extended permit tcp any object FacilitiesSpiceworks object-group SpiceworksFacilities

access-group outside_access_in in interface outside

You Nat & ACL are configured correctly, just doublecheck if you fat fingered the IP or port. :-)

Thanks

Manish

New Member

I am sorry but I am new to

I am sorry but I am new to these forums, how the heck do I PM someone? I went to your profile and there is no option to do so.

send it to techmediaexperts

send it to techmediaexperts at gmail .

Manish

I don't see 8082 open on the

I don't see 8082 open on the firewall which is strange since you have the configuration present on the ASA and you said internally it works just fine. I would suggest you to remove and reapply the configuration related to 192.168.0.132 IP on the CLI one more time.

Here's Nmap result from external network :

[root@TM-VLX-137 ~]# nmap -sS -P0 X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2014-05-09 09:31 PDT
Failed to find device eth0 which was referenced in /proc/net/route
Nmap scan report for ws-X-X-X-X (X.X.X.X)
Host is up (0.031s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE
25/tcp   open   smtp
443/tcp  open   https
1723/tcp closed pptp
3389/tcp open   ms-term-serv
8080/tcp open   http-proxy

Nmap done: 1 IP address (1 host up) scanned in 4.79 seconds

 

#no access-list outside_access_in extended permit tcp any object FacilitiesSpiceworks object-group SpiceworksFacilities

#no nat (inside,outside) static interface service tcp 8082 8082 

#no object network FacilitiesSpiceworks

and then reapply

#object network FacilitiesSpiceworks

#host 192.168.0.132

#nat (any,outside) static interface service tcp 8082 8082

#access-list outside_access_in extended permit tcp any object FacilitiesSpiceworks eq 8082

Manish

New Member

Thanks for your help Manish.

Thanks for your help Manish. I re-applied the settings and it still doesnt work.

I use my home IP to connect and I found an error in the syslog that might help.

"Deny tcp src outside:myhomip/50193 dst inside:192.168.0.5/8082 by access-group "outside_access_in" [0x0, 0x0].

It seems like it is trying to go to 0.5 instead of 0.132. is there a cache or something i can clear to get this flushed out?

Can you please post the

Can you please post the output of "show nat detail" ? Also, you can use "clear xlate" to clear old NAT translations but be careful with that it might drop and reestablish connection for users as well.

Manish

Please also run the following

Please also run the following command & copy paste the output :

#packet-tracer input outside tcp SOURCE_IP 1234 YOUR_IP 8082

Manish

Ok the problem is with the

Ok the problem is with the order of the NAT statements in this new version of Cisco asa IOS. I will send you the email reply from my personal email on how to fix it.

For other people with same problem, please refer to :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html#anc6

Manish

81
Views
0
Helpful
10
Replies