Cisco ASA NAT/Access Rules issue

LoStMaTt

I have a server with various services running on it that need to have some ports forwarded.

So far I've got RDP working and that is it.

If I try to forward any additional ports to the server they do not work.

Specifically ports 443, 4282 (Crashplan backup)

Even if I delete the RDP NAT/ACL rules and add only the Crashplan rules it still does not work.

I have no idea what to do.

Packet tracer says that it should be going through. Logs say otherwise.

4 Nov 02 2011 15:03:13 x.x.x.x 1485 192.168.21.11 4282 Deny tcp src outside:x.x.x.x/1485 dst inside:x.x.x.x/4282 by access-group "outside_access_in" [0x0, 0x0]
 
Make sure your ACL is allowing the proper protocol, and that it's not being blocked by a higher line ACL entry.

You could have a proper ACL permit in there but still be getting blocked by a line higher up; once a deny is reached the packet is dropped and no further ACL processing is performed.


Looks here from the logs you're getting an ACL hit. The access-list outside_access_in is denying a packet destined to tcp port 4282.

Also, make sure you aren't DENYing the source IP address inbound. It could be not so much "permitting to" something, you could be "denying from" something.


Agreed posting your config would help. Or if you're worried about privacy, PM me offline and I'll assist. It's probably something simple.

src: CCIE Security, 8 years.


BD

p.s. Make sure your static translation for that service is also the proper protocol (TCP or UDP). When you do a port static, you need to specify if it's TCP or UDP. You may have inadvertently specified the wrong protocol in your static, or in your ACL.
 
Make sure you NAT the entire IP and not just a port forward on it. I'm guessing you forwarded 3389 and not the entire IP.

Like this:
static (inside,outside) publicIP lanIP netmask 255.255.255.255

Instead of this:
static (inside,outside) tcp publicIP 3389 lanIP 3389 netmask 255.255.255.255
 
@proto...


Either will work fine. Port forwarding vs. static NATting is fine, so long as your protocol types match what you're trying to do, and you have an ACL for that service.

Rookies run into issues when they don't pay attention to whether an app is UDP or TCP, and whether there is a corresponding ACL.



OP, you can test whether your app is getting denied via an ACL by putting an ACL at line 1 with a wide open permit for the src host.

If it's allowed, you have a deny somewhere further down the ACL; if it's still denied, you have a translation issue, or something else.


You can also use the command "sh xlate local <private IP of server> debug"


to see if the host is actually being translated to the IP you think it's supposed to.

ALSO, unless you're running ASA 8.3 or greater, the ACL facing the world (your outside_in) should specify the PUBLIC IP as the ACL entry.

e.g. if your 10.10.10.10 server is mapped to 192.55.66.77, then your acl would be

access-list outside_in permit tcp any host 192.55.66.77 eq http

Which would allow http to hit that host 10.10.10.10 on pub IP 192.55.66.77
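As an added example (not code from anyone in this thread), the following Python script models the two points made above: the first-match ACL semantics from the first reply (once a deny or the implicit deny at the end is reached, nothing further is evaluated) together with the "wide-open permit at line 1" diagnostic and the pre-8.3 vs. 8.3+ addressing rule from the last reply. It also parses the %ASA-4-106023 "Deny ... by access-group" message format quoted in the original post. All addresses, the ACL contents, the sample log line and the ASA version strings are constructed for illustration; the ASA itself is not consulted.

```python
"""Added example, not from the thread: first-match ACL evaluator, the line-1 permit
diagnostic, the pre-8.3 vs 8.3+ addressing rule, and a %ASA-4-106023 deny-line parser.
Every address, ACL entry and version string below is constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modeled on the log line in the thread (documentation-range addresses).
SAMPLE_DENY = ('4 Nov 02 2011 15:03:13 203.0.113.5 1485 192.168.21.11 4282 Deny tcp '
               'src outside:203.0.113.5/1485 dst inside:192.168.21.11/4282 '
               'by access-group "outside_access_in" [0x0, 0x0]')

DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp|icmp) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')


def parse_deny(line: str) -> Optional[dict]:
    """Extract protocol, endpoints and the denying access-group from a 106023 line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['src_port'] = int(d['src_port'])
    d['dst_port'] = int(d['dst_port'])
    return d


@dataclass
class Ace:
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'tcp', 'udp' or 'ip' (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None = any destination port


def ace(action: str, proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> Ace:
    return Ace(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dst_port)


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dst_port: int) -> Tuple[Optional[int], str]:
    """ASA semantics: entries are checked top-down, the first match decides, and a packet
    matching nothing hits the implicit deny at the end (reported here as line None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for lineno, a in enumerate(acl, start=1):
        if a.proto != 'ip' and a.proto != proto:      # protocol mismatch (tcp vs udp)
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dst_port is not None and a.dst_port != dst_port:
            continue
        return lineno, a.action
    return None, 'deny'


def line1_test(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """The diagnostic from the thread: a wide-open permit for the source host at line 1.
    If the verdict flips to permit, a deny lower in the ACL was the problem."""
    probe = [ace('permit', 'ip', src_ip + '/32', '0.0.0.0/0')] + acl
    return evaluate(probe, proto, src_ip, dst_ip, dst_port)[1]


def acl_destination(asa_version: str, mapped_ip: str, real_ip: str) -> str:
    """Before 8.3 the outside access-group is matched against the mapped (public) address;
    from 8.3 onward it is matched against the real (inside) address."""
    major, minor = (int(x) for x in asa_version.split('.')[:2])
    return real_ip if (major, minor) >= (8, 3) else mapped_ip


MAPPED, REAL, CLIENT = '198.51.100.10', '192.168.21.11', '203.0.113.5'

# Constructed ACL reproducing the failure mode: RDP written against the public IP,
# Crashplan written against the inside IP, which never matches on a pre-8.3 box.
OUTSIDE_ACCESS_IN = [
    ace('permit', 'tcp', '0.0.0.0/0', MAPPED + '/32', 3389),
    ace('permit', 'tcp', '0.0.0.0/0', REAL + '/32', 4282),
]


def diagnose(version: str = '8.2') -> dict:
    target = acl_destination(version, MAPPED, REAL)
    return {
        'acl_matches_on': target,
        'rdp': evaluate(OUTSIDE_ACCESS_IN, 'tcp', CLIENT, target, 3389),
        'crashplan': evaluate(OUTSIDE_ACCESS_IN, 'tcp', CLIENT, target, 4282),
        'crashplan_with_line1_permit': line1_test(OUTSIDE_ACCESS_IN, 'tcp', CLIENT, target, 4282),
    }


if __name__ == '__main__':
    print(parse_deny(SAMPLE_DENY))
    print(diagnose('8.2'))   # RDP permitted at line 1, Crashplan falls to the implicit deny
    print(diagnose('8.4'))   # same ACL on 8.3+: Crashplan matches line 2, RDP now misses
```

Running it with '8.2' shows the original poster's symptom (RDP allowed, 4282 denied by the implicit deny even though a permit exists), and the line-1 probe flips the verdict, pointing at the ACL rather than the translation. Running it with '8.4' shows the same ACL behaving the other way round, which is the reason the last reply ties the public-vs-real question to the ASA version.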
 