Port-forwarding rule on Cisco ASA not working - “Drop-reason: (acl-drop) Flow is denied by configured rule”

New to Cisco, so I hope this question isn't too noobish. I am trying to set up a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried using ASDM mostly, and also tried the CLI via PuTTY (but I'm not very comfortable with the commands just yet).



Here is the output of my packet-trace test in the CLI:



 MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9bdf80, priority=111, domain=permit, deny=true
hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MyASA(config)#


Here is my (sanitized) "show run" - Much thanks, everyone



 Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
dhcprelay information trusted
!
interface Vlan2
description CenturyLink 100 Mbps fiber
nameif outside
security-level 0
pppoe client vpdn group LabzGroup
ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name Labz.local
object network Work_Corp_WAN
host 72.165.30.162
description Work corporate network
object network Dell-Precision
host 192.168.3.38
description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
service tcp source eq 3389 destination eq 3389
description Win_RDP_port-3389
object network Dell-Optiplex
host 192.168.3.133
description Dell-Optiplex
object service SSL
service tcp source eq https destination eq https
description SSL
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
host (Inside_Public_IP)
description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
host 192.168.3.133
description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
service-type admin
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#









      cisco-asa nat port-forwarding

      edited 3 hours ago

      asked 4 hours ago

      SamAndrew81

          1 Answer











          object service SSL
          service tcp source eq https destination eq https

          nat (inside,outside) source static Dell-Optiplex interface service any SSL



          Is this your Static PAT rule? If so, it is misconfigured.



          You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex and a port of any should be translated to the interface IP address and have both their source and destination ports changed to 443.



          NAT on the ASA is very flexible. This article will teach you everything you need to know.



          Specifically, to configure a Port Translation, this is the configuration syntax to follow:



          enter image description here



          Given that, something like this should work (assuming I guessed your webserver's object correctly):



          object network Dell-Optiplex
          host 192.168.3.133

          object service SRC-HTTPS
          service tcp source eq https

          nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS


          This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.




          Edit, comments weren't enough room:



          Also, it seems your ACL is incorrect:




          access-group Inbound_SSL in interface outside
          access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https



          The first line applies the Inbound_SSL ACL to the outside interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.



          The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend (which is likely why the Implicit Deny All is dropping the traffic).



          It should be something like this:



          access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https


          This allows traffic from any source, to the destination of your webserver, over port 443.















          edited 48 mins ago

























          answered 3 hours ago









          Eddie












          • Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
            – SamAndrew81
            2 hours ago











          • @SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
            – Eddie
            48 mins ago
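
          The ACL point made in the answer above, worked through as an added example (not code from the question, the answer or Cisco): a small first-match evaluator that parses the two Inbound_SSL entries quoted on this page and checks an Internet client's flow against each. The outside interface address 203.0.113.10 is a constructed placeholder, since the page does not give it; the function and variable names are hypothetical.

```python
import ipaddress

# Constructed values: the page gives the web server address (192.168.3.133)
# but not the outside interface address, so 203.0.113.10 is a placeholder.
OBJECTS = {"Dell-Optiplex": "192.168.3.133"}
INTERFACES = {"outside": "203.0.113.10"}
PORTS = {"https": 443, "www": 80}

def _take_address(tokens):
    """Consume one address spec from the token list; return an ip_network."""
    kind = tokens.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind == "object":
        return ipaddress.ip_network(OBJECTS[tokens.pop(0)])
    if kind == "interface":
        return ipaddress.ip_network(INTERFACES[tokens.pop(0)])
    if kind == "host":
        return ipaddress.ip_network(tokens.pop(0))
    # Otherwise the spec is "<address> <netmask>".
    return ipaddress.ip_network(f"{kind}/{tokens.pop(0)}")

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    ace = {"acl": tokens[1], "action": tokens[3], "proto": tokens[4]}
    rest = tokens[5:]
    ace["src"] = _take_address(rest)
    ace["dst"] = _take_address(rest)
    ace["dport"] = None
    if rest and rest[0] == "eq":
        ace["dport"] = PORTS.get(rest[1]) or int(rest[1])
    return ace

def evaluate(ace_lines, proto, src_ip, dst_ip, dport):
    """First match wins; if no entry matches, the implicit deny applies."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in ace_lines:
        ace = parse_ace(line)
        if (ace["proto"] in (proto, "ip")
                and src in ace["src"] and dst in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"], line
    return "deny", "implicit deny"

# The two entries quoted in the answer: as configured, and as corrected.
ORIGINAL = ["access-list Inbound_SSL extended permit tcp "
            "interface outside object Dell-Optiplex eq https"]
CORRECTED = ["access-list Inbound_SSL extended permit tcp "
             "any object Dell-Optiplex eq https"]

# Internet client to the web server. ASA 8.3 and later match interface ACLs
# on the real (untranslated) address, so the destination is the inside IP.
FLOW = ("tcp", "8.8.8.8", "192.168.3.133", 443)

if __name__ == "__main__":
    print("original :", evaluate(ORIGINAL, *FLOW))
    print("corrected:", evaluate(CORRECTED, *FLOW))
```

          With the original entry only a packet sourced from the firewall's own outside address would match, so every real client falls through to the implicit deny; the corrected entry permits any source but still only to TCP 443 on the one host.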

































           













































































