Port-forwarding rule on Cisco ASA not working - âDrop-reason: (acl-drop) Flow is denied by configured ruleâ
Clash Royale CLAN TAG#URR8PPP
up vote
1
down vote
favorite
New to Cisco, so I hope this question isn't too noobish. I am trying to setup a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried used ASDM mostly, and also tried CLI via Putty (but I'm not very comfortable with the commands just yet).
Here is the output of my packet-trace test in the CLI:
MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9bdf80, priority=111, domain=permit, deny=true
hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=inside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
MyASA(config)#
Here is my (sanitized) "show run" - Much thanks, everyone
Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
dhcprelay information trusted
!
interface Vlan2
description CenturyLink 100 Mbps fiber
nameif outside
security-level 0
pppoe client vpdn group LabzGroup
ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name Labz.local
object network Work_Corp_WAN
host 72.165.30.162
description Work corporate network
object network Dell-Precision
host 192.168.3.38
description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
service tcp source eq 3389 destination eq 3389
description Win_RDP_port-3389
object network Dell-Optiplex
host 192.168.3.133
description Dell-Optiplex
object service SSL
service tcp source eq https destination eq https
description SSL
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
host (Inside_Public_IP)
description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
host 192.168.3.133
description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local
dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
service-type admin
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#
cisco-asa nat port-forwarding
add a comment |Â
up vote
1
down vote
favorite
New to Cisco, so I hope this question isn't too noobish. I am trying to setup a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried used ASDM mostly, and also tried CLI via Putty (but I'm not very comfortable with the commands just yet).
Here is the output of my packet-trace test in the CLI:
MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9bdf80, priority=111, domain=permit, deny=true
hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=inside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
MyASA(config)#
Here is my (sanitized) "show run" - Much thanks, everyone
Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
dhcprelay information trusted
!
interface Vlan2
description CenturyLink 100 Mbps fiber
nameif outside
security-level 0
pppoe client vpdn group LabzGroup
ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name Labz.local
object network Work_Corp_WAN
host 72.165.30.162
description Work corporate network
object network Dell-Precision
host 192.168.3.38
description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
service tcp source eq 3389 destination eq 3389
description Win_RDP_port-3389
object network Dell-Optiplex
host 192.168.3.133
description Dell-Optiplex
object service SSL
service tcp source eq https destination eq https
description SSL
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
host (Inside_Public_IP)
description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
host 192.168.3.133
description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local
dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
service-type admin
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#
cisco-asa nat port-forwarding
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
New to Cisco, so I hope this question isn't too noobish. I am trying to setup a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried used ASDM mostly, and also tried CLI via Putty (but I'm not very comfortable with the commands just yet).
Here is the output of my packet-trace test in the CLI:
MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9bdf80, priority=111, domain=permit, deny=true
hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=inside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
MyASA(config)#
Here is my (sanitized) "show run" - Much thanks, everyone
Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
dhcprelay information trusted
!
interface Vlan2
description CenturyLink 100 Mbps fiber
nameif outside
security-level 0
pppoe client vpdn group LabzGroup
ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name Labz.local
object network Work_Corp_WAN
host 72.165.30.162
description Work corporate network
object network Dell-Precision
host 192.168.3.38
description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
service tcp source eq 3389 destination eq 3389
description Win_RDP_port-3389
object network Dell-Optiplex
host 192.168.3.133
description Dell-Optiplex
object service SSL
service tcp source eq https destination eq https
description SSL
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
host (Inside_Public_IP)
description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
host 192.168.3.133
description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local
dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
service-type admin
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#
cisco-asa nat port-forwarding
New to Cisco, so I hope this question isn't too noobish. I am trying to setup a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried used ASDM mostly, and also tried CLI via Putty (but I'm not very comfortable with the commands just yet).
Here is the output of my packet-trace test in the CLI:
MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9bdf80, priority=111, domain=permit, deny=true
hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=inside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
MyASA(config)#
Here is my (sanitized) "show run" - Much thanks, everyone
Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
dhcprelay information trusted
!
interface Vlan2
description CenturyLink 100 Mbps fiber
nameif outside
security-level 0
pppoe client vpdn group LabzGroup
ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name Labz.local
object network Work_Corp_WAN
host 72.165.30.162
description Work corporate network
object network Dell-Precision
host 192.168.3.38
description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
service tcp source eq 3389 destination eq 3389
description Win_RDP_port-3389
object network Dell-Optiplex
host 192.168.3.133
description Dell-Optiplex
object service SSL
service tcp source eq https destination eq https
description SSL
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
host (Inside_Public_IP)
description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
host 192.168.3.133
description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local
dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
service-type admin
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#
cisco-asa nat port-forwarding
cisco-asa nat port-forwarding
edited 3 hours ago
asked 4 hours ago
SamAndrew81
1084
1084
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
3
down vote
object service SSL
service tcp source eq https destination eq https
nat (inside,outside) source static Dell-Optiplex interface service any SSL
Is this your Static PAT rule? If so, it is misconfigured.
You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex
and a port of any
should be translated to the interface
IP address and have both their source and destination ports changed to 443.
NAT on the ASA is very flexible. This article will teach you everything you need to know.
Specifically, to configure a Port Translation, this is the configuration syntax to follow:
Given that, something like this should work (assuming I guessed your webserver's object correctly):
object network Dell-Optiplex
host 192.168.3.133
object service SRC-HTTPS
service tcp source eq https
nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS
This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.
Edit, comments weren't enough room:
Also, it seems you're ACL is incorrect:
access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
The first line applies the Inbound_SSL
ACL to the outside
interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.
The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).
It should be something like this:
access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https
This allows traffic from any
source, to the destination of your webserver, over port 443.
Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
â SamAndrew81
2 hours ago
@SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
â Eddie
48 mins ago
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
3
down vote
object service SSL
service tcp source eq https destination eq https
nat (inside,outside) source static Dell-Optiplex interface service any SSL
Is this your Static PAT rule? If so, it is misconfigured.
You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex
and a port of any
should be translated to the interface
IP address and have both their source and destination ports changed to 443.
NAT on the ASA is very flexible. This article will teach you everything you need to know.
Specifically, to configure a Port Translation, this is the configuration syntax to follow:
Given that, something like this should work (assuming I guessed your webserver's object correctly):
object network Dell-Optiplex
host 192.168.3.133
object service SRC-HTTPS
service tcp source eq https
nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS
This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.
Edit, comments weren't enough room:
Also, it seems you're ACL is incorrect:
access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
The first line applies the Inbound_SSL
ACL to the outside
interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.
The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).
It should be something like this:
access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https
This allows traffic from any
source, to the destination of your webserver, over port 443.
Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
â SamAndrew81
2 hours ago
@SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
â Eddie
48 mins ago
add a comment |Â
up vote
3
down vote
object service SSL
service tcp source eq https destination eq https
nat (inside,outside) source static Dell-Optiplex interface service any SSL
Is this your Static PAT rule? If so, it is misconfigured.
You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex
and a port of any
should be translated to the interface
IP address and have both their source and destination ports changed to 443.
NAT on the ASA is very flexible. This article will teach you everything you need to know.
Specifically, to configure a Port Translation, this is the configuration syntax to follow:
Given that, something like this should work (assuming I guessed your webserver's object correctly):
object network Dell-Optiplex
host 192.168.3.133
object service SRC-HTTPS
service tcp source eq https
nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS
This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.
Edit, comments weren't enough room:
Also, it seems you're ACL is incorrect:
access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
The first line applies the Inbound_SSL
ACL to the outside
interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.
The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).
It should be something like this:
access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https
This allows traffic from any
source, to the destination of your webserver, over port 443.
Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
â SamAndrew81
2 hours ago
@SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
â Eddie
48 mins ago
add a comment |Â
up vote
3
down vote
up vote
3
down vote
object service SSL
service tcp source eq https destination eq https
nat (inside,outside) source static Dell-Optiplex interface service any SSL
Is this your Static PAT rule? If so, it is misconfigured.
You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex
and a port of any
should be translated to the interface
IP address and have both their source and destination ports changed to 443.
NAT on the ASA is very flexible. This article will teach you everything you need to know.
Specifically, to configure a Port Translation, this is the configuration syntax to follow:
Given that, something like this should work (assuming I guessed your webserver's object correctly):
object network Dell-Optiplex
host 192.168.3.133
object service SRC-HTTPS
service tcp source eq https
nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS
This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.
Edit, comments weren't enough room:
Also, it seems you're ACL is incorrect:
access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
The first line applies the Inbound_SSL
ACL to the outside
interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.
The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).
It should be something like this:
access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https
This allows traffic from any
source, to the destination of your webserver, over port 443.
object service SSL
service tcp source eq https destination eq https
nat (inside,outside) source static Dell-Optiplex interface service any SSL
Is this your Static PAT rule? If so, it is misconfigured.
You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex
and a port of any
should be translated to the interface
IP address and have both their source and destination ports changed to 443.
NAT on the ASA is very flexible. This article will teach you everything you need to know.
Specifically, to configure a Port Translation, this is the configuration syntax to follow:
Given that, something like this should work (assuming I guessed your webserver's object correctly):
object network Dell-Optiplex
host 192.168.3.133
object service SRC-HTTPS
service tcp source eq https
nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS
This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.
Edit, comments weren't enough room:
Also, it seems you're ACL is incorrect:
access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
The first line applies the Inbound_SSL
ACL to the outside
interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.
The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).
It should be something like this:
access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https
This allows traffic from any
source, to the destination of your webserver, over port 443.
edited 48 mins ago
answered 3 hours ago
Eddie
8,74612155
8,74612155
Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
â SamAndrew81
2 hours ago
@SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
â Eddie
48 mins ago
add a comment |Â
Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
â SamAndrew81
2 hours ago
@SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
â Eddie
48 mins ago
Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
â SamAndrew81
2 hours ago
Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
â SamAndrew81
2 hours ago
@SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
â Eddie
48 mins ago
@SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
â Eddie
48 mins ago
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53766%2fport-forwarding-rule-on-cisco-asa-not-working-drop-reason-acl-drop-flow-is%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password