Port-forwarding rule on Cisco ASA not working - “Drop-reason: (acl-drop) Flow is denied by configured rule”

Clash Royale CLAN TAG#URR8PPP

up vote
1
down vote

favorite

New to Cisco, so I hope this question isn't too noobish. I am trying to setup a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried used ASDM mostly, and also tried CLI via Putty (but I'm not very comfortable with the commands just yet).

Here is the output of my packet-trace test in the CLI:

 MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcc9bdf80, priority=111, domain=permit, deny=true
 hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MyASA(config)#

Here is my (sanitized) "show run" - Much thanks, everyone

 Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number: 
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 dhcprelay information trusted
!
interface Vlan2
 description CenturyLink 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group LabzGroup
 ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Labz.local
object network Work_Corp_WAN
 host 72.165.30.162
 description Work corporate network
object network Dell-Precision
 host 192.168.3.38
 description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
 service tcp source eq 3389 destination eq 3389
 description Win_RDP_port-3389
object network Dell-Optiplex
 host 192.168.3.133
 description Dell-Optiplex
object service SSL
 service tcp source eq https destination eq https
 description SSL
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
 host (Inside_Public_IP)
 description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
 host 192.168.3.133
 description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
 nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname 
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny
 inspect sunrpc
 inspect xdmcp
 inspect sip
 inspect netbios
 inspect tftp
 inspect ip-options
 inspect icmp
 inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#

cisco-asa nat port-forwarding

share|improve this question

edited 3 hours ago

asked 4 hours ago

SamAndrew81

1084

add a comment | 

up vote
1
down vote

favorite

New to Cisco, so I hope this question isn't too noobish. I am trying to setup a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried used ASDM mostly, and also tried CLI via Putty (but I'm not very comfortable with the commands just yet).

Here is the output of my packet-trace test in the CLI:

 MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcc9bdf80, priority=111, domain=permit, deny=true
 hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MyASA(config)#

Here is my (sanitized) "show run" - Much thanks, everyone

 Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number: 
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 dhcprelay information trusted
!
interface Vlan2
 description CenturyLink 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group LabzGroup
 ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Labz.local
object network Work_Corp_WAN
 host 72.165.30.162
 description Work corporate network
object network Dell-Precision
 host 192.168.3.38
 description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
 service tcp source eq 3389 destination eq 3389
 description Win_RDP_port-3389
object network Dell-Optiplex
 host 192.168.3.133
 description Dell-Optiplex
object service SSL
 service tcp source eq https destination eq https
 description SSL
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
 host (Inside_Public_IP)
 description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
 host 192.168.3.133
 description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
 nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname 
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny
 inspect sunrpc
 inspect xdmcp
 inspect sip
 inspect netbios
 inspect tftp
 inspect ip-options
 inspect icmp
 inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#

cisco-asa nat port-forwarding

share|improve this question

edited 3 hours ago

asked 4 hours ago

SamAndrew81

1084

add a comment | 

up vote
1
down vote

favorite

up vote
1
down vote

favorite

New to Cisco, so I hope this question isn't too noobish. I am trying to setup a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried used ASDM mostly, and also tried CLI via Putty (but I'm not very comfortable with the commands just yet).

Here is the output of my packet-trace test in the CLI:

 MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcc9bdf80, priority=111, domain=permit, deny=true
 hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MyASA(config)#

Here is my (sanitized) "show run" - Much thanks, everyone

 Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number: 
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 dhcprelay information trusted
!
interface Vlan2
 description CenturyLink 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group LabzGroup
 ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Labz.local
object network Work_Corp_WAN
 host 72.165.30.162
 description Work corporate network
object network Dell-Precision
 host 192.168.3.38
 description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
 service tcp source eq 3389 destination eq 3389
 description Win_RDP_port-3389
object network Dell-Optiplex
 host 192.168.3.133
 description Dell-Optiplex
object service SSL
 service tcp source eq https destination eq https
 description SSL
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
 host (Inside_Public_IP)
 description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
 host 192.168.3.133
 description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
 nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname 
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny
 inspect sunrpc
 inspect xdmcp
 inspect sip
 inspect netbios
 inspect tftp
 inspect ip-options
 inspect icmp
 inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#

cisco-asa nat port-forwarding

share|improve this question

edited 3 hours ago

asked 4 hours ago

SamAndrew81

1084

New to Cisco, so I hope this question isn't too noobish. I am trying to setup a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried used ASDM mostly, and also tried CLI via Putty (but I'm not very comfortable with the commands just yet).

Here is the output of my packet-trace test in the CLI:

 MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xcc9bdf80, priority=111, domain=permit, deny=true
 hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MyASA(config)#

Here is my (sanitized) "show run" - Much thanks, everyone

 Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number: 
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 dhcprelay information trusted
!
interface Vlan2
 description CenturyLink 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group LabzGroup
 ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Labz.local
object network Work_Corp_WAN
 host 72.165.30.162
 description Work corporate network
object network Dell-Precision
 host 192.168.3.38
 description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
 service tcp source eq 3389 destination eq 3389
 description Win_RDP_port-3389
object network Dell-Optiplex
 host 192.168.3.133
 description Dell-Optiplex
object service SSL
 service tcp source eq https destination eq https
 description SSL
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
 host (Inside_Public_IP)
 description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
 host 192.168.3.133
 description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
 nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname 
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny
 inspect sunrpc
 inspect xdmcp
 inspect sip
 inspect netbios
 inspect tftp
 inspect ip-options
 inspect icmp
 inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#

cisco-asa nat port-forwarding

cisco-asa nat port-forwarding

share|improve this question

edited 3 hours ago

asked 4 hours ago

SamAndrew81

1084

share|improve this question

edited 3 hours ago

asked 4 hours ago

SamAndrew81

1084

share|improve this question

share|improve this question

edited 3 hours ago

edited 3 hours ago

edited 3 hours ago

asked 4 hours ago

SamAndrew81

1084

asked 4 hours ago

SamAndrew81

1084

asked 4 hours ago

SamAndrew81

1084

1084

add a comment | 

add a comment | 

1 Answer
1

active

oldest

votes

up vote
3
down vote

object service SSL
 service tcp source eq https destination eq https

nat (inside,outside) source static Dell-Optiplex interface service any SSL

Is this your Static PAT rule? If so, it is misconfigured.

You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex and a port of any should be translated to the interface IP address and have both their source and destination ports changed to 443.

NAT on the ASA is very flexible. This article will teach you everything you need to know.

Specifically, to configure a Port Translation, this is the configuration syntax to follow:

Given that, something like this should work (assuming I guessed your webserver's object correctly):

object network Dell-Optiplex
 host 192.168.3.133

object service SRC-HTTPS
 service tcp source eq https

nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS

This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.

---

Edit, comments weren't enough room:

Also, it seems you're ACL is incorrect:

access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https

The first line applies the Inbound_SSL ACL to the outside interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.

The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).

It should be something like this:

access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https

This allows traffic from any source, to the destination of your webserver, over port 443.

share|improve this answer

edited 48 mins ago

answered 3 hours ago

Eddie

8,74612155

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
  – SamAndrew81
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
  – Eddie
  48 mins ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "496"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53766%2fport-forwarding-rule-on-cisco-asa-not-working-drop-reason-acl-drop-flow-is%23new-answer', 'question_page');

);

Post as a guest

Name Email

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
3
down vote

object service SSL
 service tcp source eq https destination eq https

nat (inside,outside) source static Dell-Optiplex interface service any SSL

Is this your Static PAT rule? If so, it is misconfigured.

You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex and a port of any should be translated to the interface IP address and have both their source and destination ports changed to 443.

NAT on the ASA is very flexible. This article will teach you everything you need to know.

Specifically, to configure a Port Translation, this is the configuration syntax to follow:

Given that, something like this should work (assuming I guessed your webserver's object correctly):

object network Dell-Optiplex
 host 192.168.3.133

object service SRC-HTTPS
 service tcp source eq https

nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS

This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.

---

Edit, comments weren't enough room:

Also, it seems you're ACL is incorrect:

access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https

The first line applies the Inbound_SSL ACL to the outside interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.

The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).

It should be something like this:

access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https

This allows traffic from any source, to the destination of your webserver, over port 443.

share|improve this answer

edited 48 mins ago

answered 3 hours ago

Eddie

8,74612155

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
  – SamAndrew81
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
  – Eddie
  48 mins ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

object service SSL
 service tcp source eq https destination eq https

nat (inside,outside) source static Dell-Optiplex interface service any SSL

Is this your Static PAT rule? If so, it is misconfigured.

You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex and a port of any should be translated to the interface IP address and have both their source and destination ports changed to 443.

NAT on the ASA is very flexible. This article will teach you everything you need to know.

Specifically, to configure a Port Translation, this is the configuration syntax to follow:

Given that, something like this should work (assuming I guessed your webserver's object correctly):

object network Dell-Optiplex
 host 192.168.3.133

object service SRC-HTTPS
 service tcp source eq https

nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS

This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.

---

Edit, comments weren't enough room:

Also, it seems you're ACL is incorrect:

access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https

The first line applies the Inbound_SSL ACL to the outside interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.

The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).

It should be something like this:

access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https

This allows traffic from any source, to the destination of your webserver, over port 443.

share|improve this answer

edited 48 mins ago

answered 3 hours ago

Eddie

8,74612155

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
  – SamAndrew81
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
  – Eddie
  48 mins ago
  

  
  
  
  

add a comment | 

up vote
3
down vote

up vote
3
down vote

object service SSL
 service tcp source eq https destination eq https

nat (inside,outside) source static Dell-Optiplex interface service any SSL

Is this your Static PAT rule? If so, it is misconfigured.

You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex and a port of any should be translated to the interface IP address and have both their source and destination ports changed to 443.

NAT on the ASA is very flexible. This article will teach you everything you need to know.

Specifically, to configure a Port Translation, this is the configuration syntax to follow:

Given that, something like this should work (assuming I guessed your webserver's object correctly):

object network Dell-Optiplex
 host 192.168.3.133

object service SRC-HTTPS
 service tcp source eq https

nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS

This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.

---

Edit, comments weren't enough room:

Also, it seems you're ACL is incorrect:

access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https

The first line applies the Inbound_SSL ACL to the outside interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.

The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).

It should be something like this:

access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https

This allows traffic from any source, to the destination of your webserver, over port 443.

share|improve this answer

edited 48 mins ago

answered 3 hours ago

Eddie

8,74612155

object service SSL
 service tcp source eq https destination eq https

nat (inside,outside) source static Dell-Optiplex interface service any SSL

Is this your Static PAT rule? If so, it is misconfigured.

You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex and a port of any should be translated to the interface IP address and have both their source and destination ports changed to 443.

NAT on the ASA is very flexible. This article will teach you everything you need to know.

Specifically, to configure a Port Translation, this is the configuration syntax to follow:

Given that, something like this should work (assuming I guessed your webserver's object correctly):

object network Dell-Optiplex
 host 192.168.3.133

object service SRC-HTTPS
 service tcp source eq https

nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS

This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.

---

Edit, comments weren't enough room:

Also, it seems you're ACL is incorrect:

access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https

The first line applies the Inbound_SSL ACL to the outside interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.

The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).

It should be something like this:

access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https

This allows traffic from any source, to the destination of your webserver, over port 443.

share|improve this answer

edited 48 mins ago

answered 3 hours ago

Eddie

8,74612155

share|improve this answer

share|improve this answer

edited 48 mins ago

edited 48 mins ago

edited 48 mins ago

answered 3 hours ago

Eddie

8,74612155

answered 3 hours ago

Eddie

8,74612155

answered 3 hours ago

Eddie

8,74612155

8,74612155

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
  – SamAndrew81
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
  – Eddie
  48 mins ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
  – SamAndrew81
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
  – Eddie
  48 mins ago
  

  
  
  
  

Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
– SamAndrew81
2 hours ago

Thank you, Eddie! You did indeed guess my IIS web server correctly. I added the rules you listed here, but it still does not work for some reason. I think there is something wrong with my default or "implicit" access rules...? Here is what I get when I try the packet-tracer command, still the same: Phase: 2, Type: ACCESS_LIST, Result: DROP
– SamAndrew81
2 hours ago

@SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
– Eddie
48 mins ago

@SamAndrew81 I updated the answer, it looks like the ACL entry is slightly off as well.
– Eddie
48 mins ago

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f53766%2fport-forwarding-rule-on-cisco-asa-not-working-drop-reason-acl-drop-flow-is%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email