cisco asa port forwarding still not working


  • cisco asa port forwarding still not working

    Hi,

    I've tried everything to get the port forwarding on my cisco asa 5505 to work.

    I found this
    http://i.i.com.com/cnwk.1d/i/tr/down..._chapter_5.pdf
    and followed it precisely to get my internet connection going.

    After that I found this on the cisco web to configure port forwarding for http, https, smtp and rdp

    http://www.cisco.com/en/US/docs/secu...html#wp1102023

    The only thing different here is that my server is on my inside LAN and not in the DMZ. My ISP also provides me with a dynamic IP for my outside interface.

    Still nothing works; this is not the only config I've tried. I have also tried to do packet tracing, but it does not seem to work properly; it always gives me an error on the config implicit acl.

    Here is the result of the command: "sh run"

    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname ciscoasa
    enable password 1EFTpZ6NvsPgbSpA encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Vlan5
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 192.168.x.x 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    switchport access vlan 5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns server-group DefaultDNS
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service rdp tcp
    port-object eq 3389
    access-list outside_access_in extended permit tcp any eq smtp interface outside eq smtp
    access-list outside_access_in extended permit tcp any eq www interface outside
    access-list outside_access_in extended permit tcp any eq https interface outside eq https
    access-list outside_access_in extended permit tcp any object-group rdp interface outside object-group rdp
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp 192.168.1.x smtp netmask 255.255.255.255
    static (inside,outside) tcp interface www 192.168.1.x www netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.1.x https netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.129 inside
    !

    threat-detection basic-threat
    threat-detection statistics
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7fd1a8bf550631c6d569d5d67ef88f15
    : end
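    In the posted outside_access_in entries the port operator sits directly after the source address (for example "any eq smtp interface outside eq smtp"). In ASA extended ACL syntax the operator that follows the source address restricts the client's source port, not the service port, and the www entry carries no destination port at all. The Python below is an added check, not part of the original post and not a Cisco tool: it parses the posted ACEs (embedded here as a constructed sample, together with the service object-group they reference) and flags both patterns. All function names are assumptions made for this example.

```python
"""Lint pre-8.3 Cisco ASA extended ACEs for two port-forwarding mistakes:
a source-port match (e.g. 'any eq smtp ...') and a missing destination port."""
import re

# Constructed sample: the object-group and outside_access_in lines from the posted "sh run".
SAMPLE_RUN = """\
object-group service rdp tcp
 port-object eq 3389
access-list outside_access_in extended permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in extended permit tcp any eq www interface outside
access-list outside_access_in extended permit tcp any eq https interface outside eq https
access-list outside_access_in extended permit tcp any object-group rdp interface outside object-group rdp
"""

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (tcp|udp) (.+)$")


def service_groups(config):
    """Names of 'object-group service ...' definitions; needed because an
    'object-group NAME' token can be either an address group or a port group."""
    return set(re.findall(r"^object-group service (\S+)", config, re.M))


def _endpoint(tokens, svc):
    """Consume one address spec plus an optional port spec.
    Returns (address, port_or_None, remaining_tokens)."""
    if not tokens:
        raise ValueError("truncated ACE: address spec missing")
    t = tokens[0]
    if t in ("any", "any4", "any6"):
        addr, rest = t, tokens[1:]
    else:  # host A | interface NAME | object-group NAME | object NAME | A.B.C.D MASK
        addr, rest = f"{t} {tokens[1]}", tokens[2:]
    port = None
    if rest and rest[0] in PORT_OPS:
        n = 3 if rest[0] == "range" else 2          # 'range lo hi' takes two operands
        port, rest = " ".join(rest[:n]), rest[n:]
    elif len(rest) > 1 and rest[0] == "object-group" and rest[1] in svc:
        port, rest = " ".join(rest[:2]), rest[2:]   # service group used as a port match
    return addr, port, rest


def parse_ace(line, svc):
    """Split a tcp/udp ACE into its fields; None for lines that are not such ACEs."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    src, sport, rest = _endpoint(rest.split(), svc)
    dst, dport, rest = _endpoint(rest, svc)
    return {"name": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def lint_acl(config):
    """Return (line, message) pairs for permit ACEs that will not work as forwarding rules."""
    svc = service_groups(config)
    findings = []
    for line in config.splitlines():
        ace = parse_ace(line, svc)
        if ace is None or ace["action"] != "permit":
            continue
        if ace["sport"]:
            findings.append((line, f"matches SOURCE port '{ace['sport']}'; clients use "
                                   "ephemeral source ports, so this entry almost never matches"))
        if ace["dport"] is None:
            findings.append((line, f"no destination port: permits every {ace['proto']} "
                                   f"port on {ace['dst']}"))
    return findings


def without_source_port(line, svc):
    """Rebuild an ACE with its source-port match removed (the destination port is kept)."""
    ace = parse_ace(line, svc)
    if ace is None:
        return line
    parts = ["access-list", ace["name"], "extended", ace["action"], ace["proto"],
             ace["src"], ace["dst"]]
    if ace["dport"]:
        parts.append(ace["dport"])
    return " ".join(parts)


if __name__ == "__main__":
    for bad, why in lint_acl(SAMPLE_RUN):
        print(f"{bad}\n    -> {why}")
    print(without_source_port(
        "access-list outside_access_in extended permit tcp any eq smtp interface outside eq smtp",
        service_groups(SAMPLE_RUN)))
```

    Run against the sample, the linter reports a source-port match on all four entries and a missing destination port on the www entry; without_source_port shows the shape each entry takes once the source-port operator is dropped (the www entry still needs its destination port added by hand).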

  • #2
    Re: cisco asa port forwarding still not working

    If you're using the ASDM, which the PDF makes it seem like you are, then I'd use the Packet Tracer tool to figure out what rule or static route is blocking you.

    But to me, it seems like the rules you are using are applied to the outside interface and then tell it to allow access to the outside interface, instead of the inside.


    access-list outside_access_in extended permit tcp any eq smtp interface outside eq smtp
    access-group outside_access_in in interface outside

    So anything coming from the outside is permitted to go to SMTP on the outside.

    I think it should be Any from the outside are permitted to go to SMTP on the "interface inside"
