
Incoming port forwards not working

Status
Not open for further replies.

fissure

ISP
Mar 7, 2003
188
GB
Hi there,

I'm new to the ASA, and have been given this sanitised config from someone's ASA. The machines can get out to the Internet ok (so routing/outbound NAT is ok), but the incoming port forwardings for SMTP etc. are not working.

I have used PIXs ok, and basing my knowledge on them, it looks sort of ok:
static commands are there
inbound access-list is there
inbound access-list is applied

192.168.1.x is internal
the external IPs have been replaced with 10.10.10.x

Can anyone suggest what might be wrong?

Thanks.


ASA Version 7.2(2)
!
hostname xxx-fw
domain-name xxx
enable password xxx encrypted
names
dns-guard
!
interface Ethernet0/0
description To xxx LAN
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
interface Ethernet0/1
description World Facing to YYY/Internet
nameif outside
security-level 0
ip address 10.10.10.17 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd xxx encrypted
no ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name xxx
access-list inbound extended permit tcp any host 10.10.10.17 eq 3389
access-list inbound extended permit tcp any host 10.10.10.18 eq 3389
access-list inbound extended permit tcp any host 10.10.10.19 eq 3389
access-list inbound extended permit tcp any host 10.10.10.17 eq smtp
access-list inbound extended permit tcp any host 10.10.10.17 eq www
access-list inbound extended permit tcp any host 10.10.10.17 eq https
access-list nat-overload extended permit ip 192.168.1.0 255.255.255.0 any
access-list noNAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool vpn-roam 172.16.1.1-172.16.1.254
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list noNAT
nat (inside) 1 access-list nat-overload
static (inside,outside) tcp 192.168.1.252 smtp 10.10.10.17 smtp netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.6 3389 10.10.10.17 3389 netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.7 3389 10.10.10.18 3389 netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.251 3389 10.10.10.19 3389 netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.6 255.255.255.255
static (inside,outside) tcp 192.168.1.6 https 10.10.10.17 https netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy roampolicy internal
group-policy roampolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value noNAT
user-authentication disable
username vpn-roam password xxx encrypted
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication secure-http-client
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset-3des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset-3des
crypto map my-map 40 ipsec-isakmp dynamic dynmap
crypto map my-map interface outside
crypto isakmp enable outside
crypto isakmp policy 3
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group vpn-roam type ipsec-ra
tunnel-group vpn-roam general-attributes
address-pool vpn-roam
authorization-server-group LOCAL
default-group-policy roampolicy
tunnel-group vpn-roam ipsec-attributes
pre-shared-key *
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh xxx 255.255.255.255 outside
ssh xxx 255.255.255.255 outside
ssh timeout 5
console timeout 0
!
class-map HTTP
match port tcp eq www
class-map inspection_default
match default-inspection-traffic
!
!
policy-map SYN-Defence
class HTTP
set connection per-client-max 100 per-client-embryonic-max 50
class class-default
policy-map global-policy
class inspection_default
inspect ftp
!
service-policy global-policy global
 
You flipped your statics.
static (inside,outside) tcp 192.168.1.252 smtp 10.10.10.17 smtp netmask 255.255.255.255
should be...
static (inside,outside) tcp 10.10.10.17 smtp 192.168.1.252 smtp netmask 255.255.255.255

That should do it.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Perfect, not my config, but I completely missed that in reviewing it.

Thanks for your help, Neil.

 
I am having the same issue. I have set up the access rules and the port forward rules.

Trying to forward using one external public IP to various different internal IPs using different ports.

I have not set up all the access rules yet.

Also, when connected to the vpn, the split tunneling doesn't seem to work. We lose the internet connection on the laptop when we are connected.

Any help would be appreciated. Thanks

ASA Version 7.2(2)
!
hostname AAH
domain-name AAHDOMAIN1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.222.141 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name AAHDOMAIN1
same-security-traffic permit intra-interface
access-list AAH_splitTunnelAcl standard permit host 192.168.100.0
access-list outside_access_in extended permit tcp any host 192.168.100.9 eq 9222
access-list outside_access_in extended permit tcp any host 192.168.100.29 eq 9221
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.8 eq 9224
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.7 eq 9223
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.15 eq 9228
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.16 eq 9229
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.50 eq 9230
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.52 eq 9231
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.53 eq 9226
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.51 eq 9227
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.54 eq 9225
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.26 eq 9232
access-list outside_access_in extended permit tcp host xxx.xx.222.141 host 192.168.100.31 eq 9233
access-list outside_access_in extended permit tcp host xxx.xxx.222.141 host 192.168.100.0 eq www
access-list outside_access_in extended permit tcp any host 192.168.100.100 eq smtp
access-list AAH2_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 192.168.101.2-192.168.101.33 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 9222 192.168.100.9 9222 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.100.100 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.93.222.142 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy AAH2 internal
group-policy AAH2 attributes
dns-server value 192.168.100.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value AAH2_splitTunnelAcl
default-domain value AAHDOMAIN1.LAN
group-policy AAH internal
group-policy AAH attributes
dns-server value 192.168.100.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list value AAH_splitTunnelAcl
default-domain value AAHDOMAIN1.LAN
username admin password Qj3Pp7sMnHwX0nfZ encrypted privilege 0
username admin attributes
vpn-group-policy AAH
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group AAH type ipsec-ra
tunnel-group AAH general-attributes
address-pool vpnpool
default-group-policy AAH
tunnel-group AAH ipsec-attributes
pre-shared-key *
tunnel-group AAH2 type ipsec-ra
tunnel-group AAH2 general-attributes
address-pool vpnpool
default-group-policy AAH2
tunnel-group AAH2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e9a92aa49eae6e7d25e3ff41664b4335
: end
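Both configs in this thread show how easy it is to get the pre-8.3 `static (real_ifc,mapped_ifc)` argument order wrong, and the second config also has its outside ACL written against internal 192.168.100.x addresses. On ASA 7.x/8.0-8.2 an ACL applied to the outside interface must match the translated (mapped) address, not the real inside address, so those entries never match the arriving packets. The following lint script is an added example written for this page, not code from the thread or from Cisco; it parses the 7.x syntax for interfaces, `static` port forwards, simple `permit tcp ... host X eq PORT` ACL entries and `access-group` bindings, then flags statics whose mapped/real addresses are swapped (Brent's point) and ACL entries that reference a real inside address or an address/port with no matching static. `SAMPLE_CONFIG` is a constructed fragment modelled on the first config above; the interface subnets are used to decide which side an address belongs to, so the check assumes each side's hosts sit in that interface's own subnet.

```python
"""Lint pre-8.3 ASA/PIX port-forward configs for the mistakes discussed in the thread.

Added example, not from the thread. Assumes the 7.x syntax
  static (real_ifc,mapped_ifc) tcp|udp mapped_ip mapped_port real_ip real_port netmask ...
and inbound ACL entries of the form 'permit tcp any|host X host Y eq PORT'.
"""
import ipaddress
import re

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22}

# Constructed sample modelled on the first config above (not a real device's config).
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif inside
 ip address 192.168.1.253 255.255.255.0
interface Ethernet0/1
 nameif outside
 ip address 10.10.10.17 255.255.255.240
access-list inbound extended permit tcp any host 10.10.10.17 eq smtp
access-list inbound extended permit tcp any host 10.10.10.18 eq 3389
access-list inbound extended permit tcp any host 10.10.10.17 eq www
access-list inbound extended permit tcp any host 192.168.1.6 eq 3389
static (inside,outside) tcp 192.168.1.252 smtp 10.10.10.17 smtp netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.18 3389 192.168.1.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.6 www netmask 255.255.255.255
access-group inbound in interface outside
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask \S+")
ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp) (?:any|host \S+) host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")
ADDR_RE = re.compile(r"ip address (\S+) (\S+)$")


def port_number(token):
    """Translate a named or numeric port token to an integer."""
    return PORT_NAMES.get(token.lower()) or int(token)


def parse_config(text):
    """Collect interfaces, statics, ACL entries, access-group bindings and unparsable statics."""
    interfaces, statics, acls, groups, bad = {}, [], [], {}, []
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # start of a new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := ADDR_RE.match(line)) and nameif:
            interfaces[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif line.startswith("static "):
            m = STATIC_RE.match(line)
            if not m:
                bad.append(line)               # truncated or garbled static line
                continue
            statics.append({"real_ifc": m[1], "mapped_ifc": m[2], "proto": m[3],
                            "mapped_ip": m[4], "mapped_port": port_number(m[5]),
                            "real_ip": m[6], "real_port": port_number(m[7]), "line": line})
        elif m := ACL_RE.match(line):
            acls.append({"name": m[1], "dst": m[3], "port": port_number(m[4]), "line": line})
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]                # interface -> ACL name applied inbound
    return interfaces, statics, acls, groups, bad


def lint(text):
    """Return a list of findings; an empty list means the forwards look consistent."""
    ifcs, statics, acls, groups, bad = parse_config(text)
    findings = [f"unparsable static (truncated?): {l}" for l in bad]
    mapped = set()                             # (ifc, mapped address, port) with a translation
    for s in statics:
        real_net = ifcs[s["real_ifc"]].network
        map_ifc = ifcs[s["mapped_ifc"]]
        map_ip = map_ifc.ip if s["mapped_ip"] == "interface" else ipaddress.ip_address(s["mapped_ip"])
        real_ip = ipaddress.ip_address(s["real_ip"])
        if real_ip in map_ifc.network and map_ip in real_net:
            findings.append(f"static arguments flipped (mapped address must come first): {s['line']}")
        elif real_ip not in real_net:
            findings.append(f"real address {real_ip} is not on '{s['real_ifc']}': {s['line']}")
        mapped.add((s["mapped_ifc"], map_ip, s["mapped_port"]))
    for ifc, acl_name in groups.items():
        for a in acls:
            if a["name"] != acl_name:
                continue
            dst = ipaddress.ip_address(a["dst"])
            if (ifc, dst, a["port"]) in mapped:
                continue                       # ACL entry lines up with a static: fine
            owner = next((n for n, i in ifcs.items() if n != ifc and dst in i.network), None)
            if owner:
                findings.append(f"ACL {acl_name} uses the real '{owner}' address {dst}; "
                                f"pre-8.3 ACLs on '{ifc}' must use the translated address: {a['line']}")
            else:
                findings.append(f"ACL {acl_name} permits {dst}:{a['port']} but no static translates it "
                                f"on '{ifc}': {a['line']}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the flipped SMTP static, the SMTP ACL entry left without a translation by that same mistake, and the RDP ACL entry written against 192.168.1.6; swapping the two addresses of the SMTP static as Brent suggests removes the first two findings. The script deliberately does not try to understand object groups, `nat-control` or the 8.3+ object NAT syntax, where ACLs reference real addresses and the checks would be the other way round.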
 