Having trouble configuring port forwarding on ASA 5505
Once upon a time I programmed maybe a half dozen ASA series devices for fairly simple port forwarding and VPN functions. But I just got my first 9.0-era device and I'm having a hell of a time trying to get traffic to pass correctly. I feel like I must be close, but not quite there. Any ASA-xperts that can help me figure out why traffic isn't passing coming in?
My config is this:
My config is this:
Result of the command: "sh config"
: Saved
: Written by enable_15 at 22:11:32.527 UTC Thu Jan 29 2015
!
ASA Version 9.0(1)
!
hostname ciscoasa
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.137.50.50 255.255.255.224
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 69.51.76.26
name-server 69.51.76.36
name-server 8.8.8.8
name-server 208.67.220.220
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service Camera10_TCP
service tcp source eq 8089 destination eq 8089
object service Camera10_UDP
service udp source eq 8089 destination eq 8089
object service Camera1_TCP
service tcp source eq 8090 destination eq 8090
object service Camera1_UDP
service udp source eq 8090 destination eq 8090
object service Camera2_TCP
service tcp source eq 8081 destination eq 8081
object service Camera2_UDP
service udp source eq 8081 destination eq 8081
object service Camera3_TCP
service tcp source eq 8082 destination eq 8082
object service Camera3_UDP
service udp source eq 8082 destination eq 8082
object service Camera4_TCP
service tcp source eq 8083 destination eq 8083
object service Camera4_UDP
service udp source eq 8083 destination eq 8083
object service Camera5_TCP
service tcp source eq 8084 destination eq 8084
object service Camera5_UDP
service udp source eq 8084 destination eq 8084
object service Camera6_TCP
service tcp source eq 8085 destination eq 8085
object service Camera6_UDP
service udp source eq 8085 destination eq 8085
object service Camera7_TCP
service tcp source eq 8086 destination eq 8086
object service Camera7_UDP
service udp source eq 8086 destination eq 8086
object service Camera8_TCP
service tcp source eq 8087 destination eq 8087
object service Camera8_UDP
service udp source eq 8087 destination eq 8087
object service Camera9_TCP
service tcp source eq 8088 destination eq 8088
object service Camera9_UDP
service udp source eq 8088 destination eq 8088
object service Crestron_TCP
service tcp source range 41781 41795 destination range 41781 41795
object service Crestron_UDP
service udp source range 41781 41795 destination range 41781 41795
object service NVR_22608_TCP
service tcp source eq 22608 destination eq 22608
object service NVR_22608_UDP
service udp source eq 22608 destination eq 22608
object service NVR_22609_TCP
service tcp source eq 22609 destination eq 22609
object service NVR_22609_UDP
service udp source eq 22609 destination eq 22609
object service Company_Web_TCP
service tcp destination eq 987
object service Terminal_Services
service tcp destination eq 3389
object service SMTP
service tcp source eq smtp destination eq smtp
description SMTP
object network SBS_Server
host 192.168.1.10
object network SBS_Server_3389_TCP
host 192.168.15.10
object network SBS_Server_25_TCP
host 192.168.15.10
object network SBS_Server_443_TCP
host 192.168.15.10
object network SBS_Server_80_TCP
host 192.168.15.10
object network NVR
host 192.168.15.250
object network Camera1
host 192.168.15.180
object network Camera10
host 192.168.15.189
object network Camera2
host 192.168.15.181
object network Camera3
host 192.168.15.182
object network Camera4
host 192.168.15.183
object network Camera5
host 192.168.15.184
object network Camera6
host 192.168.15.185
object network Camera7
host 192.168.15.186
object network Camera8
host 192.168.15.187
object network Camera9
host 192.168.15.188
object network Crestron
host 192.168.15.100
object network SBS_Server_987_TCP
host 192.168.15.10
object network Camera1_8090_TCP
host 192.168.15.180
object network Camera1_8090_UDP
host 192.168.15.180
object network Camera2_8081_TCP
host 192.168.15.181
object network Camera2_8081_UDP
host 192.168.15.181
object network Camera3_8082_TCP
host 192.168.15.182
object network Camera3_8082_UDP
host 192.168.15.182
object network Camera4_8083_TCP
host 192.168.15.183
object network Camera4_8083_UDP
host 192.168.15.183
object network Camera5_8084_TCP
host 192.168.15.184
object network Camera5_8084_UDP
host 192.168.15.184
object network Camera6_8085_TCP
host 192.168.15.185
object network Camera6_8085_UDP
host 192.168.15.185
object network Camera7_8086_UDP
host 192.168.15.186
object network Camera7_8086_TCP
host 192.168.15.186
object network Camera8_8087_TCP
host 192.168.15.187
object network Camera8_8087_UDP
host 192.168.15.187
object network Camera9_8088_UDP
host 192.168.15.188
object network Camera9_8088_TCP
host 192.168.15.188
object network Camera10_8089_TCP
host 192.168.15.189
object network Camera10_8089_UDP
host 192.168.15.189
object network NVR_TCP_22608
host 192.168.15.250
object network NVR_TCP_22609
host 192.168.15.250
object network NVR_UDP_22609
host 192.168.15.250
object network NVR_UDP_22608
host 192.168.15.250
object network Crestron_Pro_TCP
host 192.168.15.100
object network Crestron_Pro_UDP
host 192.168.15.100
object-group service Camera10_Services
service-object object Camera10_TCP
service-object object Camera10_UDP
object-group service Camera1_Services
service-object object Camera1_TCP
service-object object Camera1_UDP
object-group service Camera2_Services
service-object object Camera2_TCP
service-object object Camera2_UDP
object-group service Camera3_Services
service-object object Camera3_TCP
service-object object Camera3_UDP
object-group service Camera4_Services
service-object object Camera4_TCP
service-object object Camera4_UDP
object-group service Camera5_Services
service-object object Camera5_TCP
service-object object Camera5_UDP
object-group service Camera6_Services
service-object object Camera6_TCP
service-object object Camera6_UDP
object-group service Camera7_Services
service-object object Camera7_TCP
service-object object Camera7_UDP
object-group service Camera8_Services
service-object object Camera8_TCP
service-object object Camera8_UDP
object-group service Camera9_Services
service-object object Camera9_TCP
service-object object Camera9_UDP
object-group service Crestron_Services
service-object object Crestron_TCP
service-object object Crestron_UDP
object-group service NVR_Services
service-object object NVR_22608_TCP
service-object object NVR_22608_UDP
service-object object NVR_22609_TCP
service-object object NVR_22609_UDP
object-group service SBS_Server_Services
service-object object Company_Web_TCP
service-object object Terminal_Services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq www
access-list outside_access_in_1 extended permit tcp object SBS_Server any eq smtp
access-list SBS_Server_3389_TCP_In extended permit tcp any host 192.168.15.10 eq 3389
access-list SBS_Server_25_TCP_In extended permit tcp any host 192.168.15.10 eq smtp
access-list SBS_Server_443_TCP_In extended permit tcp any host 192.168.15.10 eq https
access-list SBS_Server_80_TCP_In extended permit object-group SBS_Server_Services any object SBS_Server
access-list SBS_Server_80_TCP_In extended permit object-group NVR_Services any object NVR
access-list SBS_Server_80_TCP_In extended permit object-group Camera1_Services any object Camera1
access-list SBS_Server_80_TCP_In extended permit object-group Camera2_Services any object Camera2
access-list SBS_Server_80_TCP_In extended permit object-group Camera3_Services any object Camera3
access-list SBS_Server_80_TCP_In extended permit object-group Camera4_Services any object Camera4
access-list SBS_Server_80_TCP_In extended permit object-group Camera5_Services any object Camera5
access-list SBS_Server_80_TCP_In extended permit object-group Camera6_Services any object Camera6
access-list SBS_Server_80_TCP_In extended permit object-group Camera7_Services any object Camera7
access-list SBS_Server_80_TCP_In extended permit object-group Camera8_Services any object Camera8
access-list SBS_Server_80_TCP_In extended permit object-group Camera9_Services any object Camera9
access-list SBS_Server_80_TCP_In extended permit object-group Camera10_Services any object Camera10
access-list SBS_Server_80_TCP_In extended permit object-group Crestron_Services any object Crestron
access-list SBS_Server_80_TCP_In extended permit tcp any host 192.168.15.10 eq www
access-list SBS_Server_3389_In extended permit tcp any host 192.168.15.10 eq 3389
access-list SBS_Server_987_In extended permit tcp any host 192.168.15.10 eq 987
access-list Camera1_8090_TCP_In extended permit tcp any host 192.168.15.180 eq 8090
access-list Camera1_8090_UDP_In extended permit udp any host 192.168.15.180 eq 8090
access-list Camera2_8081_TCP_In extended permit tcp any host 192.168.15.181 eq 8081
access-list Camera2_8081_UDP_In extended permit udp any host 192.168.15.181 eq 8081
access-list Camera3_8082_TCP_In extended permit tcp any host 192.168.15.182 eq 8082
access-list Camera3_8082_UDP_In extended permit udp any host 192.168.15.182 eq 8082
access-list Camera4_8083_TCP_In extended permit udp any host 192.168.15.183 eq 8083
access-list Camera4_8083_UDP_In extended permit udp any host 192.168.15.183 eq 8083
access-list Camera5_8084_TCP_In extended permit tcp any host 192.168.15.184 eq 8084
access-list Camera5_8084_UDP_In extended permit udp any host 192.168.15.184 eq 8084
access-list Camera6_8085_TCP_In extended permit tcp any host 192.168.15.185 eq 8085
access-list Camera6_8085_UDP_In extended permit udp any host 192.168.15.185 eq 8085
access-list Camera7_8086_UDP_In extended permit udp any host 192.168.15.186 eq 8086
access-list Camera7_8086_TCP_In extended permit tcp any host 192.168.15.186 eq 8086
access-list Camera8_8087_TCP_In extended permit tcp any host 192.168.15.187 eq 8087
access-list Camera8_8087_UDP_In extended permit udp any host 192.168.15.187 eq 8087
access-list Camera9_8088_UDP_In extended permit udp any host 192.168.15.188 eq 8088
access-list Camera9_8088_TCP_In extended permit tcp any host 192.168.15.188 eq 8088
access-list SBS_Server_987_TCP_In extended permit tcp any host 192.168.15.10 eq 987
access-list Camera10_8089_TCP_In extended permit tcp any host 192.168.15.189 eq 8089
access-list Camera10_8089_UDP_In extended permit udp any host 192.168.15.189 eq 8089
access-list NVR_TCP_22608_In extended permit tcp any host 192.168.15.250 eq 22608
access-list NVR_TCP_22609_In extended permit tcp any host 192.168.15.250 eq 22609
access-list NVR_UDP_22609_In extended permit udp any host 192.168.15.250 eq 22609
access-list NVR_UDP_22608_In extended permit udp any host 192.168.15.250 eq 22608
access-list Crestron_Pro_TCP_In extended permit tcp any host 192.168.15.100 range 41781 41795
access-list Crestron_Pro_UDP_In extended permit udp any host 192.168.15.100 range 41781 41795
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static interface Crestron_Pro_TCP service Crestron_TCP Crestron_TCP
nat (inside,outside) source static any any destination static interface Crestron_Pro_UDP service Crestron_UDP Crestron_UDP
!
object network SBS_Server_3389_TCP
nat (inside,outside) static interface service tcp 3389 3389
object network SBS_Server_25_TCP
nat (inside,outside) static interface service tcp smtp smtp
object network SBS_Server_443_TCP
nat (inside,outside) static interface service tcp https https
object network SBS_Server_80_TCP
nat (inside,outside) static interface service tcp www www
object network SBS_Server_987_TCP
nat (inside,outside) static interface service tcp 987 987
object network Camera1_8090_TCP
nat (inside,outside) static interface service tcp 8090 8090
object network Camera1_8090_UDP
nat (inside,outside) static interface service udp 8090 8090
object network Camera2_8081_TCP
nat (inside,outside) static interface service tcp 8081 8081
object network Camera2_8081_UDP
nat (inside,outside) static interface service udp 8081 8081
object network Camera3_8082_TCP
nat (inside,outside) static interface service tcp 8082 8082
object network Camera3_8082_UDP
nat (inside,outside) static interface service udp 8082 8082
object network Camera4_8083_TCP
nat (inside,outside) static interface service tcp 8083 8083
object network Camera4_8083_UDP
nat (inside,outside) static interface service udp 8083 8083
object network Camera5_8084_TCP
nat (inside,outside) static interface service tcp 8084 8084
object network Camera5_8084_UDP
nat (inside,outside) static interface service udp 8084 8084
object network Camera6_8085_TCP
nat (inside,outside) static interface service tcp 8085 8085
object network Camera6_8085_UDP
nat (inside,outside) static interface service udp 8085 8085
object network Camera7_8086_UDP
nat (inside,outside) static interface service udp 8086 8086
object network Camera7_8086_TCP
nat (inside,outside) static interface service tcp 8086 8086
object network Camera8_8087_TCP
nat (inside,outside) static interface service tcp 8087 8087
object network Camera8_8087_UDP
nat (inside,outside) static interface service udp 8087 8087
object network Camera9_8088_UDP
nat (inside,outside) static interface service udp 8088 8088
object network Camera9_8088_TCP
nat (inside,outside) static interface service tcp 8088 8088
object network Camera10_8089_TCP
nat (inside,outside) static interface service tcp 8089 8089
object network Camera10_8089_UDP
nat (inside,outside) static interface service udp 8089 8089
object network NVR_TCP_22608
nat (inside,outside) static interface service tcp 22608 22608
object network NVR_TCP_22609
nat (inside,outside) static interface service tcp 22609 22609
object network NVR_UDP_22609
nat (inside,outside) static interface service udp 22609 22609
object network NVR_UDP_22608
nat (inside,outside) static interface service udp 22608 22608
!
nat (inside,outside) after-auto source dynamic any interface
access-group Crestron_Pro_UDP_In in interface outside
route outside 0.0.0.0 0.0.0.0 209.137.240.30 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.15.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 300
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:49cadc4a728baa9cc9d4ac15187ea411
You NAT configuration seems fine, but your ACL configuration from the "outside" interface needs work.
Also, noticed this odd looking NAT statement
access-list Crestron_Pro_TCP_In extended permit tcp any host 192.168.15.100 range 41781 41795
access-list Crestron_Pro_UDP_In extended permit udp any host 192.168.15.100 range 41781 41795
!
access-group Crestron_Pro_UDP_In in interface outside
I would rather just name the ACL a default name which is more descriptive of its purpose "outside_access_in"
You've created multiple named ACL:
access-list SBS_Server_80_TCP_In
access-list Camera1_8090_TCP_In
access-list Crestron_Pro_UDP_In
etc..
but you can only apply one on the interface, hence only "Crestron_Pro_UDP_In" was being allowed.
access-list SBS_Server_80_TCP_In
access-list Camera1_8090_TCP_In
access-list Crestron_Pro_UDP_In
etc..
but you can only apply one on the interface, hence only "Crestron_Pro_UDP_In" was being allowed.
Below is the correct application of the access control list (ACL) to your outside interface.
!access-list outside_access_in extended permit tcp any host 192.168.1.10 eq www
!access-list outside_access_in_1 extended permit tcp object SBS_Server any eq smtp
!
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq 3389
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq https
access-list outside_access_in extended permit object-group SBS_Server_Services any object SBS_Server
access-list outside_access_in extended permit object-group NVR_Services any object NVR
access-list outside_access_in extended permit object-group Camera1_Services any object Camera1
access-list outside_access_in extended permit object-group Camera2_Services any object Camera2
access-list outside_access_in extended permit object-group Camera3_Services any object Camera3
access-list outside_access_in extended permit object-group Camera4_Services any object Camera4
access-list outside_access_in extended permit object-group Camera5_Services any object Camera5
access-list outside_access_in extended permit object-group Camera6_Services any object Camera6
access-list outside_access_in extended permit object-group Camera7_Services any object Camera7
access-list outside_access_in extended permit object-group Camera8_Services any object Camera8
access-list outside_access_in extended permit object-group Camera9_Services any object Camera9
access-list outside_access_in extended permit object-group Camera10_Services any object Camera10
access-list outside_access_in extended permit object-group Crestron_Services any object Crestron
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq www
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq 3389
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq 987
access-list outside_access_in extended permit tcp any host 192.168.15.180 eq 8090
access-list outside_access_in extended permit udp any host 192.168.15.180 eq 8090
access-list outside_access_in extended permit tcp any host 192.168.15.181 eq 8081
access-list outside_access_in extended permit udp any host 192.168.15.181 eq 8081
access-list outside_access_in extended permit tcp any host 192.168.15.182 eq 8082
access-list outside_access_in extended permit udp any host 192.168.15.182 eq 8082
access-list outside_access_in extended permit udp any host 192.168.15.183 eq 8083
access-list outside_access_in extended permit udp any host 192.168.15.183 eq 8083
access-list outside_access_in extended permit tcp any host 192.168.15.184 eq 8084
access-list outside_access_in extended permit udp any host 192.168.15.184 eq 8084
access-list outside_access_in extended permit tcp any host 192.168.15.185 eq 8085
access-list outside_access_in extended permit udp any host 192.168.15.185 eq 8085
access-list outside_access_in extended permit udp any host 192.168.15.186 eq 8086
access-list outside_access_in extended permit tcp any host 192.168.15.186 eq 8086
access-list outside_access_in extended permit tcp any host 192.168.15.187 eq 8087
access-list outside_access_in extended permit udp any host 192.168.15.187 eq 8087
access-list outside_access_in extended permit udp any host 192.168.15.188 eq 8088
access-list outside_access_in extended permit tcp any host 192.168.15.188 eq 8088
access-list outside_access_in extended permit tcp any host 192.168.15.10 eq 987
access-list outside_access_in extended permit tcp any host 192.168.15.189 eq 8089
access-list outside_access_in extended permit udp any host 192.168.15.189 eq 8089
access-list outside_access_in extended permit tcp any host 192.168.15.250 eq 22608
access-list outside_access_in extended permit tcp any host 192.168.15.250 eq 22609
access-list outside_access_in extended permit udp any host 192.168.15.250 eq 22609
access-list outside_access_in extended permit udp any host 192.168.15.250 eq 22608
access-list outside_access_in extended permit tcp any host 192.168.15.100 range 41781 41795
access-list outside_access_in extended permit udp any host 192.168.15.100 range 41781 41795
!
access-group outside_access_in in interface outside
Not sure what is Line1 for as it pertains to 192.168.1.10 but your network is 192.168.15.x/24
Not sure what is Line2 for, are you trying to allow the SBS_Server access to internet via smtp with this line? This is not needed as you don't have any ACL applied to your inside interface, all traffic coming from inside going out a lower security interface (outside) are allowed by default.
I've assumed the ACL with source: any, you are pertaining to incoming traffic from the internet.
Also, noticed this odd looking NAT statement
nat (inside,outside) source static any any destination static interface Crestron_Pro_TCP service Crestron_TCP Crestron_TCP
nat (inside,outside) source static any any destination static interface Crestron_Pro_UDP service Crestron_UDP Crestron_UDP
This basically means, NAT source from any to any (have the source IP stay the same) and NAT destination interface (outside) --> Crestron_Pro
Not sure what you are going for with this statement
Hopefully this helps, if you have any further questions I'll be glad to help out!
Premium Content
You need an Expert Office subscription to comment.Start Free Trial