Cisco ASA version 9.1 NAT/FIREWALL help

I want to forward ports 22609 and 8080 to my internal DVR; I have a single static public IP address. I can't seem to get anything to hit my ACL rules, and NAT doesn't appear to be working. I want any request coming into 1.1.1.1:8080 to go to 192.168.0.100:8080, and the same for the other port: anything from the internet to 1.1.1.1:22609 should go to 192.168.0.100:22609.

ASA Version 9.1(5) 
!
hostname FW1

xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny udp any4 any4 eq domain

names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.15.1.254 255.255.0.0 
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.5.1.1 255.255.255.0 
!
interface Ethernet0/3
 nameif Security
 security-level 75
 ip address 192.168.0.1 255.255.255.0 
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid

object service exacq-tcp
 service tcp destination eq 22609 
object network Security-Internal
 subnet 192.168.0.0 255.255.255.0
object service alternate-web-port
 service tcp destination eq 8080 
object network Public-IP
 host 1.1.1.1
object network DVR-Private
 host 192.168.0.100
object network STATIC-PAT-INTERFACE-TCP22609
 host 192.168.0.100
object network HOST-192.168.0.100-22609
 host 192.168.0.100
object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.0.0 255.255.255.0
 network-object 10.15.0.0 255.255.0.0
 network-object 10.5.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 22609 
access-list outside_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu Security 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network STATIC-PAT-INTERFACE-TCP22609
 nat (Security,outside) static interface service tcp 22609 22609 
!
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 10.15.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.15.0.0 255.255.0.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd dns 8.8.8.8 8.8.4.4 interface Inside
dhcpd lease 86400 interface Inside
!
dhcpd address 10.5.1.5-10.5.1.254 DMZ
dhcpd dns 8.8.8.8 8.8.4.4 interface DMZ
dhcpd lease 86400 interface DMZ
dhcpd enable DMZ
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
:end


BluJ asked:

Pete Long, Technical Consultant, commented:
First get rid of these

no object service exacq-tcp
no object service alternate-web-port
no object network Public-IP
no object network STATIC-PAT-INTERFACE-TCP22609
no access-list outside_access_in extended permit tcp any interface outside eq 22609 


Then add this

object network Internal_Server-22609
 host 192.168.0.100
 nat (Security,outside) static interface service tcp 22609 22609
!
object network Internal_Server-8080
 host 192.168.0.100
 nat (Security,outside) static interface service tcp 8080 8080
!
access-list outside_access_in extended permit tcp any object Internal_Server-22609 eq 22609
access-list outside_access_in extended permit tcp any object Internal_Server-8080 eq 8080
!



Pete

See Cisco PIX / ASA Port Forwarding
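As an added example (not part of the thread or of Pete's answer), the checks behind this answer can be run offline against a saved config. The script below parses only the lines that decide whether a port forward works on ASA 8.3+ (the object NAT, the ACL bound inbound on outside and the access-group line) and reports the three things wrong in the original post: an ACE written against `interface outside`, which can never hit because post-8.3 interface ACLs match the real (untranslated) destination; the `permit ip any any` that was masking that; and the absence of any forward for 8080. It also flags active section-1 manual NAT rules, which the ASA evaluates before object NAT. The two config excerpts are constructed from the thread's configs, and the finding codes are this script's own, not ASA output.

```python
"""Offline lint for Cisco ASA 8.3+ static PAT port forwards (added example, not from the
thread): checks object NAT against the inbound ACL and its access-group binding."""
import re

# Constructed excerpts of the two configs posted in the thread (broken, then fixed).
BROKEN_CONFIG = """\
object network STATIC-PAT-INTERFACE-TCP22609
 host 192.168.0.100
access-list outside_access_in extended permit tcp any interface outside eq 22609
access-list outside_access_in extended permit ip any any
object network STATIC-PAT-INTERFACE-TCP22609
 nat (Security,outside) static interface service tcp 22609 22609
access-group outside_access_in in interface outside
"""
FIXED_CONFIG = """\
object network Internal_Server-22609
 host 192.168.0.100
object network Internal_Server-8080
 host 192.168.0.100
access-list outside_access_in extended permit tcp any object Internal_Server-22609 eq 22609
access-list outside_access_in extended permit tcp any object Internal_Server-8080 eq 8080
access-list outside_access_in extended permit ip any any
nat (Security,outside) source dynamic Security-Internal interface inactive
object network Internal_Server-22609
 nat (Security,outside) static interface service tcp 22609 22609
object network Internal_Server-8080
 nat (Security,outside) static interface service tcp 8080 8080
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group outside_access_in in interface outside
"""

ANY = {"any", "any4", "any6"}
PAT_RE = re.compile(r"nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) static interface service "
                    r"(?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)$")


def _addr(toks, i):
    """Consume one ACE address term: any | object X | interface X | host X | NET MASK."""
    if toks[i] in ANY or i + 1 >= len(toks):
        return toks[i], i + 1
    return f"{toks[i]} {toks[i + 1]}", i + 2


def parse_ace(line):
    """access-list NAME extended permit PROTO SRC DST [eq PORT] -> (acl, proto, src, dst, port)."""
    toks = line.split()
    if len(toks) < 7 or toks[2:4] != ["extended", "permit"]:
        return None
    src, i = _addr(toks, 5)
    dst, i = _addr(toks, i)
    port = toks[i + 1] if i + 1 < len(toks) and toks[i] == "eq" else None
    return toks[1], toks[4], src, dst, port


def lint(config, expected_tcp_ports=()):
    """Return findings as 'CODE: detail' strings; an empty list means the forwards look right."""
    objects, aces, manual_nat, inbound_acl, cur = {}, [], [], {}, None
    for line in (l.rstrip() for l in config.splitlines()):
        if line.startswith(" ") and cur is not None:  # body of an object: host / nat
            body = line.strip()
            if body.startswith("host "):
                cur["host"] = body.split()[1]
            elif (m := PAT_RE.match(body)):
                cur["pat"] = m.groupdict()
            continue
        cur, toks = None, line.split()
        if line.startswith("object network "):  # printed twice (definition, then NAT): merge
            cur = objects.setdefault(toks[2], {"host": None, "pat": None})
        elif line.startswith("access-list ") and (ace := parse_ace(line)):
            aces.append(ace)
        elif line.startswith("nat ("):
            manual_nat.append(line)
        elif line.startswith("access-group ") and toks[2:4] == ["in", "interface"]:
            inbound_acl[toks[4]] = toks[1]
    out, inbound = [], [a for a in aces if a[0] == inbound_acl.get("outside")]
    for acl, proto, src, dst, port in inbound:
        if proto == "ip" and src in ANY and dst in ANY:
            out.append(f"ACL_ANY_ANY: {acl} permits ip any any, so inbound filtering is off")
        if dst.startswith("interface "):  # pre-8.3 habit: ACL written for the mapped address
            out.append(f"ACL_INTERFACE_DEST: '{dst} eq {port}' never matches; 8.3+ interface "
                       "ACLs see the real (untranslated) destination")
    forwarded = set()
    for name, o in objects.items():
        pat = o["pat"]
        if not pat or pat["mapped"] != "outside":
            continue
        forwarded.add(pat["mapped_port"])
        hit = [a for a in inbound if a[1] in (pat["proto"], "ip") and a[4] in (None, pat["real_port"])
               and (a[3] in ANY or a[3] == f"object {name}" or a[3] == f"host {o['host']}")]
        if not hit:
            out.append(f"NAT_NO_ACL: outside ACL never permits {name} {pat['proto']}/{pat['real_port']}")
    for port in expected_tcp_ports:
        if str(port) not in forwarded:
            out.append(f"MISSING_FORWARD: no static PAT for outside tcp/{port}")
    for line in manual_nat:  # section 1 (manual NAT) is evaluated before object NAT (section 2)
        if "after-auto" not in line and not line.endswith(" inactive"):
            out.append(f"MANUAL_NAT_SECTION1: '{line}' runs before the object NAT; check for overlap")
    return out
```

Run `lint(open("running-config.txt").read(), (22609, 8080))` on a `show running-config` capture; on the broken config it reports ACL_INTERFACE_DEST, ACL_ANY_ANY and MISSING_FORWARD, and on the corrected one only ACL_ANY_ANY remains. Dropping the ` inactive` keyword from the old `nat (Security,outside) source dynamic` line makes MANUAL_NAT_SECTION1 appear, which is the ordering trap the author eventually hit.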

BluJ (author) commented:
I have made the requested changes, but I still cannot get the exacq client (DVR) to connect externally. I have had these exact rules at one point.

ASA Version 9.1(5) 
!
hostname FW1
domain-name default.domain.invalid
enable password f1.dbpN3WOaY0kNs encrypted
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.15.1.254 255.255.0.0 
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.5.1.1 255.255.255.0 
!
interface Ethernet0/3
 nameif Security
 security-level 75
 ip address 192.168.0.1 255.255.255.0 
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object network Security-Internal
 subnet 192.168.0.0 255.255.255.0
object network Internal_Server-22609
 host 192.168.0.100
object network Internal_Server-8080
 host 192.168.0.100
object-group service BL_22609
 service-object tcp destination eq 22609 
object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.0.0 255.255.255.0
 network-object 10.15.0.0 255.255.0.0
 network-object 10.5.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any object Internal_Server-22609 eq 22609 
access-list outside_access_in extended permit tcp any object Internal_Server-8080 eq 8080 
access-list outside_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu Security 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,outside) source dynamic PKP-Internal interface inactive
nat (Security,outside) source dynamic Security-Internal interface inactive
nat (DMZ,outside) source dynamic any interface inactive
!
object network Internal_Server-22609
 nat (Security,outside) static interface service tcp 22609 22609 
object network Internal_Server-8080
 nat (Security,outside) static interface service tcp 8080 8080 
!
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 10.15.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.15.0.0 255.255.0.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd dns 8.8.8.8 8.8.4.4 interface Inside
dhcpd lease 86400 interface Inside
!
dhcpd address 10.5.1.5-10.5.1.254 DMZ
dhcpd dns 8.8.8.8 8.8.4.4 interface DMZ
dhcpd lease 86400 interface DMZ
dhcpd enable DMZ
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 anyconnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1fc2e506e1f2fdaa5b87a41663594f6f
: end


BluJ (author) commented:
I am also not seeing any hits on the ACLs at all, other than on the permit ip any any.
Pete Long, Technical Consultant, commented:
>>access-list outside_access_in extended permit ip any any

Remove that; why disable your firewall for inbound traffic?

Step 1: make sure the server is listening on those ports internally (you would be surprised).
Step 2: scan your firewall to check if the port is up.

Make sure you can 'ping' your ASA public IP (in case there's a device in front of it blocking these ports).

The syntax I posted above has worked for me on hundreds of clients for the past few years.

Pete
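Steps 1 and 2 above can be scripted. The added example below (not from the thread) classifies the three answers a TCP connect can get, which is what tells you where to look: 'open' means NAT, ACL and listener all work; 'closed' (an RST came back) means the packet reached a host that is not listening, so check the real address and port in the NAT statement and whether the DVR service is up; 'filtered' (no reply at all) means something dropped it: the ACL, a NAT rule that did not match, or the device in front of the ASA. The addresses in the `__main__` block are the thread's placeholders; the two loopback helpers exist only so the classifier can be exercised without a firewall in the path.

```python
"""Classify the answer a TCP connect gets, the way you would check a port forward from
the outside (added example, not from the thread). Hosts and ports are placeholders."""
import errno
import socket


def probe(host, port, timeout=3.0):
    """'open'     -> SYN/ACK: forward and listener both work
    'closed'   -> RST: the path reaches a host, but nothing listens on that port there
                  (wrong real host/port in the NAT statement, or the DVR service is down)
    'filtered' -> no answer: dropped by an ACL or NAT miss, or by a device upstream"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as e:  # no route / host unreachable: also no answer from the target
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def local_listener():
    """Bind a throwaway listener on loopback; returns (socket, port). Close it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_port():
    """Pick a loopback port nothing listens on (bind, read the port, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Step 1, from the inside: does the DVR answer on its real address and port?
    # Step 2, from the outside: does the ASA's public address answer on the mapped ports?
    for host, port in (("192.168.0.100", 22609), ("1.1.1.1", 22609), ("1.1.1.1", 8080)):
        print(f"{host}:{port} -> {probe(host, port)}")
```

Run the step 1 probe from a host on the Security segment and the step 2 probes from a host on the internet, not from the LAN: hairpinning through the outside interface is a separate NAT problem and a 'filtered' result from inside proves nothing about the forward.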
BluJ (author) commented:
This worked. I had not disabled one of the original NAT rules I had marked as inactive after I made the change! Thanks.