ASA 5505 "portforward" problem. Port 80 works but

14 years 7 months ago #34113 by Linus
Here it goes:
PAT Global xx.xx.88.248(25) Local 192.168.1.22(25)
PAT Global xx.xx.88.248(443) Local 192.168.1.22(443)
PAT Global xx.xx.88.248(46353) Local 192.168.1.31(46353)
PAT Global xx.xx.88.248(6112) Local 10.10.10.11(6112)
PAT Global xx.xx.88.248(27015) Local 10.10.10.14(27015)
PAT Global xx.xx.88.248(27016) Local 10.10.10.14(27016)
PAT Global xx.xx.88.248(80) Local 10.10.10.11(80)
PAT Global xx.xx.88.248(18121) Local 10.10.10.11(18121)
PAT Global xx.xx.88.248(18126) Local 10.10.10.11(18126)
PAT Global xx.xx.88.248(18126) Local 10.10.10.11(18126)
PAT Global xx.xx.88.248(13505) Local 10.10.10.11(13505)
PAT Global xx.xx.88.248(2766) Local 10.10.10.11(33038)
PAT Global xx.xx.88.248(2760) Local 192.168.1.26(49838)
PAT Global xx.xx.88.248(2759) Local 192.168.1.26(49836)
PAT Global xx.xx.88.248(2758) Local 192.168.1.26(49835)
PAT Global xx.xx.88.248(2757) Local 192.168.1.26(49834)
PAT Global xx.xx.88.248(2756) Local 192.168.1.26(49833)
PAT Global xx.xx.88.248(2755) Local 192.168.1.26(49828)
PAT Global xx.xx.88.248(2754) Local 192.168.1.26(49826)
PAT Global xx.xx.88.248(2753) Local 192.168.1.26(49824)
PAT Global xx.xx.88.248(2102) Local 192.168.1.26(49300)
PAT Global xx.xx.88.248(948) Local 192.168.1.28 ICMP id 1
PAT Global xx.xx.88.248(2765) Local 192.168.1.3(64353)

and
access-list outside_access_in; 23 elements
access-list outside_access_in line 1 extended permit tcp any interface outside eq smtp (hitcnt=1) 0x5a49ed8a
access-list outside_access_in line 2 extended permit tcp any interface outside eq https (hitcnt=88) 0xb78265a9
access-list outside_access_in line 3 remark Albin Games
access-list outside_access_in line 4 extended permit object-group TCPUDP any interface outside eq 27015 0xa0d4cdd1
access-list outside_access_in line 4 extended permit udp any interface outside eq 27015 (hitcnt=0) 0x947d6a95
access-list outside_access_in line 4 extended permit tcp any interface outside eq 27015 (hitcnt=0) 0x63bd97
access-list outside_access_in line 5 extended permit object-group TCPUDP any interface outside eq 27015 0xa0d4cdd1
access-list outside_access_in line 5 extended permit udp any interface outside eq 27015 (hitcnt=0) 0x947d6a95
access-list outside_access_in line 5 extended permit tcp any interface outside eq 27015 (hitcnt=0) 0x63bd97
access-list outside_access_in line 6 remark Albin Games
access-list outside_access_in line 7 extended permit tcp any interface outside eq 27016 (hitcnt=0) 0x96fbd7e
access-list outside_access_in line 8 remark Albin Games
access-list outside_access_in line 9 extended permit udp any interface outside eq 27016 (hitcnt=0) 0x5f7570e4
access-list outside_access_in line 10 extended permit tcp any interface outside eq 46353 (hitcnt=0) 0x2fb5cc6d
access-list outside_access_in line 11 remark Albin Games
access-list outside_access_in line 12 extended permit tcp any interface outside eq 6112 (hitcnt=0) 0x67f48163
access-list outside_access_in line 13 extended permit tcp any interface outside eq www (hitcnt=0) 0xf8a43354
access-list outside_access_in line 14 extended permit tcp any interface outside eq 18121 (hitcnt=0) 0xa3f5c520
access-list outside_access_in line 15 extended permit tcp any interface outside eq 18126 (hitcnt=0) 0x6106c2fb
access-list outside_access_in line 16 extended permit tcp any interface outside eq 13505 (hitcnt=0) 0x80bd7fa
access-list outside_access_in line 17 extended permit udp any interface outside eq 18126 (hitcnt=0) 0x8751294d
access-list outside_access_in line 18 extended permit udp any interface outside object-group EAGamesUDP inactive (inactive) 0x908e95de
access-list outside_access_in line 18 extended permit udp any interface outside eq 18126 inactive (hitcnt=0) (inactive) 0x8751294d
access-list outside_access_in line 19 extended permit tcp any interface outside object-group EAGamesTCP inactive (inactive) 0x122b1952
access-list outside_access_in line 19 extended permit tcp any interface outside eq 13505 inactive (hitcnt=0) (inactive) 0x80bd7fa
access-list outside_access_in line 19 extended permit tcp any interface outside eq 18121 inactive (hitcnt=0) (inactive) 0xa3f5c520
access-list outside_access_in line 19 extended permit tcp any interface outside eq 18126 inactive (hitcnt=0) (inactive) 0x6106c2fb
access-list outside_access_in line 20 extended permit tcp any interface outside object-group EAGamesTCP 0x122b1952
access-list outside_access_in line 20 extended permit tcp any interface outside eq 13505 (hitcnt=0) 0x80bd7fa
access-list outside_access_in line 20 extended permit tcp any interface outside eq 18121 (hitcnt=0) 0xa3f5c520
access-list outside_access_in line 20 extended permit tcp any interface outside eq 18126 (hitcnt=0) 0x6106c2fb
access-list outside_access_in line 21 extended permit udp any interface outside object-group EAGamesUDP 0x908e95de
access-list outside_access_in line 21 extended permit udp any interface outside eq 18126 (hitcnt=0) 0x8751294d
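The two outputs above are the pair a practitioner cross-checks first when some forwarded ports work and others do not: a static PAT shows up in "show xlate" as an entry whose global and local ports are equal, and on pre-8.3 ASA code the inbound rule must permit traffic to the mapped address ("interface outside eq <port>"), which is the form the ACL above uses. A forward with no active permit is unreachable; a permit with hitcnt=0 has never matched a packet, so the traffic is not arriving at the ASA at all. The script below is an added example, not part of the thread, that parses both outputs and reports the status of every forward. The sample text is constructed in the format of the thread's output and abridged; it is not a verbatim copy.

```python
import re

# Constructed sample in the format of the thread's "show xlate" and
# "show access-list" output (abridged, not a verbatim copy of the thread).
XLATE = """\
PAT Global xx.xx.88.248(25) Local 192.168.1.22(25)
PAT Global xx.xx.88.248(443) Local 192.168.1.22(443)
PAT Global xx.xx.88.248(6112) Local 10.10.10.11(6112)
PAT Global xx.xx.88.248(27015) Local 10.10.10.14(27015)
PAT Global xx.xx.88.248(80) Local 10.10.10.11(80)
PAT Global xx.xx.88.248(13505) Local 10.10.10.11(13505)
PAT Global xx.xx.88.248(2766) Local 10.10.10.11(33038)
PAT Global xx.xx.88.248(948) Local 192.168.1.28 ICMP id 1
"""

ACL = """\
access-list outside_access_in line 1 extended permit tcp any interface outside eq smtp (hitcnt=1) 0x5a49ed8a
access-list outside_access_in line 2 extended permit tcp any interface outside eq https (hitcnt=88) 0xb78265a9
access-list outside_access_in line 4 extended permit object-group TCPUDP any interface outside eq 27015 0xa0d4cdd1
access-list outside_access_in line 4 extended permit udp any interface outside eq 27015 (hitcnt=0) 0x947d6a95
access-list outside_access_in line 4 extended permit tcp any interface outside eq 27015 (hitcnt=0) 0x63bd97
access-list outside_access_in line 12 extended permit tcp any interface outside eq 6112 (hitcnt=1) 0x67f48163
access-list outside_access_in line 13 extended permit tcp any interface outside eq www (hitcnt=0) 0xf8a43354
access-list outside_access_in line 19 extended permit tcp any interface outside eq 13505 inactive (hitcnt=0) (inactive) 0x80bd7fa
"""

# Service names the ASA prints instead of numbers in "show access-list".
SERVICE_PORTS = {"smtp": 25, "https": 443, "www": 80, "http": 80, "ssh": 22, "ftp": 21}

XLATE_RE = re.compile(r"^PAT Global (\S+)\((\d+)\) Local (\d+\.\d+\.\d+\.\d+)\((\d+)\)")
ACL_RE = re.compile(
    r"^access-list (\S+) line (\d+) extended (permit|deny) (tcp|udp) any interface outside "
    r"eq (\S+)( inactive)? \(hitcnt=(\d+)\)"
)


def parse_forwards(xlate_text):
    """Return {global_port: local_ip} for PAT entries whose global and local
    ports are equal, the signature of a static PAT (port forward).  Dynamic
    PAT entries (different ports) and ICMP entries are skipped.  A dynamic
    xlate can coincidentally reuse the same port, so confirm against
    'show running-config static' before acting on a surprising entry."""
    fwd = {}
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line)
        if m and int(m.group(2)) == int(m.group(4)):
            fwd[int(m.group(2))] = m.group(3)
    return fwd


def parse_permits(acl_text):
    """Return {(proto, port): hitcnt} for active, single-port permit entries
    on the outside interface.  Object-group summary lines and inactive
    entries are ignored; only the expanded, active entries count."""
    permits = {}
    for line in acl_text.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(3) != "permit" or m.group(6):
            continue
        svc = m.group(5)
        port = SERVICE_PORTS.get(svc) if svc in SERVICE_PORTS else (int(svc) if svc.isdigit() else None)
        if port is None:
            continue
        permits[(m.group(4), port)] = int(m.group(7))
    return permits


def audit(xlate_text, acl_text):
    """Cross-check every forward against the inbound ACL.  Returns a list of
    (port, local_ip, status) with status one of:
      'permitted'      an active permit exists and has matched packets
      'no-hits'        a permit exists but hitcnt is 0 (nothing reached the rule)
      'not-permitted'  no active permit for the port: the forward is unreachable"""
    fwd, permits = parse_forwards(xlate_text), parse_permits(acl_text)
    report = []
    for port in sorted(fwd):
        hits = [h for (_, p), h in permits.items() if p == port]
        status = "not-permitted" if not hits else ("no-hits" if max(hits) == 0 else "permitted")
        report.append((port, fwd[port], status))
    return report


if __name__ == "__main__":
    for port, local_ip, status in audit(XLATE, ACL):
        print(f"{port:>6} -> {local_ip:<15} {status}")
```

"show xlate" on this code does not print the protocol of a PAT entry, so the audit treats a port as permitted if either a tcp or a udp permit exists for it; when a forward is reported permitted but a test from the Internet still shows it closed, check which protocol the static actually translates.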
14 years 7 months ago #34114 by Linus
The strange thing is that I get hits on the port, but when I try the online test sites they all show closed.

The inbuilt http and https services work, but not the ones I created myself.

Does it have to do with policies? They all include the inbuilt ports, but not the one I created.
14 years 7 months ago #34115 by Linus
Ahh, now you get the hits also:
access-list outside_access_in line 12 extended permit tcp any interface outside eq 6112 (hitcnt=1) 0x67f48163
14 years 7 months ago #34116 by r0nni3
Seems like the ASA is doing its work...
Can you try the following command and post the output?

packet-tracer input outside tcp 1.1.1.1 10254 2.2.2.2 6112

1.1.1.1 = the source IP
10254 = random source port

2.2.2.2 = destination IP (your outside interface IP)
6112 = destination port

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
14 years 7 months ago #34117 by Linus
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
match tcp dmz host 10.10.10.11 eq 6112 outside any
static translation to 0.0.0.0/6112
translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface dmz
Untranslate xx.xx.248/6112 to 10.10.10.11/6112 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any interface outside eq 6112
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
match tcp dmz host 10.10.10.11 eq 6112 outside any
static translation to 0.0.0.0/6112
translate_hits = 0, untranslate_hits = 2
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
match tcp dmz host 10.10.10.11 eq 6112 outside any
static translation to 0.0.0.0/6112
translate_hits = 0, untranslate_hits = 2
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6040, packet dispatched to next module

Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.11 using egress ifc dmz
adjacency Active
next-hop mac address 0001.4a1d.5ab7 hits 1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
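The trace above ends in "Action: allow" with egress on dmz, so the ASA's own policy path (un-NAT, inbound ACL, route lookup) accepts the packet. What packet-tracer does not prove is that the DMZ host answers: a host that is not listening on the port, a host firewall, or a server whose default gateway is not the ASA's dmz address all produce exactly this trace together with "closed" from an outside scanner. The natural next checks are on the server itself and a capture on the dmz interface to see whether the SYN leaves and a SYN/ACK comes back. The script below is an added example, not part of the thread: it parses packet-tracer output into phases and reports either the first phase that dropped the packet (with the Drop-reason line) or, for an allowed packet, the egress interface and the static that matched. The first sample is an abridged version of the allowed trace posted above; the second is a constructed denied trace in the same format, not taken from the thread.

```python
# First sample: abridged from the allowed trace in the thread.  Second
# sample: constructed denied trace in the same format (not from the thread).
ALLOWED = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
match tcp dmz host 10.10.10.11 eq 6112 outside any
Additional Information:
NAT divert to egress interface dmz

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any interface outside eq 6112
Additional Information:

Result:
input-interface: outside
output-interface: dmz
Action: allow
"""

DENIED = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into its numbered phases and the closing
    summary block.  Each phase records type, subtype, result and the lines
    listed under Config: and Additional Information:."""
    phases, summary, cur, section, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section, in_summary = None, False
        elif line == "Result:":  # bare header, not "Result: ALLOW": the summary block
            in_summary, cur = True, None
        elif in_summary:
            if ":" in line:
                key, value = line.split(":", 1)
                summary[key.strip()] = value.strip()
        elif cur is not None:
            value = line.split(":", 1)[1].strip() if ":" in line else ""
            if line.startswith("Type:"):
                cur["type"] = value
            elif line.startswith("Subtype:"):
                cur["subtype"] = value
            elif line.startswith("Result:"):
                cur["result"] = value.upper()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif line and section:
                cur[section].append(line)
    return phases, summary


def diagnose(text):
    """Return (action, verdict).  For a dropped packet the verdict names the
    first phase whose Result was DROP plus the summary's Drop-reason; for an
    allowed packet it names the egress interface and the static that matched."""
    phases, summary = parse_packet_tracer(text)
    action = summary.get("Action", "").lower()
    if action == "drop":
        bad = next((p for p in phases if p["result"] == "DROP"), None)
        where = f"phase {bad['phase']} {bad['type']}" if bad else "unknown phase"
        return action, f"{where}: {summary.get('Drop-reason', 'no Drop-reason line')}"
    nat = next((p for p in phases if p["type"] == "UN-NAT"), None)
    rule = nat["config"][0] if nat and nat["config"] else "no UN-NAT phase (no static for this port)"
    return action, f"egress {summary.get('output-interface', '?')} via {rule}"


if __name__ == "__main__":
    for sample in (ALLOWED, DENIED):
        print(*diagnose(sample))
```

An "allow" verdict from this parser means the same thing as in the thread: the firewall is not the component to keep debugging, and the missing UN-NAT phase is the case to look for when a port has an ACL permit but no static behind it.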
14 years 7 months ago #34118 by r0nni3
The ASA is doing its job. I suggest trying to look for the problem on the server in the DMZ (unless I'm missing something, which is very possible X.x, only had 2 hours of sleep).