ASA 5505 "portforward" problem. Port 80 works but
14 years 7 months ago #34113
by Linus
Replied by Linus on topic Re: ASA 5505 "portforward" problem. Port 80 works but
Here it goes:
PAT Global xx.xx.88.248(25) Local 192.168.1.22(25)
PAT Global xx.xx.88.248(443) Local 192.168.1.22(443)
PAT Global xx.xx.88.248(46353) Local 192.168.1.31(46353)
PAT Global xx.xx.88.248(6112) Local 10.10.10.11(6112)
PAT Global xx.xx.88.248(27015) Local 10.10.10.14(27015)
PAT Global xx.xx.88.248(27016) Local 10.10.10.14(27016)
PAT Global xx.xx.88.248(80) Local 10.10.10.11(80)
PAT Global xx.xx.88.248(18121) Local 10.10.10.11(18121)
PAT Global xx.xx.88.248(18126) Local 10.10.10.11(18126)
PAT Global xx.xx.88.248(18126) Local 10.10.10.11(18126)
PAT Global xx.xx.88.248(13505) Local 10.10.10.11(13505)
PAT Global xx.xx.88.248(2766) Local 10.10.10.11(33038)
PAT Global xx.xx.88.248(2760) Local 192.168.1.26(49838)
PAT Global xx.xx.88.248(2759) Local 192.168.1.26(49836)
PAT Global xx.xx.88.248(2758) Local 192.168.1.26(49835)
PAT Global xx.xx.88.248(2757) Local 192.168.1.26(49834)
PAT Global xx.xx.88.248(2756) Local 192.168.1.26(49833)
PAT Global xx.xx.88.248(2755) Local 192.168.1.26(49828)
PAT Global xx.xx.88.248(2754) Local 192.168.1.26(49826)
PAT Global xx.xx.88.248(2753) Local 192.168.1.26(49824)
PAT Global xx.xx.88.248(2102) Local 192.168.1.26(49300)
PAT Global xx.xx.88.248(948) Local 192.168.1.28 ICMP id 1
PAT Global xx.xx.88.248(2765) Local 192.168.1.3(64353)
and
access-list outside_access_in; 23 elements
access-list outside_access_in line 1 extended permit tcp any interface outside eq smtp (hitcnt=1) 0x5a49ed8a
access-list outside_access_in line 2 extended permit tcp any interface outside eq https (hitcnt=88) 0xb78265a9
access-list outside_access_in line 3 remark Albin Games
access-list outside_access_in line 4 extended permit object-group TCPUDP any interface outside eq 27015 0xa0d4cdd1
access-list outside_access_in line 4 extended permit udp any interface outside eq 27015 (hitcnt=0) 0x947d6a95
access-list outside_access_in line 4 extended permit tcp any interface outside eq 27015 (hitcnt=0) 0x63bd97
access-list outside_access_in line 5 extended permit object-group TCPUDP any interface outside eq 27015 0xa0d4cdd1
access-list outside_access_in line 5 extended permit udp any interface outside eq 27015 (hitcnt=0) 0x947d6a95
access-list outside_access_in line 5 extended permit tcp any interface outside eq 27015 (hitcnt=0) 0x63bd97
access-list outside_access_in line 6 remark Albin Games
access-list outside_access_in line 7 extended permit tcp any interface outside eq 27016 (hitcnt=0) 0x96fbd7e
access-list outside_access_in line 8 remark Albin Games
access-list outside_access_in line 9 extended permit udp any interface outside eq 27016 (hitcnt=0) 0x5f7570e4
access-list outside_access_in line 10 extended permit tcp any interface outside eq 46353 (hitcnt=0) 0x2fb5cc6d
access-list outside_access_in line 11 remark Albin Games
access-list outside_access_in line 12 extended permit tcp any interface outside eq 6112 (hitcnt=0) 0x67f48163
access-list outside_access_in line 13 extended permit tcp any interface outside eq www (hitcnt=0) 0xf8a43354
access-list outside_access_in line 14 extended permit tcp any interface outside eq 18121 (hitcnt=0) 0xa3f5c520
access-list outside_access_in line 15 extended permit tcp any interface outside eq 18126 (hitcnt=0) 0x6106c2fb
access-list outside_access_in line 16 extended permit tcp any interface outside eq 13505 (hitcnt=0) 0x80bd7fa
access-list outside_access_in line 17 extended permit udp any interface outside eq 18126 (hitcnt=0) 0x8751294d
access-list outside_access_in line 18 extended permit udp any interface outside object-group EAGamesUDP inactive (inactive) 0x908e95de
access-list outside_access_in line 18 extended permit udp any interface outside eq 18126 inactive (hitcnt=0) (inactive) 0x8751294d
access-list outside_access_in line 19 extended permit tcp any interface outside object-group EAGamesTCP inactive (inactive) 0x122b1952
access-list outside_access_in line 19 extended permit tcp any interface outside eq 13505 inactive (hitcnt=0) (inactive) 0x80bd7fa
access-list outside_access_in line 19 extended permit tcp any interface outside eq 18121 inactive (hitcnt=0) (inactive) 0xa3f5c520
access-list outside_access_in line 19 extended permit tcp any interface outside eq 18126 inactive (hitcnt=0) (inactive) 0x6106c2fb
access-list outside_access_in line 20 extended permit tcp any interface outside object-group EAGamesTCP 0x122b1952
access-list outside_access_in line 20 extended permit tcp any interface outside eq 13505 (hitcnt=0) 0x80bd7fa
access-list outside_access_in line 20 extended permit tcp any interface outside eq 18121 (hitcnt=0) 0xa3f5c520
access-list outside_access_in line 20 extended permit tcp any interface outside eq 18126 (hitcnt=0) 0x6106c2fb
access-list outside_access_in line 21 extended permit udp any interface outside object-group EAGamesUDP 0x908e95de
access-list outside_access_in line 21 extended permit udp any interface outside eq 18126 (hitcnt=0) 0x8751294d
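The two listings in the post above can be cross-checked mechanically. The following is an added example, not part of the original thread: it compares port forwards against active ACL permits and flags mismatches and redundant entries. The sample data is constructed in the same output format (documentation addresses, a made-up port 8080), and treating a PAT entry with equal global and local port as a static forward is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the format of the xlate / access-list listings above
# (203.0.113.8 and port 8080 are made up for the example).
XLATE = """\
PAT Global 203.0.113.8(25) Local 192.168.1.22(25)
PAT Global 203.0.113.8(6112) Local 10.10.10.11(6112)
PAT Global 203.0.113.8(8080) Local 10.10.10.11(8080)
PAT Global 203.0.113.8(2766) Local 10.10.10.11(33038)
"""
ACL = """\
access-list outside_access_in line 1 extended permit tcp any interface outside eq smtp (hitcnt=1) 0x5a49ed8a
access-list outside_access_in line 12 extended permit tcp any interface outside eq 6112 (hitcnt=0) 0x67f48163
access-list outside_access_in line 14 extended permit tcp any interface outside eq 18121 (hitcnt=0) 0xa3f5c520
access-list outside_access_in line 19 extended permit tcp any interface outside eq 18121 inactive (hitcnt=0) (inactive) 0xa3f5c520
access-list outside_access_in line 20 extended permit tcp any interface outside eq 18121 (hitcnt=0) 0xa3f5c520
"""
NAMED = {"smtp": 25, "www": 80, "https": 443}  # port names that appear in the listing

def forwarded_ports(xlate):
    """Global ports of entries whose global and local port match (assumed static)."""
    rows = re.findall(r"PAT Global \S+\((\d+)\) Local \S+\((\d+)\)", xlate)
    return {int(g) for g, l in rows if g == l}

def active_permits(acl):
    """(proto, port) per expanded permit ACE; inactive and object-group lines are skipped."""
    pat = re.compile(r"permit (tcp|udp) any interface outside eq (\S+) \(hitcnt=\d+\)")
    out = []
    for line in acl.splitlines():
        m = pat.search(line)
        if m:  # "inactive" sits between the port and "(hitcnt", so it never matches
            out.append((m.group(1), NAMED.get(m.group(2)) or int(m.group(2))))
    return out

def audit(xlate, acl):
    # The xlate listing carries no protocol, so ports are compared by number only.
    fwd, permits = forwarded_ports(xlate), active_permits(acl)
    allowed = {port for _, port in permits}
    dupes = sorted(k for k, n in Counter(permits).items() if n > 1)
    return {
        "forward_without_permit": sorted(fwd - allowed),
        "permit_without_forward": sorted(allowed - fwd),
        "redundant_permits": dupes,
    }

if __name__ == "__main__":
    print(audit(XLATE, ACL))
```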
14 years 7 months ago #34114
by Linus
Replied by Linus on topic Re: ASA 5505 "portforward" problem. Port 80 works but
The strange thing is that I get hits on the port, but when I try the online test sites they all show closed.
The built-in http and https services work, but not the ones I created myself.
Does it have to do with policies? They all include the built-in ports, but not the one I created.
14 years 7 months ago #34115
by Linus
Replied by Linus on topic ahh now you get the hits also
access-list outside_access_in line 12 extended permit tcp any interface outside eq 6112 (hitcnt=1) 0x67f48163
14 years 7 months ago #34116
by r0nni3
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
Replied by r0nni3 on topic Re: ASA 5505 "portforward" problem. Port 80 works but
Seems like the ASA is doing its work...
Can you try the following command and post the output?
[code:1]packet-tracer input outside tcp 1.1.1.1 10254 2.2.2.2 6112[/code:1]
1.1.1.1 = the source IP
10254 = random source port
2.2.2.2 = destination IP (your outside interface IP)
6112 = destination port
14 years 7 months ago #34117
by Linus
Replied by Linus on topic Re: ASA 5505 "portforward" problem. Port 80 works but
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
match tcp dmz host 10.10.10.11 eq 6112 outside any
static translation to 0.0.0.0/6112
translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface dmz
Untranslate xx.xx.248/6112 to 10.10.10.11/6112 using netmask 255.255.255.255
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any interface outside eq 6112
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
match tcp dmz host 10.10.10.11 eq 6112 outside any
static translation to 0.0.0.0/6112
translate_hits = 0, untranslate_hits = 2
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
match tcp dmz host 10.10.10.11 eq 6112 outside any
static translation to 0.0.0.0/6112
translate_hits = 0, untranslate_hits = 2
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6040, packet dispatched to next module
Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.11 using egress ifc dmz
adjacency Active
next-hop mac address 0001.4a1d.5ab7 hits 1
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
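A trace like the one in the post above can be reduced to a one-line verdict. This is an added example, not part of the original thread: it splits packet-tracer output into phases and reports either the first phase that did not return ALLOW or the egress interface and un-NAT target. The embedded trace is a constructed, shortened sample in the same format, with a documentation address in place of the outside IP.

```python
import re

# Constructed, shortened trace in the format of the packet-tracer output above.
TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255
Additional Information:
NAT divert to egress interface dmz
Untranslate 203.0.113.8/6112 to 10.10.10.11/6112 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
Additional Information:
Result:
input-interface: outside
output-interface: dmz
Action: allow
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    head, _, summary = text.partition("\nResult:\n")  # bare "Result:" starts the summary
    phases = []
    for block in re.split(r"^Phase: ", head, flags=re.M)[1:]:
        num, _, body = block.partition("\n")
        fields = dict(re.findall(r"^(Type|Subtype|Result): ?(.*)$", body, re.M))
        phases.append({"phase": int(num), **fields, "detail": body})
    final = dict(re.findall(r"^([\w-]+): (.*)$", summary, re.M))
    return phases, final

def verdict(text):
    """Say where the firewall stopped the packet, or where it handed it off."""
    phases, final = parse_trace(text)
    blocked = next((p for p in phases if p.get("Result") != "ALLOW"), None)
    if blocked:
        return f"dropped in phase {blocked['phase']} ({blocked['Type']})"
    m = re.search(r"Untranslate \S+ to (\S+)", text)
    target = m.group(1) if m else "no un-NAT"
    return f"{final.get('Action')} via {final.get('output-interface')}, un-NAT to {target}"

if __name__ == "__main__":
    print(verdict(TRACE))
```

An all-ALLOW result only shows that the firewall would forward the simulated packet; whether the host behind it answers has to be checked on that host.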
14 years 7 months ago #34118
by r0nni3
Replied by r0nni3 on topic Re: ASA 5505 "portforward" problem. Port 80 works but
The ASA is doing its job. I suggest trying to look for the problem on the server in the DMZ (unless I'm missing something, which is very possible X.x only had 2 hours of sleep).