Hello there,
I ran into a funny issue with ASA. I'm trying to make port forwarding where
my NAT inside global address is equal to the one of my outside interface.
ASA simply rejects any connection attempts to hosts translated in such a way.
There are no logs about denied connections (even with some debugging
enabled), although I'm getting syslog records about Internet packets denied by
ACL, but these packets aren't related to my static NAT problem. I checked
this flow with ASDM Packet Tracer and got info that my connection is denied
by the ACL implicit rule!? I double-checked this ACL and it seems OK. If I
switch this static to an IP address (inside global) that I'm not using for
anything other than this port forwarding, connections are allowed.
The service policy implemented is the default one, "global_policy", with
no changes from the default config.
Here is the part of my config:
!Address on which I can't connect is 100.100.50.98. I can't connect to any
!external TCP ports specified in these statics. Everything works OK when I
!configure my statics with, for example, 100.100.50.99 instead.
static (inside,outside) tcp 100.100.50.98 pcanywhere-data 192.168.117.56 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 5389 192.168.117.230 3389 netmask 255.255.255.255
static (inside,outside) udp 100.100.50.98 pcanywhere-status 192.168.117.56 pcanywhere-status netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 6389 192.168.117.62 3389 netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 59827 192.168.117.1 1433 netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 3389 192.168.117.1 3389 netmask 255.255.255.255
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.117.100 255.255.255.0
!
interface Vlan2
description Internet
nameif outside
security-level 0
ip address 100.100.50.98 255.255.255.248
!
access-group 111 in interface outside
!
!this ACL is only an example, so only port 3389 is permitted, but in my real
!ACL I permitted all ports used in the statics.
access-list 111 extended permit tcp any host 100.100.50.98 eq 3389
!
nat (inside) 1 192.168.117.0 255.255.255.0
global (outside) 1 interface
Best Regards,
Igor
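The two things worth checking in a config like the one above are whether a static's mapped address is an interface's own IP (on pre-8.3 ASA, static PAT on the interface address is written with the `interface` keyword rather than the literal IP) and whether the inbound ACL actually permits every mapped port. This added script is not part of the original post; it runs both checks over a constructed excerpt of the posted config, and the `pcanywhere-*` port numbers are the ASA's standard values for those names.

```python
import re

# Port names that the posted config uses; ASA resolves them to these numbers.
PORT_NAMES = {"pcanywhere-data": 5631, "pcanywhere-status": 5632}

# Constructed excerpt of the posted config (pre-8.3 NAT syntax), one command per line.
CONFIG = """
interface Vlan2
 nameif outside
 ip address 100.100.50.98 255.255.255.248
static (inside,outside) tcp 100.100.50.98 pcanywhere-data 192.168.117.56 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 5389 192.168.117.230 3389 netmask 255.255.255.255
static (inside,outside) udp 100.100.50.98 pcanywhere-status 192.168.117.56 pcanywhere-status netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 3389 192.168.117.1 3389 netmask 255.255.255.255
access-list 111 extended permit tcp any host 100.100.50.98 eq 3389
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\S+)")
IP_RE = re.compile(r"ip address (\S+) \S+")

def port_number(token):
    """Resolve a numeric port or one of the names in PORT_NAMES."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def audit(config):
    """Return (kind, proto, mapped_port) findings for each static PAT entry:
    'interface-address' if the mapped address is an interface's own IP (pre-8.3
    static PAT names that with the 'interface' keyword), 'acl-missing' if no
    inbound ACE permits that mapped port on the mapped address."""
    iface_ips, statics, permitted, current = set(), [], set(), None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split()[1]          # entering an interface block
        elif (m := IP_RE.match(line)) and current:
            iface_ips.add(m.group(1))          # address owned by the ASA itself
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            permitted.add((m.group(1), m.group(2), port_number(m.group(3))))
    findings = []
    for _real_if, _mapped_if, proto, gaddr, gport, _laddr, _lport in statics:
        mport = port_number(gport)
        if gaddr in iface_ips:
            findings.append(("interface-address", proto, mport))
        if (proto, gaddr, mport) not in permitted:
            findings.append(("acl-missing", proto, mport))
    return findings
```

Calling `audit(CONFIG)` flags all four statics as using the outside interface's address and reports the three mapped ports that the example ACL does not permit.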