RV042 Port Forwarding bypassing ACL

Similar Messages

• RVS4000; Port Forwards bypass IP ACL; How to filter

  I am using a RVS4000.  I am forwarding several ports to a specific host on the LAN.  Nonetheless, I wish the IP ACL in the firewall to block incoming traffic from the WAN unless the IP ACL allows.  However, it seems that any port which is forwarded happens prior to and bypasses the ACL rules.  How do I block traffic from "bad" addresses when the destination port is in the forwarding table?

  By George, I think I've got it!  (Well, I've narrowed it down anyway.)  So, I've got an RVS4000 with firmware version V2.0.0.3 and I've been trying to do a similar thing:  I have a NAS sitting on my local LAN with a horribly insecure FTP server on it.  I would like my mainframe to send files to that server.  But I don't want the rest of the friggin Internet beating on it.
  So, I set up a Single Port Forward and two ACL rules, as described by tekliu above.  Alas, just like michaelrach above, every address in the Internet was able to get through the firewall on port 21.
  I read all the posts, asked all the experts, swore a lot, wailed and gnashed my teeth.  Then I set up a test and banged away for a while.
  First, I took Tekliu exactly at his word and try adding (#2) a Deny for everybody and (#1) an Allow for the single IP address I want in.  That worked!  The right host can get in and the wrong host can't.  I'm ready to turn out the lights and go home. 
  But I wanted to figure out why my initial attempt (and those of the others who posted here) didn't work and this one did.  After much guessing, I discovered that if you specify an Allow range of x.y.4.2 thru x.y.4.254, it works correctly.
  If you specify an Allow range of x.y.1.1 thru x.(y+1).1.1 it lets everybody through.
  x.y.4.2 thru x.y.128.254 works correctly.
  x.y.4.2 thru x.y.200.254 lets evrybody through.
  It's the binary difference between the start and end address!  I didn't feel like narrowing it down farther.  But to someone who understand this stuff, this has to be a real good clue as to why it's failing.

• RV042 Port forwarding stops working when Firewall is enabled

  Hey all,
  I have a RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows:
  HTTP[TCP/80~80]->10.0.0.6
  HTTPS[TCP/443~443]->10.0.0.6
  IMAP[TCP/143~143]->10.0.0.5
  IMAP SSL[TCP/993~993]->10.0.0.5
  SMTP SSL[TCP/587~587]->10.0.0.5
  Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY port forwarded works. Almost all attempts time out.
  Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
  My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IP's on every port. Nothing seems to work.
  I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
  Do you know anything I could try?
  Best regards,
  Theo
  EDIT:
  Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.

  Hi Theo, if you want to over ride the default state table, you need to first make firewall rules to block all access then make your permission rules.
  Such an example would be-
  Action Deny
  Service All
  Source interface WAN
  Source IP any
  Destination IP any
  Save
  Action Permit
  Service RDP
  Source interface WAN
  Source IP -xx.xx.xx.xx
  Destination IP - xx.xx.xx.xx
  Save
  As for your concern about the syn flood, it can be a likely cause of your problems. Does the logging facility of the router give any indications?
  -Tom
  Please mark answered for helpful posts

• RV042 port forwarding / routing

  Hello folks,
  I'm having a really hard time tring to set up port forwarding to my LAN. Let me explain a bit of how my enviroment is set up.
  RV042 -> MS-TMG (former ISA Server) -> LAN
  RV042 WAN IP: Public IP (Does not matter)
  RV042 LAN IP: 10.31.11.1
  TMG WAN: 10.31.11.2
  TMG LAN: 10.3.1.2
  I've set up a port forwarding directing port 3002/TCP to 10.31.11.2 (TMGWAN) so that TMG can redirect to my LAN, but when I look at TMG Log, I see that the packages have the destination address of TMG WAN (10.31.11.2).
  I don't know why RV042 is changing the destination address of the packages and for the TMG it seens that the packet is coming for him (wich is not true and it's not allowed).
  I can't port forward to my lan (10.31.1.x directly bacause of the webinterface does not allow this).
  I've also tried DMZ but the behavior is the same.
  I've also tried uPnP but the packages are not arriving at TMG...
  Here is the route table of RV042
  200.XXX
  255.255.255.255
  186..XXX
  40
  ppp0
  200..XXX
  255.255.255.255
  186..XXX
  40
  ppp0
  186..XXX
  255.255.255.255
  40
  ppp0
  186..XXX
  255.255.255.255
  45
  ipsec1
  189.XXX
  255.255.255.255
  40
  ppp0
  189.XXX
  255.255.255.255
  45
  ipsec1
  10.31.11.0
  255.255.255.0
  50
  ixp0
  10.31.3.0
  255.255.255.0
  186.213.76.1
  10
  ipsec1
  10.31.2.0
  255.255.255.0
  186.213.76.1
  10
  ipsec1
  10.31.1.0
  255.255.255.0
  10.31.11.2
  2
  ixp0
  10.31.1.0
  255.255.255.0
  50
  ixp0
  default
  0.0.0.0
  186.XXX
  40
  ppp0
  Does anyone have a clue how can I get this thing working?

  Hi Eric, the default state table may be the problem.
  Try to make an access rule something like-
  Action Deny
  Service All
  Source interface WAN
  Source IP any
  Destination IP any
  Save
  Action Permit
  Service RDP
  Source interface WAN
  Source IP -xx.xx.xx.xx
  Destination IP - xx.xx.xx.xx
  Save
  -Tom
  Please mark answered for helpful posts

• RV042 - Port forward/translation from ext to int

  Hy,
  I recently buy a CSRV042-EU. I need to make a translation port to acces remote some of my server on lan.
  I use a primary WAN with static IP 83.166.XXX.XXX .The LAN has aprox. 30 clients.
  I want to acces remote one of the computer from LAN, as example:
  83.166.xxx.xxx:10101 -> 192.168.10.10, using 10101 as external port and 3389 as internal port for remote on 192.168.10.10 machine
  83.166.xxx.xxx:10102 -> 192.168.10.11, using 10102 as external port and 3389 as internal port for remote on 192.168.10.11 machine
  I don't konw how to do this forward because in Port Forward i cannot find the option to enter teh ext port and the int port.
  Could you please help me with an example, how ca i make this forward?
  Thank you !

  I know it's been this long post, but I have the following question ...
  I have several external IPs and would like to designate for each type of service.
  eg:
  200.0.0.1 => http => 10.0.0.2
  200.0.0.2 => https => 10.0.0.1
  How could this setting in RV?
  Today I have two models in the network-to-VPN Gw Gw the RV016 and 042.
  Regards,

• RV042 Port Forwarding

  Router has latest firmware.  WAN1 connected, WAN2 not connected
  RDP 3389 & 3390 are forwarded and functioning correctly.  Port 8080 functions correctly when configured for Remote Management.  I have Port 8081 functioning as Remote Management currently.  I forward Port 8080 and it still remains blocked at the router?  I have tried all HTTP/HTTPS ports and they are blocked at the rounter as well

  Hello,
  Thank you for your reply,
  As a first step i am glad to know that what is done is enough and there is no step(s) missed.
  On my first comment, i mentioned that i am using the Linksys router on dual mode and not DMZ mode; does that have any relation with the current problem?
  Concerning firewall, firstly i disable the firewall on the Linksys router.
  Second, i configured a laptop with the application Xerver to act as a webserver on port 80. i tested accessing this laptop through a lan switch and test was ok.
  i tried the same test through the Linksys router where i connected this webserver laptop to a one of the lan ports of the Linksys router, and with the same config of port forwarding on the Linksys (i just modified ip address of the webserver to be the ip of the laptop) and tried to open http access through internet explorer to the ip of the Linksys router and test was negative. Test failed.
  So the problem is not related to a misconfig on the isa(firewall,..)
  So this indicates that there is a problem specifically in forwarding traffic from wan interface to lan interfaces. but i am not able to identify where this problem is.
  What do you advise?
  note: when i do enable remote mgt for the rv router, i get to the authentication screen of the rv router where i should enter username and password.
  thank you again,

• RV042 port forwarding issue

  I have a RV042 using (for now), just the single WAN interface. I am trying to forward all packets to port 9000 from the WAN to a single IP address on the network.  I've set up both forwarding rules under Setup -> Forwarding and under the Firewall -> Access Rules.
  I cannot connect to my device from the outside world, however.  Is there something I'm missing?

  Scott,
  Can you please let me know if you are able to access the device via the local Lan IP Address with the required port number? Also, can you please let me know what firmware version you are running on the device?
  Thanks,
  Blake Mereby

• Port Forwarding with Port Translation RV042, RV016, RV082

  This is a feature request for the Linksys RV series Routers.  Currently, it appears that the Cisco/Linksys RV042, RV082, and RV016 only support port forwarding and 1-to-1 Nat.  One item that I find very helpful with customers is port forwarding with port translation.  I am requesting that this feature be included with a future firmware relase for these RV series routers.
  Here is an example of the request.
  Take an incoming service request on a TCP or UDP destination port and forward it to an internal IP on a different TCP or UDP port.  For example, customer A wants to allow different machines on the internal network to receive Windows RDP connections inbound.  To make PC maintenance identical between the internal machines, the customer does not want to change the listening port for RDP on the individual PC workstations through the Windows Registry.  The customer also does not want to dedicate separate IP's to each machine in a 1-to-1 NAT setup.  The only option is to have remote connections to each of these PC's to use a different destination port.  So, for example, PC one could be reached on TCP port 5151, PC two on TCP port 5152, and PC three on port 5153.  This requres a firewall that is able to translate each of these connection requests to a different internal IP on the default RDP port (TCP 3389).  So, the following setup is required:
  Port Forwarding with Port Translation:
  Router External IP on TCP port 5151 ---> forwarded to PC One's internal IP on TCP 3389
  Router External IP on TCP port 5152 ---> forwarded to PC Two's internal IP on TCP 3389
  Router External IP on TCP port 5153 ---> forwarded to PC Three's internal IP on TCP 3389
  There are several comparable "small business" class router competitors to the RV042, RV082, and RV016 that will perform this port forwarding with port translation process without incident.  Unfortunately, these Cisco/Linksys small business routers will not accomplish this task currently.
  Please implement this feature in a future firmware release.
  Thanks!

  Excellent.  I see this now.  None of our customers actually use the UPNP feature, so we never realized that Port Forwarding with Port Translation features existed on this page along with the ability to enable or disable UPNP.
  Perhaps, in the future, this functionality could be moved to and incorporated into the port forwarding page which seems to be a more logical location.
  In either case I'm very happy to know that this feature is available on the RV's.
  Thanks for your assistance.

• RV042 vpn&port forwarding problems

  Hello,
  I spent a few days trying to configure  the RV042 router but I messed up. I need this router for VPN access on my  site and Port Forwarding to an internal web server. Apparently very  simple task, isn't it?
  So:
  1. PPTP is working fine but I need more than 5 concurrent accesses.
  2.  Quickvpn does not work when the DHCP server is checked  and I can't  access any computer from my lan. I have a DHCP server in my LAN but when  I'm conected through Quickvpn I never reach it. In the log file there  are messages like:
  Connection refused - Policy violation TCP 169.254.x.x->192.168.1.2 (DHCP server from my lan)
  3.  On Setup > Forwarding I added a Port Range Forwarding for HTTP port  80 to an internal IP address (192.168.1.x). I although added a firewall  access rule to allow traffic to Port 80 from any source interface and  any source IP to 192.168.1.x.
  From the internal LAN, using the WAN IP of the router,  the Port forwarding works but not form the outside, though in the log file of the router it appears to work:
  Connection Accepted TCP 208.64.252.230:33027->192.168.1.x:80 on ixp1
  What could I have done wrong?
  The  router is configured with a static address as a gateway and it has the  latest firmware 1.3.12.19-tm. The access rules are the default ones and  the one I added.
  Any help would be much apreciated.
  Thanks.

  Can't answer as to why QVPN fails when you enable DHCP on the router, but concidering your requirements it seems to be a moot point. So, you have a DHCP server on your network which I will guess is also running your Web service. If this is a Windows server does your current configuration allow you to enable PPTP on it? If so, that would solve the five user limit. You will need to turn off the PPTP server on the router and then forward port 1723 TCP to your server and you are done. As for your http access, remove any rule that you have in reference to "allow" port 80 connectivity to your web server. Not sure why but this tends to confuse the poor little things. Once you have verified that port 80 is active on the server via the LAN (which you already have) then you are done. If you are still not successful with the connection to the server from the WAN you may want to default the router and start over (lame I know).
  *** SORRY, just noticed that you stated that you added a "port range" forwarding rule. Remove that, and configure a UPnP rule for the same server instead. Do not know why they call it that, they just do. This is the same as configuring a single port forward they just call it something different. So just port forward 80 tcp to your server on 192.168.1.x and you are done.

• RV042 Firewall & Port Forwarding

  I am installing a RV042 on a client SBS network.  In the configuration, I notice that there is a place for port forwarding where I guess I could open the ports for smtp, http, https, ...
  But there are also access rules in the firewall section which seem to be the same except that you can schedule them.
  Question is, do I need to configure both, or if only one of them, which one?
  Thanks in advance for the advice.
  Bob Showalter, Packer International

  Bob,
  You only need to configure port forwarding, unless you want to specify a source and destination that the packet is allowed or denied; then you would use both.
  hope this helps,
  Jasbryan

• Port forwarding Cisco RV042 / RV042G

  Hi,
  we use three Cisco RV042 small Business Routers.
  The problem:
  We want to forward HTTPS on Wan-side to an other port than 443 on Lan-side.
  For example: Wan 217.44.55.66 port 443 to 192.168.0.5 port 5001
  There is only this option in RV042 : Forwarding -> Service HTTPS [TCP/443~443] to "IP-Adress" (also Port 443)
  but we need something like this:
  Forwarding -> Service HTTPS [TCP/443~443] to 192.168.0.5:5001
  How can I configure it ?
  Greetings from Germany
  Goetz Hartwig, ITUC GmbH

  Hi Ituconsult1
  My name is Mehdi from Cisco Technical Support, yes with RV042 we can translate the port 
  Please follow this steps:
  1. Please remove the rule of the port forwarding 
  2. Go to Setup under UPnP , service management and you will see external port and internal port so please configure external port to 443 and internal to 5001 and click add, please do not enable UPnP
  3. on the same page please choose the service you created and put the internal IP of the server server
  Please rate the post or mark it as answered to help other Cisco customers
  Greeting 
  Regards
  Mehdi

• Cannot Port Forward RV042 in "Router" Mode

  I use an RV042 exclusively as our VPN host to our main network for branch office connectivity. The RV042 is configured in Router Mode and does not provide Internet / NAT access to the LAN. I would like to add an additional role to this unit by having it Port Forward web requests to an internal Web Server. It appears that the router cannot do Port Forwarding while configured in Router mode; can you confirm this to be true? Is there a work around or an alternate configuration that would allow me to port forward web requests from the Internet to my Internal Web Server and still keep the RV042 in Router only mode?
  Thanks

  Mike,
  The port forwarding feature only works in the context of NAT. This is true for all small business routers.

• Port Forwarding for RDP 3389 is not working

  Hi,
  I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20).  I have made sure it is not an issue with the servers firewall, its just the cisco.  I highlighted in red to what i thought I need in my config to get this  to work.  I have removed the last 2 octets of the public IP info for security .Here is the configuration below:
  TAMSATR1#show run
  Building configuration...
  Current configuration : 11082 bytes
  version 15.2
  no service pad
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  hostname TAMSATR1
  boot-start-marker
  boot system flash:/c880data-universalk9-mz.152-1.T.bin
  boot-end-marker
  logging count
  logging buffered 16384
  enable secret
  aaa new-model
  aaa authentication login default local
  aaa authentication login ipsec-vpn local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authorization console
  aaa authorization exec default local
  aaa authorization network groupauthor local
  aaa session-id common
  memory-size iomem 10
  clock timezone CST -6 0
  clock summer-time CDT recurring
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-1879941380
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1879941380
  revocation-check none
  rsakeypair TP-self-signed-1879941380
  crypto pki certificate chain TP-self-signed-1879941380
  certificate self-signed 01
    3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
    32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
    34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
    ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
    88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
    E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
    542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  ip dhcp excluded-address 10.20.30.1 10.20.30.99
  ip dhcp excluded-address 10.20.30.201 10.20.30.254
  ip dhcp excluded-address 10.20.30.250
  ip dhcp pool tamDHCPpool
  import all
  network 10.20.30.0 255.255.255.0
  default-router 10.20.30.1
  domain-name domain.com
  dns-server 10.20.30.20 8.8.8.8
  ip domain name domain.com
  ip name-server 10.20.30.20
  ip cef
  no ipv6 cef
  license udi pid CISCO881W-GN-A-K9 sn
  crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
  ip tftp source-interface Vlan1
  class-map type inspect match-all CCP_SSLVPN
  match access-group name CCP_IP
  policy-map type inspect ccp-sslvpn-pol
  class type inspect CCP_SSLVPN
    pass
  zone security sslvpn-zone
  crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp policy 20
  encr aes 192
  authentication pre-share
  group 2
  crypto isakmp key password
  crypto isakmp client configuration group ipsec-ra
  key password
  dns 10.20.30.20
  domain tamgmt.com
  pool sat-ipsec-vpn-pool
  netmask 255.255.255.0
  crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
  crypto ipsec transform-set TSET esp-aes esp-sha-hmac
  crypto ipsec profile VTI
  set security-association replay window-size 512
  set transform-set TSET
  crypto dynamic-map dynmap 10
  set transform-set ipsec-ra
  reverse-route
  crypto map clientmap client authentication list ipsec-vpn
  crypto map clientmap isakmp authorization list groupauthor
  crypto map clientmap client configuration address respond
  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
  interface Loopback0
  ip address 10.20.250.1 255.255.255.252
  ip nat inside
  ip virtual-reassembly in
  interface Tunnel0
  description To AUS
  ip address 192.168.10.1 255.255.255.252
  load-interval 30
  tunnel source
  tunnel mode ipsec ipv4
  tunnel destination
  tunnel protection ipsec profile VTI
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface FastEthernet4
  ip address 1.2.3.4
  ip access-group INTERNET_IN in
  ip access-group INTERNET_OUT out
  ip nat outside
  ip virtual-reassembly in
  no ip route-cache cef
  ip route-cache policy
  ip policy route-map IPSEC-RA-ROUTE-MAP
  duplex auto
  speed auto
  crypto map clientmap
  interface Virtual-Template1
  ip unnumbered Vlan1
  zone-member security sslvpn-zone
  interface wlan-ap0
  description Service module interface to manage the embedded AP
  ip unnumbered Vlan1
  arp timeout 0
  interface Wlan-GigabitEthernet0
  description Internal switch interface connecting to the embedded AP
  switchport mode trunk
  no ip address
  interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
  ip address 10.20.30.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
  ip default-gateway 71.41.20.129
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip dns server
  ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
  ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
  ip nat inside source static 10.20.30.20 (public ip)
  ip route 0.0.0.0 0.0.0.0 public ip
  ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
  ip access-list extended ACL-POLICY-NAT
  deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
  deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
  deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
  permit ip 10.20.30.0 0.0.0.255 any
  permit ip 10.20.31.208 0.0.0.15 any
  ip access-list extended CCP_IP
  remark CCP_ACL Category=128
  permit ip any any
  ip access-list extended INTERNET_IN
  permit icmp any any echo
  permit icmp any any echo-reply
  permit icmp any any unreachable
  permit icmp any any time-exceeded
  permit esp host 24.153. host 66.196
  permit udp host 24.153 host 71.41.eq isakmp
  permit tcp host 70.123. host 71.41 eq 22
  permit tcp host 72.177. host 71.41 eq 22
  permit tcp host 70.123. host 71.41. eq 22
  permit tcp any host 71..134 eq 443
  permit tcp host 70.123. host 71.41 eq 443
  permit tcp host 72.177. host 71.41. eq 443
  permit udp host 198.82. host 71.41 eq ntp
  permit udp any host 71.41. eq isakmp
  permit udp any host 71.41eq non500-isakmp
  permit tcp host 192.223. host 71.41. eq 4022
  permit tcp host 155.199. host 71.41 eq 4022
  permit tcp host 155.199. host 71.41. eq 4022
  permit udp host 192.223. host 71.41. eq 4022
  permit udp host 155.199. host 71.41. eq 4022
  permit udp host 155.199. host 71.41. eq 4022
  permit tcp any host 10.20.30.20 eq 3389
  evaluate INTERNET_REFLECTED
  deny   ip any any
  ip access-list extended INTERNET_OUT
  permit ip any any reflect INTERNET_REFLECTED timeout 300
  ip access-list extended IPSEC-RA-ROUTE-MAP
  deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
  deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
  deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
  deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
  deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
  deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
  permit ip 10.20.30.208 0.0.0.15 any
  deny   ip any any
  access-list 23 permit 70.123.
  access-list 23 permit 10.20.30.0 0.0.0.255
  access-list 24 permit 72.177.
  no cdp run
  route-map IPSEC-RA-ROUTE-MAP permit 10
  match ip address IPSEC-RA-ROUTE-MAP
  set ip next-hop 10.20.250.2
  banner motd ^C
  UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
  You must have explicit permission to access or configure this device.  All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
  ^C
  line con 0
  logging synchronous
  line aux 0
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  line vty 0
  access-class 23 in
  privilege level 15
  logging synchronous
  transport input telnet ssh
  line vty 1 4
  access-class 23 in
  exec-timeout 5 0
  privilege level 15
  logging synchronous
  transport input telnet ssh
  scheduler max-task-time 5000
  ntp server 198.82.1.201
  webvpn gateway gateway_1
  ip address 71.41. port 443
  http-redirect port 80
  ssl encryption rc4-md5
  ssl trustpoint TP-self-signed-1879941380
  inservice
  webvpn context TAM-SSL-VPN
  title "title"
  logo file titleist_logo.jpg
  secondary-color white
  title-color #CCCC66
  text-color black
  login-message "RESTRICTED ACCESS"
  policy group policy_1
     functions svc-enabled
     svc address-pool "sat-ipsec-vpn-pool"
     svc default-domain "domain.com"
     svc keep-client-installed
     svc split dns "domain.com"
     svc split include 10.0.0.0 255.0.0.0
     svc split include 192.168.0.0 255.255.0.0
     svc split include 172.16.0.0 255.240.0.0
     svc dns-server primary 10.20.30.20
     svc dns-server secondary 66.196.216.10
  default-group-policy policy_1
  aaa authentication list ciscocp_vpn_xauth_ml_1
  gateway gateway_1
  ssl authenticate verify all
  inservice
  end

  Hi,
  I didnt see anything marked with red in the above? (Atleast when I was reading)
  I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
  But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
  There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
  - Jouni

• ASA 5505 how to create a port forwarding rule

  ASA 5505 IOS ver 9.2.3
  I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
  I tried these commands but they didn't work:
  object network NAS
  host 192.168.2.8
  nat (inside,outside) static interface service tcp 21 1545
  access-list NASFTP-in permit tcp any object NAS eq 1545
  conf t
  int vlan 2
  access-group NASFTP-in permit tcp any object NAS eq 1545
  I really appreciate the help everyone.

  try this, it worked for me, here is an example of adding a webserver with a ip of 10.10.50.60  and naming it with a object named www-server and forwarding port 80 , the way it works is you need to do three things, u need to "nat it" "foward it" and allow it in "acl"
  object network obj-10.10.50.60-1
  host 10.10.50.60
  nat (inside,outside) static interface service tcp 80 80
  object network INSIDE
  nat (inside,outside) dynamic interface
  object network WWW-SERVER
  nat (inside,outside) static interface service tcp 80 80
  access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
  access-group Outside_access_in in interface Outside

• ASA 9.2 Port Forward

  Hello,
  i have a problem with a single port forward with 9.2 ASA (5505). Here is the related config.:
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
  access-list DMZ_in extended permit ip any any
  nat (DMZ,outside) source dynamic obj_any interface
  nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
  nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP
  object network Public_Server
   nat (DMZ,outside) static interface service tcp www www
  access-group outside_access_in in interface outside
  access-group DMZ_access_in in interface DMZ
  When i try to access the server, the console said ACL drops. The packet tracer said that it dropped in the implicit deny rule. Can you help me what can be the problem?
  Thank You!

  Yes, of course, i can ping, and also from VPN. And also the web service works from VPN, local. Tha packet-tracer said the same, the implicit deny catch it.:
  packet-tracer input outside tcp 8.8.8.8 http OUTIFIP http det
  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
   Forward Flow based lookup yields rule:
   in  id=0xad2a1718, priority=1, domain=permit, deny=false
          hits=89868, user_data=0x0, cs_id=0x0, l3_type=0x8
          src mac=0000.0000.0000, mask=0000.0000.0000
          dst mac=0000.0000.0000, mask=0100.0000.0000
          input_ifc=outside, output_ifc=any
  Phase: 2
  Type: ROUTE-LOOKUP
  Subtype: Resolve Egress Interface
  Result: ALLOW
  Config:
  Additional Information:
  in   OUTIFIP  255.255.255.255 identity
  Phase: 3
  Type: NAT
  Subtype: per-session
  Result: ALLOW
  Config:
  Additional Information:
   Forward Flow based lookup yields rule:
   in  id=0xad071248, priority=1, domain=nat-per-session, deny=true
          hits=1199, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
          input_ifc=any, output_ifc=any
  Phase: 4
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
   Forward Flow based lookup yields rule:
   in  id=0xad2a23b8, priority=0, domain=permit, deny=true
          hits=883, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
          input_ifc=outside, output_ifc=any
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule