Nat – Port-forwarding rule on Cisco ASA not working – “Drop-reason: (acl-drop) Flow is denied by configured rule”

cisco-asanat;port-forwarding

New to Cisco, so I hope this question isn't too noobish. I am trying to setup a port-forwarding rule to allow "any" SSL traffic in from "Outside" to the web server on my LAN. The problem is apparently with an "implicit rule" that blocks the traffic no matter what I try. I keep trying to add an access rule to fix this, but it either does not work, or it breaks NAT entirely (or both). I have tried used ASDM mostly, and also tried CLI via Putty (but I'm not very comfortable with the commands just yet).

Here is the output of my packet-trace test in the CLI:

    MyASA(config)# packet-tracer input inside tcp 8.8.8.8 443 192.168.3.133 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc9bdf80, priority=111, domain=permit, deny=true
        hits=547, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MyASA(config)#

Here is my (sanitized) "show run" – Much thanks, everyone

    Type help or '?' for a list of available commands.
MyLabASA> enable
Password: *********
MyLabASA# show run
: Saved
:
: Serial Number: 
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyLabASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 dhcprelay information trusted
!
interface Vlan2
 description CenturyLink 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group LabzGroup
 ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Labz.local
object network Work_Corp_WAN
 host 72.165.30.162
 description Work corporate network
object network Dell-Precision
 host 192.168.3.38
 description Dell-Precision
object network obj-Work_Corp_WAN
object service RDP-TCP
 service tcp source eq 3389 destination eq 3389
 description Win_RDP_port-3389
object network Dell-Optiplex
 host 192.168.3.133
 description Dell-Optiplex
object service SSL
 service tcp source eq https destination eq https
 description SSL
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network Pub_IP_Oct4
 host (Inside_Public_IP)
 description CtLink Pub IP - Oct 4, 2018
object network Allow_inbound_SSL
 host 192.168.3.133
 description Allow inbound SSL to Labnmmon.com IIS site on Dell-Optiplex
access-list OUTSIDE-IN remark Allow HTTPS traffic to Dell-Optiplex
access-list OUTSIDE-IN extended permit tcp any object Dell-Optiplex eq https
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https
access-list from_outside extended permit icmp object Work_Corp_WAN any
access-list from_outside extended permit icmp any object Work_Corp_WAN
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any
access-list OUTSIDE extended permit icmp object Work_Corp_WAN any echo
access-list OUTSIDE extended permit icmp any object Work_Corp_WAN echo
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic any interface
nat (inside,outside) source static Dell-Optiplex interface service any SSL
!
object network Dell-Optiplex
 nat (inside,outside) static interface
access-group Inbound_SSL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname 
vpdn group LabzGroup ppp authentication chap
vpdn username password ********** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
!
dhcprelay server 192.168.3.4 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username LabAdmin password encrypted privilege 15
username LabAdmin attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86a10aca3e2df8250c81c3f9e89b5663
: end
MyLabASA#

UPDATE
After making the suggested changes in the answer, I am not getting "Result: DROP" at Phase 5 of the packet-trace (it was dropping at Phase 2):

Phase: 5      
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
  Forward Flow based lookup yields rule:
  out id=0xcd49c438, priority=11, domain=permit, deny=true
      hits=1, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=any, output_ifc=inside

Update Feb '19:
I could not figure this out, so I made a new post which addressed and answered my issue:
Still cannot get port-forward working in my ASA 5505 – trying the DMZ port now

Best Answer

object service SSL
 service tcp source eq https destination eq https

nat (inside,outside) source static Dell-Optiplex interface service any SSL

Is this your Static PAT rule? If so, it is misconfigured.

You are telling the ASA that any traffic going from inside to outside, with a source of Dell-Optiplex and a port of any should be translated to the interface IP address and have both their source and destination ports changed to 443.

NAT on the ASA is very flexible. This article will teach you everything you need to know.

Specifically, to configure a Port Translation, this is the configuration syntax to follow:

enter image description here

Given that, something like this should work (assuming I guessed your webserver's object correctly):

object network Dell-Optiplex
 host 192.168.3.133

object service SRC-HTTPS
 service tcp source eq https

nat (inside,outside) source static Dell-Optiplex interface service SRC-HTTPS SRC-HTTPS

This section of the aforementioned article will explain the syntax in detail. It will also explain why you are writing the translation from the perspective of outbound traffic, even though it is technically inbound traffic you are intending to match.

Edit, comments weren't enough room:

Also, it seems you're ACL is incorrect:

access-group Inbound_SSL in interface outside
access-list Inbound_SSL extended permit tcp interface outside object Dell-Optiplex eq https

The first line applies the Inbound_SSL ACL to the outside interface. You can only have one ACL applied to the interface, and you have three others configured. Just pointing that out in case you meant for the others to apply as well.

The second line is the actual ACL. It is allowing traffic from a source of your outside interface IP, to a destination of your Webserver. Unless your own firewall is speaking to your webserver, this won't match the traffic you intend. (which is likely why the Implicit Deny All is dropping the traffic).

It should be something like this:

access-list Inbound_SSL extended permit tcp any object Dell-Optiplex eq https

This allows traffic from any source, to the destination of your webserver, over port 443.

Related Topic