Some weeks ago, I mentioned having had some trouble trying to figure out why a Cisco ASA would allow traffic TO the interface (ie, for using SSH) and not THROUGH the interface (to reach a server on the LAN, from the outside). I also mentioned the solution there: when permitting traffic through the outside-interface, always mention "interface" in the static-statement instead of the IP-address.
Today, I ran into this problem again. But, slightly different this time (of course). The previous time, we were dealing with a single public IP address setup in a SOHO office. So, the customer had only one public IP address. My conclusion after troubleshooting that setup was, that you cannot use the exact public IP but have to use the "interface"-keyword instead.
This time, this customer does really have a business internet setup, with a routed subnet on the outside. Because I have multiple static's in this config, I decided to use the real public IP address in the static-statement, for reasons of clarity and readability. But that DOES NOT WORK.
Remember this: when using a Cisco ASA firewall, and using port forwarding to configure inbound traffic, ALWAYS (always!!) use the "interface"-keyword in the static-statement. So, something like:
- static (inside,outside) tcp interface [port] [private IP] [port]