topic Re: Can't point a public IP to my Internal server IP in Network Security

Can't point a public IP to my Internal server IP

newbie2018 — Fri, 21 Feb 2020 15:30:26 GMT

Hi everyone,

I am Junior network admin and I am tasked to configure our office ASA 5506-X to so that one of the IP amongst our public IP range points to our webserver internal IP then which would allow users to access the website on the outside world. The problem is the following configuration(I will post below) worked before and when we switched to a new ISP therefore switching a new public IP block, and changing the public IP representing the website on the outside world, the webpage times out and nothing comes up. Locally, we can access the webserver adding port 8080 to it: http://10.10.1.30:8080, but nothing is displayed on the outside network. Note that when we remove the :8080 just typing the following locally it doesn't go through either; http://10.10.1.30. TIMES OUT...

note the old public IP was 111.111.222.226, 255.255.255.224 new public IP selected within the IP block is 222.222.222.228 255.255.255.224 internal webserver IP 10.10.1.30

Previous config that worked with old public IP pointing to the local webserver box and IP

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network webserver-external-ip

host 111.111.222.226

object network webserver-internal-ip

host 10.10.1.30

object network internal-subnet

subnet 10.10.1.30 255.255.255.0

object-group network company-HQ

network-object 111.111.222.224 255.255.255.224

access-list outside-in remark Allow traffic from public IP to companysite.com

access-list outside-in extended permit tcp any object webserver-internal-ip eq www

access-list outside-in remark Allow traffic from public IP to companysite.com

access-list outside-in extended permit tcp any object webserver-internal-ip eq https

access-list outside-in remark Test ICMP (ping) from inside to outside

access-list outside-in extended deny ip any any

access-list inside-in extended permit ip any any

access-list DefaultRAGroup_splitTunnelAcl standard permit any

nat (inside,outside) source static internal-subnet internal-subnet destination static xxx xxx no-proxy-arp route-lookup

object network obj_any

nat (inside,outside) dynamic interface

nat (inside,outside) after-auto source dynamic any interface

access-group outside-in in interface outside

So, when we got a new IP block from the same ISP provider selected one usable IP within the block and replaced the host in this Object network webserver-external-ip with the new ip as such:

object-group network company-HQ

network-object 222.222.222.226 255.255.255.224

Object network webserver-external ip

host 222.222.222.228

after I've done that I thought things will keep work as before but no luck! the website is down. the new public IP was updated with the domain registrar as well.

All help will be greatly appreciated please! I hope I explained clearly if not please let me know.

Re: Can't point a public IP to my Internal server IP

Ajay Saini — Tue, 13 Mar 2018 04:25:16 GMT

Hello,

3 things to rule out the issue:

1. take a packet-tracer output to verify if the NAT and access rule is in effect:

packet-tracer input outside tcp 4.2.2.2 3344 222.222.222.228 80 detail

2. take a packet-capture on outside interface:

capture capo interface outside match tcp any host 222.222.222.228

show cap capo

3. Are you able to access the website just by the ip address and not name. If not, then the routing of the ip address is a concern for which ISP might be able to help.

Please attach syslogs apart from above outputs, we can analyze them.

HTH

Re: Can't point a public IP to my Internal server IP

newbie2018 — Tue, 13 Mar 2018 14:46:19 GMT

Hi Ajay,

these are the outputs for the specified commands:

asa# packet-tracer input outside tcp 4.2.2.2 3344 222.222.222.228 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 222.222.222.228 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed22b14c50, priority=111, domain=permit, deny=true
hits=769, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=outside

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop

2) For the below command, nothing displays, nothing came up after running the command:

asa# capture capo interface outside match tcp any host 222.222.222.228

asa#

asa# show cap capo

0 packet captured

0 packet shown

4) I am not able to access the website either by the ip address nor by name. I will contact the ISP and ask them about the routing of that specific IP.

From the first command you advised to run, i noticed that there is a drop. and it looks like something is being blocked. I am not sure what.

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop

I am not sure how to interprete this in depth.

Thanks for your quick response and help.

To add to the above findings. I initiated another capture... and i have the following:

asa# show cap capo

10:19:37.360516 4.2.2.2.3344 > 222.222.222.228.80: S 376539812:376539812(0) win 8192
2: 10:21:48.221485 4.2.2.2.3344 > 222.222.222.228.80: S 1503435714:1503435714(0) win 8192
3: 10:21:57.814548 4.2.2.2.3344 > 222.222.222.228.80: S 1603185936:1603185936(0) win 8192
4: 10:23:17.618803 4.2.2.2.3344 > 222.222.222.228.80: S 2107421198:2107421198(0) win 8192
5: 10:34:28.315123 4.2.2.2.3344 > 222.222.222.228.80: S 1696172604:1696172604(0) win 8192
6: 10:35:09.930554 4.2.2.2.3344 > 222.222.222.228.80: S 443932954:443932954(0) win 8192
7: 10:36:39.636655 4.2.2.2.3344 > 222.222.222.228.80: S 1041436200:1041436200(0) win 8192

Re: Can't point a public IP to my Internal server IP

Ajay Saini — Tue, 13 Mar 2018 14:41:58 GMT

Strange, we don't see the NAT being hit for incoming traffic. Could you please share the NAT statement for the server in question. Also, lets make sure there is no other NAT higher in order related to the same public ip address or real ip address.

sh xlate | in 10.10.1.30

Also, can you try to add the NAT statement in manual NAT section.

HTH

Re: Can't point a public IP to my Internal server IP

newbie2018 — Tue, 13 Mar 2018 15:09:36 GMT

This is the NAT for the server:

object network webserver-internal-ip

nat (inside,outside) static webserver-external-ip service tcp www www

This NAT is no longer in the ASA config and everytime i add it then save the config, and do a sh run, it's still not within the config table.

Not sure why!

I realized that there is another NAT than could be the problem. when i try to remove that it says the following:

-asa(config)# object network webserver-external-ip
-asa(config-network-object)# no nat (inside,outside) static webserver-internal-ip service tcp www 8080
ERROR: NAT configuration not found for object webserver-external-ip

The show xlate for the internal server IP:

asa# show xlate | in 10.10.1.30
TCP PAT from inside:222.222.222.228 80-80 to outside:10.10.1.30 8080-8080

It is strange because it is considering the public IP as the inside IP and the local server IP the outside IP..

I think the above NAT is what is causing the show xlate | in 10.10.1.30 to display the TCP PAT above...

Re: Can't point a public IP to my Internal server IP

newbie2018 — Tue, 13 Mar 2018 17:26:03 GMT

Manual NAT:

show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static internal-network destination static Mount_Pearl Mount_Pearl no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static webserver-external-ip webserver-internal-ip service tcp www 8080
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 42769, untranslate_hits = 50

Manual NAT Policies (Section 3)
1 (visitors) to (outside) source dynamic any interface
translate_hits = 4395535, untranslate_hits = 28531
2 (inside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
.... I am still trying to rearrange the NAT policies...

Re: Can't point a public IP to my Internal server IP

newbie2018 — Tue, 13 Mar 2018 17:20:55 GMT

I though i would post the following so you guys can review it:

1) show packet-tracer....

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed23a082f0, priority=13, domain=capture, deny=false
hits=9313059, user_data=0x7fed23a31f00, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed22b11860, priority=1, domain=permit, deny=false
hits=140382464, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network webserver-internal-ip
nat (inside,outside) static webserver-external-ip service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 222.222.222.228/80 to 10.10.1.30/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any object webserver-internal-ip eq www
access-list outside-in remark Allow traffic from public IP to companysite.com website
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed22be9ad0, priority=13, domain=permit, deny=false
hits=74, user_data=0x7fed1cd183c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.10.1.30, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed220a38a0, priority=0, domain=nat-per-session, deny=false
hits=2499493, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed22b19d20, priority=0, domain=inspect-ip-options, deny=true
hits=5104929, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed232d5cb0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=50394, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network webserver-internal-ip
nat (inside,outside) static webserver-external-ip service tcp www www
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fed22cdade0, priority=6, domain=nat-reverse, deny=false
hits=32, user_data=0x7fed2331bc10, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.10.1.30, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fed220a38a0, priority=0, domain=nat-per-session, deny=false
hits=2499495, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fed22b74560, priority=0, domain=inspect-ip-options, deny=true
hits=708338, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5139763, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

UDP PAT from inside:10.10.1.126/8933 to outside:222.222.222.226/8933 flags ri idle 0:16:03 timeout 0:00:30
UDP PAT from inside:10.10.1.123/8933 to outside:222.222.222.226/15737 flags ri idle 0:20:57 timeout 0:00:30
UDP PAT from inside:10.10.1.211/38267 to outside:222.222.222.226/38267 flags ri idle 0:00:02 timeout 0:00:30
UDP PAT from inside:10.10.1.211/38219 to outside:222.222.222.226/38219 flags ri idle 0:01:41 timeout 0:00:30
UDP PAT from inside:10.10.1.203/34993 to outside:222.222.222.226/34993 flags ri idle 0:01:41 timeout 0:00:30
UDP PAT from inside:10.10.1.121/8933 to outside:222.222.222.226/12065 flags ri idle 0:02:44 timeout 0:00:30
TCP PAT from inside:10.10.1.144/53000 to outside:222.222.222.226/53000 flags ri idle 0:00:07 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52999 to outside:222.222.222.226/52999 flags ri idle 0:00:25 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52998 to outside:222.222.222.226/52998 flags ri idle 0:00:28 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52997 to outside:222.222.222.226/52997 flags ri idle 0:00:38 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52996 to outside:222.222.222.226/52996 flags ri idle 0:00:38 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52995 to outside:222.222.222.226/52995 flags ri idle 0:00:44 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52991 to outside:222.222.222.226/52991 flags ri idle 0:01:33 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52990 to outside:222.222.222.226/52990 flags ri idle 0:01:33 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52944 to outside:222.222.222.226/52944 flags ri idle 0:02:36 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52910 to outside:222.222.222.226/52910 flags ri idle 0:12:41 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52861 to outside:222.222.222.226/52861 flags ri idle 0:15:45 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52862 to outside:222.222.222.226/9374 flags ri idle 0:15:45 timeout 0:00:30
TCP PAT from inside:10.10.1.144/52842 to outside:222.222.222.226/61009 flags ri idle 0:44:15 timeout 0:00:30
UDP PAT from inside:10.10.1.143/8933 to outside:222.222.222.226/20467 flags ri idle 0:03:52 timeout 0:00:30
UDP PAT from inside:10.10.1.142/8933 to outside:222.222.222.226/6214 flags ri idle 0:17:51 timeout 0:00:30
UDP PAT from inside:10.10.1.129/8933 to outside:222.222.222.226/56286 flags ri idle 0:05:56 timeout 0:00:30
UDP PAT from inside:10.10.1.209/45408 to outside:222.222.222.226/45408 flags ri idle 0:01:20 timeout 0:00:30
UDP PAT from inside:10.10.1.209/33033 to outside:222.222.222.226/33033 flags ri idle 0:01:29 timeout 0:00:30
UDP PAT from inside:10.10.1.128/8933 to outside:222.222.222.226/39331 flags ri idle 0:20:49 timeout 0:00:30
UDP PAT from inside:10.10.1.130/8933 to outside:222.222.222.226/1390 flags ri idle 0:14:05 timeout 0:00:30
UDP PAT from inside:10.10.1.210/47085 to outside:222.222.222.226/47085 flags ri idle 0:00:55 timeout 0:00:30
UDP PAT from inside:10.10.1.124/8933 to outside:222.222.222.226/30801 flags ri idle 0:19:49 timeout 0:00:30
UDP PAT from inside:10.10.1.125/8933 to outside:222.222.222.226/63054 flags ri idle 0:19:17 timeout 0:00:30
TCP PAT from inside:10.10.1.186/57478 to outside:222.222.222.226/57478 flags ri idle 0:27:02 timeout 0:00:30
TCP PAT from inside:10.10.1.186/57403 to outside:222.222.222.226/57403 flags ri idle 0:35:59 timeout 0:00:30
TCP PAT from inside:10.10.1.186/57342 to outside:222.222.222.226/57342 flags ri idle 0:41:28 timeout 0:00:30
UDP PAT from inside:10.10.1.186/62441 to outside:222.222.222.226/62441 flags ri idle 0:47:09 timeout 0:00:30

Thanks!

input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

2) ASA# show caputre capo

Re: Can't point a public IP to my Internal server IP

Ajay Saini — Wed, 14 Mar 2018 04:19:16 GMT

The last packet-tracer output looks good. Is it still not working?

Also, you mentioned that port 80 does not work for inside either. Could you try the config of NAT on port80 on public ip address and port 8080 for real server and try.

HTH
AJ

Re: Can't point a public IP to my Internal server IP

newbie2018 — Thu, 15 Mar 2018 13:08:08 GMT

Hi Ajay,
I've tried changing NAT statements/adding others, still no luck. I'am not sure where else to look for answers. Can you provide a sample config on how you would configure NAT on port 80 on public IP and port 8080 for real server?

Thank you much for your assistance.

Re: Can't point a public IP to my Internal server IP

newbie2018 — Thu, 15 Mar 2018 18:49:42 GMT

I figured it out!

The issue was the web server box itself.

I am up and running.

Thanks for your feedback Ajay!

Re: Can't point a public IP to my Internal server IP

Ajay Saini — Sun, 18 Mar 2018 05:53:36 GMT

Thats Great. Happy to help!

Please rate/mark answers as solution if it helped.

-AJ