https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582273#M1088801 <P><STRONG>ciscoasa(config)# packet-tracer input outside tcp 68.78.249.19 1234 x.x.x.x 80&nbsp;<FONT color="#FF0000">detail</FONT>&nbsp;&lt;- this give you&nbsp;which ACL drop the traffic&nbsp;</STRONG></P> Wed, 30 Mar 2022 22:07:34 GMT MHM Cisco World 2022-03-30T22:07:34Z https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582187#M1088791 <P>Hello,</P><P>I am trying to allow web access to an inside host but for some reason it is getting blocked. Packet-tracer hits the implicit rule (deny all) and drops the call. It seems the ACL rule is not being used. Not sure what I may be missing.</P><P>This is what I did:</P><P>object network obj_192.168.1.223<BR />host 192.168.1.223<BR />nat (inside,outside) static interface service tcp http http<BR />access-list inbound permit tcp any object obj_192.168.1.223 eq http</P><P>Thanks for the help!</P><P>&nbsp;</P><P><STRONG>Troubleshooting info:</STRONG></P><P><BR /><STRONG>ciscoasa(config)# packet-tracer input inside tcp 68.78.249.19 1234 192.168.1.223 80</STRONG></P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 192.168.1.223 using egress ifc inside</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>ciscoasa(config)#</P><P>&nbsp;</P><P><BR /><STRONG>ciscoasa(config)# sh access-list</STRONG><BR />access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)<BR />alert-interval 300<BR />access-list inbound; 1 elements; name hash: 0x793e9c88<BR />access-list inbound line 1 extended permit tcp any object obj_192.168.1.223 eq www (hitcnt=0) 0x0d33139f<BR />access-list inbound line 1 extended permit tcp any host 192.168.1.223 eq www (hitcnt=0) 0x0d33139f<BR /><STRONG>ciscoasa(config)# sh nat</STRONG></P><P>Auto NAT Policies (Section 2)<BR />1 (inside) to (outside) source static obj_192.168.1.223 interface service tcp www www<BR />translate_hits = 0, untranslate_hits = 0<BR />2 (inside) to (outside) source dynamic obj_192.168.1.0 interface dns<BR />translate_hits = 1422, untranslate_hits = 21</P><P>Manual NAT Policies (Section 3)<BR />1 (management) to (outside) source dynamic any interface<BR />translate_hits = 0, untranslate_hits = 0<BR />ciscoasa(config)#</P><P>&nbsp;</P> Wed, 30 Mar 2022 19:00:26 GMT https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582187#M1088791 rmunoz10 2022-03-30T19:00:26Z https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582203#M1088793 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1327188">@rmunoz10</a>&nbsp;your packet-tracer is incorrect, you are simulating traffic from outside to inside. So you need to specify the interface as "outside" not inside. Also use the public ip address as the destination not the real/private ip.</P> Wed, 30 Mar 2022 19:46:29 GMT https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582203#M1088793 Rob Ingram 2022-03-30T19:46:29Z https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582232#M1088795 <P>This object NAT so check&nbsp;</P><P>show NAT all,</P><P>see if there is any NAT above it prevent the nat from outside to your inside host server.</P> Wed, 30 Mar 2022 20:37:26 GMT https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582232#M1088795 MHM Cisco World 2022-03-30T20:37:26Z https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582258#M1088800 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>Thanks! packet-tracer went much further this time but still blocked access. Please see results below. Anything else I'm missing? Thanks.</P><P>&nbsp;</P><P><STRONG>ciscoasa(config)# packet-tracer input outside tcp 68.78.249.19 1234 x.x.x.x 80</STRONG></P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />object network obj_192.168.1.223<BR />nat (inside,outside) static interface service tcp www www<BR />Additional Information:<BR />NAT divert to egress interface inside<BR />Untranslate x.x.x.x/80 to 192.168.1.223/80</P><P>Phase: 3<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 4<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>&nbsp;</P><P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>- I don't have sh NAT all. But here is the result of sh nat.</P><P>&nbsp;</P><P><STRONG>ciscoasa(config)# sh nat</STRONG></P><P>Auto NAT Policies (Section 2)<BR />1 (inside) to (outside) source static obj_192.168.1.223 interface service tcp www www<BR />translate_hits = 0, untranslate_hits = 36<BR />2 (inside) to (outside) source dynamic obj_192.168.1.0 interface dns<BR />translate_hits = 8132, untranslate_hits = 126</P><P>Manual NAT Policies (Section 3)<BR />1 (management) to (outside) source dynamic any interface<BR />translate_hits = 0, untranslate_hits = 0<BR />ciscoasa(config)#</P> Wed, 30 Mar 2022 21:34:35 GMT https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582258#M1088800 rmunoz10 2022-03-30T21:34:35Z https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582273#M1088801 <P><STRONG>ciscoasa(config)# packet-tracer input outside tcp 68.78.249.19 1234 x.x.x.x 80&nbsp;<FONT color="#FF0000">detail</FONT>&nbsp;&lt;- this give you&nbsp;which ACL drop the traffic&nbsp;</STRONG></P> Wed, 30 Mar 2022 22:07:34 GMT https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582273#M1088801 MHM Cisco World 2022-03-30T22:07:34Z https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582307#M1088803 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;</P><P>The rule is 'Implicit Rule'. So it seems my ACL is not being used?</P><P>&nbsp;</P><P>ciscoasa(config)# sh run access-list<BR />access-list inbound extended permit tcp any object obj_192.168.1.223 eq www<BR />ciscoasa(config)#</P><P>&nbsp;</P><P>&nbsp;</P><P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR /><FONT color="#FF6600">Implicit Rule</FONT><BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7f2d1d404330, priority=0, domain=permit, deny=true<BR />hits=4381, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Wed, 30 Mar 2022 22:55:39 GMT https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582307#M1088803 rmunoz10 2022-03-30T22:55:39Z https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582315#M1088804 <P>add to NAT route-lookup.&nbsp;<BR />the NAT may route the traffic to wrong Interface&nbsp;</P> Wed, 30 Mar 2022 23:38:02 GMT https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582315#M1088804 MHM Cisco World 2022-03-30T23:38:02Z https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582796#M1088811 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1327188">@rmunoz10</a> do you actually have that access-list configured inbound on the outside interface? Example:</P> <P>&nbsp;</P> <PRE>access-group inbound in interface outside</PRE> <P>&nbsp;</P> Thu, 31 Mar 2022 06:59:49 GMT https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4582796#M1088811 Rob Ingram 2022-03-31T06:59:49Z https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4583025#M1088822 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>I had missed that.</P><PRE>access-group inbound in interface outside</PRE><P>Thank you for pointing me in the right direction.</P> Thu, 31 Mar 2022 12:46:54 GMT https://community.cisco.com/t5/network-security/allow-outside-host-web-access-to-inside-host-fails/m-p/4583025#M1088822 rmunoz10 2022-03-31T12:46:54Z