topic Re: ASA port forwarding issue only with https in Network Security

ASA port forwarding issue only with https

Chan Thar — Thu, 14 Mar 2024 15:56:15 GMT

Hello ,

I am experiencing a port forwarding issue.We want a internal server's https web page to expose public access.

The thing is - it is still not sucess.

1. Other ports are working perfect except 443.

2. Tested multiple same internal servers .. only 443 is happening .. Local 443 services are running and tested.

3. Sometimes, really sometimes, I got the https webpage access for a while. No one is making changes at that time.

4. The public ip has no other https service port forwarding . checked all.

5. Port testing with telnet and tcping is showing open.

6.Configuration is fine since it's simple.

7. show Conn , show NAT commands are showing logs when accessed.

8. NAT, ACL rules are hitting when accessed

9. Internet

Can you someone share me similar cases or helpful troubleshooting ?

ASA 5525 , version 9.8

Re: ASA port forwarding issue only with https

MHM Cisco World — Thu, 14 Mar 2024 16:04:15 GMT

Show nat

And packet-capture

MHM

Re: ASA port forwarding issue only with https

balaji.bandi — Thu, 14 Mar 2024 16:13:50 GMT

If the ASA Using 443 Address for any other services - so that may not work, so better test with Different port (to confirm that port-forwarding working)

example use 8443 to internal Server 443 is that works ?

or change on ASA 443 IP address to 8443 so that port get free to port-forward your request.

if this is not the case then we would like to see your config and NAT config ? and show output while translating.

Re: ASA port forwarding issue only with https

Chan Thar — Fri, 15 Mar 2024 07:00:04 GMT

DC1-A5K-FW1/sec# sh nat
Manual NAT Policies (Section 1)
1 (LAN) to (INTERNET) source static MDC MDC destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup
translate_hits = 1, untranslate_hits = 1
2 (LAN) to (WAN) source static MDC MDC destination static BRANCH BRANCH
translate_hits = 0, untranslate_hits = 0
3 (DMZ) to (WAN) source static DMZ DMZ destination static BRANCH BRANCH
translate_hits = 0, untranslate_hits = 0
4 (DMZ) to (INTERNET) source static DMZ1 DMZ1 destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (DMZ) to (INTERNET) source dynamic DMZ interface
translate_hits = 8208, untranslate_hits = 20
6 (LAN) to (INTERNET) source dynamic EX-SVR interface
translate_hits = 4615, untranslate_hits = 4
7 (LAN) to (INTERNET) source dynamic MDC interface
translate_hits = 894987, untranslate_hits = 70994
8 (LAN) to (INTERNET) source dynamic SVR3 interface
translate_hits = 0, untranslate_hits = 0
9 (INTERNET) to (LAN) source static any any destination static MailIP EX_SERVER service https https no-proxy-arp inactive
translate_hits = 0, untranslate_hits = 0
10 (INTERNET) to (LAN) source static any any destination static MailIP EXCHANGE_SVR service https https unidirectional no-proxy-arp inactive
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (LAN) to (INTERNET) source static EXCHANGE_SVR X.X.164.60 service tcp https https
translate_hits = 0, untranslate_hits = 17
2 (LAN) to (WAN) source static SHAREPOINT_SERVER interface service tcp www www
translate_hits = 0, untranslate_hits = 0
3 (LAN) to (INTERNET) source static EX_SVR3_110 X.X.164.60 service tcp pop3 pop3
translate_hits = 0, untranslate_hits = 7736
4 (LAN) to (INTERNET) source static EX_SVR3_587 X.X.164.60 service tcp 587 587
translate_hits = 0, untranslate_hits = 196
5 (LAN) to (INTERNET) source static HRDB_SERVER X.X.164.61 service tcp 8003 8003
translate_hits = 0, untranslate_hits = 1133
6 (LAN) to (INTERNET) source static TEST_SVR X.X.164.60 service tcp ssh ssh
translate_hits = 0, untranslate_hits = 6551
7 (DMZ) to (WAN) source static FTP_SERVER 10.1.255.131
translate_hits = 0, untranslate_hits = 0
8 (DMZ) to (INTERNET) source static FORTIMAIL_8889 X.X.164.60 service udp 8889 8889
translate_hits = 0, untranslate_hits = 0
9 (DMZ) to (INTERNET) source static FORTIMAIL_9443 X.X.164.60 service udp 9443 9443
translate_hits = 0, untranslate_hits = 0
10 (DMZ) to (INTERNET) source static FORTI_MAIL X.X.164.60 service tcp smtp smtp
translate_hits = 0, untranslate_hits = 78928
11 (DMZ) to (INTERNET) source static HRWEB_HTTPS X.X.164.61 service tcp https 8443
translate_hits = 0, untranslate_hits = 371
12 (DMZ) to (INTERNET) source static HRWEB_SERVER interface service tcp telnet telnet
translate_hits = 0, untranslate_hits = 0
13 (DMZ) to (INTERNET) source static AMSWeb X.X.164.61 service tcp 3389 8339
translate_hits = 0, untranslate_hits = 6189
14 (DMZ) to (INTERNET) source static MACWEB X.X.164.61 service tcp https https
translate_hits = 0, untranslate_hits = 1155
15 (DMZ) to (INTERNET) source static MACWeb X.X.164.61 service tcp 3389 8340
translate_hits = 0, untranslate_hits = 5705
16 (LAN) to (INTERNET) source static EX_SVR_110 MailIP service tcp pop3 pop3
translate_hits = 0, untranslate_hits = 0
17 (LAN) to (INTERNET) source static EX_SVR_143 MailIP service tcp imap4 imap4
translate_hits = 0, untranslate_hits = 25
18 (LAN) to (INTERNET) source static EX_SVR_587 MailIP service tcp 587 587
translate_hits = 0, untranslate_hits = 0
19 (LAN) to (INTERNET) source dynamic VLAN67-MPT interface
translate_hits = 222, untranslate_hits = 10
20 (LAN) to (TML) source dynamic VLAN67-TML interface
translate_hits = 266486, untranslate_hits = 2211
21 (LAN) to (INTERNET) source dynamic VLAN68-MPT interface
translate_hits = 34, untranslate_hits = 0
22 (LAN) to (TML) source dynamic VLAN68-TML interface
translate_hits = 56345, untranslate_hits = 176
23 (LAN) to (INTERNET) source dynamic VLAN69-MPT interface
translate_hits = 2103, untranslate_hits = 1480
24 (LAN) to (TML) source dynamic VLAN69-TML interface
translate_hits = 833532, untranslate_hits = 7278
25 (LAN) to (INTERNET) source dynamic VLAN200-MPT interface
translate_hits = 1, untranslate_hits = 0
26 (LAN) to (TML) source dynamic VLAN200-TML interface
translate_hits = 18855, untranslate_hits = 16
27 (LAN) to (INTERNET) source dynamic VLAN201-MPT interface
translate_hits = 1660, untranslate_hits = 12
28 (LAN) to (TML) source dynamic VLAN201-TML interface
translate_hits = 503079, untranslate_hits = 2714
29 (LAN) to (INTERNET) source dynamic VLAN202-MPT interface
translate_hits = 0, untranslate_hits = 0
30 (LAN) to (TML) source dynamic VLAN202-TML interface
translate_hits = 0, untranslate_hits = 0
31 (LAN) to (INTERNET) source dynamic VLAN203-MPT interface
translate_hits = 96, untranslate_hits = 0
32 (LAN) to (TML) source dynamic VLAN203-TML interface
translate_hits = 43753, untranslate_hits = 46
33 (LAN) to (INTERNET) source dynamic VLAN204-MPT interface
translate_hits = 7, untranslate_hits = 0
34 (LAN) to (TML) source dynamic VLAN204-TML interface
translate_hits = 25981, untranslate_hits = 9
35 (LAN) to (INTERNET) source dynamic VLAN205-MPT interface
translate_hits = 43, untranslate_hits = 0
36 (LAN) to (TML) source dynamic VLAN205-TML interface
translate_hits = 60004, untranslate_hits = 0
37 (LAN) to (INTERNET) source dynamic VLAN206-MPT interface
translate_hits = 0, untranslate_hits = 0
38 (LAN) to (TML) source dynamic VLAN206-TML interface
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (LAN) to (WAN) source dynamic MDC interface
translate_hits = 0, untranslate_hits = 0
2 (LAN) to (TML) source dynamic MDC interface
translate_hits =

DC1-A5K-FW1/sec# packet-tracer input INTERNET tcp 103.101.16.102 https 136.228$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network EXCHANGE_SVR
nat (LAN,INTERNET) static 136.228.164.60 service tcp https https
Additional Information:
NAT divert to egress interface LAN
Untranslate 136.228.164.60/443 to 10.1.103.21/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INTERNET_IN in interface INTERNET
access-list INTERNET_IN extended permit tcp any host 10.1.103.21 eq https
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map firePOWER-class
description class to send all traffic to the Firepower module
match any
policy-map global_policy
class firePOWER-class
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map firePOWER-class
description class to send all traffic to the Firepower module
match any
policy-map global_policy
class firePOWER-class
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,INTERNET) source dynamic EX-SVR interface
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8052151, packet dispatched to next module

Result:
input-interface: INTERNET
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

DC1-A5K-FW1/sec#

Re: ASA port forwarding issue only with https

MHM Cisco World — Fri, 15 Mar 2024 07:12:43 GMT

DC1-A5K-FW1/sec# packet-tracer input INTERNET tcp 103.101.16.102 https 136.228$ <<- can I see full packet-tracer you use

the NAT is not correct the Inbound is use NAT different than Outbound,
Use Manual NAT instead Auto NAT
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network EXCHANGE_SVR
nat (LAN,INTERNET) static 136.228.164.60 service tcp https https <<- Auto NAT, change it to Manual NAT
Additional Information:
NAT divert to egress interface LAN
Untranslate 136.228.164.60/443 to 10.1.103.21/443

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,INTERNET) source dynamic EX-SVR interface
Additional Information:

Re: ASA port forwarding issue only with https

Chan Thar — Fri, 15 Mar 2024 07:16:32 GMT

packet-tracer input outside tcp 103.101.16.102 443 136.228.164.60 443

this is full command line

Re: ASA port forwarding issue only with https

MHM Cisco World — Fri, 15 Mar 2024 07:33:30 GMT

OK, change the NAT you use as I mention above

MHM

Re: ASA port forwarding issue only with https

Chan Thar — Fri, 15 Mar 2024 07:55:57 GMT

nat (LAN,INTERNET) source static EXCHANGE_SVR WEB-SERVER_PUBLIC service https https

i configured manual nat and port is not even opening.

DC1-A5K-FW1/sec# packet-tracer input INTERNET tcp 103.101.16.102 443 136.228$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,INTERNET) source static EXCHANGE_SVR WEB-SERVER_PUBLIC service https https
Additional Information:
NAT divert to egress interface LAN
Untranslate 136.228.164.60/443 to 10.1.103.21/443

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,INTERNET) source static EXCHANGE_SVR WEB-SERVER_PUBLIC service https https
Additional Information:
Static translate 103.101.16.102/443 to 103.101.16.102/443

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map firePOWER-class
description class to send all traffic to the Firepower module
match any
policy-map global_policy
class firePOWER-class
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map firePOWER-class
description class to send all traffic to the Firepower module
match any
policy-map global_policy
class firePOWER-class
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,INTERNET) source dynamic EX-SVR interface
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8237271, packet dispatched to next module

Result:
input-interface: INTERNET
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

DC1-A5K-FW1/sec#

Re: ASA port forwarding issue only with https

Chan Thar — Fri, 15 Mar 2024 07:56:44 GMT

i am just wondering if it may be ASA version bug or something like that?

Re: ASA port forwarding issue only with https

MHM Cisco World — Fri, 15 Mar 2024 09:21:43 GMT

this phase meaning the flow add to conn
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8237271, packet dispatched to next module

can you share the
show conn address <server>\

if there is no entry try
show conn protocol 443

MHM

Re: ASA port forwarding issue only with https

Chan Thar — Mon, 18 Mar 2024 14:13:21 GMT

DC1-A5K-FW1/sec# show conn address 10.1.103.21
191 in use, 16507 most used

TCP INTERNET 74.125.200.95:443 LAN 10.1.103.21:49510, idle 0:00:00, bytes 10727, flags UxIO

sorry for my late data ..thanks for help

Re: ASA port forwarding issue only with https

Chan Thar — Mon, 18 Mar 2024 14:17:25 GMT

now .. i changed from auto nat to manual nat as MHM suggested.. but still has issue

Re: ASA port forwarding issue only with https

Marvin Rhoads — Mon, 18 Mar 2024 15:38:22 GMT

Did you check the suggestion made by @balaji.bandi ?

For instance, if you have remote access SSL VPN enabled that will bind tcp/443 for that purpose and it will not be usable for other services.

Re: ASA port forwarding issue only with https

Chan Thar — Mon, 18 Mar 2024 16:10:36 GMT

yes. i already tried disabling ssl webvpn config interface level "no enable INTERFACE" .. But still same issue.

Strange behavior for me this issue is sometimes expected webpage can be accessed. as per my testing, this is not browser,ip, public ip , isp not related.. it just pop up when continuously refreshed.. any other ports are working.. just 443 is issue. since internal server is not easy to change port for web service.. i still finding solution.

Re: ASA port forwarding issue only with https

Marius Gunnerud — Mon, 18 Mar 2024 19:29:21 GMT

Setup a capture on the LAN interface an see if the traffic is actually leaving the ASA interface

cap capLAN interface LAN tcp any host 10.1.103.21 eq 443

show cap

show cap capLAN

If you know the IP of the source you can change any to host aaa.bbb.ccc.ddd

If you do not see any packets being captured change the the capture from tcp to ip (remove eq 443 also) and then test again.

Post the results here

Re: ASA port forwarding issue only with https

MHM Cisco World — Mon, 18 Mar 2024 19:49:14 GMT

packet-tracer input outside tcp 103.101.16.102 443 136.228.164.60 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,INTERNET) source static EXCHANGE_SVR WEB-SERVER_PUBLIC service https https
Additional Information:
NAT divert to egress interface LAN
Untranslate 136.228.164.60/443 to 10.1.103.21/443

DC1-A5K-FW1/sec# show conn address 10.1.103.21
191 in use, 16507 most used

TCP INTERNET 74.125.200.95:443 LAN 10.1.103.21:49510, idle 0:00:00, bytes 10727, flags UxIO <<- this Outbound not Inbound

from all above it seem to me that there is Host have IP 10.1.103.21 connect to internet via HTTP
and not server access from outside

i.e. there is IP conflict

MHM