topic Re: Web Application Server in Network Security

Web Application Server

dissai — Fri, 26 Apr 2024 09:39:02 GMT

Dear Community,

I'm asking for you guidance. I have come across a challenge on Cisco ASA version 9.8. Need to allow a web server to be access outside(Public) from DMZ Zone to Ouside Zone. Per below configuration template. Nat is transilating but access-list no hits which result that I can ping transilated IP from outside but I am not able to open application (to load a page). Kindly assist to receive the configuration and the packet tracer out form outside and DMZ leg shared.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 200.100.1.2 255.255.255.248
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 80
ip address 172.16.10.253 255.255.255.0
!

!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN
subnet 192.168.50.0 255.255.255.0
object network ASDM
host 155.12.32.90
object network vpn_subnet
subnet 10.6.7.0 255.255.255.0
object network dmz_subnet
subnet 172.16.10.0 255.255.255.0
object network webserver-external-ip
host 200.100.1.2
object network web_server
host 172.16.10.50
object network MONITOR_SRV
host 192.168.50.114
object network SWITCH_HOST
host 192.168.50.2
object network OUTSIDE_INTERFACE
host 200.100.1.2
object network Water_Gateway_NAT
host 200.100.1.70
object network Water_Gateway
host 172.16.10.70
object-group network OBJ-SITE-ASA
network-object host 172.16.10.50

object-group network DMZ_SERVERS
network-object host 172.16.10.51
object-group network DMZ-Network
network-object 172.16.10.0 255.255.255.0
object-group network Outside-Network
network-object 200.100.1.0 255.255.255.0
object-group network NETWORK_Devices
network-object host 192.168.50.1
network-object host 192.168.50.2
network-object host 192.168.50.114
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list management_access_in extended permit ip any any
access-list management_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any4 object Water_Gateway object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in extended permit tcp any interface outside eq 32007
access-list outside_access_in extended permit tcp any host 41.188.165.190 eq https
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit tcp any object Water_Gateway eq www
access-list outside_access_in extended permit tcp any object Water_Gateway eq https
access-list dmz_access_in extended permit tcp object Water_Gateway any eq https
access-list dmz_access_in extended permit tcp object Water_Gateway any eq www
access-list dmz_access_in extended deny ip any object LAN_network
access-list dmz_access_in extended permit ip any any
access-list ACL_MACOS standard permit host 192.168.50.114
access-list ACL_MACOS standard permit host 192.168.50.2
access-list ACL_MACOS standard permit host 192.168.50.1
access-list ACL_MACOS standard permit 172.16.10.0 255.255.255.0
access-list dmz_access_out extended permit icmp any any
access-list inside_access_in extended permit ip host 200.100.1.1 10.6.7.0 255.255.255.0

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu MGMT 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7202.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE,outside) source dynamic LAN_network interface
nat (outside,any) source static ASDM ASDM destination static interface any
nat (outside,DMZ) source static vpn_subnet vpn_subnet destination static dmz_subnet dmz_subnet
nat (INSIDE,outside) source static NETWORK_Devices NETWORK_Devices destination static vpn_subnet vpn_subnet
nat (DMZ,outside) source static dmz_subnet dmz_subnet destination static LAN_network LAN_network
!
object network LAN_network
nat (INSIDE,outside) dynamic interface
object network dmz_subnet
nat (DMZ,outside) dynamic interface
object network web_server
nat (DMZ,outside) static 200.100.1.51
object network Water_Gateway
nat (DMZ,outside) static Water_Gateway_NAT
access-group outside_access_in in interface outside
access-group dmz_access_in in interface DMZ
access-group dmz_access_out out interface DMZ
access-group management_access_in in interface MGMT
route MGMT 0.0.0.0 0.0.0.0 172.16.5.2 1
route outside 0.0.0.0 0.0.0.0 200.100.1.1 1
route outside 10.6.7.0 255.255.255.0 200.100.1.1 1
route outside 200.100.1.51 255.255.255.255 200.100.1.1 1

crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint REMOTE_VPN
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ikev2 enable outside
telnet timeout 5

!
t
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-macos-4.10.04065-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.10.04065-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-linux64-4.10.08029-webdeploy-k9.pkg 3
anyconnect profiles profile_macos disk0:/anyconnect_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy ASA-TO-FTD internal
group-policy ASA-TO-FTD attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-client
group-policy REMOTE_L2L_VPN internal
group-policy REMOTE_L2L_VPN attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_MACOS
default-domain value LAN.co.tz
webvpn
anyconnect profiles value profile_macos type user
dynamic-access-policy-record DfltAccessPolicy

tunnel-group REMOTE_VPN type remote-access
tunnel-group REMOTE_VPN general-attributes
address-pool VPN_POOL_MACOS
default-group-policy REMOTE_L2L_VPN
tunnel-group REMOTE_VPN webvpn-attributes
group-alias LAN_ONENET enable
tunnel-group LAN_DEVOPS type remote-access
tunnel-group LAN_DEVOPS webvpn-attributes
group-alias LAN_DEVOPS enable
!
——————————————————————————————————————————————

# packet-tracer input outside tcp 5.5.5.5 1234 200.100.1.70 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,outside) source static Water_Gateway Water_Gateway_NAT
Additional Information:
NAT divert to egress interface DMZ
Untranslate 200.100.1.70/80 to 172.16.10.70/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Water_Gateway eq www
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,outside) source static Water_Gateway Water_Gateway_NAT
Additional Information:
Static translate 5.5.5.5/1234 to 5.5.5.5/1234

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

———————————————————————————————————————————————————————————

# packet-tracer input DMZ tcp 5.5.5.5 1234 200.100.1.70 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 200.100.1.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface DMZ
access-list dmz_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3476841, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

#

Re: Web Application Server

Rob Ingram — Fri, 26 Apr 2024 07:45:26 GMT

@dissai is the configuration you provided accurate? The packet-tracer output references objects called "Momo_Gateway" but there is no mention of Momo_Gateway in your configuration. Please provide the full configuration.

Re-run packet-tracer appended "detailed" at the end.

Provide "show nat detail"

Re: Web Application Server

MHM Cisco World — Fri, 26 Apr 2024 07:59:17 GMT

object network web_server
nat (DMZ,outside) static 200.100.1.51
object network Water_Gateway
nat (DMZ,outside) static Water_Gateway_NAT

this need to change to be
nat(DMZ,outside) static object <real server IP> object <mapped server IP>

do that and check again

MHM

Re: Web Application Server

dissai — Fri, 26 Apr 2024 09:35:58 GMT

Hi Rob,

ignore Momo, shared configuration is accurate.

Re: Web Application Server

dissai — Fri, 26 Apr 2024 10:01:55 GMT

Hi MHM,

The Cisco ASA version 9.8 no option for static object as you see below.

config-network-object)# nat (DMZ,outside) static ?

network-object mode commands/options:
A.B.C.D Mapped IP address
WORD Mapped network object/object-group name
X:X:X:X::X/<0-128> Enter an IPv6 prefix
interface Use interface address as mapped IP

Re: Web Application Server

MHM Cisco World — Fri, 26 Apr 2024 10:06:29 GMT

config-network-object)# nat (DMZ,outside) static <name of object>

MHM

Re: Web Application Server

dissai — Fri, 26 Apr 2024 12:28:33 GMT

Hi MHM,

Still I'm getting same responce.

Re: Web Application Server

MHM Cisco World — Fri, 26 Apr 2024 15:48:01 GMT

show run nat
do test again and share
show conn <server IP>

MHM

Re: Web Application Server

Aref Alsouqi — Fri, 26 Apr 2024 17:04:24 GMT

Firstly, is the public IP 200.100.1.70 you are using correct? the outside interface on your firewall has a /29 which means that the usable range of the IP addresses would be from 200.100.1.1 to 200.100.1.16, so .70 is out of that range. Or maybe you purchased additional range from the provider?

The second thing I've noticed is the access list "dmz_access_out". This ACL is applied in outbound direction on the DMZ interface and it only has a single rule allowing ICMP traffic. This rule must allow the application traffic as well, so if you want to allow http and https then you would need to add them to that ACL. Probably this is why ping is working for you but not the application traffic.

Re: Web Application Server

dissai — Fri, 26 Apr 2024 17:53:45 GMT

Hi MHM,

Below is the output.

(DMZ) to (outside) source static Water_Gateway Water_Gateway_NAT
translate_hits = 0, untranslate_hits = 65

show conn address 172.16.10.70
27 in use, 22405 most used

TCP outside 10.6.7.3:56233 DMZ 172.16.10.70:22, idle 0:00:59, bytes 13244, flags UIOB

packet-tracer input outside tcp 5.5.5.5 1234 200.100.1.70 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Water_Gateway
nat (DMZ,outside) static Water_Gateway_NAT
Additional Information:
NAT divert to egress interface DMZ
Untranslate 200.100.1.70/80 to 172.16.10.70/80

Re: Web Application Server

dissai — Fri, 26 Apr 2024 18:41:00 GMT

Hello Aref,

I have added but still am having same result.

Re: Web Application Server

MHM Cisco World — Fri, 26 Apr 2024 19:23:45 GMT

it some long steps but It need to know the issue here (before each step try access to server) and (after each step show capture with it name)
1-capture CAP1 interface out match ip host <the server public IP>
2- capture asp-drop type asp-drop acl-drop
3- capture CAP2 interface DMZ match ip host <the server private IP>

waiting you

MHM

Re: Web Application Server

dissai — Fri, 26 Apr 2024 22:23:18 GMT

Hi MHM,

Below is output means no traffic detected.

FW(config)# show capture CAP1

0 packet captured

0 packet shown
FW(config)#
FW(config)#
FW(config)# show capture CAP2

0 packet captured

0 packet shown
FW(config)#

Re: Web Application Server

MHM Cisco World — Fri, 26 Apr 2024 22:32:23 GMT

You use IP or FQDN of server when you test?

MHM

Re: Web Application Server

MHM Cisco World — Sat, 27 Apr 2024 00:05:58 GMT

Check your DNS server

MHM

Re: Web Application Server

dissai — Sat, 27 Apr 2024 06:08:17 GMT

Hi MHM,

I used Server IP.

Tell me on Cisco version 9.8. The nat rule work when using object-group or network-group.I think is the area I'm facing issues.

Re: Web Application Server

MHM Cisco World — Sat, 27 Apr 2024 06:44:38 GMT

yes that can be but we must check traffic point by point

NOW

capture CAP1 interface OUT match ip host <the ip of PC you use for test>

Do this capture one time using ping

other using access to web server

Share result here

Thanks for waiting

MHM

Re: Web Application Server

dissai — Sat, 27 Apr 2024 15:30:07 GMT

Hi MHM,

Here is the ouput

capture CAP1 type raw-data interface outside [Capturing - 0 bytes]
match ip host x.x.x.x host 200.100.1.70
capture asp-drop type asp-drop acl-drop [Buffer Full - 524276 bytes]
capture CAP2 type raw-data interface DMZ [Capturing - 0 bytes]

Re: Web Application Server

MHM Cisco World — Sat, 27 Apr 2024 15:33:45 GMT

this is your topolgy
you want to access ServerPriv from the UserPublic?

MHM

Re: Web Application Server

dissai — Sat, 27 Apr 2024 16:13:36 GMT

Yes MHM.

I want to access the ServerPriv from UserPublic using Translated IP.