topic Sorry. After everything I did in Network Security

unable to public server

Kayson Daley — Tue, 12 Mar 2019 08:49:49 GMT

This is driving me a little crazy so any help would be nice. I am having trouble with public server. I was about to one for smtp and it seem to work, but when I tried doing one for the web server using https and http I am having issues. I am unable to get to the servers after setting them up. I have tried a few different Access Rules and NAT Rules but I just seem able to get this to work. I have a ASA 5506. Attached is my current running config. I am not running a DMZ. I would be glad for any help!

Hi,

Francesco Molino — Wed, 25 Jan 2017 01:43:52 GMT

Hi,

I'm sorry but I don't understand what issue your facing?

I checked your config and you have 2 NAT that seems to be ok.

Thanks

Can you confirm if the issue

Ajay Saini — Wed, 25 Jan 2017 01:48:02 GMT

Can you confirm if the issue is with 20.1.1.37. I see that you have NAT and access rule allowing smtp and https traffic. Please attach packet-tracer output for 20.1.1.37 and port 443 and lets see what ASA is doing with this traffic.

I would also advise to remove the below NAT statement since there is one already in twice nat section. Use of 'any' keyword in NAT statement can sometimes get us unexpected results:

object network obj_any
 nat (any,outside) dynamic interface

In future, it would be best if you can attach some more useful info like related ip address, packet-tracer output etc. It saves time for everyone.

Yeah I removed that one. Well

Kayson Daley — Wed, 25 Jan 2017 05:19:03 GMT

Yeah I removed that one. Well 20.1.1.37 is the ip for the web server. There are two that I am trying to make public the other is 20.1.1.6. the outside ip's are 85.150.14.26 & 29.

Sorry about not given enough info.

Well I setup these public

Kayson Daley — Wed, 25 Jan 2017 05:23:16 GMT

Well I setup these public servers to allow our web servers to make a site accessible off network via ssl https. But I cannot seem to get it to work.

ok, so 20.1.1.6 maps to 85

Ajay Saini — Wed, 25 Jan 2017 11:22:56 GMT

ok, so 20.1.1.6 maps to 85.150.14.26 and 20.1.1.37 maps to 85.150.14.26.

And you need to access these servers from internet over https.

Now, please clarify which one is not working. The config seems to be legit, although it can fine tuned but we can keep it for a later stage once testing is done.

Can you check if the ip addresses you are using is routable if you are using them for the first time. One thing we can do for testing is to create a test nat using outside interface and see if that works:

object network owa-server
 nat (inside,outside) static interface service tcp 443 443

Please test it. If it works, then we will have to check if the public ip address you are using are routable.

As a tshoot step, we can also set up captures on outside interface to see if traffic is arriving for a specific ip address:

cap capo interface outside match ip any host 85.150.14.26

and then initiate traffic on this ip on port 443.

then take output of show cap capo

Can you check if the ip

Farhan Mohamed — Wed, 25 Jan 2017 12:43:33 GMT

object network owa-server

nat (inside,outside) static interface service tcp 443 443

Please test it. If it works, then we will have to check if the public ip address you are using are routable.

As a tshoot step, we can also set up captures on outside interface to see if traffic is arriving for a specific ip address:

cap capo interface outside match ip any host 85.150.14.26

and then initiate traffic on this ip on port 443.

then take output of show cap capo

Hi

Francesco Molino — Wed, 25 Jan 2017 13:32:58 GMT

Did you do the capture?

For the firewall rules, everything is fine but as it has been told, you can make some cleanup and/or tweak rules /NAT already existing

Thanks

Thanks for the help that kind

Kayson Daley — Wed, 25 Jan 2017 16:45:22 GMT

Thanks for the help that kind of lead me to some more testing and I found out that I can access it but just not from inside my network. I have to now figure out what is blocking it from inside. Maybe I need to setup a NAT Loopback?

On your ASA, please do the

Francesco Molino — Wed, 25 Jan 2017 16:58:05 GMT

On your ASA, please do the following packet-tracer and paste the output:

packet-tracer input outside tcp 8.8.8.8 5565 85.150.14.29 443

If it's allowed then the issue isn't coming from ASA but something else internally.

Yeah agreed All are allowed

Kayson Daley — Wed, 25 Jan 2017 17:43:44 GMT

Yeah agreed All are allowed

Sorry. After everything I did

Kayson Daley — Thu, 26 Jan 2017 23:17:31 GMT

Sorry. After everything I did figure out that they are showing up outside the network after testing on my cell phone. The problem is that inside my network I cannot access them.

I have checked the DNS and everything seems fine. I cannot still access it from inside the network. I also cannot ping the outside interface from inside the network. Any ideas?

Also I have turn on our old gateway which the ASA replaced, I setup a PC to use that as the gateway as a test. I am about to get to the sites with no problem. It seems it only happens via the ASA that we cannot access it on the network.

Doing the capture lead me to

Kayson Daley — Thu, 26 Jan 2017 23:19:13 GMT

Doing the capture lead me to test on my cell phone. I am still trying to fine what is stopping it from being accessible from the inside.

Hi

Francesco Molino — Thu, 26 Jan 2017 23:55:19 GMT

Can you tell what tests are you doing? What it isn't accessible?

And please provide packet-tracer logs.

Thanks

Hi

Francesco Molino — Fri, 27 Jan 2017 18:14:56 GMT

We get a private IM for your concern and the answer was:

You won't be able to ping your Outside IP from internal zone and even your NAT Public IP. If you look at your logs (try pinging your nat public IP), you should see a message like Deny IP due to Land Attack from

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question