topic Thank you!! It works fine now in Network Security

ACL problem on ASA-5505

sergioloporto — Tue, 12 Mar 2019 07:46:53 GMT

Hello, I have a device that needs to be reached from outside on port 443.

I am trying to redirect all the requests that come from outside on port 443, to 192.168.1.25 on port 443.

I configured it in ASDM, however I see this in the logs:

4 May 22 2016 16:42:32 106023 x.x.x.x 50278 192.168.1.25 443 Deny tcp src outside:x.x.x.x/50278 dst inside:192.168.1.25/443 by access-group "outside_access_in_1" [0x0, 0x0]

(x.x.x.x) is an external public IP of a port checker

In ACL manager I have a rule that says:

2 True outside 192.168.1.25 Port443 Permit Default

Can anybody help?

Please post the output of the

Karsten Iwen — Sun, 22 May 2016 18:30:09 GMT

Please post the output of the following command (just insert the public IP that you use in your NAT):

packet-tracer input outside tcp 1.2.3.4 1234 YOUR_PUBLIC_IP_FOR_THE_SERVER 443

Here it is:

sergioloporto — Sun, 22 May 2016 19:53:25 GMT

Here it is:

Result of the command: "packet-tracer input outside tcp 1.2.3.4 1234 8x.x.x.x 443"

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.0.1, outside

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

It doesn't match your NAT

Karsten Iwen — Mon, 23 May 2016 04:47:13 GMT

It doesn't match your NAT-rule. Please check them or post the output of "show run nat".

Here it is:

sergioloporto — Mon, 23 May 2016 07:56:25 GMT

Here it is:

Result of the command: "show run nat"

!
object network obj_any
 nat (inside,outside) dynamic interface
object network SSH_2222_Device
 nat (inside,outside) static interface service tcp 2222 2222 
object network 443_Device
 nat (inside,outside) static interface service tcp https https

The strange thing is that the port 2222 forwarding works fine. If I check with a port scanner from the internet it says that 2222 is open

But 443 is open only if I test it within the LAN, not from the internet.

Check the object "443_Device"

Karsten Iwen — Mon, 23 May 2016 17:22:48 GMT

Check the object "443_Device". It shoud be the following:

object network 443_Device
 host 192.168.1.25

It looks like it is there as

sergioloporto — Mon, 23 May 2016 17:30:34 GMT

It looks like it is there as you said:

ASA Version 9.2(3)4 
!
hostname MYHOSTNAME
enable password MYPASS encrypted
passwd MYPASSSS encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
boot system disk0:/asa923-4-k8.bin
ftp mode passive
clock timezone Rome 1
clock summer-time Rome recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network SSH_2222_Device
 host 192.168.1.25
 description Device
object service port_100
 service tcp destination eq 100 
object service port_443
 service tcp destination eq https 
object network 443_Device
 host 192.168.1.25
object-group service Port2222 tcp
 port-object eq 2222
object-group service Port3333 tcp
 port-object eq 3333
object-group service Port443 tcp
 group-object Port3333
access-list outside_access_in_1 extended permit tcp any object SSH_2222_Device object-group Port2222 
access-list outside_access_in_1 extended permit tcp interface outside object 443_Device object-group Port443 
pager lines 24
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-741.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network SSH_2222_Device
 nat (inside,outside) static interface service tcp 2222 2222 
object network 443_Device
 nat (inside,outside) static interface service tcp https https 
access-group outside_access_in_1 in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.1.26,CN=MYasa
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca XXXXXXXXXXXXXXXX
 quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate XXXXXXXXXXXXX
 quit
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcprelay server 192.168.1.1 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
username MYNAME password MYPASSSS encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
 inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
Cryptochecksum:c34e38e523b98e9ssc40026424e15801
: end

There are two things going

Karsten Iwen — Mon, 23 May 2016 18:20:52 GMT

There are two things going wrong in your config:

object-group service Port443 tcp
 group-object Port3333

You are referencing the object Port3333 instead of using a "port-object eq 443".

access-list outside_access_in_1 extended permit tcp interface outside object 443_Device object-group Port443

Here you specify a source of the interface which has to be "any":

access-list outside_access_in_1 extended permit tcp any object 443_Device object-group Port443

Thank you!! It works fine now

sergioloporto — Mon, 23 May 2016 18:37:23 GMT

Thank you!! It works fine now.

What if I want to change the mapping. For example:

People will be able to reach the Device which is configured with port 443, but they should reach it to 888 for example.

http://mypublicIP:888 will drive all the traffic to 443_Device on Port 443.

What should I change if I want to have this?

object network 443_Raspberry_Pi
 nat (inside,outside) static interface service tcp https 888

Would be enough?

object network 443_Raspberry

Karsten Iwen — Mon, 23 May 2016 18:55:09 GMT

object network 443_Raspberry_Pi
 nat (inside,outside) static interface service tcp https 888

yes, that's all that has to be done. The ACL stays the same as there the real port/IP on the server is used, which is already allowed.