topic Are you using the IP or a URL in Network Security

ASA 5510 Public Server Problem

ECCsimmons — Tue, 12 Mar 2019 07:42:35 GMT

I have been tasked with some ASA configuration coming in a few weeks, and to test out some configuration options I have setup a web server on my local network which I would like to be able to access from via WAN with one of our static IP that ISP has given us.

Info:

ASA: 8.2

ASM: 6.2

Static Block from ISP: xx.152.125.240/29

Default Gateway (Static route to): xx.152.125.241

Ethernet 0/0 (outside) - WAN - xx.152.125.243 255.255.255.248

Ethernet 0/3 (inside) - LAN - 10.255.170.1 255.255.255.0

Attempt:

I first attempted to setup the NAT & ACL rules manually, without luck. So I deleted those and simply used the "Public Servers" feature setup like so:

Private Interface: inside

Private IP Address: 10.255.170.4

Service: tcp/8080, tcp/http, tcp/https

Public Interface: outside

Public IP Address: xx.152.125.244

This created the same exact rules I had setup manually the first time that hadn't worked, so I had little faith. Little to my surprise I could not hit the server via a browser. All other network functionality works great, and internally I can hit 10.255.170.4 server from a browser on a LAN workstation.

Troubleshooting:

I usually work via ASDM because I'm just starting to dig through the CLI references. I however dropped into CLI to perform the packet trace:

# packet-tracer input outside tcp 1.2.3.4 8080 xx.152.125.244 8080

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
nat-control
match ip inside host 10.255.170.4 outside any
static translation to xx.152.125.244
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate xx.152.125.244/0 to 10.255.170.4/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from_wan in interface outside
access-list from_wan extended permit tcp any host xx.152.125.244 object-group DM_INLINE_TCP_0
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
port-object eq 8080
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
nat-control
match ip inside host 10.255.170.4 outside any
static translation to xx.152.125.244
translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
nat-control
match ip inside host 10.255.170.4 outside any
static translation to xx.152.125.244
translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 350070, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Question:

So given that the packet is not dropped, why would I not be able to hit the server via a browser to the public IP (xx.152.125.244:8080)? I feel like I'm missing something very simple but can't put my finger on it.

Any assistance is much appreciated!

Thanks.

Where are you testing from?

Marius Gunnerud — Thu, 05 May 2016 10:22:39 GMT

Where are you testing from? Are you testing from the local network and trying to go to the public IP or are you originating traffic from the WAN / Internet?

Looks like the traffic is being matched on a VPN tunnel. Are the relevant IPs allowed through the tunnel (encryption domain)?

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Trying to hit the public IP that the ASA expects to see on the outside interface from the inside LAN will never work.

If you are testing from the outside then possible issues could be that the Server is not listening on port 8080, or there is a routing issue on the server sending traffic to the wrong default gateway.

Please remember to select a correct answer and rate helpful posts

I was testing both on-site

ECCsimmons — Thu, 05 May 2016 13:34:59 GMT

I was testing both on-site with the private IP, and offsite with the public IP. I overlooked the VPN in there, thanks for that. I've since made changes to disable VPN as we no longer use it, and it's no longer a factor in the packet tracer.

Still no headway though, I do know the server is listening on 8080 as it responds when I hit it with the private IP on the LAN. The server's default gateway is 10.255.170.1(inside interface), and the outside default gateway is the normal xx.152.125.241.

Here's the running-config.. any other info I can provide just let me know.

: Saved
:
ASA Version 8.2(1) 
!
names
name 10.255.170.0 XXXX_net
name xx.152.125.243 XXXX_wan description WAN
dns-guard
!
interface Ethernet0/0
 description ISP/WAN
 nameif outside
 security-level 0
 ip address XXXX_wan 255.255.255.248 
!
interface Ethernet0/3
 description LAN
 nameif inside
 security-level 100
 ip address 10.255.170.1 255.255.255.0 
!
interface Management0/0
 description Management Interface
 shutdown
 nameif MGMT
 security-level 0
 ip address 172.16.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup MGMT
dns server-group DefaultDNS
 domain-name XXXX.office
same-security-traffic permit inter-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group network bomgar-subnet
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object tcp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_SERVICE_2
 service-object ip 
 service-object icmp 
 service-object tcp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_TCP_0 tcp
 port-object eq 8080
 port-object eq www
 port-object eq https
access-list from_lan extended permit ip any any 
access-list from_lan extended permit gre any any 
access-list from_lan extended permit icmp any any 
access-list wan_xmit extended permit ip any any 
access-list from_wan extended permit tcp any host xx.152.125.244 object-group DM_INLINE_TCP_0 
access-list from_wan extended permit icmp any any 
access-list from_wan extended permit udp any any eq isakmp 
access-list from_wan extended permit tcp any any object-group DM_INLINE_TCP_1 
access-list from_wan extended permit object-group DM_INLINE_SERVICE_1 any interface outside inactive 
access-list from_wan extended permit object-group DM_INLINE_SERVICE_2 any xx.152.125.240 255.255.255.248 inactive 
access-list inside_nat0_outbound extended permit ip XXXX_net 255.255.255.0 XXXX_other_net 255.255.255.0 
access-list inside_nat0_outbound extended permit ip XXXX_net 255.255.255.0 10.255.170.240 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 10.255.170.240 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 10.255.170.192 255.255.255.192 
access-list inside_nat0_outbound extended permit ip any 10.255.170.208 255.255.255.248 
access-list XXXX-RA_splitTunnelAcl standard permit XXXX_net 255.255.255.0 
access-list outside_nat0_outbound extended permit ip host XXXX_wan XXXX_net 255.255.255.0 
access-list VPN_RA_splitTunnelAcl standard permit XXXX_net 255.255.255.0 
access-list Bomgar extended permit object-group DM_INLINE_PROTOCOL_1 any host 10.255.170.169 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu MGMT 1500
ip local pool RA-IP-Pool 10.255.170.240-10.255.170.250 mask 255.255.255.0
ip local pool NEW-POOL 10.255.170.220-10.255.170.230 mask 255.255.255.0
ip local pool WIN-POOL 10.255.170.210-10.255.170.215 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outboundF
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 XXXX_net 255.255.255.0
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255 
access-group from_wan in interface outside
access-group wan_xmit out interface outside
access-group from_lan in interface inside
route outside 0.0.0.0 0.0.0.0 xx.152.125.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
http server enable
http XXXX_other_net 255.255.255.0 inside
http XXXX_net 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 200
crypto isakmp ipsec-over-tcp port 10000 
telnet timeout 5
ssh XXXX_net 255.255.255.0 inside
ssh XXXX_other_net 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 MGMT
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc 
 
[usernames-ommited]

tunnel-group DefaultRAGroup general-attributes
 address-pool RA-IP-Pool
 address-pool NEW-POOL
 address-pool WIN-POOL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
 inspect ftp 
 inspect h323 h225 
 inspect h323 ras 
 inspect netbios 
 inspect rsh 
 inspect rtsp 
 inspect skinny 
 inspect esmtp 
 inspect sqlnet 
 inspect sunrpc 
 inspect tftp 
 inspect sip 
 inspect xdmcp 
 inspect pptp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:2a15a897244d95160b7f34f2b8a1c8f6
: end

if you issue the command show

Marius Gunnerud — Thu, 05 May 2016 13:58:42 GMT

if you issue the command show nat do you see any hits on your static NAT? Also check your show xlate output to make sure the nat is correct.

you could also do a packet capture to see if there is traffic in both directions or just one.

capture capin interface inside match tcp host <server private IP> any

capture capout interface outside match tcp any host <server public IP>

show cap capin

show cap capout

Also, I would suggest removing nat-control. Any reason why you have the following configured?

access-list wan_xmit extended permit ip any any

access-group wan_xmit out interface outside

Please remember to select a correct answer and rate helpful posts

I will look into your

ECCsimmons — Thu, 05 May 2016 14:14:00 GMT

I will look into your suggestions, as for the configuration, this setup was installed and maintained by a prior employee. They had VPN and a couple other wacky things going on at that time, and we've since simplified our network and don't need anything special anymore. I just haven't had a chance to go through and eliminate the unnecessary configuration settings yet.

It's strange, I'm not seeing

ECCsimmons — Thu, 05 May 2016 14:40:31 GMT

It's strange, I'm not seeing anything from the captures. 0 packets on both.

show nat

- no hits

show xlate

- Global 66.152.125.244 Local 10.255.170.4

Can you clarify why I would want to disable nat-control? I wouldn't think that this would hurt given we have the static NAT rule for the inside IP?

Some other information:

We have a dell powerconnect switch between the ASA and the WAN. The powerconnect has two VLANs, one for LAN, and one for WAN. The ASA outside interface is connected to the WAN VLAN, and then the inside interfaces feeds back into LAN VLAN. If I move the server I'm trying to NAT to the dell WAN VLAN, instead of the internal LAN, and assign it the public IP, it works as expected. So I know the traffic is coming in and hitting that WAN VLAN & thus the outside interface of the ASA.

Are you using the IP or a URL

Marius Gunnerud — Thu, 05 May 2016 15:02:43 GMT

Are you using the IP or a URL when accessing the server from outside? I think there might be some stale xlate entries that are getting in the way here. Try clearing the xlate table and perhaps even the connections

clear xlate local 10.255.170.4

clear xlate global 66.152.125.244

clear conn

If this is still not working I suggest doing a reload of the ASA.

I suggested removing nat-control as it no longer used in newer versions and really doesn't add that much more security.

Please remember to select a correct answer and rate helpful posts

Had tried both URL and IP.

ECCsimmons — Thu, 05 May 2016 15:25:13 GMT

Had tried both URL and IP. Still no traffic. Cleared everything, no luck.

Reloading the ASA is going to be a last ditch effort, I'd prefer to track down what's causing the issue if for nothing other than an educational experience with this device.

Have you checked that proxy

Marius Gunnerud — Thu, 05 May 2016 15:32:46 GMT

Have you checked that proxy arp is enabled on the outside interface?

show run all | in sysopt

If it is enabled then I again suggest a reload. The problem could be that some sub processes are hanging and causing the issue.

Please remember to select a correct answer and rate helpful posts

show run all | in sysopt:

ECCsimmons — Thu, 05 May 2016 15:41:44 GMT

show run all | in sysopt:

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp FLTG
no sysopt noproxyarp inside
no sysopt noproxyarp MGMT

Little confused on the double negative here. "no" sysopt "no"proxyarp outside would logically suggest it is enabled?

Yes the no for of that

Marius Gunnerud — Thu, 05 May 2016 16:01:09 GMT

Yes the no for of that command means it is enabled.

You could also try to remove the NAT statement, Then clear xlate and then re-add the commands.

Please remember to select a correct answer and rate helpful posts

So the issue turned out to be

ECCsimmons — Tue, 10 May 2016 16:15:54 GMT

So the issue turned out to be ISP's fault. They made some changes to a piece of hardware and the routing for our static block got screwed up. Now everything is working as it should. Thanks for the assistance, and apologies for any wasted time!