topic Randy, there is an ACL in Network Security

Cisco ASA 5520 NAT ACL issues across a EZVPN

Adam Hudson — Tue, 12 Mar 2019 07:13:30 GMT

I have an EZVPN running between two locations, Location A has a 5520 and is the EZVPN server, Location B has a 5506 and is a EZVPN client. Currently I'm trying to set NAT and ACL(s) so that hosts on the Location B inside network can access a few servers in Location A's DMZ. Below are my packet traces from both locations. Attached are sanitized configs from both locations.

LocationA-Firewall# packet-tracer input dmz tcp <DMZ servers IP> 443 <Location B inside ip> 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   <Location B inside ip>        255.255.255.0   outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dmz,outside) source static DMZ_Servers DMZ_Servers destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate <Location B inside ip>/443 to <Location B inside ip>/443

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

==========================================================

LocationB-Firewall# packet-tracer input inside tcp <Location B inside ip> 443 <Location A DMZ server ip> 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <internet next hop> using egress ifc outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate <Location A DMZ server ip>/443 to <Location A DMZ server ip>/443

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OWL_inside in interface inside
access-list OWL_inside extended permit ip any4 any4
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
Additional Information:
Static translate <Location B inside ip>/443 to <Location B inside ip>/443

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: aaa-user
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 568767, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Any help is appreciated.

Hi Adam,

rvarelac — Tue, 02 Feb 2016 01:35:07 GMT

Hi Adam,

Is there any ACL applied on the DMZ? You should allow the source and destination traffic on it. Also if the DMZ and Outside interface have the same security level, you should add the command "same-security-traffic permit inter-interface"

An ASP capture might provide more information about this drop as well.

Hope it helps

-Randy-

Randy, there is an ACL

Adam Hudson — Tue, 02 Feb 2016 13:59:56 GMT

Randy, there is an ACL applied to that interface "dmz_access_in" and I have the following line inserted at the top:

access-list dmz_access_in extended permit tcp object (location B)-remote_network object-group DMZ_Servers eq https

But this didn't solve the issue or even change the results of my packet trace.

Randy, after setting up an

Adam Hudson — Tue, 02 Feb 2016 15:15:24 GMT

Randy, after setting up an ASP capture and running packet traces and pings across the two locations. Combing through the capture results I didn't see anything related to my two endpoints pop up. Also, the DMZ and Outside do not have the same security levels.

Adding: nat (dmz,outside)

Adam Hudson — Tue, 02 Feb 2016 15:46:31 GMT

Adding: nat (dmz,outside) source static DMZ_Servers DMZ_Servers destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup didn't help either.

Adding: access-list outside

Adam Hudson — Tue, 02 Feb 2016 16:09:58 GMT

Adding: access-list outside_access_in extended permit tcp object (location B)-remote_network object-group DMZ_Servers eq https didn't work either.

Hi Adam,

rvarelac — Tue, 02 Feb 2016 18:36:36 GMT

Hi Adam,

Can you please run a packet-tracer detailed , example:

packet-tracer input dmz tcp <DMZ servers IP> 443 <Location B inside ip> 443 detailed

Also can you please attach sanitized configuration with the ACLs configs.

Cheers,

-Randy-

Here's the packet-tracer

Adam Hudson — Tue, 02 Feb 2016 18:58:23 GMT

Here's the packet-tracer results:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   <Location B inside ip> 255.255.255.0   outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dmz,outside) source static DMZ_Servers DMZ_Servers destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate <Location B inside ip>/443 to <Location B inside ip>/443

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73cb5f60, priority=11, domain=permit, deny=true
   hits=343658, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
   src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
   dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
   input_ifc=dmz, output_ifc=any

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I tried adding the DMZ to my

Adam Hudson — Tue, 02 Feb 2016 20:54:52 GMT

I tried adding the DMZ to my split tunnel list for the EZVPN thinking that might work with this command:

access-list ezvpn_split extended permit tcp object-group DMZ_Servers object (location B)-remote_network

It didn't help.

Randy, is there something

Adam Hudson — Wed, 03 Feb 2016 15:12:34 GMT

Randy, is there something specifically you're looking for in the ACLs? Besides the lines I've included on my posts there's nothing in the ACLs pertaining to the ezvpn network.

Here's what I see in my

Adam Hudson — Thu, 04 Feb 2016 16:04:49 GMT

Here's what I see in my logging after running packet traces in both directions:

Location A
Feb 4 10:05:08 10.255.1.1 %ASA-5-111008: User 'enable_15' executed the 'packet-tracer input dmz tcp <DMZ Server IP> 443 <Location B Inside IP> 443' command.
Feb 4 10:05:08 10.255.1.1 %ASA-5-111010: User 'enable_15', running 'CLI' from IP x.x.x.x, executed 'packet-tracer input dmz tcp <DMZ Server IP> 443 <Location B Inside IP> 443'

Location B
Feb 4 08:50:30 <Location B Inside IP> %ASA-5-111008: User 'enable_15' executed the 'packet-tracer input inside tcp <Location B Inside IP> 443 <DMZ Server IP> 443' command.
Feb 4 08:50:30 <Location B Inside IP> %ASA-5-111010: User 'enable_15', running 'CLI' from IP x.x.x.x, executed 'packet-tracer input inside tcp <Location B Inside IP> 443 <DMZ Server IP> 443'
Feb 4 08:51:15 <Location B Inside IP> %ASA-7-609001: Built local-host outside:<DMZ Server IP>
Feb 4 08:51:15 <Location B Inside IP> %ASA-6-302013: Built outbound TCP connection 936480 for outside:<DMZ Server IP>/443 (<DMZ Server IP>/443) to inside:<Location B Inside IP>45/50378 (<Location B Inside IP>45/50378)
Feb 4 08:51:45 <Location B Inside IP> %ASA-6-302014: Teardown TCP connection 936480 for outside:<DMZ Server IP>/443 to inside:<Location B Inside IP>45/50378 duration 0:00:30 bytes 0 SYN Timeout
Feb 4 08:51:45 <Location B Inside IP> %ASA-7-609002: Teardown local-host outside:<DMZ Server IP> duration 0:00:30

Both locations have the following logging options turned on:

logging enable
logging timestamp
logging standby
logging buffer-size 1048576
logging console emergencies
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm notifications
logging facility 23
logging host inside <syslog server IP>

Attached are updated configs

Adam Hudson — Thu, 04 Feb 2016 20:05:09 GMT

Attached are updated configs with access groups applied to interfaces and ACL entries.

Here's the solution (why

Adam Hudson — Mon, 08 Feb 2016 16:08:22 GMT

Here's the solution (why Cisco doesn't let you mark your own answers is beyond me) after a lot of pounding my head against this problem: 1) Take out the nat statements at Location B since they interfere with the VPN tunnel:

    nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Location_A_Networks Location_A_Networks no-proxy-arp route-lookup
    nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup

2) Keep the DMZ statement in the split tunnel ACL:

    access-list ezvpn_split extended permit tcp object-group DMZ_Servers object (location B)-remote_network

3) I had the access list entry switch around for no good reason. It was this:

    access-list dmz_access_in extended permit tcp object (location B)-remote_network object-group DMZ_Servers eq https

when it should have been this:

    access-list dmz_access_in extended permit tcp object-group DMZ_Servers object (location B)-remote_network eq https