topic ACL denying traffic on object NAT in Network Security

ACL denying traffic on object NAT

tim829 — Tue, 12 Mar 2019 07:29:11 GMT

I've followed the below guide for setting up a Static PAT using a spare IP so I can keep the WebVPN on the default outside interface using 80/443.

Here is what it looks like from my config. The default WAN interface is XXX.XXX.210.131

object network Web-Server
host 172.17.1.14

object network Web-Server
nat (inside,outside) static XXX.XXX.210.137 service tcp www www

I've also added the following to the access list: access-list outside_access_in extended permit object http any object Web_Server

Running "show nat" and "show access-list outside_access_in" gives me the following:

4 (inside) to (outside) source static Web-Server XXX.XXX.210.137 service tcp www www
translate_hits = 0, untranslate_hits = 17

access-list outside_access_in line 8 extended permit object http any object Web-Server (hitcnt=0) 0x49a6c1e3
access-list outside_access_in line 8 extended permit tcp any eq www host 172.17.1.14 eq www (hitcnt=0) 0x49a6c1e3

I checked the log and I'm seeing this.

Mar 14 2016

18:30:03

106023

70.210.3.15

5421

172.17.1.14

Deny tcp src outside:70.210.3.15/5421 dst inside:172.17.1.14/80 by access-group "outside_access_in" [0x0, 0x0]

I'm sure I'm missing something simple and I've tried several different things but I continue to get the following error in the log regardless of what I try.

Thanks

Hi,

Akshay Rastogi — Mon, 14 Mar 2016 18:51:21 GMT

Hi,

From the log, it looks like that you are trying to access the real (private ip 172.17.1.14 from Outside, not the mapped one XXX.XXX.210.137). That is the reason you are getting this log.

- access Public IP(mapped one) from your outside host.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Correct, but if you look at

tim829 — Mon, 14 Mar 2016 19:03:22 GMT

Correct, but if you look at the NAT above it looks right according to the documentation I was following. Are you suggesting I need to change the ACL, not that NAT?

Hi,

Akshay Rastogi — Mon, 14 Mar 2016 19:09:34 GMT

Hi,

I am not sure what you have specified in that object 'http' however you could create this simple access-list and remove those you have created:

access-list outside_access_in extended permit tcp any object Web_Server eq http

Also access 'XXX.XXX.210.137' instead of 172.17.1.14 from 70.210.3.15

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Ok, so what I did was reverse

tim829 — Mon, 14 Mar 2016 19:10:03 GMT

Ok, so what I did was reverse the NAT and now I see this in the log.

I did go in and add the .210.137 IP to the ACL "outside_access_in" as well.

Mar 14 2016

19:09:24

106023

70.210.3.15

5428

165.166.210.137

Deny tcp src outside:70.210.3.15/5428 dst outside:XXX.XXX.210.137/80 by access-group "outside_access_in" [0x0, 0x0]

Hi Tim,

Aditya Ganjoo — Mon, 14 Mar 2016 19:18:05 GMT

Hi Tim,

Seems an ACL issue.

You just need the following ACL statement:

access-list outside_access_in line 8 extended permit tcp any host 172.17.1.14 eq www

Seems you may have used ASDM for configuring it.

Regards,

Aditya

Please rate helpful posts

I removed the other ACL and

tim829 — Mon, 14 Mar 2016 19:22:44 GMT

I removed the other ACL and added the one you advised above.

Still getting this in the log. I've tried about everything I can think of.

Mar 14 2016

19:22:01

106023

70.210.3.15

5423

XXX.XXX.210.137

Deny tcp src outside:70.210.3.15/5423 dst outside:XXX.XXX.210.137/80 by access-group "outside_access_in" [0x0, 0x0]

Hi Tim,

Aditya Ganjoo — Mon, 14 Mar 2016 19:25:05 GMT

Hi Tim,

Share the packet tracer result:

packet-tracer input outside tcp 70.210.3.15 5423 XXX.XXX.210.137 80 detailed

Regards,

Aditya

Alright I got it working. I

tim829 — Mon, 14 Mar 2016 19:30:55 GMT

Alright I got it working. I removed the object based NAT rule and added a static NAT instead. Here is the NAT I added..

nat (outside,inside) source static any any destination static XXX.XXX.210.137 172.17.1.14

I left the ACL the way I had it, just allowing port 80 traffic to 172.17.1.14

Any explanation why this worked but the other didn't?

Hi Tim,

Aditya Ganjoo — Mon, 14 Mar 2016 19:33:28 GMT

Hi Tim,

As already suggested a packet-tracer would have answered this query.

And the traffic was denied by access-group and not the NAT statement.

Regards,

Aditya

please rate helpful posts.

Hi Tim,

Akshay Rastogi — Mon, 14 Mar 2016 19:34:40 GMT

Hi Tim,

The other one also should work, i guess there is some overlapping nat statement which might be stopping this. Please share the output of 'show run nat'

Also the output of packet-tracer as requested by Aditya.

Regards,

Akshay Rastogi

gwdcity-asa# packet-tracer

tim829 — Mon, 14 Mar 2016 19:49:55 GMT

gwdcity-asa# packet-tracer input outside tcp 70.210.3.15 5423 XXX.XXX.210.137 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad59526c0, priority=1, domain=permit, deny=false
hits=270969751, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static any any destination static XXX.XXX.210.137 IRSA_Server description IRSA / Web Server NAT / Port 80
Additional Information:
NAT divert to egress interface inside
Untranslate XXX.XXX.210.137/80 to 172.17.1.14/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object IRSA_Server eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad5b37450, priority=13, domain=permit, deny=false
hits=14, user_data=0x2aaacdbe8480, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=172.17.1.14, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static any any destination static XXX.XXX.210.137 IRSA_Server description IRSA / Web Server NAT / Port 80
Additional Information:
Static translate 70.210.3.15/5423 to 70.210.3.15/5423
Forward Flow based lookup yields rule:
in id=0x2aaad61d7f00, priority=6, domain=nat, deny=false
hits=32, user_data=0x2aaad8d93e90, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=XXX.XXX.210.137, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad4f3f910, priority=0, domain=nat-per-session, deny=false
hits=3139292, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad595ab80, priority=0, domain=inspect-ip-options, deny=true
hits=2630246, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaad62363d0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=224422, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static any any destination static XXX.XXX.210.137 IRSA_Server description IRSA / Web Server NAT / Port 80
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaad8d81bb0, priority=6, domain=nat-reverse, deny=false
hits=33, user_data=0x2aaad68cc450, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=172.17.1.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaad4f3f910, priority=0, domain=nat-per-session, deny=false
hits=3139294, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaad5aee060, priority=0, domain=inspect-ip-options, deny=true
hits=2686070, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2636781, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.15.65.0_24 NETWORK_OBJ_10.15.65.0_24 no-proxy-arp route-lookup description *DO NOT DELETE* NAT for AnyConnect VPN
translate_hits = 0, untranslate_hits = 0
2 (outside) to (inside) source static any any destination static XXX.XXX.210.137 IRSA_Server description IRSA / Web Server NAT / Port 80
translate_hits = 23, untranslate_hits = 35

Auto NAT Policies (Section 2)
1 (any) to (outside) source static Danny_Mac interface service tcp 8080 8080
translate_hits = 0, untranslate_hits = 90
2 (any) to (outside) source static Camera-Fountain interface service tcp www 9081
translate_hits = 0, untranslate_hits = 20
3 (any) to (outside) source static Camera-Oak-Main interface service tcp www 9082
translate_hits = 0, untranslate_hits = 21
4 (any) to (outside) source static City-ComServer interface service udp 5008 5008
translate_hits = 25, untranslate_hits = 490
5 (any) to (outside) source static County-ComServer interface service udp 5008 5009
translate_hits = 44, untranslate_hits = 556
6 (any) to (outside) source static Piler interface service tcp smtp smtp
translate_hits = 0, untranslate_hits = 1171
7 (any) to (outside) source static HVAC_IP interface service tcp www 88
translate_hits = 0, untranslate_hits = 22
8 (any) to (outside) source dynamic obj_any interface
translate_hits = 2403513, untranslate_hits = 49162

Hi,

Akshay Rastogi — Mon, 14 Mar 2016 20:06:16 GMT

Hi,

Can you once again try to remove this manual nat and add the below one:

Object net IRSA_Server

nat (inside,outside) static <mapped-ip> service tcp 80 80

If this mapped ip is the outside interface ip then use 'interface' keyword instead of the mapped ip.

Regards,

Akshay Rastogi

I removed the static/manual

tim829 — Mon, 14 Mar 2016 20:13:35 GMT

I removed the static/manual NAT and added back in the object NAT provided above and it's working. Not sure what happened because I believe we had already tried that one. However it's working so I'm content, thanks.