topic Unfortunately packet tracer in Network Security

SSL HTTPS connection from "outside" interface

robbo79871 — Tue, 12 Mar 2019 07:06:52 GMT

Hi, i'm trying to establish a HTTPS connection to my ASA from another "site" in packet tracer. I can ping across the sites and into the "inside" network of the other site but cannot HTTPS into the ASA or the web server itself also. Here is the config for the ASA that i want to HTTPS into:

hostname ASA2

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 30

interface Ethernet0/2

switchport access vlan 30

interface Ethernet0/3

switchport access vlan 30

interface Vlan2

nameif outside

security-level 0

ip address 172.16.30.2 255.255.255.0

interface Vlan30

nameif inside

security-level 100

ip address 10.30.0.1 255.255.255.0

webvpn

enable outside

enable inside

object network asa_inside_address

subnet 10.30.0.1 255.255.255.255

object network inside_network

subnet 10.30.0.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 172.16.30.1 1 <<<<<This is just to the router on the edge for the frame relay, everything works as far as connectivity goes anyway

access-list website_outside extended permit tcp any object asa_inside_address eq 443

access-list website_outside extended permit icmp any object asa_inside_address

access-list website_outside extended permit icmp any object inside_network

access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0

access-group website_outside in interface outside

group-policy webvpn internal

group-policy webvpn attributes

vpn-tunnel-protocol ssl-clientless

webvpn

url-list value test1

username bob password 4IncP7vTjpaba2aF encrypted

username bob attributes

vpn-group-policy webvpn

class-map inspect

match default-inspection-traffic

class-map test

class-map ssh

policy-map global

class inspect

inspect icmp

class test

service-policy global global

tunnel-group webvpn type remote-access

tunnel-group webvpn general-attributes

default-group-policy webvpn

And here is the config for the ASA on the other "site" with the PC behind it that i'm using HTTPS on:

hostname ASA1

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 20

interface Ethernet0/2

switchport access vlan 20

interface Vlan2

nameif outside

security-level 0

ip address 172.16.20.2 255.255.255.0

interface Vlan20

nameif inside

security-level 100

ip address 10.20.0.1 255.255.255.0

webvpn

enable

route outside 0.0.0.0 0.0.0.0 172.16.20.1 1

access-list test extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0

access-group test in interface outside

class-map inspect

match default-inspection-traffic

policy-map global

class inspect

inspect icmp

service-policy global global

I would just like to point out that the HTTPS works on "ASA2" because I've tested it on the inside interface from a PC there and it all works. Its just connections from the "outside" that do not work

Hi Rob,

gaowen — Wed, 06 Jan 2016 18:27:39 GMT

Hi Rob,

your ACL on the first box will need:

access-list website_outside line 1 extended permit tcp any object inside_network eq 443

access-list website_outside line 1 extended permit tcp any host 172.16.30.2 eq 443

I think I'm right in saying you are tring to HTTPS to that outside interface address 172.16.30.2 and also through the box to the internal network object inside_network

Gareth

Hi

robbo79871 — Thu, 07 Jan 2016 10:03:44 GMT

Thank you very much that worked perfectly.

Would the same kind of concept be applied to other examples such trying to SSH to the edge router and the edge router connecting to a radius server on the inside network? Would the ports or ACL need to enable a UDP connection on the OUTSIDE interface to and not just the inside one?

Many thanks

Hi Rob,

gaowen — Thu, 07 Jan 2016 10:10:04 GMT

Hi Rob,

yes for the SSH but no for the RADIUS, as RADIUS is initiated by the firewall itself (using relevant interface IP address).

If you had an outbound ACL on the inside interface then you'd need to let it through that. But you don't have one and it's best to keep it that way 😛

Gareth

Yeah i didnt see the point in

robbo79871 — Thu, 07 Jan 2016 10:21:47 GMT

Yeah i didnt see the point in an ACL for outbound traffic on the inside. I did have this ACL though:

access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0

I thought that would enable the router to send the UDP radius traffic through the ASA to the appropriate address on the INSIDE interface.

It doesn't work though, it just comes up Login Invalid from PC's on the INSIDE as well, I'm not even talking about the OUTSIDE yet.

Would you have any suggestions on that?

Thanks again

Tried these 2 then and no luck

ASA2(config)#access-list website_outside extended permit udp any host 172.16.30.2 eq 1645

ASA2(config)#access-list website_outside extended permit udp any host 172.16.30.2

do you mean firewall?

gaowen — Thu, 07 Jan 2016 10:43:19 GMT

do you mean firewall?

where is the RADIUS client and where is the server and what's their IP addresses?

The client PC is on the

robbo79871 — Thu, 07 Jan 2016 11:05:41 GMT

The client PC is on the INSIDE network and so is the AAA Radius server. The router that i want to SSH to is on the OUTSIDE interface.

Here is the router config for the radius server

radius-server host 10.30.0.11 auth-port 1645

radius-server key key

The AAA details are:

Client Name R1

Client IP 172.16.30.1

Key key

The client machine would be a 10.30.0.0/24 address.

I can ping the AAA server from the OUTSIDE interface also through part of the ACL's i have set up.

are you doing dot1x? so your

gaowen — Thu, 07 Jan 2016 11:45:48 GMT

are you doing dot1x? so your supplicant, authenticator and authentication server are all on the same LAN? It sounds like you need to figure out what your traffic flows are going to be, it's not an ACL issue

As far as i'm aware, no.

robbo79871 — Thu, 07 Jan 2016 13:18:52 GMT

As far as i'm aware, no. Sorry i'm not as experinced with configuring Radius servers.

So the ACL i have configured "access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0" would be enough for it to work?

The traffic flow would go like this:

Internal PC on the inside interface makes SSH connection

Past the OUTSIDE interface to the Router on the edge

The Router then tries to contact the AAA server on the INSIDE

The AAA server then sends the authentication response back to it

Then the router should send the response back to the INSIDE internal client.

I think I'm right in saying that but I'm not 100% because i haven't done AAA as much.

okay well i'd set up a packet

gaowen — Thu, 07 Jan 2016 13:37:57 GMT

okay well i'd set up a packet capture on the outside interface to check you're getting hits:

cap cap1 circular-buffer interface outside match ip any any

then do your thing with SSH

then

show cap cap1

look for your ssh packets leaving the interface and then your RADIUS packets coming in the other direction slightly after. Based on output from that I'd enable debugging on the router and/or the ACS.

Gareth

Unfortunately packet tracer

robbo79871 — Thu, 07 Jan 2016 16:20:24 GMT

Unfortunately packet tracer doesn't support those types of commands, i would have to move GNS3 to do that.

Any other way or is that really the only main step forward?

Thanks

not sure, not familiar with

gaowen — Thu, 07 Jan 2016 17:20:16 GMT

not sure, not familiar with the product. I'd move to GNS3 anyway it's worth the investment in time.