topic Akshay, Thanks for the reply. in Network Security

Unable to access web server from the outside

alex.vue — Tue, 12 Mar 2019 06:45:02 GMT

All-

I am unable to access my web server from the public. I can access locally if I by pass the FW, I can access as well. Nat and ACLs are in placed. Below is my config;

ASA Version 8.3(2)
!

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.16.1.56 255.255.255.128
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif dmz1
security-level 40
ip address 172.28.10.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 172.28.1.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
subnet 172.28.1.0 255.255.255.0
object network OUTSIDE-172.16
subnet 172.16.1.0 255.255.255.128
object network obj-172.28.10.50
host 172.28.10.50
object network dmz1_network
subnet 172.28.10.0 255.255.255.0
object network obj-172.16.1.50
host 172.16.1.50
access-list acl_outside_in extended permit tcp host 172.28.10.254 host 172.16.1.56 eq ssh
access-list acl_outside_in extended permit tcp any host 172.28.10.50 eq https log
access-list acl_dmz1_in extended permit icmp any host 172.28.10.50
access-list acl_dmz1_in extended permit udp host 172.28.10.50 any eq domain
access-list acl_dmz1_in extended permit ip host 172.28.10.50 any
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 262144
logging console debugging
logging monitor notifications
logging buffered debugging
logging trap debugging
logging history errors
logging asdm informational
logging facility 18
logging queue 8192
mtu inside 1500
mtu outside 1500
mtu dmz1 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static INSIDE INSIDE destination static OUTSIDE-172.16 OUTSIDE-172.16
nat (inside,dmz1) source static INSIDE INSIDE
!
object network INSIDE
nat (inside,outside) dynamic interface
object network Liebert-AC
nat (dmz1,outside) static 172.16.1.50 service tcp https https
object network dmz1_network
nat (dmz1,outside) dynamic interface
access-group acl_outside_in in interface outside
access-group acl_dmz1_in in interface dmz1
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.1.0 255.255.255.128 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5

ssh 172.16.1.0 255.255.255.128 outside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
svc image disk0:/anyconnect-win-3.1.05160-k9.pkg 1
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:09bb35574a1eef1b3ddee51778f73480
: end

PACKET-Tracer:

FW01XXXX# packet-tracer input outside tcp 4.2.2.2 5555 172.16.1.50 443

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-172.28.10.50
nat (dmz1,outside) static 172.16.1.50 service tcp https https
Additional Information:
NAT divert to egress interface dmz1
Untranslate 172.16.1.50/443 to 172.28.10.50/443

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_outside_in in interface outside
access-list acl_outside_in extended permit tcp any host 172.28.10.50 eq https log
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-172.28.10.50
nat (dmz1,outside) static 172.16.1.50 service tcp https https
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8378, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz1
output-status: up
output-line-status: up
Action: allow

Log:

Oct 14 2015 08:33:22: %ASA-6-106100: access-list acl_outside_in permitted tcp outside/x.x.x.x(34522) -> dmz1/172.28.10.50(443) hit-cnt 1 first hit [0x92530be, 0x0]
Oct 14 2015 08:33:22: %ASA-7-609001: Built local-host outside:x.x.x.x
Oct 14 2015 08:33:22: %ASA-6-302013: Built inbound TCP connection 8382 for outside:x.x.x.x/34522 (x.xx.x.x/34522) to dmz1:172.28.10.50/443 (172.16.1.50/443)
Oct 14 2015 08:33:22: %ASA-6-106100: access-list acl_outside_in permitted tcp outside/x.x.x.x(34530) -> dmz1/172.28.10.50(443) hit-cnt 1 first hit [0x92530be, 0x0]
Oct 14 2015 08:33:22: %ASA-6-302013: Built inbound TCP connection 8383 for outside:x.x.x.x/34530 (x.x.x.x/34530) to dmz1:172.28.10.50/443 (172.16.1.50/443)
Oct 14 2015 08:33:43: %ASA-6-106100: access-list acl_outside_in permitted tcp outside/x.x.x.x(35243) -> dmz1/172.28.10.50(443) hit-cnt 1 first hit [0x92530be, 0x0]
Oct 14 2015 08:33:43: %ASA-6-302013: Built inbound TCP connection 8384 for outside:x.x.x.x/35243 (x.x.x.x/35243) to dmz1:172.28.10.50/443 (172.16.1.50/443)
Oct 14 2015 08:33:52: %ASA-6-302014: Teardown TCP connection 8382 for outside:x.x.x.x/34522 to dmz1:172.28.10.50/443 dura

My page never got loaded. What am I missing here?

Thanks,

Hi Alex,Packet-tracer shows

Akshay Rastogi — Wed, 14 Oct 2015 16:54:14 GMT

Hi Alex,

Packet-tracer shows it is allowed but it could be Manual NAT statement ordering as well.

From the nat statement i could see the you already have object nat for all the inside traffic for internet access therefore you could remove the first manual dynamic nat :

"nat (inside,outside) source dynamic any interface"

Check if this works.

Also have you tried taking captures on ASA interfaces for the traffic? Take the below captures and see if all the traffic works fine you you see the complete 3-way handshake :

capture capi interface inside match tcp host 172.28.10.50 host <your pc public ip>

capture capo interface outside match tcp host 172.16.1.50 host <your pc public ip>

capture drop type asp-drop all (to see if there is any drop for the traffic)

Regards,

Akshay Rastogi

Akshay, Thanks for the reply.

alex.vue — Wed, 14 Oct 2015 17:00:44 GMT

Akshay,

Thanks for the reply. You are right on the inside interface NAT. I am actually having issue with the dmz1 interface. My server is on the dmz1 interface. With that being said, do I need a manual NAT for the server IP 172.28.10.50 ?

Akshay,Below are the captures

alex.vue — Wed, 14 Oct 2015 17:22:19 GMT

Akshay,

Below are the captures;

XXXFW01# sh capture capi

21 packets captured

   1: 10:12:21.229175 x.x.x.x.10132 > 172.28.10.50.443: S 2141124451:2141124451(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   2: 10:12:24.229327 x.x.x.x.10132 > 172.28.10.50.443: S 2141124451:2141124451(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   3: 10:12:30.229709 x.x.x.x.10132 > 172.28.10.50.443: S 2141124451:2141124451(0) win 8192 <mss 1380,nop,nop,sackOK>
   4: 10:12:42.221897 x.x.x.x.10780 > 172.28.10.50.443: S 4072524934:4072524934(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   5: 10:12:42.472677 x.x.x.x.10790 > 172.28.10.50.443: S 97694985:97694985(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   6: 10:12:45.221866 x.x.x.x.10780 > 172.28.10.50.443: S 4072524934:4072524934(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   7: 10:12:45.471899 x.x.x.x.10790 > 172.28.10.50.443: S 97694985:97694985(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   8: 10:12:51.223895 x.x.x.x.10780 > 172.28.10.50.443: S 4072524934:4072524934(0) win 8192 <mss 1380,nop,nop,sackOK>
   9: 10:12:51.474355 x.x.x.x.10790 > 172.28.10.50.443: S 97694985:97694985(0) win 8192 <mss 1380,nop,nop,sackOK>
10: 10:13:03.477773 x.x.x.x.11568 > 172.28.10.50.443: S 886242131:886242131(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
11: 10:13:06.475897 x.x.x.x.11568 > 172.28.10.50.443: S 886242131:886242131(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
12: 10:13:12.474035 x.x.x.x.11568 > 172.28.10.50.443: S 886242131:886242131(0) win 8192 <mss 1380,nop,nop,sackOK>
13: 10:13:24.476400 x.x.x.x.12480 > 172.28.10.50.443: S 1764168049:1764168049(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
14: 10:13:24.726662 x.x.x.x.12484 > 172.28.10.50.443: S 1328452944:1328452944(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
15: 10:13:27.476476 x.x.x.x.12480 > 172.28.10.50.443: S 1764168049:1764168049(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
16: 10:13:27.727058 x.x.x.x.12484 > 172.28.10.50.443: S 1328452944:1328452944(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
17: 10:13:33.471182 x.x.x.x.12480 > 172.28.10.50.443: S 1764168049:1764168049(0) win 8192 <mss 1380,nop,nop,sackOK>
18: 10:13:33.721962 x.x.x.x.12484 > 172.28.10.50.443: S 1328452944:1328452944(0) win 8192 <mss 1380,nop,nop,sackOK>
19: 10:13:45.730247 x.x.x.x.13012 > 172.28.10.50.443: S 3230414906:3230414906(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
20: 10:13:48.722466 x.x.x.x.13012 > 172.28.10.50.443: S 3230414906:3230414906(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
21: 10:13:54.723992 x.x.x.x.13012 > 172.28.10.50.443: S 3230414906:3230414906(0) win 8192 <mss 1380,nop,nop,sackOK>
21 packets shown

XXXFW01# sh capture capo

18 packets captured

   1: 10:12:42.221698 x.x.x.x.10780 > 172.16.1.50.443: S 3825201827:3825201827(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   2: 10:12:42.472479 x.x.x.x.10790 > 172.16.1.50.443: S 2730085291:2730085291(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   3: 10:12:45.221836 x.x.x.x.10780 > 172.16.1.50.443: S 3825201827:3825201827(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   4: 10:12:45.471868 x.x.x.x.10790 > 172.16.1.50.443: S 2730085291:2730085291(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   5: 10:12:51.223865 x.x.x.x.10780 > 172.16.1.50.443: S 3825201827:3825201827(0) win 8192 <mss 1380,nop,nop,sackOK>
   6: 10:12:51.474325 x.x.x.x.10790 > 172.16.1.50.443: S 2730085291:2730085291(0) win 8192 <mss 1380,nop,nop,sackOK>
   7: 10:13:03.477575 x.x.x.x.11568 > 172.16.1.50.443: S 304360431:304360431(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   8: 10:13:06.475851 x.x.x.x.11568 > 172.16.1.50.443: S 304360431:304360431(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   9: 10:13:12.474005 x.x.x.x.11568 > 172.16.1.50.443: S 304360431:304360431(0) win 8192 <mss 1380,nop,nop,sackOK>
10: 10:13:24.476186 x.x.x.x.12480 > 172.16.1.50.443: S 1626187008:1626187008(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
11: 10:13:24.726479 x.x.x.x.12484 > 172.16.1.50.443: S 1325861497:1325861497(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
12: 10:13:27.476446 x.x.x.x.12480 > 172.16.1.50.443: S 1626187008:1626187008(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
13: 10:13:27.727043 x.x.x.x.12484 > 172.16.1.50.443: S 1325861497:1325861497(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
14: 10:13:33.471151 x.x.x.x.12480 > 172.16.1.50.443: S 1626187008:1626187008(0) win 8192 <mss 1380,nop,nop,sackOK>
15: 10:13:33.721932 x.x.x.x.12484 > 172.16.1.50.443: S 1325861497:1325861497(0) win 8192 <mss 1380,nop,nop,sackOK>
16: 10:13:45.730034 x.x.x.x.13012 > 172.16.1.50.443: S 2308891737:2308891737(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
17: 10:13:48.722405 x.x.x.x.13012 > 172.16.1.50.443: S 2308891737:2308891737(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
18: 10:13:54.723961 x.x.x.x.13012 > 172.16.1.50.443: S 2308891737:2308891737(0) win 8192 <mss 1380,nop,nop,sackOK>
18 packets shown
XXXFW01#
XXXFW01#
XXXFW01# sh capture drop

11 packets captured

   1: 10:13:12.406549 172.28.10.254.137 > 172.28.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
   2: 10:13:13.163123 172.28.10.254.137 > 172.28.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
   3: 10:13:53.175634 193.105.134.220.51710 > 172.16.1.50.8118: S 2897382283:2897382283(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
   4: 10:13:56.411630 172.28.10.254.137 > 172.28.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
   5: 10:13:57.161750 172.28.10.254.137 > 172.28.10.255.137: udp 50
   6: 10:13:57.599624 82.28.215.152.40407 > 172.16.1.50.23: S 2164620322:2164620322(0) win 5840 <mss 1460,sackOK,timestamp 23419048 0,nop,wscale 1> Drop-reason: (acl-drop) Flow is denied by configured rule
   7: 10:13:57.913191 172.28.10.254.137 > 172.28.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
   8: 10:13:58.674479 172.28.10.254.137 > 172.28.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
   9: 10:13:59.426155 172.28.10.254.137 > 172.28.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
10: 10:14:00.185155 172.28.10.254.137 > 172.28.10.255.137: udp 50
11: 10:14:00.595718 82.28.215.152.40407 > 172.16.1.50.23: S 2164620322:2164620322(0) win 5840 <mss 1460,sackOK,timestamp 23419348 0,nop,wscale 1> Drop-reason: (acl-drop) Flow is denied by configured rule
11 packets shown

Hi Alex,You have already

Akshay Rastogi — Wed, 14 Oct 2015 17:32:18 GMT

Hi Alex,

You have already configured the object nat your concerned traffic so you do not need manual nat :

object network Liebert-AC
nat (dmz1,outside) static 172.16.1.50 service tcp https https

Have you tried removing the first nat and tested?

Also for the testing purpose you could try with the manual NAT statement:

nat (dmz1,outside) 1 source static <real-ip-object> <mapped-ip-object>

Also check with capture as i had mentioned in my previous reply.

Regards,

Akshay Rastogi

Hi Alex,I wrongly typed

Akshay Rastogi — Wed, 14 Oct 2015 19:42:44 GMT

Hi Alex,

I wrongly typed 'inside' in the capi capture instead of 'dmz1' as your server is behind dmz1. From the captures i believe that you have corrected that yourself.

From the capture outputs, i could only see SYN packets going to your server side. We do not see any SYN-ACK coming from Server back to ASA on the capi captures. No drops for interesting traffic.

Please check if there is a proper connectivity/reachability between Server and ASA. Also check the arp entry on asa 'show arp' for the server IP.

Regards,

Akshay Rastogi

Thank you so much Akshay.

alex.vue — Wed, 14 Oct 2015 20:37:07 GMT

Thank you so much Akshay. Your suggested capture helped isolate the issue. It turns out, the server firewall had blocked the incoming ports. It is working now and thank you very much for your help.

-Alex