topic Hi,The packet trace command in Network Security

Port forwarding ASA5512

firestormnet — Tue, 12 Mar 2019 06:44:25 GMT

Hi All.

Just having a problem with port-forwarding on ASA5512 v.9.1. The configuration the same as used for port forwarding but it doesn't work.

I need to forward port 443 from outside interface to local device. Local device ip is 192.168.1.90 and SSL VPN server is configured on it. Local ip of ASA (inside interface) is 192.168.2.1 then its connected to Core switch ip 192.168.2.2. Core switch has a local subnet 192.168.1.0/24.

When i login locally as https://192.168.1.90, the SSL VPN login page opens.

Debugging doesn't show any traffic coming from outside to that. Packet tracer on ASA shows NAT problem, configuration below:

object network PBX
host 192.168.1.90

nat (inside,outside) source dynamic any interface

object network PBX
nat (inside,outside) static interface service tcp https https

Appreciate any help. Thanks

Hi, The NAT statement:object

Rishabh Seth — Tue, 13 Oct 2015 11:12:12 GMT

Hi,

The NAT statement:

object network PBX
nat (inside,outside) static interface service tcp https https

will translate traffic coming on the outside interface with destination IP as asa's public on port 443 to 192.168.1.90/443.

In your update you have mentioned that you tried running packet-tracer and you observed some issues with NAT. What is the error that you see in the packet-tracer output.

You can try making the object NAT to static manual NAT and put it on top so that you can ensure there is no other overlapping NAT rule present:

nat (inside,outside) 1 source static PBX interface service https https

Also ensure you have ACL to permit traffic after un-translation of tcp/443 traffic destined for 192.168.1.90/443..

Share your findings.

Thanks,

R.Seth

Hi Rishabh.The ACL i've got

firestormnet — Tue, 13 Oct 2015 12:05:20 GMT

Hi Rishabh.

The ACL i've got:

access-list outside_access_in remark SSL VPN to PBX
access-list outside_access_in extended permit tcp any object PBX eq https

access-list inside_access_in_1 remark SSL VPN to PBX
access-list inside_access_in_1 extended permit tcp object PBX any eq https

And packet-tracer:

# packet-tracer input outside tcp 8.8.8.8 https 192.168.1.90 https det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object PBX eq https
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9fa028a0, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7fff9b9db1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.1.90, mask=255.255.255.255, port=443, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9edeec20, priority=0, domain=nat-per-session, deny=false
        hits=5721791, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f869830, priority=0, domain=inspect-ip-options, deny=true
        hits=6478779, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa0564210, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=398057, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff9fae34c0, priority=6, domain=nat-reverse, deny=false
        hits=2652, user_data=0x7fff9fadc150, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Does it look like i need to move my NAT rule to top?

Regards,

Hi, In packet-tracer you are

Rishabh Seth — Tue, 13 Oct 2015 12:34:28 GMT

Hi,

In packet-tracer you are trying the real IP for the internal device.

Try the packet tracer with the destination as your ASA's public IP and not the internal IP.

Let us know if it helps.

Thanks,

R.Seth

Hi.But i need to reach local

firestormnet — Tue, 13 Oct 2015 12:53:35 GMT

Hi.

But i need to reach local ip from outside using ASA public ip.

i tried this:

# packet-tracer input outside tcp 8.8.8.8 https <ASA WAN IP> https det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in <ASA WAN IP> 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9edeec20, priority=0, domain=nat-per-session, deny=false
        hits=5810133, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f863570, priority=0, domain=permit, deny=true
        hits=685701, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any ideas about that ACL?

Thanks

Hi,The packet trace command

Rishabh Seth — Tue, 13 Oct 2015 13:35:25 GMT

Hi,

The packet trace command is correct, looks like the NAT rule is not getting evaluated, can you try creating a NAT rule for specific host and service on top as mentioned before and check if it helps.

packet-tracer input outside tcp 8.8.8.8 https <ASA WAN IP> https det

Share your findings,

Thanks,

R.Seth

Hi,Still web page is not

firestormnet — Tue, 13 Oct 2015 15:49:15 GMT

Hi,

Still web page is not opening from outside.

Did those changes:

nat (inside,outside) 1 source static PBX interface service HTTPS HTTPS

#packet-tracer input outside tcp 8.8.8.8 https <ASA WAN IP> https

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static PBX interface service HTTPS HTTPS
Additional Information:
NAT divert to egress interface inside
Untranslate <ASA WAN IP>/443 to 192.168.1.90/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object PBX eq https
access-list outside_access_in remark CUE_WEB_access
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9fa028a0, priority=13, domain=permit, deny=false
        hits=6, user_data=0x7fff9b9db1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.1.90, mask=255.255.255.255, port=443, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static PBX interface service HTTPS HTTPS
Additional Information:
Static translate 8.8.8.8/443 to 8.8.8.8/443
Forward Flow based lookup yields rule:
in id=0x7fff9e5fbca0, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7fffa10d5bd0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=0
        dst ip/id=<ASA WAN IP>, mask=255.255.255.255, port=443, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9edeec20, priority=0, domain=nat-per-session, deny=false
        hits=6034939, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f869830, priority=0, domain=inspect-ip-options, deny=true
        hits=6747444, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa0564210, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=407079, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static PBX interface service HTTPS HTTPS
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff9f235900, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0x7fffa123ce30, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=0
        dst ip/id=192.168.1.90, mask=255.255.255.255, port=443, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa0517050, priority=0, domain=user-statistics, deny=false
        hits=3977057, user_data=0x7fffa0a1c3b0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=inside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9edeec20, priority=0, domain=nat-per-session, deny=false
        hits=6034941, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9fa458c0, priority=0, domain=inspect-ip-options, deny=true
        hits=5915584, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff9e5eb380, priority=0, domain=user-statistics, deny=false
        hits=4724199, user_data=0x7fffa0a1c3b0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6904215, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Looks like everything is ALLOW then where is a problem.

Thanks

Hi,NAT and acts seems to be

Rishabh Seth — Tue, 13 Oct 2015 15:56:07 GMT

Hi,

NAT and acts seems to be fine. I think there is some issue with vpn config, I see that the packet-tracer shows ipsec-tunnel. It could be that the traffic after getting permitted is entering the tunnel. Can you check if this traffic is not sent over vpn.

Hint: check the ACL used in crypto-map. 🙂

Thanks,

R.Seth

Hi.Couldn't see any obvious.

firestormnet — Wed, 14 Oct 2015 10:32:23 GMT

Hi.

Couldn't see any obvious. There three L2L IPSec and two VPNclient configurations and all are having or pointing to different subnets like local 192.168.1.0/24 to remote 192.168.200.0/24, and crypto ACL has that config so looks ok. I don't how traffic pointing to 192.168.1.90 would go to a tunnel. How can i check that?

Thanks

Hi,You can try checking the

Rishabh Seth — Wed, 14 Oct 2015 11:00:12 GMT

Hi,

You can try checking the real traffic by applying captures on the ingress and egress interface for specific source and destination IP.

capture capo interface outside match tcp any host <public-IP> eq 443

capture capi interface inside match tcp any host 192.168.1.90 eq 443

View captures:

show cap capi

show cap capo

Remove captures:

no cap capi

no cap capo

This way you can check if the traffic hitting the firewall is getting properly translated and leaving the ASA towards inside host.

Share your findings.

Thanks,

R.Seth

Hi Rishabh.I've tried your

firestormnet — Thu, 15 Oct 2015 11:15:10 GMT

Hi Rishabh.

I've tried your recommendation, see results below:

# sh cap capi

0 packet captured

0 packet shown

# sh cap capo

37 packets captured

32: 11:55:33.674769       <Remote_WAN_ip>.16889 > <ASA_WAN_ip>.443: S 1979714501:1979714501(0) win 5840 <mss 1442,sackOK,timestamp 157663 0,nop,wscale 1>
33: 11:56:13.104242       <Remote_WAN_ip>.16892 > <ASA_WAN_ip>.443: S 2030584064:2030584064(0) win 5840 <mss 1442,sackOK,timestamp 161605 0,nop,wscale 1>
34: 11:56:16.096659       <Remote_WAN_ip>.16892 > <ASA_WAN_ip>.443: S 2030584064:2030584064(0) win 5840 <mss 1442,sackOK,timestamp 161905 0,nop,wscale 1>
35: 11:56:34.098566       <Remote_WAN_ip>.16892 > <ASA_WAN_ip>.443: S 2030584064:2030584064(0) win 5840 <mss 1442,sackOK,timestamp 163705 0,nop,wscale 1>
36: 11:56:54.376857       <Remote_WAN_ip>.16898 > <ASA_WAN_ip>.443: S 2058663125:2058663125(0) win 5840 <mss 1442,sackOK,timestamp 165732 0,nop,wscale 1>
37: 11:56:57.373424       <Remote_WAN_ip>.16898 > <ASA_WAN_ip>.443: S 2058663125:2058663125(0) win 5840 <mss 1442,sackOK,timestamp 166032 0,nop,wscale 1>

Then checking NAT hits:

# sh nat det
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static PBX interface   service HTTPS HTTPS
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.1.90/32, Translated: <ASA WAN IP>/30
    Service - Origin: tcp source eq https destination eq https , Translated: tcp source eq https destination eq https

i don't see statistics for translating <ASA WAN IP> to 192.168.1.90.

Should it be translating (outside, inside)?

Regards,

Hi, Based on your packet

Rishabh Seth — Thu, 15 Oct 2015 11:34:36 GMT

Hi,

Based on your packet-tracer output looks like the configuration is correct but the captures show that the traffic is hitting the firewalls outside interface and not making to the inside interface.

To check what is happening to the traffic you can try couple of things:

1. Check syslogs/ ASDM logs for this traffic and check what is ASA doing with this traffic.

2. Apply ASP drop captures to check if ASA is dropping the traffic due to some security reason/protocol anomaly.

ASP capture captures everything which ASA would drop so the buffer might get full before capturing intended traffic. So you should try this more than once to collect correct data:

configure: cap asp type asp-drop all

view: show cap asp. Try to filter these for appropriate traffic and check if you see any drops here and check the reason for drop.

remove: no cap asp

Share your findings.

Thanks,

R.Seth

Hi Rishabh.I haven't tried

firestormnet — Tue, 20 Oct 2015 07:50:56 GMT

Hi Rishabh.

I haven't tried your suggestion as i think we're going too far away so i start checking the configuration as i thought there is a problem with NAT configuration. When i was creating Static NAT forwarding using your command it was asking for Object service which i didn't have so i created it in ASDM as:

object service HTTPS
service tcp source eq https destination eq https
description HTTPS SSL VPN access

This Object service didn't work correctly, once i removed: destination eq https, phones started working using SSL VPN.

Now, I've got another question.

I want to use a different port, for example, port 444. I did change it in PBX and Object service and SSL VPN works if you use web browser as you can assign port 444 there, but the phones don't work as they always use port 443 to connect.

I tried manipulate Object service but nothing works. So i need to create some kind of rule like that:

Incoming ASA port 443 --> Forwarding to PBX port 444

Outgoing PBX port 444 --> ASA outgoing port 443

Regards,

Hi, You can create a static

Rishabh Seth — Wed, 21 Oct 2015 09:46:58 GMT

Hi,

You can create a static NAT for the same

Sample conifg:

object service 444
service tcp source eq 444

object service 443
service tcp source eq https

object network PBX_real
host 10.1.1.1

object network PBX_public
host 100.1.1.1

nat (inside,outside) source static PBX_real PBX_pubic service 443 444

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

Thanks for suggestion. i'll

firestormnet — Fri, 23 Oct 2015 21:50:11 GMT

Thanks for suggestion. i'll try that at some stage.