topic That did the trick, Jon. I'll in Network Security

HTTPS Inbound PAT ASA-5505 Not Working

Don Smallwood — Tue, 12 Mar 2019 05:40:40 GMT

Greetings, all. This is my first post, and I'm hoping someone can catch what my tired and forgetful eyes did not.

Basic problem: We need to use a public IP to an internal server

Steps: 1 - Setup firewall, verify SSH inside and outside

2 - Setup Static PAT per examples in Harris Andrea book

3 - test, and when fails after multiple tests and redos:

4 - post in forum for help.

Sanitized configuration shown below

Thanks!

-----------------------------------------------

ASA Version 8.2(5)
!
hostname ASA-5505
domain-name XXXXXX.local
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 91
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.73 255.255.255.248
!
interface Vlan91
nameif inside
security-level 100
ip address Y.Y.Y.248 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.231.183.25
domain-name tomwood.local
access-list inbound extended permit tcp any host X.X.X.74
pager lines 24
logging buffered debugging
logging asdm informational
logging debug-trace
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp X.X.X.74 https Z.Z.Z.28 https netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.78 1
route inside Z.Z.Z.0 255.255.255.0 Z.Z.Z.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside

no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password XXXXXXXXXXX encrypted privilege 15
username twadmin attributes
service-type admin
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ef877009ef8b0f2824eb05bd092f4ab6
: end

DonYour NAT and acl look fine

Jon Marshall — Sat, 21 Mar 2015 20:20:18 GMT

Don

Your NAT and acl look fine but -

route inside Z.Z.Z.0 255.255.255.0 Z.Z.Z.254

this may be a typo when you blanked out the IPs but the next hop would be Y.Y.Y.254.

Couple of other things -

1) I would add "eq https" to your acl line but that is just preference

2) if the next hop is correct in your configuration check that the next hop device has a default route pointing to the inside IP of the ASA.

Jon

Thanks, Jon. Good catch on my

Don Smallwood — Sat, 21 Mar 2015 21:39:36 GMT

Thanks, Jon. Good catch on my alphabet challenge. 🙂

Regarding #1, I added that. As for #2, here's a quick diagram:

Comcast<----E0/0->ASA <--E0/1 (Access)----G1/0/48 (Access)-->Switch<---G3/0/49 (Trunk)----G0/0 (Trunk)--> Router

I added a route for the X.X.X.X network on the router (ip route X.X.X.0 255.255.255.0 Y.Y.Y.248)

That allows ping through to the X.X.X.78 gateway IP from the Y and Z networks.

Still no success on the https://X.X.X.74 connection in browsers.

DonWhere you are you trying

Jon Marshall — Sun, 22 Mar 2015 12:13:48 GMT

Don

Where you are you trying to connect from ie. from the outside or the inside ?

Jon

We're trying to connect from

Don Smallwood — Sun, 22 Mar 2015 17:37:03 GMT

We're trying to connect from the outside.

DonDoes your router have a

Jon Marshall — Sun, 22 Mar 2015 17:57:45 GMT

Don

Does your router have a default route pointing to the inside interface of the ASA ?

It's not a route for the subnet used on your outside interface, you don't need that.

Can you run -

"packet-tracer input outside tcp 8.8.8.8 12345 X.X.X.74 443"

and post the results.

Edit - that should be port 443 in the above.

Jon

Thanks, Jon. This is not a

Don Smallwood — Sun, 22 Mar 2015 18:09:02 GMT

Thanks, Jon. This is not a default route for traffic - we've got an MPLS link for that that feeds into a central internet location (single point of filtering,control, etc.) Only specific traffic needs to flow outbound here.

Packet-Tracer results:

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
match ip inside host Z.Z.Z.28 outside any
static translation to X.X.X.74
translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface inside
Untranslate X.X.X.74/0 to Z.Z.Z.28/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any host X.X.X.74
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
match ip inside host Z.Z.Z.28 outside any
static translation to X.X.X.74
translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
match ip inside host Z.Z.Z.28 outside any
static translation to X.X.X.74
translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 521, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Honda-5920-ASA-5505# packet-tracer input outside tcp 8.8.8.8 1234$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) X.X.X.74 Z.Z.Z.28 netmask 255.255.255.255
match ip inside host Z.Z.Z.28 outside any
static translation to X.X.X.74
translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface inside
Untranslate X.X.X.74/0 to Z.Z.Z.28/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any host X.X.X.74
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 521, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

DonThis is not a default

Jon Marshall — Sun, 22 Mar 2015 18:15:48 GMT

Don

This is not a default route for traffic - we've got an MPLS link for that that feeds into a central internet location (single point of filtering,control, etc.) Only specific traffic needs to flow outbound here.

That's your problem then.

The packet-tracer output shows the firewall configuration is fine.

But the source IPs are internet IPs so they could be anything and your default route is sending the traffic out to the MPLS network and not back to the firewall.

Try this -

nat (outside) 2 0.0.0.0 0.0.0.0 outside
global (inside) 2 interface

what the above should do is translate all source IPs ie. internet IPs to the inside interface IP of the ASA so the return traffic from the server is sent back the same way.

I have used it before. If it works can you also test that any internal to internet traffic is also still working as it can sometimes interfere with that.

Jon

That did the trick, Jon. I'll

Don Smallwood — Sun, 22 Mar 2015 18:24:37 GMT

That did the trick, Jon. I'll have to study the books a bit more to understand this in depth, but you've rescued me from further angst over this...thanks!

DonNo problem.If you need a

Jon Marshall — Sun, 22 Mar 2015 18:28:23 GMT

Don

No problem.

If you need a fuller explanation then happy to help but just to be clear your ASA configuration was fine and you wouldn't normally need to add that extra configuration which is why it wouldn't be in the instructions you followed.

It was only because within your network the default route was pointing somewhere else that you needed it.

Glad you got it working.

Jon

DonNot sure if you'll see

Jon Marshall — Sun, 22 Mar 2015 19:37:05 GMT

Don

Not sure if you'll see this but just wanted to mention something.

Those commands you added mean every internet IP that accesses your web server is translated to the inside interface IP of your ASA.

Depending on the number of outside clients accessing your web server this could create a lot of translations on your firewall.

You should be okay but if it becomes an issue the alternative is not to use those commands and do PBR on your router.

With PBR you could say any traffic from the web server to an unknown IP should go to the ASA.

This may be an option but it depends on what the existing default route is being used for ie. if there is traffic from the web server to unknown IPs that should go via MPLS as opposed to the ASA then PBR probably wouldn't work.

Apologies if I have confused the issue, just wanted you to be aware of possible alternatives.

Jon