topic Re: Access Rules - Action - DROP in Network Security

Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 14:18:24 GMT

I am new to managing Firewalls, so any help would be appreciated. We have a link on our website that goes to one of our internal servers that we have. However, nothing is happening when I click the link on our website. When I do a Packet Trace, it shows that it DROPs at the ACCESS-LIST. Any ideas what I can check? I have attached some screenshots. Thank you in advance.

Re: Access Rules - Action - DROP

Jaderson Pessoa — Fri, 07 Feb 2020 14:22:22 GMT

Hello,

Check on the logs and do a filter to check specific address. According to your rules, all internal rules to internal and external address are allowed.

Are you checked if the service under the server is enabled as well?

Re: Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 14:26:35 GMT

Hi Jaderson,

Thank you for your feedback, I appreciate it as I am still learning Cisco Firewalls.

Which service should I check on the server? I am also not sure where to access the logs you are talking about. Please be patient, I am a novice. Appreciate your help!

Re: Access Rules - Action - DROP

Rob Ingram — Fri, 07 Feb 2020 14:27:06 GMT

Hi,
Unfortunately it's possible to determine the issue from the screenshot.

Are you referring to rule #2 inbound on the outside interface - http to WYNNEAPPS1?
Have you defined a static NAT for that server - mapping the public ip address to the real/private ip address?
Does the object WYNNEAPPS1 reference the real/private IP address of the server? The ACL needs to reference the real/private IP address rather than the public ip address.

If you provided your configuration we could probably easily determine the issue

HTH

Re: Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 14:31:31 GMT

Does the Global Implicit Rule that shows Deny, have anything to do with traffic being blocked from accessing the IP?

Re: Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 14:35:20 GMT

So WYNNEAPPS1 is the name of the server that the link on our website is trying to access. Here is the link from our website: https://63.147.191.67/Ships5Web/Application/. Thank you for your help!

Here is what I have under NAT Rules

Re: Access Rules - Action - DROP

Rob Ingram — Fri, 07 Feb 2020 14:39:56 GMT

You link is for HTTPS but your ACL only permits HTTP, therefore any connection on https will be dropped by the implicit deny at the end of the ACL.

You need to amend the ACL rule to include HTTPS.

You need to look at the properties of the WYNEAPPS1 and determine what IP address is defined, hopefully it is the private IP address.

Re: Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 14:48:56 GMT

Thank you!

I changed the Access Rule to include HTTPS

The properties of WYNNEAPPS1 show the correct ip addresses

Re: Access Rules - Action - DROP

Rob Ingram — Fri, 07 Feb 2020 14:54:00 GMT

Ok, I can access you URL so I assume all is working and your issue is resolved?

HTH

Re: Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 14:58:51 GMT

Yes, I can access the link if I am outside of my network or on data on a cell phone. However, I still cannot access it from my computer at the office. Do I need another rule so I can access it from office network? Thanks!

Re: Access Rules - Action - DROP

Rob Ingram — Fri, 07 Feb 2020 15:04:06 GMT

You should access the server directly, using it's real/private IP address (10.0.0.3) - not via the firewall on the natted ip address.

Re: Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 15:07:48 GMT

So if I am on my office network and go to our website the link is not going to work. So I need to access it by using the local IP 10.0.0.3? I thought maybe if I had a rule in place, I would still be able to access it directly from our website. The reason being, all my users do not know the local IP 10.0.0.3, they would just go to our website and click the link. Any workaround for this?

Re: Access Rules - Action - DROP

Rob Ingram — Fri, 07 Feb 2020 15:13:09 GMT

Create a FQDN that when inside the network resolves to the private IP address, and when outside the network resolves to the nat IP address. I suggest getting a valid public signed certificate for the site aswell.

Re: Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 15:26:00 GMT

Where do I create the FQDN? Is that under Access or NAT Rules?

Re: Access Rules - Action - DROP

Rob Ingram — Fri, 07 Feb 2020 15:30:02 GMT

Sorry, I was referring to creating a DNS entry on your local DNS server which resolves to the private IP address and another entry with your external DNS provider resolving to the NAT ip address.

Re: Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 16:01:39 GMT

Okay, I am in my DNS Manager. Can you assist me at all with the FQDN? Thanks a ton!

Re: Access Rules - Action - DROP

Rob Ingram — Fri, 07 Feb 2020 16:18:38 GMT

You would create an A record under the forward lookup zone of your domain name. Here is an example from my lab.

Re: Access Rules - Action - DROP

wynneitmgr — Fri, 07 Feb 2020 16:55:02 GMT

I looked under my settings and I already see the IP address listed. So do I need to create an additional one?

Re: Access Rules - Action - DROP

Rob Ingram — Fri, 07 Feb 2020 17:05:39 GMT

In your internal DNS you would define your private IP address, I doubt the internet queries that server to resolve the public IP address?

Is that domain name the same inside and outside of the network?

It might be easier just to provide the users inside the network with a seperate link and get them to save it in their web browser.