topic Re: Cannot Access Hosts (Servers) From Outside to Inside in Network Security

Cannot Access Hosts (Servers) From Outside to Inside

beatinger — Thu, 22 Aug 2019 08:56:22 GMT

I was able to setup my Cisco ASA5540 for Internet access from inside servers to the outside (i.e., I can hit websites, and ping hosts to the outside, and I can ping the inside hosts at their IPs from the firewall), but I cannot figure out how to allow access from outside public IPs, to NATed IPs on the inside network. I feel that the problem is related to no mapping between outside IPs to the inside IPs, which have been assigned to servers. There used to be a "static route" command, which has not been deprecated. I have configured and setup an access list for one of the servers. The OUTSIDE public IP is 12.43.6.93 and the INSIDE private IP is 10.1.252.249. One of the things that I don't understand, is where do you do the mapping from the public IP to the private IP (such as was done with the "static" command before), or 12.43.6.93 to 10.1.252.249. I don't understand how to do that anymore, with this new version IOS.

This is my current, very simple configuration:

ciscoasa5540# show config
: Saved
:
: Serial Number: JMX1112L1JH
: Hardware: ASA5540-K8, 2560 MB RAM, CPU Pentium 4 2000 MHz
: Written by enable_15 at 19:15:49.949 UTC Wed Aug 21 2019
!
ASA Version 9.1(7)32
!
hostname ciscoasa5540
domain-name edenhosting.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.43.6.90 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.252.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name edenhosting.net
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network IIS85Server
host 10.1.252.249
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any4 host 10.1.252.249 eq www
access-list outside_access_in extended permit tcp any4 host 10.1.252.249 eq https
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.43.6.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 18dad19e267de8bb4a2158cdcc6b3b4a
308204d3 308203bb a0030201 02021018 dad19e26 7de8bb4a 2158cdcc 6b3b4a30
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d30
36313130 38303030 3030305a 170d3336 30373136 32333539 35395a30 81ca310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313a30 38060355 040b1331 28632920 32303036 20566572 69536967
6e2c2049 6e632e20 2d20466f 72206175 74686f72 697a6564 20757365 206f6e6c
79314530 43060355 0403133c 56657269 5369676e 20436c61 73732033 20507562
6c696320 5072696d 61727920 43657274 69666963 6174696f 6e204175 74686f72
69747920 2d204735 30820122 300d0609 2a864886 f70d0101 01050003 82010f00
3082010a 02820101 00af2408 08297a35 9e600caa e74b3b4e dc7cbc3c 451cbb2b
e0fe2902 f95708a3 64851527 f5f1adc8 31895d22 e82aaaa6 42b38ff8 b955b7b1
b74bb3fe 8f7e0757 ecef43db 66621561 cf600da4 d8def8e0 c362083d 5413eb49
ca595485 26e52b8f 1b9febf5 a191c233 49d84363 6a524bd2 8fe87051 4dd18969
7bc770f6 b3dc1274 db7b5d4b 56d396bf 1577a1b0 f4a225f2 af1c9267 18e5f406
04ef90b9 e400e4dd 3ab519ff 02baf43c eee08beb 378becf4 d7acf2f6 f03dafdd
75913319 1d1c40cb 74241921 93d914fe ac2a52c7 8fd50449 e48d6347 883c6983
cbfe47bd 2b7e4fc5 95ae0e9d d4d143c0 6773e314 087ee53f 9f73b833 0acf5d3f
3487968a ee53e825 15020301 0001a381 b23081af 300f0603 551d1301 01ff0405
30030101 ff300e06 03551d0f 0101ff04 04030201 06306d06 082b0601 05050701
0c046130 5fa15da0 5b305930 57305516 09696d61 67652f67 69663021 301f3007
06052b0e 03021a04 148fe5d3 1a86ac8d 8e6bc3cf 806ad448 182c7b19 2e302516
23687474 703a2f2f 6c6f676f 2e766572 69736967 6e2e636f 6d2f7673 6c6f676f
2e676966 301d0603 551d0e04 1604147f d365a7c2 ddecbbf0 3009f343 39fa02af
33313330 0d06092a 864886f7 0d010105 05000382 01010093 244a305f 62cfd81a
982f3dea dc992dbd 77f6a579 2238ecc4 a7a07812 ad620e45 7064c5e7 97662d98
097e5faf d6cc2865 f201aa08 1a47def9 f97c925a 0869200d d93e6d6e 3c0d6ed8
e6069140 18b9f8c1 eddfdb41 aae09620 c9cd6415 3881c994 eea28429 0b136f8e
db0cdd25 02dba48b 1944d241 7a05694a 584f60ca 7e826a0b 02aa2517 39b5db7f
e784652a 958abd86 de5e8116 832d10cc defda882 2a6d281f 0d0bc4e5 e71a2619
e1f4116f 10b595fc e7420532 dbce9d51 5e28b69e 85d35bef a57d4540 728eb70e
6b0e06fb 33354871 b89d278b c4655f0d 86769c44 7af6955c f65d3208 33a454b6
183f685c f2424a85 3854835f d1e82cf2 ac11d6a8 ed636a
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous

This has been an extremely difficult setup for me, as the server room is a 70-mile round trip, and I cannot get out there very often, and when I am there, I just can't figure this out. I spent 8 hours on this today alone. I did figure out how to get the ASDM working, but it doesn't help much. Thank you very much for your help!

Re: Cannot Access Hosts (Servers) From Outside to Inside

Rob Ingram — Thu, 22 Aug 2019 09:30:55 GMT

Hi,

This example will nat behing the IP address assigned to the outside interface:-

object network SVR-HTTP
host 10.1.252.249
nat (inside,outside) static interface service tcp 80 80

object network SVR-HTTPS
host 10.1.252.249
nat (inside,outside) static interface service tcp 443 443

If you had multiple IP addresses you would replace "interface" with the IP address, e.g.

object network SVR
host 10.1.252.249
nat (inside,outside) static 12.43.6.9x

Your existing NAT rule might take precedence, so might be worth removing your existing dynamic nat with the following rule (This is global and not defined under an object.):-

nat (inside,outside) after-auto dynamic interface

Your ACL looks correct, it needs to reference the real IP address rather than the NATTED address.

HTH

Re: Cannot Access Hosts (Servers) From Outside to Inside

beatinger — Thu, 22 Aug 2019 17:59:33 GMT

Hello HTH,

Thank you very much for your help! Most appreciated! So I did everything you suggested, and yes, I have multiple IPs and multiple servers, so this is what (the pertinent section) my config looks like now:

object network obj_any
subnet 0.0.0.0 0.0.0.0object network IIS85Server
host 10.1.252.249
object network WebServerIIS80
host 10.1.252.249
object network WebServerIIS10
host 10.1.252.250
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any4 host 12.43.6.93 eq www
access-list outside_access_in extended permit tcp any4 host 12.43.6.93 eq https
access-list outside_access_in extended permit tcp any4 host 12.43.6.88 eq https
access-list outside_access_in extended permit tcp any4 host 12.43.6.88 eq www
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network WebServerIIS80
nat (inside,outside) static 12.43.6.93
object network WebServerIIS10
nat (inside,outside) static 12.43.6.88
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.43.6.81 1

Question: Should I remove this:

object network obj_any
subnet 0.0.0.0 0.0.0.0

I also added a group of names, to help me follow things, and this is what my config file looks like for that:

names
name 10.1.252.219 Sendmail description OLD Mail Server (92)
name 10.1.252.247 ExchangeServer description Exchange Server 2016 (94)
name 10.1.252.249 WebServerIIS80 description Windows Server 2012 (93)
name 10.1.252.190 DRAC-DNS description DRAC for DNS Server (87)
name 10.1.252.191 DRAC-WebServer description DRAC for Web Server (92)
name 10.1.252.246 NAS description Synology NAS (86)
name 10.1.252.250 WebServerIIS10 description Windows Server 2019 (88)
name 10.1.252.192 DRAC-VirtualServer description DRAC for Virtual Server (89)
name 10.1.252.245 DNS-Server description Primary DNS Server (91)

I am not really sure how to use these anymore to help me follows things, as I did before, so perhaps you could advise me on this. The new "objects" are a bit confusing, but I think I am starting to understand it.

Finally, I can't test this until I drive back up to the server room, which will probably be tomorrow. I will update then. Thank you again!

Re: Cannot Access Hosts (Servers) From Outside to Inside

Rob Ingram — Thu, 22 Aug 2019 18:24:08 GMT

Hi,
I think you miss understood, your ACL was correct first time. You need to reference the real (private) IP address of the server e.g. 10.1.252.249 not the NATTED IP address in the ACL.

Yes, remove "object network obj_any" and add the example I provided. Use the command "show nat" to confirm that the new static NAT entries are above this new dynamic NAT rule, used for general outbound traffic (internet).

You can add a description under the object, e.g.

object network WebServerIIS80
 host 10.1.252.249
 description Windows Server 2012 (93)

Re: Cannot Access Hosts (Servers) From Outside to Inside

beatinger — Thu, 22 Aug 2019 19:22:48 GMT

Okay, here are the current (pertinent to our discussion) contents of my config:

object network IIS85Server
host 10.1.252.249
object network WebServerIIS80
host 10.1.252.249
object network WebServerIIS10
host 10.1.252.250
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any4 host 10.1.252.249 eq www
access-list outside_access_in extended permit tcp any4 host 10.1.252.249 eq https
access-list outside_access_in extended permit tcp any4 host 10.1.252.250 eq www
access-list outside_access_in extended permit tcp any4 host 10.1.252.250 eq https
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network WebServerIIS80
nat (inside,outside) static 12.43.6.93
object network WebServerIIS10
nat (inside,outside) static 12.43.6.88
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.43.6.81 1

And here is the output of the "show nat" command:

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WebServerIIS80 12.43.6.93
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static WebServerIIS10 12.43.6.88
translate_hits = 0, untranslate_hits = 0

Unfortunately, the command to setup the dynamic NAT, that you gave me earlier, gets an error:

ciscoasa5540(config)# nat (inside,outside) after-auto dynamic interface
^
ERROR: % Invalid input detected at '^' marker.

Re: Cannot Access Hosts (Servers) From Outside to Inside

beatinger — Thu, 22 Aug 2019 19:23:58 GMT

I just noticed that the cut and paste, put the error marker in the wrong place. It should be under the start of the word "dynamic."

Re: Cannot Access Hosts (Servers) From Outside to Inside

Rob Ingram — Thu, 22 Aug 2019 19:43:55 GMT

I have a newer ASA version, try this "nat (INSIDE,OUTSIDE) after-auto source dynamic any interface"

Re: Cannot Access Hosts (Servers) From Outside to Inside

beatinger — Thu, 22 Aug 2019 19:46:36 GMT

Awesome! That worked!

ciscoasa5540(config)# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WebServerIIS80 12.43.6.93
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static WebServerIIS10 12.43.6.88
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
ciscoasa5540(config)#

Is this now in the correct order?

I can't wait to go back up to the server room and try this, and let you know what happens. Your help is most appreciated!

Re: Cannot Access Hosts (Servers) From Outside to Inside

Rob Ingram — Thu, 22 Aug 2019 19:54:09 GMT

Yes, order is fine. The static NATs in Section 2 will always be processed before the dynamic NAT. If you add any new static NAT rules, they would also be added to Section 2.

Re: Cannot Access Hosts (Servers) From Outside to Inside

beatinger — Tue, 27 Aug 2019 22:55:11 GMT

I was finally able to get up to the server room and try this new configuration out, and IT WORKED. So I finished up all of the necessary access lists and got it all done, and now we are in business! Thank you SO MUCH for helping me out with this. How did you learn so much about this complicated firewall?

I do have another 2 questions, and that is...how can I completely disable all of the "SmartCallHome" code that is on this firewall configuration? I also can suddenly no longer get into the ASDM, and get this message:

"The webpage cannot be found."

The URL at the top of the page is correct, and is as follows:

https://192.168.1.1/admin/public/index.html

The http server is enabled, as can be seen via the "show run http" command:

http server enable
http 192.168.1.0 255.255.255.0 management

So, I am very confused as to what happened to the ASDM. What is the command to see if it is loading correctly on the router startup? It appears that the image is simply not loading perhaps. Thank you again for all of your help!