topic access from outside in Network Security

access from outside

cbuschini — Tue, 12 Mar 2019 02:53:14 GMT

Hello All,

I am new here and in the ASA world.

I have a small issue with allowing access to my webserver from the Internet.

Internet -------- Router COLT ---------- ASA ---------- MyLan

I have created an access-list :

access-list acl-out extended permit tcp any object WebServer eq www

I have created a NAT rule :

nat (LANColt,DMZCarax) source static any any destination static WebServer WebServer

The website is reachable when I plugged between the Route Colt and the ASA but not when I try from the Internet ...

Do you have any idea ???

Thanks

Cedric

access from outside

sganpat — Thu, 17 Oct 2013 15:49:37 GMT

Do you have Internet access from the inside? Is the IP address that you're translating to publicly routable? Is the translated IP address the same as the outside network of the ASA?

Also, this belongs in the Security --> Firewalling section. You should move it.

Sachin

Re: access from outside

cbuschini — Thu, 17 Oct 2013 16:00:18 GMT

Hi Sachin,

Yes I do have Internet access from the inside.

Yes the ip address is publicly routable.

Here is a quick description :

62.23.x.x ------ Router Colt [192.168.1.1] ---- [192.168.1.3] ASA [192.168.10.2] ------- [192.168.10.4] Webserver

access from outside

Jouni Forss — Thu, 17 Oct 2013 16:08:41 GMT

Hi,

The provided information is not all we need.

Since your router actually holds the public IP address (and not the ASA) then your options to create a NAT configuraiton for the Web server would either be

Configure Static PAT (Port Forward) on the router that points to the ASA IP address 192.168.1.3 and the needed ports and then configure Static PAT (Port Forward) on the ASA from the IP address 192.168.1.3 to the actual IP address of the server for the needed ports and make sure the ACL on the ASA allows the traffic

Make sure there is NO NAT between the ASAs "inside" and "outside" interface and configure the Static PAT for the actual server IP 192.168.10.x directly on the Router and make sure the ACL on the ASA allows the traffic.

So first we need to know if the router will see the actual 192.168.10.0/xx network (NONAT on ASA) or will it just see the ASA outside IP address 192.168.1.3

The correct configuraiton format for Static PAT on ASA is for example

object network STATIC-PAT

host 192.168.10.x

nat (inside,outside) static interface service tcp 80 80

This would forward the port TCP/80 if connections are coming to the "interface" IP address of "outside" with that destination port.

- Jouni

access from outside

cbuschini — Thu, 17 Oct 2013 16:40:47 GMT

Hi Jouni,

Thanks for your reply.

The router only see the ASA on 192.168.1.3 and there is a NAT to this IP

(ip nat inside source static 192.168.1.3 62.23.xx.xx)

There is a NAT between ASAs inside and ouside interfaces.

I have tried to create the static PAR on the ASA. But I still cannot reach the web server from the Internet.

Is the access-list I wrote fine ?

cedric

Re: access from outside

Jouni Forss — Thu, 17 Oct 2013 17:03:29 GMT

Hi,

Either post the configuration or post the output of this "packet-tracer" command

packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.3 80

Or use the destination port "443" if that is the one you are using

- Jouni

Re: access from outside

cbuschini — Mon, 21 Oct 2013 05:52:31 GMT

Hello Jouni,

Sorry for the time to reply.

Here is the output of the packet tracer :

ciscoasa# packet-tracer input LANColt tcp 8.8.8.8 12345 192.168.1.3 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.1.3 255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: LANColt

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Packets are drop by an ACL.

Here is "sh access-list" :

ciscoasa# sh access-list

access-list cached ACL log flows: total 397, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list LANColt_access_in; 4 elements; name hash: 0xa28dded0

access-list LANColt_access_in line 1 extended permit icmp any any object-group obj-i-all log informational interval 300 (hitcnt=0) 0x1507d1f7

access-list LANColt_access_in line 1 extended permit icmp any any echo log informational interval 300 (hitcnt=0) 0x188a9836

access-list LANColt_access_in line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=0) 0xada2a22a

access-list LANColt_access_in line 1 extended permit icmp any any time-exceeded log informational interval 300 (hitcnt=19) 0xaf99f695

access-list LANColt_access_in line 2 extended permit tcp any any eq www (hitcnt=0) 0x25780758

access-list DMZCarax_access_in; 3 elements; name hash: 0xef6085d

access-list DMZCarax_access_in line 1 extended permit ip any any log debugging interval 300 (hitcnt=20007537) 0x563bb185

access-list DMZCarax_access_in line 2 extended permit icmp any any log informational interval 300 (hitcnt=0) 0x3ddebcbf

access-list DMZCarax_access_in line 3 extended permit udp host 192.168.2.2 any (hitcnt=0) 0xa1c4ec7c

access-list CARAX; 2 elements; name hash: 0xf5e4518b

access-list CARAX line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xc362eb9d

access-list CARAX line 2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xdc4e01b7

access-list LANEurex_access_in; 3 elements; name hash: 0x77b8262a

access-list LANEurex_access_in line 1 extended permit ip object obj-h-Eurex object-group gobj-n-Global-Carax 0x741dc2a6

access-list LANEurex_access_in line 1 extended permit ip host 193.29.93.173 192.168.20.0 255.255.255.0 (hitcnt=0) 0xbf558d64

access-list LANEurex_access_in line 1 extended permit ip host 193.29.93.173 192.168.10.0 255.255.255.0 (hitcnt=0) 0xe6964c68

access-list LANEurex_access_in line 2 extended permit ip any any inactive (hitcnt=0) (inactive) 0xe0241ced

access-list LANAbn_access_in; 5 elements; name hash: 0xfc8d5221

access-list LANAbn_access_in line 1 extended permit ip object-group gobj-h-ABN object-group gobj-n-Global-Carax inactive (inactive) 0xe7ef84f4

access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.102 192.168.20.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0x13f4adc8

access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.102 192.168.10.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xd1e47353

access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.103 192.168.20.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xc6f7ec02

access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.103 192.168.10.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0x0e46a02e

access-list LANAbn_access_in line 2 extended permit ip any any (hitcnt=2) 0x0fdd7231

access-list LANBloom_access_in; 1 elements; name hash: 0xcc39ac70

access-list LANBloom_access_in line 1 extended permit ip any any (hitcnt=7872) 0xc86a3df1

access-list acl-out; 6 elements; name hash: 0x12815e8f

access-list acl-out line 1 extended permit icmp any any object-group obj-i-all (hitcnt=0) 0xc838e767

access-list acl-out line 1 extended permit icmp any any echo (hitcnt=0) 0x9ab79491

access-list acl-out line 1 extended permit icmp any any echo-reply (hitcnt=0) 0xa2377349

access-list acl-out line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xcb4b3851

access-list acl-out line 2 extended permit gre any host 192.168.10.221 (hitcnt=0) 0xdeafcf2f

access-list acl-out line 3 extended permit tcp any host 192.168.10.221 eq pptp (hitcnt=0) 0xdb7d38da

Thanks in advance.

access from outside

Jouni Forss — Mon, 21 Oct 2013 06:14:24 GMT

Hi,

You should use your external interface as the input interface of this test. Not your LAN interface which you are using now. The hosts on the Internet wont be using that as the input interface.

- Jouni

access from outside

Jouni Forss — Mon, 21 Oct 2013 06:18:27 GMT

Or,

If this was the interface connected to the router then you either are missing a NAT configuration or you have an overriding NAT configuration in your current configuration which is most likely a Dynamic PAT configuration.

- Jouni

access from outside

cbuschini — Mon, 21 Oct 2013 06:28:28 GMT

LANColt is the interface facing the router Colt. It is the 192.168.1.3 interface.

ciscoasa# sh nat

Manual NAT Policies (Section 1)

1 (DMZCarax) to (LANColt) source dynamic OBJ_GENERIC_ALL interface

translate_hits = 18933401, untranslate_hits = 1516833

2 (DMZCarax) to (LANBloom) source static obj-LANCarax obj-LANCarax destination static obj-LANBloom obj-LANBloom

translate_hits = 0, untranslate_hits = 15244

3 (DMZCarax) to (LANEurex) source static obj-LANCarax obj-LANCarax destination static obj-LANEurex obj-LANEurex