topic Need help accesing a server from the internet in Network Security

Need help accesing a server from the internet

ArieteCisco — Tue, 12 Mar 2019 02:40:18 GMT

I have recently changed my PIX 500E for an ASA 5505 version 9.0(1) but in spite of all the reading about the new NAT commands and similar problems solved I haven't been able to give access to my http and ftp server from the internet. I think my configuration is OK but I must miss something because it doesn't work.

Could you please take a look to my configuration and point me what id wrong?

Thankyou

Gerardo

***************************************************************************************************

: Saved

ASA Version 9.0(1)

hostname ciscoasa1

enable password HK8DwXVw0PRo5n0D encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.240.1 255.255.255.128

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object network my-inside-net

subnet 192.168.240.0 255.255.255.128

object network MyPublicIP

host xxx.xxx.xxx.xxx

object network FTP_PAT

host 192.168.240.19

object network WEB_PAT

host 192.168.240.19

object network NAT-DYN

subnet 192.168.240.0 255.255.255.128

access-list inside_access_in extended permit ip object my-inside-net any

access-list inside_access_in extended permit tcp object my-inside-net any

access-list inside_access_in extended permit udp object my-inside-net any

access-list inside_access_in extended permit icmp object my-inside-net any

access-list outside_access_in extended permit tcp any object WEB_PAT eq www

access-list outside_access_in extended permit tcp any object FTP_PAT eq ftp

access-list outside_access_in extended permit icmp any4 any4

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network my-inside-net

nat (inside,outside) dynamic interface

object network FTP_PAT

nat (inside,outside) static interface service tcp ftp ftp

object network WEB_PAT

nat (inside,outside) static interface service tcp www www

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.240.0 255.255.255.128 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username MyName password IPks.pvF1fRLc2sc encrypted

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:643794ad28d775a6a849045ced67d284

: end

no asdm history enable

***************************************************************************************************

Need help accesing a server from the internet

mvsheik123 — Wed, 18 Sep 2013 20:01:32 GMT

Hi,

The config looks fine (unless I miss something ). Were you able to access internet from internal PC/server? In general, you may need to reboot the internet devices (modem etc) to clear the arp after you chance hardware. Just wanted to check on that.

Thx

Need help accesing a server from the internet

Oscar Castillo — Wed, 18 Sep 2013 20:31:38 GMT

Please, remove:

---> access-group inside_access_in in interface inside<---

access-group outside_access_in in interface outside

-All you need to do is one access group in that configuration.

Also, you can have one Object and add miltiple ACLs to it. It all depends on the services that you want.

object network FTP_PAT

host 192.168.240.19

object network WEB_PAT

host 192.168.240.19

Need help accesing a server from the internet

ArieteCisco — Thu, 19 Sep 2013 07:59:33 GMT

Thanks MvSheik,

yes, the server has internet connectivity. This is an http and ftp server that was already running and was accessed by both internal net PCs (which still can access) and from the internet (which after changing the PIX for the ASA can't anymore).

Any way I reset the modem, the asa even the server but still can't access the server from internet.

Regards

Gerardo

Need help accesing a server from the internet

Jouni Forss — Thu, 19 Sep 2013 08:10:16 GMT

Hi,

Have you removed the default inspection configurations? I cant see them in the configurations. I would suggest adding them just for the sake of the FTP

For example

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

no protocol-enforcement

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect sqlnet

inspect sunrpc

inspect tftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect rtsp

inspect skinny

inspect pptp

inspect http

inspect esmtp

inspect icmp

inspect icmp error

inspect ftp

service-policy global_policy global

Also with regarding the actual specific problem, if you issue "show access-list" command do you see any hitcount on the ACL statements which allow TCP/80 and TCP/21?

Also you could try to take the output of the "packet-tracer" command to test the traffic

packet-tracer input outside tcp 1.1.1.1 12345 80

packet-tracer input outside tcp 1.1.1.1 12345 21

Even though in your situation the Static PAT configuration format shouldnt matter, you could try to do the following configurations and see if they make any difference. These remove the current Static PAT (Port Forward) configurations

no access-list outside_access_in extended permit tcp any object WEB_PAT eq www

no access-list outside_access_in extended permit tcp any object FTP_PAT eq ftp

no object network FTP_PAT

no object network WEB_PAT

object network SERVER

host 192.168.240.19

object service FTP

service tcp source eq 21

object service WWW

service tcp source eq 80

nat (inside,outside) source static SERVER interface service FTP FTP

nat (inside,outside) source static SERVER interface service WWW WWW

- Jouni

Need help accesing a server from the internet

ArieteCisco — Thu, 19 Sep 2013 08:10:23 GMT

Thanks Oscar,

I removed the access-group inside_access_in but still the same.

I tried with one object before but hadn't internet access to the server either. I don't think it matters so I rather use one object for each port for the sake of clarity.

Regards

Gerardo

Need help accesing a server from the internet

ArieteCisco — Thu, 19 Sep 2013 10:50:51 GMT

Thanks Jouni,

I did add the lines you suggested but still the server is unreachable although the packet-tracer show a better answer.

I had to add a line to permit the ip traffic in the outside_access_list to the server as only icmp was left after the changes.

This is the response to the packet-tracer command before and after.

BEFORE*********************************************************************************

Result of the command: "packet-tracer input outside tcp 1.1.1.1 12345 X.X.X.X 80"

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

AFTER*************************************************************************************

Result of the command: "packet-tracer input outside tcp 1.1.1.1 12345 X.X.X.X 80"

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static SERVER interface service WWW WWW

Additional Information:

NAT divert to egress interface inside

Untranslate X.X.X.X/80 to 192.168.1.19/80

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit ip any object SERVER

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static SERVER interface service WWW WWW

Additional Information:

Static translate 1.1.1.1/12345 to 1.1.1.1/12345

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static SERVER interface service WWW WWW

Additional Information:

Phase: 9

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1491, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

and this is how my configuration looks now.

: Saved

ASA Version 9.0(1)

hostname ciscoasa1

enable password HK8DwXVw0PRo5n0D encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.128

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object network my-inside-net

subnet 192.168.1.0 255.255.255.128

object network MyPublicIP

host X.X.X.X

object network NAT-DYN

subnet 192.168.1.0 255.255.255.128

object network SERVER

host 192.168.1.19

object service FTP

service tcp source eq ftp

object service WWW

service tcp source eq www

access-list inside_access_in extended permit ip object my-inside-net any

access-list inside_access_in extended permit tcp object my-inside-net any

access-list inside_access_in extended permit udp object my-inside-net any

access-list inside_access_in extended permit icmp object my-inside-net any

access-list outside_access_in extended permit ip any object SERVER

access-list outside_access_in extended permit icmp any4 any4

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static SERVER interface service FTP FTP

nat (inside,outside) source static SERVER interface service WWW WWW

object network my-inside-net

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.128 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username MyName password IPks.pvF1fRLc2sc encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

no protocol-enforcement

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect sqlnet

inspect sunrpc

inspect tftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect rtsp

inspect skinny

inspect pptp

inspect http

inspect esmtp

inspect icmp

inspect icmp error

inspect ftp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6f9275db2a20167e195bf1144cd05961

: end

no asdm history enable

Regards

Gerardo

Need help accesing a server from the internet

Jouni Forss — Thu, 19 Sep 2013 14:24:39 GMT

Hi,

Since you are only using the public IP that you get for the ASA with DHCP there should be no problem reaching your ASA and therefore your server. If there was a problem no internal device could access the Internet.

You didnt reply/mention in the above reply if you we seeing any hitcounts on the output of the "show access-list" command for this SERVER when you are testing connections from the external network. Try the connections multiple times and check the "show access-list" command to see if the hitcount of the rule for the SERVER is increasing.

Do notice that using the "packet-tracer" commands add to the ACL hitcount even though no actual connection has come from the external network.

I would also suggest double checking the network configurations on the SERVER and confirming that no software firewalls etc is not blocking the connections.

Also, are you sure you are targetting the correct public IP address from the external network? Since you are using DHCP to get a public IP address for your ASA.

- Jouni

Need help accesing a server from the internet

ArieteCisco — Thu, 19 Sep 2013 16:15:45 GMT

Hello Jouni,

in fact I can access cisco ASDM from the internet. The IP is obtained by DHCP but is static, never changes.

I did the show access-list before your changes and showed 0 hits for the server I forgot to tell.

The extrange thing is that hitcnt is only increased by the packet-tracer command not when I try a web page of the server or the ftp. Both the IIS server and ftp server are up and running I can access them from the internal network.

access-list outside_access_in; 2 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit ip any object SERVER (hitcnt=3) 0xee330cf0

access-list outside_access_in line 1 extended permit ip any host 192.168.1.19 (hitcnt=3) 0xee330cf0

access-list outside_access_in line 2 extended permit icmp any4 any4 (hitcnt=1108) 0x5ac062e8

I have checked the SERVER network configuration and security settings and found nothing wrong. Also I shut down the antivirus and antispybot. But everything remains the same.

Regards

Gerardo

Need help accesing a server from the internet

Jonathan Rees — Thu, 26 Sep 2013 00:26:34 GMT

Hi Gerardo,

Did you manage to get this resolved?

I'm experiencing the same issue but I'm using a Cisco ASA 5510 with IOS 9.1.2.

My issue is the same as yours, the ACL that is applied to the Outside interface behaves like it hasn't been applied so I get no hit counts. The only statement that works and gets a hit count is the "permit icmp any any" but all my other statements which are TCP and UDP don't work, it feels like TCP and UDP requests are being dropped but even before the requests get to the ACL.

One thing i noticed on IOS 9.0 and later is that at the beginning of the config it shows this:

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

I'm not sure if by changing them to permit would make a difference, I'll give it a go tomorrow.

Cheers.

Jon

Re:Need help accesing a server from the internet

Mike Williams — Thu, 26 Sep 2013 05:14:39 GMT

Gerardo,
Please disable ASDM.

no http server enable

It could be intercepting the requests for port 80.

Regards,
Mike

Sent from Cisco Technical Support Android App

Need help accesing a server from the internet

ArieteCisco — Thu, 26 Sep 2013 15:46:28 GMT

Hello Jon,

I don't have those statements so I don't think that is.

Need help accesing a server from the internet

ArieteCisco — Thu, 26 Sep 2013 15:48:33 GMT

Hello Mike,

I tried but it didn't work so I swithed it back.

Just curious: If the ASDM uses https, why disabling http stopped the communication with the ASDM.

Need help accesing a server from the internet

ArieteCisco — Thu, 26 Sep 2013 16:09:23 GMT

Hello and thanks to all of you,

I haven't exactly resolved the issue but very very very near. I will explain:

I don't have an ASA 5505 but two of them each of one linked to the internet with a different ISP (backup connection) and of course with a different external fixed IP.

So, I sended the same configuration to the other ASA and in the server I configured the gateway to be this othar asa, and then everything worked!

I switched back to the original ASA and added these lines:

object service FTP2121
 service tcp source eq 2121 
object service WWW8080
 service tcp source eq 8080 

nat (inside,outside) source static SERVER interface service FTP2121 FTP2121 nat (inside,outside) source static SERVER interface service WWW8080 WWW8080

and voila! I can connect with my SERVER web and ftp services on these ports from the outside.

I have also nated the ultraVNC port 5900 and with this I had no problem.

I am not a hundred percent sure but it seems that the first ISP is blocking somehow ports 21 and 80, is this even posible? its router is in bridging mode to serve the IP to my ASA.

Need help accesing a server from the internet

Oscar Castillo — Fri, 27 Sep 2013 01:21:31 GMT

Hi Geraldo,

is your ISP Comcast? I have done the same, I called them up, switched to bridge mode my cable modem, them let the ASA do the work.

Double NAT with a router in between causes many issues. I spent two days doing the same until I got my modem into Bridge mode setup.

Regards,

Need help accesing a server from the internet

ArieteCisco — Mon, 30 Sep 2013 06:48:55 GMT

Hello Oscar,

no, my ISP is Telefonica and its router has NAT deactivated.

Regards

Need help accesing a server from the internet

ArieteCisco — Mon, 30 Sep 2013 06:55:41 GMT

Thanks to all of you, the problem is now resolved.

It was the zyxel router provided by my ISP. It was configured in routing mode, NAT deactivated, no filtering rules and giving the external IP to my ASA through DHCP but it keeped 3 ports for itself for comissioning: 21, 23 and 80. Once I changed this ports to 2121, 2323 and 8080 they were liberated for the ASA.