topic Trouble with NAT Rule for DMZ Webserver ASA5510 in Network Security

Trouble with NAT Rule for DMZ Webserver ASA5510

joshscott — Tue, 12 Mar 2019 00:13:24 GMT

Hello all I am having a hell of a time with a NAT rule I am trying to set up for a webserver I want to place into my DMZ. I have created a NAT rule and added the appropriate access rules but I am still unable to hit my webserver from the internet.

I did a packet trace from the CLI and here are the results.

packet-tracer input outside tcp 192.168.0.1 1025 10.47.20.21 80 detail

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.47.20.0 255.255.255.0 dmz

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp object-group WebServerAccess object DMZ_WebHost object-group PublicWebServerRestricted

object-group network WebServerAccess

description: Allowed IPs to connect to ACME External Web Server

network-object object ACME_TESTING_IP

network-object object GenericCompanyCorporate

object-group service PublicWebServerRestricted tcp

description: Restricted Ports for Public Web Server

port-object eq www

port-object eq https

port-object eq ssh

Additional Information:

Forward Flow based lookup yields rule:

in id=0xacd94350, priority=13, domain=permit, deny=false

hits=19, user_data=0xa9040a80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=192.168.0.1, mask=255.255.255.255, port=0

dst ip/id=10.47.20.21, mask=255.255.255.255, port=80, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xacc129a8, priority=0, domain=inspect-ip-options, deny=true

hits=191811, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect http

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in id=0xadf98708, priority=70, domain=inspect-http, deny=false

hits=55, user_data=0xad998988, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 6

Type: IDS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xadf9b518, priority=51, domain=ids, deny=false

hits=14552, user_data=0xadf9b228, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 7

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xad71e010, priority=13, domain=ipsec-tunnel-flow, deny=true

hits=13914, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 8

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network DMZ_WebHost

nat (dmz,outside) static 192.168.5.1

Additional Information:

Forward Flow based lookup yields rule:

out id=0xacd82240, priority=6, domain=nat-reverse, deny=false

hits=25, user_data=0xacd81a40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.47.20.21, mask=255.255.255.255, port=0, dscp=0x0

input_ifc=outside, output_ifc=dmz

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Im not sure what im looking at here other than it seems to be failing at the last bit.

Trouble with NAT Rule for DMZ Webserver ASA5510

V S Narayana Chivukula — Thu, 25 Oct 2012 05:56:26 GMT

Hi,

I see that the nat rule is not hit. Can you provide the output of command 'show run' or all configuration related to nat as below :

if software version 8.2 or below

show run nat

show run global

show run st

show access-list (if any access-list is used in nat configurations)

if software version 8.3 or above

show run nat

show run object

Regards,

Narayana

Trouble with NAT Rule for DMZ Webserver ASA5510

Jouni Forss — Thu, 25 Oct 2012 06:20:56 GMT

Hi,

Are you saying that the configuration in one of the NAT portions is not the rule you want the traffic to hit?

I mean this

object network DMZ_WebHost

nat (dmz,outside) static 192.168.5.1

If this IS the correct NAT rule then you have to use the actual NAT IP in the packet-tracer command and not the local address. (If the "host" configuration under that object contains the IP 10.47.20.21)

- Jouni

Trouble with NAT Rule for DMZ Webserver ASA5510

V S Narayana Chivukula — Thu, 25 Oct 2012 06:27:46 GMT

Hi Jouni,

If the real Ip of the server is 10.47.20.21 and the mapped IP is 192.168.5.1, then the nat rule configured is correct. However the packet-tracer command should be to the mapped IP as below :

packet-tracer input outside tcp 192.168.0.1 1025 192.168.5.180 detail

Regards,

Narayana

Trouble with NAT Rule for DMZ Webserver ASA5510

joshscott — Thu, 25 Oct 2012 14:21:06 GMT

Weird now when I run the packet-trace command using the public IP address instead of the internal as Narayana suggested then it shows that it is working. However I am still unable to hit that IP Address.

packet-tracer input outside tcp 192.168.0.1 1025 192.168.5.1$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xacb6cc30, priority=1, domain=permit, deny=false

hits=45975731, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=outside, output_ifc=any

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network DMZ_WebHost

nat (dmz,outside) static 192.168.5.1

Additional Information:

NAT divert to egress interface dmz

Untranslate 192.168.5.1/80 to 10.47.20.21/80

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp object-group WebServerAccess object DMZ_WebHost object-group GenericCompanyRestricted

object-group network WebServerAccess

description: Allowed IPs to connect to ACME External Web Server

network-object object ACME_TESTING_IP

network-object object GenericCompanyCorporate

object-group service GenericCompanyRestricted tcp

description: Restricted Ports for Public Web Server

port-object eq www

port-object eq https

port-object eq ssh

Additional Information:

Forward Flow based lookup yields rule:

in id=0xacd94350, priority=13, domain=permit, deny=false

hits=38, user_data=0xa9040a80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=192.168.0.1, mask=255.255.255.255, port=0

dst ip/id=10.47.20.21, mask=255.255.255.255, port=80, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xacc129a8, priority=0, domain=inspect-ip-options, deny=true

hits=1026923, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect http

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in id=0xadf98708, priority=70, domain=inspect-http, deny=false

hits=679, user_data=0xad998988, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 7

Type: IDS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xadf9b518, priority=51, domain=ids, deny=false

hits=60553, user_data=0xadf9b228, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 8

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xad71e010, priority=13, domain=ipsec-tunnel-flow, deny=true

hits=55724, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 9

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network DMZ_WebHost

nat (dmz,outside) static 192.168.5.1

Additional Information:

Forward Flow based lookup yields rule:

out id=0xacd82240, priority=6, domain=nat-reverse, deny=false

hits=44, user_data=0xacd81a40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.47.20.21, mask=255.255.255.255, port=0, dscp=0x0

input_ifc=outside, output_ifc=dmz

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xacc67d20, priority=0, domain=inspect-ip-options, deny=true

hits=42802, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=dmz, output_ifc=any

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1078064, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_inspect_http

snp_fp_translate

snp_fp_divert_fragment

snp_ids

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_inspect_http

snp_fp_divert_fragment

snp_ids

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: allow

What should I check next? I will post the results of show run nat and show run object here shortly after i sanitize them.

Trouble with NAT Rule for DMZ Webserver ASA5510

joshscott — Thu, 25 Oct 2012 15:23:41 GMT

Here is the results from show run nat

nat (inside,outside) source static ACME_TERMINAL_SERVERS testCOX_Source_NAT destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_2

nat (outside,dmz) source static any any destination static interface ACME-TMG1 service FTPS_PASSIVE FTPS_PASSIVE

nat (outside,dmz) source static any any destination static interface ACME-TMG1 service INBOUND_OWA INBOUND_OWA

nat (outside,inside) source static any any destination static interface theforce service INBOUND_MAIL INBOUND_MAIL

nat (outside,dmz) source static any any destination static interface ACME-TMG1 service FTPS_MAIN FTPS_MAIN

nat (inside,outside) source static ACME1 interface service COportal COportal

nat (inside,any) source static ACME_INSIDE_NETWORKS ACME_INSIDE_NETWORKS destination static Outside1_HOSTS_REMOTE Outside1_HOSTS_REMOTE

nat (inside,any) source static ACME_INSIDE_NETWORKS ACME_INSIDE_NETWORKS destination static VANRU_HOSTS_REMOTE VANRU_HOSTS_REMOTE

nat (inside,any) source static ACME_INSIDE_NETWORKS ACME_INSIDE_NETWORKS destination static ACME_COLO_NETWORK ACME_COLO_NETWORK

nat (inside,any) source static ACME_INSIDE_NETWORKS ACME_INSIDE_NETWORKS destination static Outside3_HOSTS_REMOTE Outside3_HOSTS_REMOTE

nat (inside,any) source static ACME_INSIDE_NETWORKS ACME_INSIDE_NETWORKS destination static Outside3_HOSTS_REMOTE_BACKUP Outside3_HOSTS_REMOTE_BACKUP

nat (inside,outside) source dynamic any interface description Basic PAT

nat (inside,outside) source static EXEMPT EXEMPT

object network vpnclient-network

nat (outside,outside) dynamic interface

object network dmz-network

nat (dmz,outside) dynamic interface

object network AS5400-VOIP

nat (dmz,outside) static 192.168.5.2

object network DMZ-FTP-01

nat (dmz,outside) static 192.168.5.5

object network DMZ_WebHost

nat (dmz,outside) static 192.168.5.1

Here are the results for show run object

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network ACME_INSIDE_NETWORKS

subnet 10.47.2.0 255.255.255.0

object network theforce

host 10.47.2.10

object service FTPS_MAIN

service tcp destination eq 990

object service FTPS_PASSIVE

service tcp destination range 10000 10050

object service INBOUND_MAIL

service tcp destination eq smtp

object service INBOUND_OWA

service tcp destination eq https

object network vpnclient-network

subnet 10.47.30.0 255.255.255.0

object network 10.47.2.17

host 10.47.2.17

object network EXEMPT

subnet 10.47.2.0 255.255.255.0

object network vpn

subnet 10.47.2.0 255.255.255.0

object service COportal

service tcp destination eq 8443

object network ACMEC1

host 10.47.2.158

object network ACMEC-TMG1

host 10.47.20.10

description TMG

object network dmz-network

subnet 10.47.20.0 255.255.255.0

object network AS5400-VOIP

host 10.47.20.3

description VOIP Switch

object service IN_VOIP_5060

service tcp destination eq sip

object service IN_VOIP_NTP

service udp destination eq ntp

description NTP

object service IN_VOIP_SIP

service udp destination range 5004 65535

description SIP signaling and Media Ports (RTP)

object service IN_VOIP_SNMP

service udp destination range snmp snmptrap

description SNMP

object service IN_VOIP_SSH

service tcp destination eq ssh

description SSH access

object service IN_VOIP_TELNET

service tcp destination eq telnet

description Telnet

object service OUT_FTP_10022

service tcp destination eq 10022

object service OUT_FTP_2233

service tcp destination eq 2233

object service RDP

service tcp destination eq 3389

object service POP3_SSL

service tcp destination eq 995

object service IN_VOIP_TCP_544

service tcp destination eq kshell

object service IN_VOIP_UDP_544

service udp destination eq 544

object service HTTP_8080

service tcp destination eq 8080

object network ACMEDATA1

host 10.47.2.141

description Joseph's workstation

object network 192.168.85.8-FTP

host 192.168.85.8

description TEMP - Joseph FTP

object network ACMEC-DP1

host 10.47.2.25

description Data Processing Server

object service OUT_FTP_PASSIVE_1

service tcp destination range 23552 24063

object service OUT_FTP_PASSIVE_2

service tcp destination range 49152 65535

object service OUT_FTP_PASSIVE_3

service tcp destination range 30000 50000

object network MAILFILTER_RANGE_1

subnet 192.168.90.9 255.255.255.0

object network MAILFILTER_RANGE_2

subnet 192.168.90.10 255.255.255.192

object network DMZ-FTP-01

host 10.47.20.15

description DMZ SSH

object network Remote2FTPES

host 192.168.95.5

description RemoteHost1 FTPES Server sftp.Remote2.com

object network RemoteHost1_REMOTE_HOSTS

subnet 10.0.0.0 255.0.0.0

description RemoteHost1 Remote Hosts

object network ACMEC-TS1

host 10.47.2.17

object network ACMEC-TS2

host 10.47.2.18

object network RemoteHost1_PUBLIC_1

host 192.168.100.10

description Public IP Address for RemoteHost1

object network RemoteHost1_PUBLIC_2

host 192.168.100.11

description Public IP Address for RemoteHost1

object network ACME_TESTING_IP

host 192.168.0.1

description Testing IP Address from ACME Financial

object network PowerUserTerminalServer

host 10.47.2.12

description Primary Power User Terminal Server

object network ACMEC-TS4

host 10.47.2.20

description Secondary Power User Terminal Server

object network Remote3_CAPITAL_1

host 192.168.105.2

object network Remote3_CAPITAL_2

host 192.168.105.3

object network Remote3_CAPITAL_3

host 192.168.105.4

object network Remote3_CAPITAL_4

host 192.168.105.5

object network Remote4_FTP_IP

host 192.168.105.6

object network Remote5_CONSUMER

host 192.168.110.2

description Remote5 Consumer

object network ACMEC-WS02

host 10.47.2.93

description Joseph's PC

object network ACME_EXTERNAL_IP

host 192.168.5.6

object network ACMEC-MGMT1

host 10.47.2.24

object network RemoteHost1_1

host 10.62.236.50

object network testRemoteHost1_Source_NAT

host 192.168.217.60

object network Remote6_1

host 192.168.45.5

description IP address for Remote6 connectivity to the SFTP

object network Remote6_2

host 192.168.45.6

description IP address for Remote6 connectivity to the SFTP

object network RemoteHost1_2

host 192.168.56.2

object network RemoteHost1_3

host 192.168.56.3

object network FIS_FTP_SERVER_1

host 192.168.56.4

object network GenericCompanySFTP

host 192.168.58.5

description GenericCompany IP Address

object network Remote8SFTP1

host 192.168.62.2

description IP Address that Remote8 Uses to connect to the ACME SFTP

object network Remote8SFTP2

host 192.168.62.3

description IP Address that Remote8 Uses to connect to the ACME SFTP

object network Remote9FTPS

host 192.102.5

object network ACMEC-WS01

host 10.47.2.51

object service FTPS_IMPLICIT

service tcp destination range 5500 5599

object service OUT_FTP_PASSIVE_4

service tcp destination range 5500 5599

object network Remote10_1

host 67.53.190.215

description Green Bay Location

object network Remote10_2

host 12.192.9.22

description New York Location

object service ActiveSync

service tcp source eq https destination eq https

description ActiveSync

object network RemoteHost1_PUBLIC_3

host 192.168.161.2

object network DialerRemoteHost

host 192.168.3.110

description Dialer Remote Server

object network ACMEC-DIALC

host 10.47.2.33

description Dialer Server

object network DialerRemoteHosts

subnet 192.168.3.0 255.255.255.0

description DialerRemoteHosts

object service DialerAgentDialer1

service tcp source eq 943 destination eq 943

description Dialer Agent Dialer Port 1

object service DialerAgentDialer2

service tcp source eq 4510 destination eq 4510

description Dialer Agent Dialer Port 2

object network ACMEC-LT03

host 10.47.2.183

object service DialerAgentDialer3

service udp source eq sip destination eq sip

object service DialerAgentDialer4

service tcp source eq 4722 destination eq 4722

object network FIS_FTP_SERVER_2

host 192.168.25.2

object network FIS_FTP_SERVER_3

host 192.168.25.3

object network ACMEC-DP2

host 10.47.2.90

object network ACMEC-WS07

host 10.47.2.144

description Candace's PC

object network ACMEC-WEB1

host 10.47.20.21

object network DMZ_WebHost

host 10.47.20.21

description DMZ Web Server

object network GenericCompanyCorporate

host 192.168.7.5

Trouble with NAT Rule for DMZ Webserver ASA5510

V S Narayana Chivukula — Fri, 26 Oct 2012 02:24:48 GMT

Hi,

As we see that the packet-tracer shows that its hitting the correct nat rule, if the web server is still not accessible, I would suggest you to run packet captures on ASA interfaces and troubleshoot further. Please find the link below for packet capture commands :

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/c1.html#wp2147322

Regards,

Narayana

Trouble with NAT Rule for DMZ Webserver ASA5510

joshscott — Fri, 26 Oct 2012 14:51:41 GMT

Ok so I ran a packet capture and I cannot see any inbound traffic when I try and navigate to one of my public IP Addresses. I have a /29 network supplied by my ISP.

I have my outside interface configured for (sanitized for security please let me know if this makes sense) 192.168.5.12 with a subnet mask of 255.255.255.248 I have configured the NAT rule for 192.168.5.10 (outside) to my DMZ IP address of 10.47.20.21 which according to packet trace should be working just fine.

I have confirmed with my ISP that 192.168.5.10 does indeed belong to me and should be routing properly but I dont see anything in packet captures or in my Syslog that indicates that I am getting any traffic on 192.168.5.10.

Trouble with NAT Rule for DMZ Webserver ASA5510

V S Narayana Chivukula — Sun, 28 Oct 2012 00:33:35 GMT

Hi,

If you are not getting traffic on 192.168.5.10, then it might be an arp issue.

Please try deleting arp-cache on the device after the ASA towards internet and then send traffic on this IP address and check if it is received

(Or)

change the your Outside interface Ip address from 192.168.5.12 to 192.168.5.10, wait for few seconds and then change it back to 192.168.5.12 (this would make your network traffic to go down for few seconds and you need to have console/inside access to ASA while performing this). This would make the ASA to proxy arp for this IP. Then check if you can receive traffic on this IP address.

Regards,

Narayana

Trouble with NAT Rule for DMZ Webserver ASA5510

andduart — Thu, 20 Dec 2012 23:56:55 GMT

Hi,

Could you attach some logs? Maybe we can get some information about it

logging on

logging buffered 7

sh log

Capture to see if there is a problem with packets dropped by the ASA in some way

capture asp type asp-drop all

sh capture asp | include ./ip address of the server/