topic Re: cannot reach special port from internet in Network Security

cannot reach special port from internet

jonathan.borgeaud — Mon, 11 Mar 2019 23:26:01 GMT

Hi, i've got several problem. The goal is to reach port 8888 from outside to inside my lan.

my config is simple, asa inside : 192.168.1.0/24, outside dhcp by fai.

inside to outside all is ok.

internet ping to outside interface is ok.

But internet to connect to port 8888 is not working.

I try many things and i'm quite sure that my config is shitty now...

So please help me

here it is :

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

interface Vlan2

mac-address a44c.1156.90b2

nameif outside

security-level 0

ip address dhcp setroute

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 178.250.208.37

name-server 8.8.8.8

domain-name xx

same-security-traffic permit intra-interface

object network obj_any

subnet 192.168.1.0 255.255.255.0

object network server1

host 192.168.1.20

object network NETWORK_OBJ_192.168.1.192_27

subnet 192.168.1.192 255.255.255.224

object network telephone_ip

host 192.168.1.5

object network lan

subnet 192.168.1.0 255.255.255.0

description lan

object network vpn

range 192.168.69.100 192.168.69.110

description vpn

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.69.96_28

subnet 192.168.69.96 255.255.255.240

object service http_8888

service tcp destination eq 8888

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object icmp

protocol-object udp

protocol-object tcp

protocol-object ip

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.69.96_28 any

access-list outside_access_in extended permit object-group TCPUDP any object telephone_ip eq sip

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit object http_8888 any object server1

access-list outside_access_in extended permit tcp any host 192.168.1.20 eq 8888

access-list outside_access_in extended permit tcp any host 192.168.1.20

access-list inside_access_in extended permit ip any any

access-list nonat remark ACL for Nat Bypass

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0

access-list lan standard permit 192.168.1.0 255.255.255.0

access-list SplitTunnel_ACL standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpn-pool 192.168.69.100-192.168.69.110 mask 255.255.255.0

ipv6 icmp permit any inside

ipv6 icmp permit any outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source static lan lan destination static vpn vpn

nat (inside,outside) source dynamic lan interface

nat (outside,outside) source dynamic any interface destination static server1 server1 service http_8888 http_8888

object network server1

nat (outside,inside) static interface service tcp 8888 8888

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

Re: cannot reach special port from internet

Karsten Iwen — Tue, 03 Jul 2012 20:51:22 GMT

your NAT-config is probably incorrect. Keep in mind that the NAT-statements are processed top down. And the NAT for the Server has to be changed:

object network server1

nat (inside,outside) static interface service tcp 8888 8888

Re: cannot reach special port from internet

jonathan.borgeaud — Tue, 03 Jul 2012 20:53:50 GMT

ok so can you tell me how i can correct my nat setup(topdown) ?

Thanks you.

I've got this log always in logging :

%ASA-7-710005: TCP request discarded from MYISPIP/64667 to outside:IPOFTHEOUTSIDEINTERFACE/8888

cannot reach special port from internet

Julio Carvajal — Tue, 03 Jul 2012 20:54:35 GMT

Hello Jonathan,

Lets do it different

object network server1

no nat (outside,inside) static interface service tcp 8888 8888

object network Internal_host

host 192.168.1.20

object service 8888

Service tcp source eq 8888

nat (inside,outside) source static Internal_host interface service 8888 8888

Regards,

Julio

Re: cannot reach special port from internet

jonathan.borgeaud — Tue, 03 Jul 2012 21:00:01 GMT

Julio, i try your config but same problem.

Log :

%ASA-7-710005: TCP request discarded from MYISPIP/64667 to outside:IPOFTHEOUTSIDEINTERFACE/8888

Re: cannot reach special port from internet

Julio Carvajal — Tue, 03 Jul 2012 21:04:49 GMT

Please provide the following:

packet-tracer input outside tcp 4.2.2.2 1025 interface_ip eq 8888

Regards,

Re: cannot reach special port from internet

jonathan.borgeaud — Tue, 03 Jul 2012 21:12:19 GMT

ok here is the result.

btw now i got new log :

Deny TCP (no connection) from MYISPIP/64842 to ASAOUTSIDEIP/8888 flags FIN PSH ACK on interface outside

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static Internal_host interface service 8888 8888

Additional Information:

NAT divert to egress interface inside

Untranslate ipoutsideinterface/8888 to 192.168.1.20/8888

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp object obj_any object supernova eq 8888

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static Internal_host interface service 8888 8888

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 4820, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Re: cannot reach special port from internet

Julio Carvajal — Tue, 03 Jul 2012 21:21:57 GMT

Hello Jonathan,

Packet tracer looks good,

Next test:

- capture asp type asp-drop all circular-buffer

Then try to connect to the port 8888 and provide the following outputs:

sh cap asp | include outside_ip

Regards,

Julio

Re: cannot reach special port from internet

jonathan.borgeaud — Tue, 03 Jul 2012 21:40:38 GMT

Ok here is the next:

anyway thx for help

check your pm.

Re: cannot reach special port from internet

jonathan.borgeaud — Tue, 03 Jul 2012 21:53:46 GMT

i've do some test, when i push the nat rules at the 1rst place get that :

Deny TCP (no connection) from MYISPIP/64842 to ASAOUTSIDEIP/8888 flags FIN PSH ACK on interface outside

when i push the nat rules at the last place get that :

%ASA-7-710005: TCP request discarded from MYISPIP/64667 to outside:IPOFTHEOUTSIDEINTERFACE/8888

Re: cannot reach special port from internet

Julio Carvajal — Tue, 03 Jul 2012 22:31:44 GMT

Hello Jonathan,

I checked my PM and I already know what the problem is.

Looks like you are facing a Asymetric routing issue.

The ASA is receiving the first tcp packet and this is not a SYN packet.

To make it work do the following:

access-list test permit tcp any host outside_ip_address eq 8888

class-map test

match access-group test

policy-map global_policy

class test

set connection advanced-options tcp-state-bypass

Let me know if this works?

Regards,

Julio

Re: cannot reach special port from internet

jonathan.borgeaud — Tue, 03 Jul 2012 22:45:21 GMT

hmm are you sure it's

match access-group test ?

the only one command i can do is

match access-list test

Anyway it's not working...

same error syn,ack etc

Question, this nat rule must be the first on the list ?

i send you pm with my route print

Re: cannot reach special port from internet

Julio Carvajal — Tue, 03 Jul 2012 22:52:16 GMT

Hello,

Sorry is match access-list!

No, we do not need it at the first place.

Please do the following

clear cap asp

And then try to connect one more time,

Send me the cap one more time

Re: cannot reach special port from internet

jonathan.borgeaud — Tue, 03 Jul 2012 22:57:23 GMT

in your mail 😃

Re: cannot reach special port from internet

jonathan.borgeaud — Tue, 03 Jul 2012 23:28:02 GMT

Hmm do you think it's possible that all my problem come because i must spoof the mac adress to get dhcp from isp because he do mac filtering ?

so i must drop that in interface vlan 2 :

interface Vlan2

mac-address a44c.1156.90b2

nameif outside

So i think we will continue tomorrow because it's 1:40 in the morning here and i must sleep.

Have a nice day

Jon

Re: cannot reach special port from internet

Julio Carvajal — Tue, 03 Jul 2012 23:49:07 GMT

Hello John,

Sure, if you want send me the config on a private message, I will resolve this for you.

Regards,

Julio

Re: cannot reach special port from internet

jonathan.borgeaud — Tue, 03 Jul 2012 23:50:39 GMT

yes i send it to you now

Re: cannot reach special port from internet

Julio Carvajal — Wed, 04 Jul 2012 00:04:51 GMT

Hello,

Check the changes.

If that does not work, please send the configuration with the changes I did

Re: cannot reach special port from internet

jonathan.borgeaud — Wed, 04 Jul 2012 00:16:27 GMT

done look your pm

Re: cannot reach special port from internet

Julio Carvajal — Wed, 04 Jul 2012 00:19:53 GMT

I just answered that