topic ASA 8.4 Pat RPF-Check and HTTP Server in Network Security

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Mon, 11 Mar 2019 22:28:19 GMT

Hello,

I am moving all of my nat/pat from my 2800 series to my ASA. I have a few things working including multiple outside ip addresses and dynamic nat, as well as outside access for a few servers.

My two probems are as follows:

1).

For the life of me I cannot get pat working when I want to access and internal web server using a different port on the outside interface.

For example I have added this:

network object test.obj

host 192.168.184.11

nat (inside,outside) static outside-ip-100.1.1.1 8080 www

This adds the nat statments into the network object nat list and it all make sense. Then I add the acl:

access-list outside_access_in extended permit tcp any object test.obj eq http-81

I see no hits on the acl when I try from an outside device, and the packet-tracer keeps telling me I have a nat problem with the reverse path forwarding check.

xlate shows this:

5520-fw# show xlate | i 100.1.1.1

TCP PAT from inside:192.168.184.11 80-80 to outside:100.1.1.1 81-81

NAT from inside:192.168.184.11 to outside:100.1.1.1

I have no idea why, I have followed many examples and I still get nothing. I also get no access to the internet on the computer running the web server unless I add another dynamic nat statement pointing a different network object with the same host ip to the same outside ip address. eg:

network object test.obj-dynamic

host 192.168.184.11

nat (inside,outside) dynamic outside-ip-100.1.1.1

Still after that I get no connection from the outside to the web server

2.)

Second problem.

I had moved our main web server over to the asa and access from the outside worked for a few minutes, I think, as I had hits on the acl. Then it stopped working and the logs showed a huge list of teardowns and it looked like they were all dns requests. I am assuming this is a problem with the virtual hosts on the web server and the dns inspection that the asa is doing. So I added the dns command at the end of the nat command and it did not solve my problem. So I am thinking the first problem with the RPF-check is related to this problem.

I have a couple of other web servers going through the asa with no problems but they are not running on apache and using virtual hosts, they are single stand alone web servers.

Any idea what I am doing wrong?

Thanks,

Dan.

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Sun, 12 Feb 2012 15:01:38 GMT

I think there is some kind of bug in the ASA. I setup a test web server (192.168.75.208), and I added two network objects

object network dan-laptop-pat

nat (inside,outside) static interface service tcp www www

object network dan-laptop

nat (any,outside) dynamic interface

So the device can get out onto the internet because of the second statement and I can access it remotely because of the first statement. So everything works fine.....

But when I use packet-tracer and I run a test it says it doesn't work! Yet it actually works....

Proof from the log file that it works:

6|Feb 12 2012|08:59:11|302014|68.171.231.80|43273|192.168.75.208|80|Teardown TCP connection 28185054 for outside:68.171.231.80/43273 to inside:192.168.75.208/80 duration 0:00:01 bytes 5904 TCP FINs

6|Feb 12 2012|08:59:09|302013|68.171.231.80|43273|192.168.75.208|80|Built inbound TCP connection 28185054 for outside:68.171.231.80/43273 (68.171.231.80/43273) to inside:192.168.75.208/80 (217.77.77.77/80)

Any ideas on what is happening?

Dan.

ASA 8.4 Pat RPF-Check and HTTP Server

Julio Carvajal — Mon, 13 Feb 2012 01:57:36 GMT

Hello Dan,

Yeap, you are doing the packet tracer to the private ip address, you should do it to the public ip address of the server.

Do rate helpful posts

Julio

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Mon, 13 Feb 2012 02:08:31 GMT

Thank you for the reply, I have been pulling my hair out on this one....

If I use the public ip as you stated it all looks like it works fine in the packet tracer but in reality it does not work.

For example:

object network dan-laptop

host 192.168.75.208

object network dan-laptop-pat

host 192.168.75.208

This WORKS:

object network laptop-pat

nat (inside,outside) static interface service tcp www www

nat (inside,outside) after-auto source static laptop internet-75

access-list outside_access_in extended permit object http any object dan-laptop-pat

This DOES NOT WORK:

object network laptop-pat

nat (inside,outside) static interface service tcp www 81

nat (inside,outside) after-auto source static laptop internet-75

access-list outside_access_in extended permit object http-81 any object dan-laptop-pat

Am I doing the wrong kind of nat to make this work?

Thanks

Dan.

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Mon, 13 Feb 2012 23:31:16 GMT

Found out it was a problem with the web server not accepting the request like that. I tried a different web server and now the port translation works.

ASA 8.4 Pat RPF-Check and HTTP Server

Julio Carvajal — Mon, 13 Feb 2012 23:36:04 GMT

Hello Dan,

That is correct, As I told you before the configuration its okay.

Please mark the question as answered, so future users can learn from this.

Regards,

Julio

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Tue, 14 Feb 2012 00:36:42 GMT

Sorry I spoke to soon this is not solved and still not working. I cannot PAT anything on my asa using 8.4. Looks like this may be a bug because no scenario works.

ASA 8.4 Pat RPF-Check and HTTP Server

Julio Carvajal — Tue, 14 Feb 2012 00:43:13 GMT

Hello Dan,

So you are saying your internal users cannot get PATeed to the outside interface

Please provide sh run nat, then we will start working on captures if I do not see something strange.

Regards,

Julio

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Tue, 14 Feb 2012 00:49:57 GMT

My issue is with outside access in. Not inside access out, that seems to be fine.

For example if I do this:

object network web03

host 10.5.0.13

object network web03-p81

host 10.5.0.13

object service http-proxy

service tcp destination eq 8080

object network internet.77

host 77.77.77.77

object network web03-p81

nat (inside,outside) static internet.77 service tcp www 8080

nat (inside,outside) after-auto source static web03 internet.77

access-list outside_access_in extended permit object http-proxy any object web03-p81

When trying to access the web server using http://77.77.77.77:8080 the log shows that the device is trying to access it using port 80???

18:31:15

106023

68.121.131.81

20347

10.5.0.13

Deny tcp src outside:68.121.131.81/20347 dst inside:10.5.0.13/80 by access-group "outside_access_in" [0x0, 0x0]

If I add an access list that allows port 80 it all works, yet I am typing :8080 in the web address...

ASA 8.4 Pat RPF-Check and HTTP Server

Julio Carvajal — Tue, 14 Feb 2012 01:00:05 GMT

object service http-proxy

no service tcp destination eq 8080

service tcp source eq 8080

Then give it a try!!!

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Tue, 14 Feb 2012 01:14:50 GMT

Still no go. It is still hitting the box using port 80 instead of 8080 according to the logs

Feb 13 2012

19:04:43

106023

68.121.131.80

63464

10.5.0.13

Deny tcp src outside:68.121.131.80/63464 dst inside:10.5.0.13/80 by access-group "outside_access_in" [0x0, 0x0]

I also tried from a different external system and still same problem.

ASA 8.4 Pat RPF-Check and HTTP Server

Julio Carvajal — Tue, 14 Feb 2012 01:21:30 GMT

Hello Dan,

Okay so basically this is what you need: access the ASA using port 8080 And then be redirected to the internal host on port 80 right?

object network web03-p81

host 10.5.0.13

object service http-proxy

service tcp source eq 8080

object service http

service tcp source eq 80

object network internet.77

host 77.77.77.77

Outside ip is 77.77.77.77 and internal box is 10.5.0.13 right?

So lets do it like this:

nat (inside,outside) source static web03-p81 internet.77 service http http-proxy

access-list outside_access_in permit tcp any host 10.5.0.13 eq 80

access-group outside_access_in in interface outside

Regards,

Julio

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Tue, 14 Feb 2012 01:37:59 GMT

Ok, so this works sort of....I can access the site using http://77.77.77.77:8080 now, but I can still access the site using http://77.77.77.77/, but I don't want to be able to do that.

ASA 8.4 Pat RPF-Check and HTTP Server

Julio Carvajal — Tue, 14 Feb 2012 01:39:58 GMT

Hello Dan,

So remove all you configured before related to that and left what I sent you, that is the only one that should work from an outside user!

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Tue, 14 Feb 2012 01:43:50 GMT

Yes, everything was removed and I entered in what you sent But I still can access it on port 80 and 8080 from the outside.

Dan.

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Tue, 14 Feb 2012 01:45:22 GMT

Oh wait, I forgot to remove one other thing. That is the other nat statement that allowed the server to get out to the internet.

Without that the server could not get out.

ASA 8.4 Pat RPF-Check and HTTP Server

Julio Carvajal — Tue, 14 Feb 2012 01:50:54 GMT

Please post entire config, to see why is that happening!

ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman — Tue, 14 Feb 2012 01:58:28 GMT

So your config you sent me works perfectly, but my server cannot get out onto the internet, I think I need another nat statement, but when I add another nat statement then i can access the server using port 80 from the outside, so I must be doing something wrong.

ASA Version 8.4(3)

hostname gvsd-asa-5520-fw

names

dns-guard

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 10.10.10.10 255.255.255.252

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address 77.77.77.70 255.255.255.192

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 172.16.0.102

name-server 172.16.0.101

domain-name domain.com

object network 10.20.10.1

host 10.20.10.1

description Astaro Web Filter

object network 172.16.0.0

range 172.16.0.0 172.16.254.254

description Data Network

object network 192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network 10.10.10.1

host 10.10.10.1

description gw-2821-01

object network 10.10.10.9

host 10.10.10.9

description gw-2821-02

object network NETWORK_OBJ_10.250.0.0_28

subnet 10.250.0.0 255.255.255.240

description VPN Test

object network 172.16.187.0

subnet 172.16.187.0 255.255.255.0

description GVC Wifi

object network 10.7.0.0

subnet 10.7.0.0 255.255.0.0

description Guest Network

object network 10.10.10.46

host 10.10.10.46

description astarogw

object network 10.11.0.0

subnet 10.11.0.0 255.255.0.0

description GVSD I.T Network

object network 10.11.200.0

subnet 10.11.200.0 255.255.255.0

description DO I.T Network

object network merlin-67.75

host 77.77.77.75

description Merlin-67.75

object network helpdesk.domain.com

host 10.5.0.125

description Helpdesk Server for HTTP site

object network merlin-67.123

host 77.77.77.123

object network 10.5.0.0

subnet 10.5.0.0 255.255.255.0

description GVSD Server Network

object network intermapper.domain.com

host 10.5.0.150

description intermapper.domain.com

object network merlin-67.120

host 77.77.77.120

object network merlin-67.105

host 77.77.77.105

object network merlin-67.106

host 77.77.77.106

object network merlin-67.116

host 77.77.77.116

object network merlin-67.117

host 77.77.77.117

object network merlin-67.118

host 77.77.77.118

object network merlin-67.121

host 77.77.77.121

object network merlin-67.122

host 77.77.77.122

object network merlin-67.95

host 77.77.77.95

object network merlin-67.99

host 77.77.77.99

object network merlin-67.68

host 77.77.77.68

object network merlin-67.69

host 77.77.77.69

object network merlin-67.70

host 77.77.77.70

object network merlin-67.71

host 77.77.77.71

object network 172.16.187.22

host 172.16.187.22

description GVC Test Host

object network library.domain.com

host 10.5.0.85

description Library Server

object network netstorage.domain.com

host 10.5.0.35

description Netstorage server

object network sm.domain.com

host 10.5.0.87

description Sucess Maker Server

object network vibe.domain.com

host 10.5.0.27

description Vibe Server

object network mobilesync.domain.com

host 10.5.0.32

description Mobilesync Server

object network powerschool.domain.com

host 10.5.0.181

description PowerSchool Application Server

object service powerschool-5071

service tcp source eq 5071 destination eq 5071

object service powerschool-7880

service tcp source eq 7880 destination eq 7880

object service powerschool-7980

service tcp source eq 7980 destination eq 7980

object network astaro-mail

host 10.30.10.2

object service http-81

service tcp destination eq 81

object service http-82

service tcp destination eq 82

object service http-83

service tcp destination eq 83

object service http-84

service tcp destination eq 84

object service http-85

service tcp destination eq 85

object network merlin-67.77

host 77.77.77.77

object network dan-laptop

host 192.168.75.208

object service http-proxy

service tcp source eq 8080

object service http-proxy-2

service tcp destination eq 8080

object network web03-p8080

host 10.5.0.13

object service http-8080

service tcp source eq 8080

object service www

service tcp source eq www

object-group service ff-system udp

description ff system management

port-object eq 1091

object-group service http-81-1 tcp

port-object eq 81

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit object http-81 any object dan-laptop

access-list outside_access_in remark helpdesk webiste

access-list outside_access_in extended permit tcp any object helpdesk.domain.com eq www

access-list outside_access_in extended permit tcp any object library.domain.com eq www

access-list outside_access_in extended permit tcp any object netstorage.domain.com eq https

access-list outside_access_in extended permit tcp any object sm.domain.com eq www

access-list outside_access_in extended permit tcp any object sm.domain.com eq https inactive

access-list outside_access_in extended permit tcp any object mobilesync.domain.com eq https

access-list outside_access_in extended permit tcp any object powerschool.domain.com eq www

access-list outside_access_in extended permit tcp any object powerschool.domain.com eq https

access-list outside_access_in extended permit object powerschool-5071 any object powerschool.domain.com

access-list outside_access_in extended permit object powerschool-7880 any object powerschool.domain.com

access-list outside_access_in extended permit object powerschool-7980 any object powerschool.domain.com

access-list outside_access_in extended permit tcp any object astaro-mail eq smtp inactive

access-list outside_access_in extended permit tcp any object vibe.domain.com eq https

access-list outside_access_in extended permit tcp any object intermapper.domain.com eq www

access-list outside_access_in extended permit tcp any host 10.5.0.13 eq www

access-list inside_access_in extended deny ip object 172.16.187.22 any inactive

access-list inside_access_in remark blsd - web accesss

access-list inside_access_in extended permit tcp object 10.7.0.0 any eq 88

access-list inside_access_in extended deny udp object 10.7.0.0 range 1 65535 any range 1 65535

access-list inside_access_in extended deny tcp object 10.7.0.0 range 1 65535 any range 1 65535

access-list inside_access_in extended permit ip any any

access-list inside_access_out extended permit ip any any

access-list outside_access_out extended permit ip any any

access-list netflow-hosts extended permit ip any any

access-list http-s extended permit tcp any any eq www inactive

pager lines 24

logging enable

logging asdm informational

flow-export destination inside 10.11.200.104 2055

flow-export destination inside 10.11.200.193 2055

flow-export template timeout-rate 1

flow-export delay flow-create 30

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool VPN-L2TP-IPSEC-POOL 10.250.0.4-10.250.0.14 mask 255.255.255.224

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static web03-p8080 merlin-67.77 service www http-8080

object network 172.16.0.0