topic Re: ASA5505 8.4.2 nat (outside,inside) black hole in Network Security

ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Mon, 11 Mar 2019 21:55:42 GMT

I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.

The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. Would someone please take a look at my config file and tell me what I'm doing wrong and what I need to change in order to make it work?

Attached is the RDP packet trace and the config file. Thanks in advance for your help

ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Mon, 28 Nov 2011 02:17:09 GMT

Hello Michael,

I work with this scenarios every day and I can tell you that the nat statements using ANY can generate a lot of issues, so I would recommend you to be more specific and instead of using ANY use the right interface name (Inside,Outside,etc)

Now the problem here is this part of the configuration:

object service RDP

service tcp destination eq 3389

You are going to nat the source IP and Port so instead of service tcp destination it should be source.

Please try that and let me know the result.

Please rate helpful posts.

Julio

ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Mon, 28 Nov 2011 02:56:41 GMT

Julio,

Thank you for your reply. I don't understand what you mean. Kindly please give me an example of your suggestion based on the RDP section of my configuration file.

ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Mon, 28 Nov 2011 18:06:37 GMT

Hello Michael,

The configuration its fine, the only problem I could see is the Object service configuration, instead of using :

service tcp destination eq 3389

USE

service tcp source eq 3389

Regards,

Please rate helpful posts

Julio

ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Mon, 28 Nov 2011 22:23:02 GMT

Julio,

I have applied your suggested change:

object service RDP

service tcp source eq 3389

I then copied running config to startup config, cleared xlate and reloaded. Port forwarding is still not working.

I can ping the outside interface, I have remote access by vpn client but no port forwarding pleasure.

Any other suggestions?

Regards,

I look forward to fully rating a helpful post.

Michael

ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Mon, 28 Nov 2011 22:39:37 GMT

Hello Michael,

Here is what you need to have on the configuration, until you have this, the connections coming from the outside to port 3389 on the outside IP address are not going to work:

object network SBS-RDP

host 192.168.23.18

object service RDP

service tcp source eq 3389

no nat (outside,inside) source static any any destination static interface SBS-RDP service RDP RDP

nat (inside,outside) 1 source static SBS-RDP interface service RDP RDP

192.168.5.0/24

Regards,

Julio

Re: ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Tue, 29 Nov 2011 00:12:02 GMT

Thanks for your timely reply Julio,

I have enthusiastically applied your suggested changes but no happy ending . Here is a sample of the config file with your suggestions in bold itialics:

object network NETWORK_OBJ_192.168.23.0_24

subnet 192.168.23.0 255.255.255.0

object network NETWORK_OBJ_10.10.10.0_24

subnet 10.10.10.0 255.255.255.0

description IPSec VPN

object network SBS-SMTP

host 192.168.23.18

object service RDP

service tcp source eq 3389

object service SMTP

service tcp destination eq smtp

object service 987

service tcp destination eq 987

object service HTTPS444

service tcp destination eq 444

object network SBS-RDP

host 192.168.23.18

object network SBS-HTTPS444

host 192.168.23.18

object network SBS-987

host 192.168.23.18

access-list SPS-Remote_SplitTunnelAcl standard permit 192.168.23.0 255.255.255.0

access-list SPS-Remote_SplitTunnelAcl standard permit 10.10.10.0 255.255.255.0

access-list outside_access_in extended permit tcp any object SBS-SMTP eq smtp

access-list outside_access_in extended permit tcp any object SBS-RDP eq 3389

access-list outside_access_in extended permit tcp any object SBS-HTTPS444 eq 444

access-list outside_access_in extended permit tcp any object SBS-987 eq 987

access-list outside_Nat0_outbound extended permit ip any 192.168.23.0 255.255.255.0

access-list inside_Nat0_outbound extended permit ip any 192.168.23.0 255.255.255.0

access-list inside_Nat0_outbound_1 extended permit ip 192.168.23.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 192.168.23.0 255.255.255.0

access-list inside_access_in remark Allow VPN traffic inside

access-list inside_access_in extended permit ip 192.168.23.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside_access_in_1 extended permit ip object NETWORK_OBJ_10.10.10.0_24 192.168.23.0 255.255.255.0

access-list outside_access_in_2 extended permit object RDP any any log alerts

access-list outside_access_in_2 extended permit object SMTP any any

access-list outside_access_in_2 extended permit object 987 any any

access-list outside_access_in_2 extended permit object HTTPS444 any any

access-list outside_access_in_2 extended permit ip object NETWORK_OBJ_10.10.10.0_24 object NETWORK_OBJ_192.168.23.0_24

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN-Pool 10.10.10.1-10.10.10.254 mask 255.255.255.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

asdm history enable

arp timeout 14400

nat (inside,outside) source static SBS-RDP interface service RDP RDP

nat (any,any) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_192.168.23.0_24 NETWORK_OBJ_192.168.23.0_24

nat (outside,inside) source static any any destination static interface SBS-SMTP service SMTP SMTP

nat (outside,inside) source static any any destination static interface SBS-HTTPS444 service HTTPS444 HTTPS444

nat (outside,inside) source static any any destination static interface SBS-987 service 987 987

nat (inside,outside) source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in_2 in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

What could possibly be missing or in need of changing? The ASDM Syslog shows internal and vpn connected activity. How do I configure ASDM to show me the dropped packets from tcp/3389 outside traffic?

Regards,

Michael

Re: ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Tue, 29 Nov 2011 00:36:09 GMT

Hello Michael,

Is there a way that we could use another IP address instead of the Outside ip address on the Nat.

This traffic is not being sourced from a VPN tunnel right, it is regular traffic comming from the internet.

Now lets do a capture to see what is going on because this should be up and running, in the access-list the xxx is the outside IP address.

access-list capin permit tcp host 76.185.77.99 host 192.168.23.18

access-list capin permit tcp host 192.168.23.18 host 76.185.77.99

access-list capout permit tcp host 76.185.77.99 host xxxxxx

access-list capout permit tcp host xxxx host 76.185.77.99

capture capin access-list capin interface inside

capture capout access-list capout interface outside

capture asp type asp-drop all

Provide the following outputs.

show capture capin

show capture capout

show capture asp

Regards,

Julio

Re: ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Tue, 29 Nov 2011 01:04:33 GMT

Julio, this traffic is not being sourced from a VPN tunnel. It is regular traffic traversing the internet. There are some other IP addresses provided by my ISP. I could try another if you think the one I'm using is defective. I do not have the luxury of a different public network however.

I have applied your suggested changes (making sure to replace the XXX's with the ISP provided public outside address and here are the results:

Result of the command: "show capture capin"

0 packet captured

0 packet shown

Result of the command: "show capture capout"

0 packet captured

0 packet shown

Result of the command: "show capture asp"

413 packets captured

1: 18:47:26.728798 9afd.43ad.b4c9 1503.0100.1630 0x80e9 27: Drop-reason: (np-socket-closed) Dropped pending packets in a closed socket

2: 18:47:26.729469 802.1Q vlan#1 P0 192.168.23.5.4438 > 192.168.23.3.443: F 2125777054:2125777054(0) ack 2832524426 win 64836 Drop-reason: (tcp-not-syn) First TCP packet not SYN

etcetera, etcetera

72: 18:49:25.494954 802.1Q vlan#1 P0 192.168.23.5.137 > 192.168.23.255.137: udp 50

73: 18:49:26.244677 802.1Q vlan#1 P0 192.168.23.5.137 > 192.168.23.255.137: udp 50

Regards,

Michael

Re: ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Tue, 29 Nov 2011 01:07:25 GMT

Hello Michael,

As you can see on the capture: capin and capout there are no packets, that means the rdp requests are not getting into your ASA.

That is the problem, there is something outhere blocking those packets.

Regards,

Please rate helpful posts.

Julio

Re: ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Tue, 29 Nov 2011 03:08:21 GMT

Hello Julio,

That something out there blocking the packets happens to be the ASA5505! I can ping the outside address of the ASA as well as connect to it using the Cisco VPN and SSL client but 3389 wont pass.

I changed the outside address of the ASA to each of the other available addresses in the range provided by my ISP with the same negative result.

I configured a Checkpoint router to forward tcp 3389 with the outside address that had been originally assigned to the ASA and it successfully forwards the service and continues to do so when configured with any of the other public addresses provided by my ISP.

If the configuration file is correct then something is wrong with either the ASA5505 or the ASA software.

Your thoughts?

Re: ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Tue, 29 Nov 2011 17:02:46 GMT

Hello Michael,

You got to focus on this, you are saying the ASA is the one dropping the packets but on the packet we could saw there are no packets going to the outside interface on port 3389. so witch packets are being dropped by the ASA.

Do you see my point???

Regards,

Julio

ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Tue, 29 Nov 2011 18:00:30 GMT

Hello Julio,

That is exactly what I am saying: The ASA5505 is dropping the packets going to outside interface on port 3389. When I connect a Checkpoint, or DLink, or Juniper, or Netgear or Sonicwall router configured to forward port 3389 I have success. When I connect the ASA5505 I have failure.

So yes, only the ASA5505 and no other brand of router of mine is dropping the packets going to the outside interface on port 3389.

What do I need to do to make this work?

Regards,

Michael

ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Tue, 29 Nov 2011 18:13:04 GMT

Hello Michael,

I think you do not understand my point, how is the ASA going to drop this packets if those packets are not arriving to the outside interface,

If the ASA were dropping the packets we should be able to see the packets on the outside interface but none on the inside interface, and this is not the case, we are not seeing packets on any of the ASA interfaces.

Can you do a show capture asp | include xx.xx.xx (xx.xx.xx. is the source ip address of the connection)

This is going to show us the packets being dropped by the asa regarding that particular IP address.

Can you attached the updated and complete configuration file.

Regards,

Julio

Re: ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Tue, 29 Nov 2011 19:41:13 GMT

Thank you for your patience Julio,

Attached is the updated running config and the results of my capture.

ciscoasa# show capture asp | include 76.185.77.99

54: 13:14:06.303542 802.1Q vlan#2 P0 76.185.77.99.2274 > 69.15.25.70.3389: S 3941159061:3941159061(0) win 8192

55: 13:14:09.277909 802.1Q vlan#2 P0 76.185.77.99.2274 > 69.15.25.70.3389: S 3941159061:3941159061(0) win 8192

56: 13:14:15.261400 802.1Q vlan#2 P0 76.185.77.99.2274 > 69.15.25.70.3389: S 3941159061:3941159061(0) win 8192

332: 13:20:58.395334 802.1Q vlan#2 P0 76.185.77.99.1276 > 69.15.25.70.3389: S 2667809503:2667809503(0) win 8192

334: 13:21:01.387553 802.1Q vlan#2 P0 76.185.77.99.1276 > 69.15.25.70.3389: S 2667809503:2667809503(0) win 8192

335: 13:21:07.377711 802.1Q vlan#2 P0 76.185.77.99.1276 > 69.15.25.70.3389: S 2667809503:2667809503(0) win 8192

Regards,

Michael

Re: ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Tue, 29 Nov 2011 20:10:35 GMT

Hello Michael,

Please take out the attached filled( your configuration) this in order to provide security to your company.

The configuration seems the one required to me, have you tried to do RDP from another PC on the outside?

On the ASP drop we are able to see that the ASA is the one dropping the connections, can you enable logging and then try to make the connections and see the logs being generated by this connection.

Logging enable

logging monitor 7

and then show loggin | include xxxx ( Ip address of the outside interface)

I think there is something that it is not expected or secure enough for the ASA on that particular connection.

Regards,

Julio

ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Tue, 29 Nov 2011 20:51:50 GMT

Julio,

Here is the log report from my ISP connection and that of someone else on a different ISP connection:

4 Nov 29 2011 14:44:07 64.46.169.26 2715 192.168.23.18 3389 Deny tcp src outside:64.46.169.26/2715 dst inside:192.168.23.18/3389 by access-group "outside_access_in_2" [0x0, 0x0]

4 Nov 29 2011 14:44:01 76.185.77.99 1845 192.168.23.18 3389 Deny tcp src outside:76.185.77.99/1845 dst inside:192.168.23.18/3389 by access-group "outside_access_in_2" [0x0, 0x0]

Regards,

Michael

ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Tue, 29 Nov 2011 21:07:25 GMT

Hello Michael,

Logs never lie, seems like the access-group is dropping the packets.

Please create the following line:

access-list outside_access_in_2 line 1 permit tcp host 76.185.77.99 host 192.168.23.18 eq 3389.

Try this ASAP and let me know the result,

I will be waiting in order to help.

Regards,

Julio

ASA5505 8.4.2 nat (outside,inside) black hole

mellison — Tue, 29 Nov 2011 21:17:22 GMT

Julio,

Exito! (success) Me agradesco mucho. I greatly appreciate your efforts. 5 stars for you!

Regards,

Michael

ASA5505 8.4.2 nat (outside,inside) black hole

Julio Carvajal — Tue, 29 Nov 2011 21:21:05 GMT

Hello Michael,

Great to hear that now everything is working, finally we got into the bottom of the issue.

Hope you have a good one.

Julio