topic ASA 8.42 nat problems in Network Security

ASA 8.42 nat problems

pbuch — Mon, 11 Mar 2019 21:55:09 GMT

Configuring an asa 5505 with 8.42 software.

I need to access an https server on the inside via the outside interface.

I have moved the http server enable to port 10443

Tried to make a "network object nat rule"

Have even checked the video 🙂

I cant get access.

Packet tracer points to the nat rule.

object network Vejrstation

host 192.168.4.15

object network Vejrstation

nat (any,outside) static interface service tcp https https object network Vejrstation
nat (any,outside) static interface service tcp https https

Where do i do wrong ?

ASA 8.42 nat problems

pbuch — Fri, 25 Nov 2011 13:22:53 GMT

The log says

Nov 25 2011

06:03:49

188.177.226.89

3436

83.89.223.42

443

TCP access denied by ACL from 188.177.226.89/3436 to outside:83.89.223.42/443

access-list outside_access_in extended permit object https any object Vejrstation

but why ?

No hits on the accesslist

ASA 8.42 nat problems

ajay chauhan — Fri, 25 Nov 2011 13:31:55 GMT

nat (inside,outside) use this as you said server is in inside zone .

Thanks

Ajay

ASA 8.42 nat problems

pbuch — Fri, 25 Nov 2011 13:34:29 GMT

I hve tried that, same result exept that the tracer says ok

ASA 8.42 nat problems

ajay chauhan — Fri, 25 Nov 2011 13:37:04 GMT

change you outside ACL as well since packet is not directly coming for 192.168.4.15.

You should allow acl for public IP which is going to be mapped.

ASA 8.42 nat problems

pbuch — Fri, 25 Nov 2011 14:02:55 GMT

Not according to the video.... but i have tried that

ASA 8.42 nat problems

ajay chauhan — Fri, 25 Nov 2011 14:07:38 GMT

Post you full config.

ASA 8.42 nat problems

varrao — Fri, 25 Nov 2011 14:10:58 GMT

Hi,

Thses shpould be your configuration:

object network Vejrstation

host 192.168.4.15

object service tcp_https

service tcp destination eq 443

nat (outside,inside) source static any any destination static interface Vejrstation service tcp_https tcp_https

access-list outside_access_in extended permit any object Vejrstation eq 443

access-group outside_access_in in interface outside

This should do, if not then you would need to check which party is not responding by using captures. Also can you post the output of packet-tracer???

Thanks,

Varun

ASA 8.42 nat problems

pbuch — Fri, 25 Nov 2011 14:11:11 GMT

: Saved
:
ASA Version 8.4(2)
!
hostname xxxxxxxxxx
enable password EnFClNY/JeYR4dhI encrypted
passwd EnFClNY/JeYR4dhI encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.4.6 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.89.223.42 255.255.255.252
!
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.8.0-6
subnet 192.168.8.0 255.255.255.248
object network obj-192.168.18.0
subnet 192.168.18.0 255.255.255.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network obj-192.168.15.0
subnet 192.168.15.0 255.255.255.0
object network obj-192.168.251.0
subnet 192.168.251.0 255.255.255.0
object service https
service tcp destination eq https
object service 4001
service tcp destination eq 4001
object network Vejrstation
host 192.168.4.15
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.8.0 255.255.255.248
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 200 extended permit ip 192.168.4.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit tcp any object Vejrstation eq https
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered warnings
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool vpnklient 192.168.4.51-192.168.4.55
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.4.0 obj-192.168.4.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.8.0-6 obj-192.168.8.0-6 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.18.0 obj-192.168.18.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.15.0 obj-192.168.15.0 no-proxy-arp
nat (inside,any) source static obj-192.168.4.0 obj-192.168.4.0 destination static obj-192.168.251.0 obj-192.168.251.0 no-proxy-arp
nat (inside,outside) source dynamic any interface
!
object network Vejrstation
nat (inside,outside) static interface service tcp https https
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.89.223.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 10443
http 192.168.1.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 inside
http 188.177.226.88 255.255.255.248 outside
http 188.120.69.106 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set vpnswarcolan esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set vpnklientswarco esp-aes-256 esp-md5-hmac
crypto dynamic-map vpnklientswarco 10 set ikev1 transform-set vpnklientswarco
crypto map partnermap 200 match address 200
crypto map partnermap 200 set pfs group1
crypto map partnermap 200 set peer 93.162.119.26 89.88.87.89
crypto map partnermap 200 set ikev1 transform-set vpnswarcolan
crypto map partnermap 65535 ipsec-isakmp dynamic vpnklientswarco
crypto map partnermap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash md5
group 1
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh 87.48.245.198 255.255.255.255 outside
ssh 188.120.69.106 255.255.255.255 outside
ssh 188.177.226.88 255.255.255.248 outside
ssh timeout 60
console timeout 0
management-access inside

dhcpd dns 194.239.134.83 193.162.153.164
!
dhcpd address 192.168.4.190-192.168.4.220 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnklientswarco internal
group-policy vpnklientswarco attributes
dns-server value 194.239.134.83 193.162.153.164
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
username swarco password .FRI9vfYdLduSJia encrypted privilege 15
username jep-it password 1aqZEKKMU1dntc85 encrypted privilege 15
tunnel-group 93.162.119.26 type ipsec-l2l
tunnel-group 93.162.119.26 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group vpnklientswarco type remote-access
tunnel-group vpnklientswarco general-attributes
address-pool vpnklient
default-group-policy vpnklientswarco
tunnel-group vpnklientswarco ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 89.88.87.89 type ipsec-l2l
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dec4c88475f8dd4ceeaebc23b2f4cf94
: end
asdm image disk0:/asdm-645.bin
no asdm history enable

ASA 8.42 nat problems

pbuch — Fri, 25 Nov 2011 14:16:39 GMT

ASA 8.42 nat problems

ajay chauhan — Fri, 25 Nov 2011 14:25:12 GMT

Varun,

Just wondering why it should be nat (outside,inside) as you suggested.

isnt he is trying to map internal ip with interface IP of outside interface for redirection.

I can only see one thing here that the access is blocked from outside .

Also capture should be there sourced from outside.

Thanks

Ajay

ASA 8.42 nat problems

pbuch — Fri, 25 Nov 2011 14:29:58 GMT

Capture was sourced from autside

ASA 8.42 nat problems

pbuch — Fri, 25 Nov 2011 14:31:30 GMT

ASA 8.42 nat problems

ajay chauhan — Fri, 25 Nov 2011 14:33:25 GMT

Do not put private IP that wont work .

Please edit your outside ACL to allow source any destination 83.89.223.42 eq 443

ASA 8.42 nat problems

varrao — Fri, 25 Nov 2011 14:35:01 GMT

Hi Ajay,

8.3 nat is all flow based nat, the one that was used earlier is called auto nat and the one I used i manual nat. My nat statement means, any source coming from outside, should be translated to itself, if it is hitting the outside interface on port 443 and that shoudl be translted to the internal ip. It's still the same thing.

Please try this:

packet-tracer input outside tcp 4.2.2.2 23456 443 detailed.

and please paste that here.

Thanks,

Varun

ASA 8.42 nat problems

varrao — Fri, 25 Nov 2011 14:37:27 GMT

Hi Ajay,

He has done it correct, in 8.3, you don't use public ip of the , instead you use the private ip, because order of operation has changed, first the packet is un-natted and then the access-list is hit.

Thanks,

Varun

ASA 8.42 nat problems

ajay chauhan — Fri, 25 Nov 2011 14:42:24 GMT

Thanks Varun.

Another question comes here as he has shown log any packet comes for public IP (interface) on port 443 is getting denied.

ASA 8.42 nat problems

pbuch — Fri, 25 Nov 2011 14:44:19 GMT

packet-tracer input outside tcp 4.2.2.2 23456 83.89.223.42 443 $ tcp 4.2.2.2 23456 83.89.223.42 443 detailed packet-tracer input outside tcp 4.2.2.2 23456 83.89.223.42 44$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Vejrstation
nat (inside,outside) static interface service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate 83.89.223.42/443 to 192.168.4.15/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Vejrstation eq http
s
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb395078, priority=13, domain=permit, deny=false
hits=8, user_data=0xc94ddbd0, cs_id=0x0, use_real_addr, flags=0x0, proto
col=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.4.15, mask=255.255.255.255, port=443, dscp=0x0
<--- More ---> input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb36e208, priority=0, domain=inspect-ip-options, deny=true
hits=200, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb332e68, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=170, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
<--- More ---> src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3478d8, priority=0, domain=host-limit, deny=false
hits=23, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Vejrstation
nat (inside,outside) static interface service tcp https https
<--- More ---> Additional Information:
Forward Flow based lookup yields rule:
out id=0xcbebe160, priority=6, domain=nat-reverse, deny=false
hits=8, user_data=0xcbebe4d0, cs_id=0x0, use_real_addr, flags=0x0, proto
col=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.4.15, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb343f80, priority=0, domain=inspect-ip-options, deny=true
hits=35, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
<--- More ---> Result: ALLOW
Config:
Additional Information:
New flow created with id 215, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
<--- More ---> input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA 8.42 nat problems

pbuch — Fri, 25 Nov 2011 15:14:54 GMT

Seems like i have traffic throgh now.

Don't really kbow why 😉

ASA 8.42 nat problems

varrao — Fri, 25 Nov 2011 15:17:02 GMT

The packet-tracer shows everything is fine, is it still not working??

Varun