topic Re: ASA 8.3 Pat problem in Network Security

ASA 8.3 Pat problem

nelson.mendes — Mon, 11 Mar 2019 19:13:48 GMT

Hello everyone,

I have a customer with a ASA 8.3 version. The customer wants to make pat from the public ASA IP to several internal IP address in the inside interface (diferent ports).

something like, everyone who telnet to port 50030 on public ASA IP is send to port 80 in a private IP address.

I configure the ASA this way:

object network Webserver
host 192.168.100.100

object network Webserver
nat (inside,outside) static interface service tcp 80 50030

access-list outside_access_in extended permit tcp any object Webserver eq 50030

access-group outside_access_in in interface outside

When I type the command «show xlate» I have this result:

show xlate | inc 192.168.100.100

TCP PAT from inside:192.168.100.100 80-80 to outside:194.38.X.X 50030-50030

So I assume the nat is well done. The question is that, from the outside, when I make a telnet to 194.38.X.X port 50030, he doesn´t hit the access-list.

the port 80 in private IP is open and I can telnet him from the inside.

Any help ?

Nelson

Re: ASA 8.3 Pat problem

Jitendriya Athavale — Wed, 24 Nov 2010 13:15:18 GMT

change your access-list to

access-list outside_access_in extended permit tcp any object Webserver eq 80

your translated port is 50030 and original port is 80 correct???

Re: ASA 8.3 Pat problem

nelson.mendes — Wed, 24 Nov 2010 14:12:53 GMT

Many thanks jathaval,

I change the configuration as you suggest:

access-list outside_access_in extended permit tcp any object Webserver eq www

but it still not working and when I telnet to public IP in port 50030, it still not hit the access-list:

access-list outside_access_in line 57 extended permit tcp any object Webserver eq www 0xdbbb2b68
access-list outside_access_in line 57 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0) 0xdbbb2b68

Re: ASA 8.3 Pat problem

Jitendriya Athavale — Wed, 24 Nov 2010 15:58:25 GMT

Can you please run packet tracer and see if it is getting blocked anywhr

Also if it matches any of the rules above this rule in the access-list it will not show hit counts on this one, so please past eyour access-list rules for outside_access_in if it is not too big

Re: ASA 8.3 Pat problem

nelson.mendes — Thu, 25 Nov 2010 14:42:02 GMT

Hello Jathaval,

You right. But I still don´t get it because the packet is droped due to a implicit rule (probably the last one that deny any any right ?):

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So, why the packet don´t match with the rule we created to this particular packets ?

The access-list applied to outside interface is this one:

access-list outside_access_in extended permit gre host 62.28.X.X any
access-list outside_access_in extended permit gre host 195.245.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 81.193.X.X any
access-list outside_access_in extended permit gre host 82.154.X.X any
access-list outside_access_in extended permit gre host 213.13.X.X any
access-list outside_access_in extended permit icmp any object-group SITES_LAN
access-list outside_access_in extended permit tcp any object Webserver eq www

Re: ASA 8.3 Pat problem

Jitendriya Athavale — Thu, 25 Nov 2010 15:19:25 GMT

Oh the packet is getting dropped here because you are running a packet tracer to the interface ip and also your static looks to be your outside interface ip

If so, In the static nat rules and interface rules use the keyword interface instead of interface ip.

Regards,

Jitendriya

Re: ASA 8.3 Pat problem

nelson.mendes — Thu, 25 Nov 2010 16:22:40 GMT

This is the config I have.

object network Webserver

host 192.168.100.100

access-list outside_access_in extended permit tcp any object Webserver eq www

object network Webserver

nat (inside,outside) static interface service tcp www 50030

access-group outside_access_in in interface outside

I really miss something and I cannot understand what is it

Re: ASA 8.3 Pat problem

Jitendriya Athavale — Fri, 26 Nov 2010 01:00:43 GMT

what test are you doing in packet tracer and while doing real world testing.

please paste the command you use for packet tracer

please move the access-list applied to line 1 in the access-group

Re: ASA 8.3 Pat problem

nelson.mendes — Fri, 26 Nov 2010 09:47:34 GMT

Thanks again for your pacient,

I move the access-list to line 1 but is the same. Nothing hits.

In "real world" I´m doing a telnet from another customer with a ADSL line.

When I make telnet to port 50030 of the public IP, i don´t see anything in the ASDM Real Time Log Viewer. But if I make the same command but to port 80 (it should NOT work) i see the packet being denied in the ASDM Real Time Log Viewer.

The message thar appears is (telnet to ASA outside interface at port 80):

TCP access denied by ACL from 213.58.X.X/17927 to outside:194.38.X.X/80

The same command but to port 50030, nothing apears. It seems like the packets don´t reach the ASA. I make this test from several local and the result is the same.

Regarding the packet tracker command, I´m doing this:

packet-tracer input outside tcp 213.58.X.X 17927 194.38.X.X 50030

The result is this:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 194.38.X.X 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Re: ASA 8.3 Pat problem

cadet alain — Fri, 26 Nov 2010 15:06:40 GMT

Hi,

access-list outside_access_in extended permit tcp any object Webserver eq www

so you are permitting port 80 not port 5030 which is blocked by implicit deny from outside to inside or dmz.

if you want the telnet on port 80 to work then you must change your nat command and leave port 80 and if you want port 5030 to work you must change your ACL to permit this port.

Does it work when doing so?

Regards.

Re: ASA 8.3 Pat problem

Kureli Sankar — Fri, 26 Nov 2010 20:22:36 GMT

If the server 192.168.100.100 listens on port 80 then what you have is correct. If you try the following url from the browser

http://ip_address_of_interface:50030 it should work.

Try to add the access-list as line 1 and give it a shot.

conf t

access-list outside_access_in line 1 extended permit tcp any host 192.168.100.100 eq www

-KS

Re: ASA 8.3 Pat problem

nelson.mendes — Tue, 30 Nov 2010 17:18:34 GMT

Hello Poonguzhali,

I tried your suggestion but it still not work.

Yes, the real port is 80 in IP 192.168.100.100 and the "outside" port is 50030 in outside IP of ASA.

I have:

access-list outside_access_in line 1 extended permit tcp any host 192.168.100.100 eq www (hitcnt=0)

but is strange because I´m making a telnet to outside interface on port 50030. So it should be something like this (also not hit):

access-list outside_access_in line 2 extended permit tcp any host 194.38.X.X eq 50030 (hitcnt=0)

Re: ASA 8.3 Pat problem

nelson.mendes — Tue, 30 Nov 2010 17:59:00 GMT

Another thing that I really don´t undrestand is why when I make a telnet to ASA public IP at port 80 it appears at Real Time Log Viewer (ASDM) and if I make the same telnet but to port 50030 nothing appears. It seems like the packet do not reach ASA.

Re: ASA 8.3 Pat problem

Kureli Sankar — Wed, 01 Dec 2010 03:12:54 GMT

It appears so. A quick capture will prove it.

cap capout int outside match tcp any any eq 50030

Test your telent to the interface IP address on port 50030 and look a the capture to see there are any packets.

sh cap capout

If you do not see any packets you need to check the upstream router to see if it is even sending these packets towards the ASA.

-KS

Re: ASA 8.3 Pat problem

nelson.mendes — Thu, 02 Dec 2010 15:30:53 GMT

You right Sankar,

I test the command you suggest and the packets arrive to ASA:

ASA-Customer-DatacenterC# show capture capout

4 packets captured

   1: 08:18:14.857804 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
   2: 08:18:17.856599 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
   3: 08:18:23.857530 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128
   4: 08:18:35.860642 213.58.X.X.29703 > 194.38.X.X.50030: S 1410453446:1410453446(0) win 4128

But it still not hit the access-list

Re: ASA 8.3 Pat problem

nelson.mendes — Thu, 02 Dec 2010 15:39:33 GMT

This is the first entry of my access-list that is applied to outside interface (access-group outside_access_in in interface outside😞

access-list outside_access_in line 1 extended permit tcp any host 194.38.X.X eq 50030 (hitcnt=0)

The packets appear at show capture but don´t hit the entry at access-list. WHY ??????????????

Re: ASA 8.3 Pat problem

cadet alain — Thu, 02 Dec 2010 15:45:19 GMT

Hi,

They don't hit your ACL entry because you are referencing public IP and you must reference real IP.

Regards.

Re: ASA 8.3 Pat problem

nelson.mendes — Thu, 02 Dec 2010 15:51:39 GMT

Hello Cadetalain,

It´s not that because I have all this entrys in access-list:

access-list outside_access_in extended permit tcp any host 194.38.X.X eq 50030
access-list outside_access_in extended permit tcp host 213.58.X.X any eq www - IP 213.58.X.X is the IP of the router from where I´m testing telnet to port
access-list outside_access_in extended permit tcp host 213.58.X.X any eq 50030
access-list outside_access_in extended permit tcp any object Webserver eq 50030
access-list outside_access_in extended permit tcp any object Webserver eq www

the packet don´t hit any of this entrys

Re: ASA 8.3 Pat problem

nelson.mendes — Thu, 02 Dec 2010 16:19:12 GMT

I put this entry at access-list (with the real private IP address) but is exacly the same (no hits):

access-list outside_access_in line 1 extended permit ip any host 192.168.100.100 (hitcnt=0)

Re: ASA 8.3 Pat problem

Kureli Sankar — Thu, 02 Dec 2010 16:51:45 GMT

Ok. This is very interesting. Could you pls. quickly open a TAC case and provide the case number here?

I will take a look.

on the capture command that I gave you, you can include the word "trace" in the end and issue "sh cap capout trace" and see where we are dropping the packet.

-KS