topic Re: Simple 8.3 firewall rules issue in Network Security

Simple 8.3 firewall rules issue

anowell — Mon, 11 Mar 2019 19:31:30 GMT

I am new to 8.3 and any help is much appreciated!

I need to allow access from any IP on the internet to a server on the inside but my firewall is denying access due to an access-list issue (I believe). I need users on the internet to use the IP address that is applied to my outside interface, specify TCP port 24499 and NAT them through to a server on the inside. When I configured the outside ACL and a corresponding NAT rule the connection is being blocked due to the ACL. I am testing from the internet and using the capture feature to view the connection. I am also using the "packet-tracer" and the firewall tells me that the connection fails due to an ACL issue. Here is my config, captures and packet-tracer.

Thanks in advance!

++++++++++

CONFIG

access-list OUTSIDE extended permit tcp any host 10.10.10.6 eq 24499

access-group OUTSIDE in interface OUTSIDE

object network SYNC_SERVER
host 10.10.10.6

object network SYNC_SERVER
nat (INSIDE,OUTSIDE) static interface service tcp 24499 24499

++++++++++++

PACKET_TRACER

ASA# packet-tracer input OUTSIDE tcp 65.33.3.3 4444 98.26.6.21 24499

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 98.26.6.21 255.255.255.255 identity

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

+++++++++++++

CAPTURE

ASA# sh access-list pcap
access-list pcap; 1 elements; name hash: 0x39c806fe
access-list pcap line 1 extended permit tcp any any eq 24499 (hitcnt=7) 0x3795d772

ASA# sh capture
capture tony type raw-data access-list tony interface OUTSIDE [Capturing - 122 bytes]

ASA# sh capture pcap

7 packets captured

   1: 18:30:32.556978 802.1Q vlan#1 P0 63.23.2.99.32389 > 98.26.6.21.24499: S 3527242145:3527242145(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
    2: 18:30:35.561097 802.1Q vlan#1 P0 63.23.2.99.32389 > 98.26.6.21.24499: S 3527242145:3527242145(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
    3: 18:30:41.554750 802.1Q vlan#1 P0 63.23.2.99.32389 > 98.26.6.21.24499: S 3527242145:3527242145(0) win 16384 <mss 1260,nop,nop,nop,nop>
    4: 18:31:00.722679 802.1Q vlan#1 P0 63.23.2.99.3303 > 98.26.6.21.24499: S 3106203956:3106203956(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
    5: 18:31:03.716881 802.1Q vlan#1 P0 63.43.2.99.3303 > 98.26.6.21.24499: S 3106203956:3106203956(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
    6: 18:31:09.791661 802.1Q vlan#1 P0 63.23.2.99.3303 > 98.26.6.21.24499: S 3106203956:3106203956(0) win 16384 <mss 1260,nop,nop,nop,nop>

+++++++++++++

After running the test I am not seeing any hit counts on my outside ACL.

ASA# sh access-list OUTSIDE
access-list OUTSIDE; 1 elements; name hash: 0x97f9426
access-list OUTSIDE line 1 extended permit tcp any host 10.10.10.6 eq 24499 log informational interval 300 (hitcnt=0) 0xc73bec9a

Re: Simple 8.3 firewall rules issue

manish arora — Fri, 07 Jan 2011 00:59:26 GMT

Can you check few things :-

1> There isn't any access list applied to the inside interface.

2> the server is listening on the port 24499 internally.

Manish

Re: Simple 8.3 firewall rules issue

anowell — Fri, 07 Jan 2011 01:45:11 GMT

No access-list on the inside interface and I was able to verify that the server is listening on port TCP 24499.

Thanks so much for taking a look. Any other ideas?

Re: Simple 8.3 firewall rules issue

manish arora — Fri, 07 Jan 2011 01:56:30 GMT

Can you run the packet tracer again with a random ip rather then using 63.x.x.x ip ?

I am running a packet tracer right now and the outside acl is checked after the NAT process.

Please post output using some other public ip address, just to see the difference. Also clear xlate before doing that.

Manish

Re: Simple 8.3 firewall rules issue

anowell — Fri, 07 Jan 2011 02:09:10 GMT

Manish,

Thanks so much for all the help! Here is the info you requested.

++++++++++

ASA# clear xlate
INFO: 29 xlates deleted
ASA#
ASA# packet-tracer input OUTSIDE tcp 54.33.22.3 4444 98.26.6.21 24499

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 98.26.6.21 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Re: Simple 8.3 firewall rules issue

manish arora — Fri, 07 Jan 2011 02:33:08 GMT

anowell

try this in the global config mode :-

nat (inside,outside) after-auto source dynamic any interface

Manish

Re: Simple 8.3 firewall rules issue

anowell — Fri, 07 Jan 2011 02:41:59 GMT

Okay, here is what I got.

ASA(config)# clear xlate

INFO: 12 xlates deleted

ASA(config)# packet-tracer input OUTSIDE tcp 54.33.22.3 4444 98.26.6.21 24499

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 98.26.6.21 255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: OUTSIDE

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ASA(config)# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list OUTSIDE; 1 elements; name hash: 0x97f9426

access-list OUTSIDE line 1 extended permit tcp any host 10.10.10.6 eq 24499 log informational interval 300 (hitcnt=0) 0xc73bec9a

+++++++

ASA(config)# sh run nat

nat (OUTSIDE,OUTSIDE) source dynamic obj-10.10.11.0 interface

nat (INSIDE,any) source static any any destination static obj-10.10.11.0 obj-10.10.11.0

nat (INSIDE,any) source static obj-10.10.11.0 obj-10.10.11.0

object network obj-10.10.11.0

nat (OUTSIDE,OUTSIDE) dynamic interface

object network obj-10.10.10.0

nat (INSIDE,OUTSIDE) dynamic interface

object network SYNC_SERVER

nat (INSIDE,OUTSIDE) static interface service tcp 24499 24499

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

ASA(config)# show nat

Manual NAT Policies (Section 1)

1 (OUTSIDE) to (OUTSIDE) source dynamic obj-10.10.11.0 interface