topic Re: Allowing External Traffic on Cisco ASA in Network Security

Allowing External Traffic on Cisco ASA

jweier_elys — Fri, 21 Feb 2020 16:40:27 GMT

Hi - I have a Cisco ASA and I'm really struggling with something very simple. I have an outside interface and I would like to allow traffic to hit the outside interface on TCP Port 81 and get NAT'd to a private IP on a webserver. I believe I have the NAT piece of the equation solved but the ACL is processed first and I can't figure out the ACL for the life of me. Here's what I have:

On the outside interface, I created an incoming rule with any source, any destination and a service of TCP Port 81. However, when I run a Packet Tracer from any public IP to the IP of the outside interface on Port 81 the packet is dropped via an implicit rule.

I'm running ASA 9.9, thoughts?

Re: Allowing External Traffic on Cisco ASA

Rob Ingram — Thu, 17 Jan 2019 16:43:40 GMT

Hi,
Not 100% sure of your exact configuration, but you would specify the real IP address and port in the ACL. See example:-

object nat SRV1
host 10.2.2.5
nat (inside,outside) static 96.89.224.197 service tcp 80 81
access-list OUTSIDE_IN permit tcp any host 10.2.2.5 eq 80

HTH

Re: Allowing External Traffic on Cisco ASA

Sheraz.Salim — Thu, 17 Jan 2019 17:05:13 GMT

You need this.

object network SERVER
host 10.2.2.5
nat (inside,outside) static interface service tcp 80 81
!
access-list outside_in permit tcp any host 10.2.2.5 eq 80
access-group outside_in in interface outside
!
packet tracer input outside tcp 8.8.8.8 1234 10.2.2.5 eq 81
!

Re: Allowing External Traffic on Cisco ASA

jweier_elys — Thu, 17 Jan 2019 18:46:06 GMT

So, unfortunately I'm having trouble with the NAT statement you suggested. I think via my Googling I've found that 8.3+ requires a new NAT format and syntax. Here is what I typed to try to get it as close to yours as possible:

nat (inside,outside) source static any interface service Port80 Port81

I had to create Service Objects as it wouldn't let me specify the port explicitly. I also had to add the source parameter before the word static.

Unfortunately, even with this command and the the access-list/access-group commands I still get dropped packets via an implicit rule.

Config snippets:

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.2.0_26 NETWORK_OBJ_10.1.2.0_26 no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj_any interface
nat (wlan,outside) source dynamic obj_any interface
nat (inside,outside) source static any interface service Port80 Port81

object service Port80
service tcp source eq www destination eq www

object service Port81
service tcp destination eq 81

access-list outside_in extended permit tcp any host 10.1.1.79 eq www

access-group outside_access_out out interface outside
access-group inside_access_in_1 in interface inside
access-group inside_access_out_1 out interface inside
access-group wlan_access_in_1 in interface wlan
access-group wlan_access_out out interface wlan

I've attached the entire config file if that would be more helpful.

Thanks!

Re: Allowing External Traffic on Cisco ASA

Rob Ingram — Thu, 17 Jan 2019 20:37:44 GMT

You've defined your nat statement globally, rather than under the object "Utility1", the ACL is also wrong, you need to reference the real port not the natted port. Example:-

object network Utility1
host 10.1.1.79
nat (INSIDE,OUTSIDE) static interface service tcp www 81

access-list outside_access_in extended permit tcp any object Utility1 eq 80

You don't have an access-group inbound on the outside interface. E.g-

"access-group outside_access_in in interface outside"

Remove the old configuration:-
no access-list outside_access_in extended permit tcp any host 10.1.1.79 range 81 81
no nat (inside,outside) source static any interface service Port80 Port81

Re: Allowing External Traffic on Cisco ASA

Sheraz.Salim — Thu, 17 Jan 2019 19:46:38 GMT

can you test this.

object network SERVER
host 10.1.1.79
!
nat (inside,outside) 1 source static SERVER interface service Port80 Port81

no access-list outside_access_in extended permit tcp any host 10.1.1.79 range 81 81
no nat (inside,outside) source static any interface service Port80 Port81

access-list outside_access_in extended permit tcp any object SERVER eq 80

access-group outside_access_in in interface outside

(OR)

as i stated in my earlier post

object network SERVER
host 10.1.1.79
nat (inside,outside) static interface service tcp 80 81
!
access-list outside_in permit tcp any host 10.1.1.79 eq 80
access-group outside_in in interface outside

no access-list outside_access_in extended permit tcp any host 10.1.1.79 range 81 81
no nat (inside,outside) source static any interface service Port80 Port81

Re: Allowing External Traffic on Cisco ASA

Sheraz.Salim — Thu, 17 Jan 2019 19:49:41 GMT

@Rob Ingram
is that typo error
access-list outside_access_in extended permit tcp any object Utility1 10.1.1.79 eq 80
<-------------->

Re: Allowing External Traffic on Cisco ASA

Rob Ingram — Thu, 17 Jan 2019 20:38:11 GMT

Good spot, amended original post

Re: Allowing External Traffic on Cisco ASA

jweier_elys — Fri, 18 Jan 2019 19:49:34 GMT

Hi - Unfortunately that didn't seem to make a difference. My packet-tracer still fails with an implicit rule drop.

Here are the snippets from my config:

object network Utility1
host 10.1.1.79

access-list outside_access_in extended permit tcp any object Utility1 eq www

object network Utility1
nat (inside,outside) static interface service tcp www 81

access-group outside_access_in in interface outside

Thoughts?

Re: Allowing External Traffic on Cisco ASA

Rob Ingram — Fri, 18 Jan 2019 19:54:59 GMT

If you provide the output of the packet-tracer (run it from the CLI) we might be able to determine what the issue is.
My guess is possibly there is another NAT rule above the new NAT rule which it is matching against and therefore failing.

You could also run "show nat" and check the output

Re: Allowing External Traffic on Cisco ASA

jweier_elys — Fri, 18 Jan 2019 19:57:00 GMT

Hey - Below is my show NAT and the packet tracer output. Thanks again for all of the help!

ciscoasa(config)# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.1.2.0_26 NETWORK_OBJ_10.1.2.0_26 no-proxy-arp route-lookup
translate_hits = 818, untranslate_hits = 881
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 292844, untranslate_hits = 14867
3 (wlan) to (outside) source dynamic obj_any interface
translate_hits = 4092438, untranslate_hits = 308198

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Utility1 interface service tcp www 81
translate_hits = 0, untranslate_hits = 0
2 (any) to (outside) source dynamic obj_any interface
translate_hits = 15869, untranslate_hits = 0

ciscoasa# packet-tracer input outside tcp 8.8.8.8 1234 10.1.1.79 81

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.1.79 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#

Re: Allowing External Traffic on Cisco ASA

Sheraz.Salim — Fri, 18 Jan 2019 20:00:18 GMT

object network SERVER
host 10.1.1.79
!
nat (inside,outside) 1 source static SERVER interface service Port80 Port81

no access-list outside_access_in extended permit tcp any host 10.1.1.79 range 81 81
no nat (inside,outside) source static any interface service Port80 Port81

Apply these config as mentioned above it will work

Re: Allowing External Traffic on Cisco ASA

Rob Ingram — Fri, 18 Jan 2019 20:01:29 GMT

It's probably being natted on this rule:-

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.1.2.0_26 NETWORK_OBJ_10.1.2.0_26 no-proxy-arp route-lookup
translate_hits = 818, untranslate_hits = 881
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 292844, untranslate_hits = 14867

which would be processed before the new nat rule

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Utility1 interface service tcp www 81
translate_hits = 0, untranslate_hits = 0

Try removing the Manual NAT rule #2, and configure a global nat rule that would be processed after the Auto NAT rules, this would move the rule to Section 3. e.g:-

nat (INSIDE,OUTSIDE) after-auto source dynamic obj_any interface interface

Re: Allowing External Traffic on Cisco ASA

Sheraz.Salim — Fri, 18 Jan 2019 20:03:25 GMT

corret if you apply these it will work and fix your issue

object network SERVER
host 10.1.1.79
!
nat (inside,outside) 1 source static SERVER interface service Port80 Port81

Re: Allowing External Traffic on Cisco ASA

Sheraz.Salim — Fri, 18 Jan 2019 20:04:41 GMT

@Rob Ingramwhy you putting the rule in section 3. it should be in section 1.

object network SERVER
host 10.1.1.79
!
nat (inside,outside) 1 source static SERVER interface service Port80 Port81

Re: Allowing External Traffic on Cisco ASA

jweier_elys — Fri, 18 Jan 2019 21:40:28 GMT

Unfortunately, neither of the new NAT rules worked using the after-auto or "1" command to specify the order. I still get the same results of a dropped packet via an implicit rule. I also don't see any hits on the NAT rule or ACL. It's my understanding that the ACL is processed before the NAT rule so I'm wondering if that's where the issue resides...there has to be something I'm missing though...

Updated NAT table and packet-tracer below:

ciscoasa# show nat

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.1.2.0_26 NETWORK_OBJ_10.1.2.0_26 no-proxy-arp route-lookup
translate_hits = 818, untranslate_hits = 881
2 (wlan) to (outside) source dynamic obj_any interface
translate_hits = 4103849, untranslate_hits = 314450

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0

ciscoasa# packet-tracer input outside tcp 8.8.8.8 1234 10.1.1.79 81

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.1.79 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Re: Allowing External Traffic on Cisco ASA

Rob Ingram — Fri, 18 Jan 2019 22:04:16 GMT

Your packet-tracer syntax was to the private ip address of the server not the public ip address. Change that and try again.
Did you actually test accessing the server over the internet?

Can you provide the updated configuration acl, nat, objects etc.

Re: Allowing External Traffic on Cisco ASA

Sheraz.Salim — Sat, 19 Jan 2019 11:53:57 GMT

I have lab this up. your configuration were wrong. here is the right configuration.

object network SERVER
host 10.1.1.79

object service CUSTOM80
service tcp source eq 80
!
object service CUSTOM81
service tcp source eq 81
!
nat (inside,outside) source static SERVER interface service CUSTOM80 CUSTOM81
!
access-list outside_access_in extended permit tcp any object SERVER eq 80
access-group outside_access_in in interface outside

packet-tracer input outside tcp 8.8.8.8 1234 96.89.224.197 81

Re: Allowing External Traffic on Cisco ASA

jweier_elys — Mon, 21 Jan 2019 12:47:46 GMT

Hi - I appreciate the help. Unfortunately, this didn't seem to work either. Although, this time the packet-tracer hits the NAT and gets through it but is stopped by the ACL. I've also re-attached the config.

ciscoasa# packet-tracer input outside tcp 8.8.8.8 1234 96.89.224.197 81

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.89.224.197 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Allowing External Traffic on Cisco ASA

Sheraz.Salim — Mon, 21 Jan 2019 13:05:35 GMT

can you try this and give us the output. the reason i said in our access-list we allow www (80) not 81

ciscoasa# packet-tracer input outside tcp 8.8.8.8 1234 96.89.224.197 80