ASA 8.42 NAT problems

pbuch
Level 1

Hi

Configuring an ASA 5505 with 8.42 software.

I need to access an https server on the inside via the outside interface.

I have moved the http server enable to port 10443

Tried to make a "network object nat rule"

Have even checked the video :-)

I can't get access.

Packet tracer points to the nat rule.

object network Vejrstation

host 192.168.4.15

object network Vejrstation

nat (any,outside) static interface service tcp https https

Where am I going wrong?

21 Replies

Hi Ajay,

8.3 NAT is all flow-based NAT; the one that was used earlier is called auto NAT and the one I used is manual NAT. My NAT statement means: any source coming from the outside should be translated to itself if it is hitting the outside interface on port 443, and that should be translated to the internal IP. It's still the same thing.

Please try this:

packet-tracer input outside tcp 4.2.2.2 23456 443 detailed.

and please paste that here.

Thanks,

Varun

Thanks,
Varun Rao

Thanks Varun.

Another question comes here, as he has shown in the log that any packet coming for the public IP (interface) on port 443 is getting denied.

packet-tracer input outside tcp 4.2.2.2 23456 83.89.223.42 443 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Vejrstation
nat (inside,outside) static interface service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate 83.89.223.42/443 to 192.168.4.15/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Vejrstation eq https
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb395078, priority=13, domain=permit, deny=false
hits=8, user_data=0xc94ddbd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.4.15, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb36e208, priority=0, domain=inspect-ip-options, deny=true
hits=200, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb332e68, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=170, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb3478d8, priority=0, domain=host-limit, deny=false
hits=23, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Vejrstation
nat (inside,outside) static interface service tcp https https
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcbebe160, priority=6, domain=nat-reverse, deny=false
hits=8, user_data=0xcbebe4d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.4.15, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcb343f80, priority=0, domain=inspect-ip-options, deny=true
hits=35, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 215, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
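Traces like the one above are long and get mangled by the terminal pager, so here is a small parser for checking them, added to this thread and not code from any of the posters or from Cisco. The field layout it assumes (Phase/Type/Subtype/Result/Config/Additional Information blocks, then a bare Result: block ending in an Action line) is taken from the paste above; the embedded transcript is a constructed, abridged copy of that paste.

```python
import re
# Constructed, abridged transcript modelled on the thread's paste, with one pager prompt as in it.
SAMPLE = """Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Vejrstation
nat (inside,outside) static interface service tcp https https
Additional Information:
Untranslate 83.89.223.42/443 to 192.168.4.15/443

Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
<--- More --->   access-list outside_access_in extended permit tcp any object Vejrstation eq https

Result:
Action: allow
"""

def parse_phases(text):
    """Split packet-tracer output into per-phase dicts plus the final Action verdict."""
    text = re.sub(r"<--- More --->\s*", "", text)      # drop terminal pager prompts
    head, _, tail = text.partition("\nResult:\n")      # a bare "Result:" opens the summary
    phases = []
    for block in re.split(r"\n(?=Phase: \d+)", head.strip()):
        p = {"type": "", "subtype": "", "result": "", "config": [], "info": []}
        section = None
        for ln in block.splitlines()[1:]:              # skip the "Phase: N" line itself
            if ln.startswith(("Config:", "Additional Information:")):
                section = "config" if ln.startswith("Config:") else "info"
            elif section is None and ":" in ln:        # Type / Subtype / Result headers
                k, v = ln.split(":", 1)
                p[k.strip().lower()] = v.strip()
            elif section:
                p[section].append(ln)
        phases.append(p)
    action = tail.partition("Action:")[2].split("\n")[0].strip() or None
    return phases, action

def summarize(text):
    """Triage view: verdict, the UN-NAT mapping applied, and the first DROP phase (if any)."""
    phases, action = parse_phases(text)
    info = "\n".join(l for p in phases for l in p["info"])
    m = re.search(r"^Untranslate (\S+) to (\S+)", info, re.M)
    drop = next((p["type"] for p in phases if p["result"].upper() == "DROP"), None)
    return {"action": action, "untranslate": m.groups() if m else None,
            "first_drop": drop, "phases": [p["type"] for p in phases]}
```

On a failing trace the same call names the first phase that returned DROP, which is the rule to look at first.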

Seems like I have traffic through now.

Don't really know why ;-)

The packet-tracer shows everything is fine; is it still not working?

Varun

Thanks,
Varun Rao

I changed the dynamic NAT to a network object rule.

Looks like that made a difference.

Hi,

In 8.3 NAT, the order of operation for NAT rules is: first the manual NAT is hit and then the auto NAT. When you had configured the dynamic NAT as auto NAT, it might have been hitting it every time instead of the static rule that you had configured as object NAT; deleting it and moving it down in the NAT list made the difference.

Thanks,

Varun

Thanks,
Varun Rao