Inside access using FQDN to web server on DMZ

daveofferman
Level 1

I have a similar situation to this one here (https://supportforums.cisco.com/thread/2064372?referring_site=kapi&channel=smartnav).

What I have is 3 interfaces on my PIX.
- Outside: 216.116.87.0/24 (security level 0)
- 469: 172.16.6.0/24 (security level 10)
- 571: 192.168.255.0/24 (security level 1)

My users on 571 need to access a web server on the 469 interface. However, the requirement is that the 571 users can only access the website using the public FQDN, for which there is a static NAT from outside to 469.

Here are the pertinent NAT statements.

access-list owadmz_inbound_nat0_acl extended permit ip 172.16.6.0 255.255.255.0 any
global (outside) 571 216.116.87.7
nat (571) 571 192.168.255.0 255.255.255.0
nat (469) 0 access-list owadmz_inbound_nat0_acl outside
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
static (469,outside) 216.116.87.127 172.16.6.15 netmask 255.255.255.255

Here is also the packet-tracer output. It shows what I expect: the traffic is sourced from 571 and exits 469. However, the users are not able to access the website.

MMO-DC-FW-01-CORP# packet-tracer input 571 tcp 192.168.255.14 www 216.116.87.127 www detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
nat-control
  match ip 469 host 172.16.6.15 571 any
    static translation to 216.116.87.127
    translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface 469
Untranslate 216.116.87.127/0 to 172.16.6.15/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 571-acl-in in interface 571
access-list 571-acl-in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x61d4a08, priority=12, domain=permit, deny=false
        hits=439447, user_data=0x5ddaba0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x5f089b8, priority=0, domain=permit-ip-option, deny=true
        hits=458203, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7247dd0, priority=70, domain=inspect-http, deny=false
        hits=179742, user_data=0x5451e50, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x5955070, priority=21, domain=lu, deny=true
        hits=179742, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (571) 571 192.168.255.0 255.255.255.0
nat-control
  match ip 571 192.168.255.0 255.255.255.0 outside any
    dynamic translation to pool 571 (216.116.87.7)
    translate_hits = 96, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x4b61410, priority=1, domain=host, deny=false
        hits=113, user_data=0x583beb0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.255.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
nat-control
  match ip 469 host 172.16.6.15 571 any
    static translation to 216.116.87.127
    translate_hits = 0, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x6495548, priority=5, domain=nat-reverse, deny=false
        hits=0, user_data=0xa9ece78, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=172.16.6.15, mask=255.255.255.255, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
nat-control
  match ip 469 host 172.16.6.15 571 any
    static translation to 216.116.87.127
    translate_hits = 0, untranslate_hits = 1
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7248040, priority=5, domain=host, deny=false
        hits=51, user_data=0xa9ece78, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.16.6.15, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x4c02430, priority=0, domain=permit-ip-option, deny=true
        hits=163875719, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1000498703, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.6.15 using egress ifc 469
adjacency Active
next-hop mac address 02bf.ac10.061e hits 152879

Result:
input-interface: 571
input-status: up
input-line-status: up
output-interface: 469
output-status: up
output-line-status: up
Action: allow

Any suggestions/help to point me in the right direction is greatly appreciated.
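A parser for packet-tracer output of the kind pasted above, added here as an example (it is not part of the thread and not a Cisco tool): it turns each Phase block into a record and pulls out the facts worth checking against the config by hand, namely the first non-ALLOW phase, the UN-NAT translation pair, and the input/output interfaces. The embedded sample is an abridged copy of the output posted above; `parse_packet_tracer` and `summarize` are names chosen for this example.

```python
import re

# Abridged copy of the packet-tracer output posted above (sample input for this example).
SAMPLE = """\
Phase: 2
Type: UN-NAT
Result: ALLOW
Config:
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
Additional Information:
Untranslate 216.116.87.127/0 to 172.16.6.15/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Result:
input-interface: 571
output-interface: 469
Action: allow
"""

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per Phase block, plus the trailing Result block."""
    phases, summary, section, in_summary = [], {}, None, False
    for raw in text.splitlines():
        key, sep, value = (s.strip() for s in raw.partition(":"))
        if not key:
            continue
        if key == "Phase" and sep:
            phases.append({"number": int(value), "config": [], "info": []})
            section, in_summary = None, False
        elif key == "Result" and sep and not value:
            in_summary = True  # a bare "Result:" opens the final summary block
        elif in_summary:
            summary[key] = value  # input-interface, output-interface, Action, ...
        elif key in ("Config", "Additional Information") and sep and phases:
            section = phases[-1]["config" if key == "Config" else "info"]
        elif key in ("Type", "Subtype", "Result") and sep and phases:
            phases[-1][key.lower()] = value
        elif section is not None:
            section.append(raw.strip())  # free-form lines belong to the open section
    return phases, summary

def summarize(text):
    """Facts to check against the config: first non-ALLOW phase, UN-NAT pair, path, verdict."""
    phases, summary = parse_packet_tracer(text)
    drops = [p.get("type") for p in phases if p.get("result") != "ALLOW"]
    hits = [re.match(r"Untranslate (\S+?)/\d+ to (\S+?)/\d+", l) for p in phases for l in p["info"]]
    return {"first_drop": drops[0] if drops else None,
            "untranslate": next((m.groups() for m in hits if m), None),
            "path": (summary.get("input-interface"), summary.get("output-interface")),
            "action": summary.get("Action")}
```

Run over the full output above it returns the untranslate pair ('216.116.87.127', '172.16.6.15') and the path ('571', '469'), the same things the author read off by hand; the point is to diff those against the static and the route whenever a trace and real traffic disagree.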

4 Replies

daveofferman
Level 1

First, here is the configuration. Users on the 571 network are not able to access the web server at 192.168.2.20. This link says it should (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml) so I must be missing something easy.

However, if I create a static NAT for outside users, that does work.

static (469,outside) 216.116.87.127 172.16.6.15 netmask 255.255.255.255

interface Ethernet0/0
nameif Outside
security-level 0
ip address 216.116.87.110 255.255.255.0
!
interface Ethernet0/1
nameif 469
security-level 10
ip address 172.16.6.1 255.255.255.0
!
interface Ethernet0/2
nameif 571
security-level 1
ip address 192.168.255.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside extended permit tcp any host 216.116.87.127 eq www
access-list Testing extended permit tcp any host 216.116.87.127 eq www
access-list 571 extended permit ip any any
pager lines 24
logging enable
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu 469 1500
mtu 571 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
static (469,571) 192.168.2.20 172.16.6.15 netmask 255.255.255.255
access-group outside in interface Outside
access-group 571 in interface 571
route Outside 0.0.0.0 0.0.0.0 216.116.87.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 469
http 0.0.0.0 0.0.0.0 571
http 192.168.255.0 255.255.255.0 571
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access 571
dhcpd domain unfiltered.jkhy
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

Hi Dave,

Can you tell me what this NAT statement is for?

access-list owadmz_inbound_nat0_acl extended permit ip 172.16.6.0 255.255.255.0 any

nat (469) 0 access-list owadmz_inbound_nat0_acl outside

I suspect the return traffic might be falling into this NAT. So just as a test, it might or might not solve the issue, but it would clarify that this NAT is not a problem.

Let's say you are trying from a host whose IP is 192.168.255.14; then add another ACL entry, which is:

access-list owadmz_inbound_nat0_acl line 1 extended deny ip 172.16.6.0 255.255.255.0 host 192.168.255.14

This would prevent the return traffic from falling into this NAT statement. It's just a test that we can try.

Otherwise as informed to you earlier, captures would be the best approach along with logs.

Thanks,
Varun Rao

Perhaps there's something wrong with my IIS configured on my laptop. I can only get the web traffic to work if it's coming from public addressing.

This configuration below does not work for Web Traffic (using my laptop as the web server). However, I know the web server is functional because I can hit it locally AND hit it from the outside interface when configured with public addressing.

Both static statements work as I tested them with telnet traffic to the web server.

interface Ethernet0/0
nameif Outside
security-level 0
ip address 172.20.1.2 255.255.255.0
!
interface Ethernet0/1
nameif 571
security-level 40
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif 469
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside extended permit tcp any host 172.20.1.10 eq www
access-list outside extended permit tcp any host 172.20.1.10 eq telnet
access-list Testing extended permit tcp any host 216.116.87.127 eq www
access-list 571 extended permit tcp any any
pager lines 24
logging enable
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu 571 1500
mtu 469 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (571) 1 192.168.100.0 255.255.255.0
static (469,Outside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255 dns
static (469,571) 172.20.1.10 172.16.6.15 netmask 255.255.255.255
access-group outside in interface Outside
access-group 571 in interface 571

Hi,

It might be worthwhile to get captures off of the ASA (both the 469 and 571 interfaces) when trying to access the server on the 469 interface. Refer to the link below for working with captures:

https://supportforums.cisco.com/docs/DOC-17814

Regards,

Prapanch
