08-22-2011 10:18 AM - edited 03-11-2019 02:15 PM
I have a similar situation to this one here (https://supportforums.cisco.com/thread/2064372?referring_site=kapi&channel=smartnav).
What I have is 3 interfaces on my PIX.
- Outside: 216.116.87.0/24 (security level 0)
- 469: 172.16.6.0/24 (security level 10)
- 571: 192.168.255.0/24 (security level 1)
My users on 571 need to access a web server on the 469 interface. However, the requirement is that the 571 users can only access the website using the public FQDN, for which there is a static NAT from outside to 469.
Here are the pertinent NAT statements.
access-list owadmz_inbound_nat0_acl extended permit ip 172.16.6.0 255.255.255.0 any
global (outside) 571 216.116.87.7
nat (571) 571 192.168.255.0 255.255.255.0
nat (469) 0 access-list owadmz_inbound_nat0_acl outside
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
static (469,outside) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
Here is also the packet-tracer output, and it shows what I expect: the traffic is sourced from 571 and exits 469. However, the users are not able to access the website.
MMO-DC-FW-01-CORP# packet-tracer input 571 tcp 192.168.255.14 www 216.116.87.127 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
nat-control
match ip 469 host 172.16.6.15 571 any
static translation to 216.116.87.127
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface 469
Untranslate 216.116.87.127/0 to 172.16.6.15/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 571-acl-in in interface 571
access-list 571-acl-in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x61d4a08, priority=12, domain=permit, deny=false
hits=439447, user_data=0x5ddaba0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x5f089b8, priority=0, domain=permit-ip-option, deny=true
hits=458203, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7247dd0, priority=70, domain=inspect-http, deny=false
hits=179742, user_data=0x5451e50, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x5955070, priority=21, domain=lu, deny=true
hits=179742, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (571) 571 192.168.255.0 255.255.255.0
nat-control
match ip 571 192.168.255.0 255.255.255.0 outside any
dynamic translation to pool 571 (216.116.87.7)
translate_hits = 96, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4b61410, priority=1, domain=host, deny=false
hits=113, user_data=0x583beb0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.255.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
nat-control
match ip 469 host 172.16.6.15 571 any
static translation to 216.116.87.127
translate_hits = 0, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x6495548, priority=5, domain=nat-reverse, deny=false
hits=0, user_data=0xa9ece78, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=172.16.6.15, mask=255.255.255.255, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
nat-control
match ip 469 host 172.16.6.15 571 any
static translation to 216.116.87.127
translate_hits = 0, untranslate_hits = 1
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7248040, priority=5, domain=host, deny=false
hits=51, user_data=0xa9ece78, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.6.15, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x4c02430, priority=0, domain=permit-ip-option, deny=true
hits=163875719, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1000498703, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.6.15 using egress ifc 469
adjacency Active
next-hop mac address 02bf.ac10.061e hits 152879
Result:
input-interface: 571
input-status: up
input-line-status: up
output-interface: 469
output-status: up
output-line-status: up
Action: allow
Any suggestions/help to point me in the right direction is greatly appreciated.
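As an added example (not part of the original thread), here is a small Python parser for packet-tracer output like the one above: it splits the output into phases and reports the NAT rules that matched, the untranslate step, any phase that did not ALLOW, and the input/output interfaces, so the same check can be repeated after each config change. SAMPLE is a constructed, trimmed excerpt of the output above.

```python
# Constructed sample: a trimmed excerpt (phases 2 and 7 plus the trailer) of the output above.
SAMPLE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (469,571) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
Additional Information:
Untranslate 216.116.87.127/0 to 172.16.6.15/0 using netmask 255.255.255.255
Phase: 7
Type: NAT
Result: ALLOW
Config:
nat (571) 571 192.168.255.0 255.255.255.0
Result:
input-interface: 571
output-interface: 469
Action: allow
"""

def parse_packet_tracer(text):
    """Per-phase dicts (Type, Subtype, Result, config, info) plus the trailer fields."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the trailer block
            cur, section = None, "summary"
        elif cur is not None and line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif cur is not None and section:
            cur[section].append(line)
        elif section == "summary" or cur is not None:  # "Key: value" field
            key, _, val = line.partition(":")
            (summary if section == "summary" else cur)[key.strip()] = val.strip()
    return phases, summary

def nat_report(text):
    """First things to check: matched NAT rules, the untranslate step, drops, path."""
    phases, summary = parse_packet_tracer(text)
    rules = [l for p in phases if p.get("Type") in ("NAT", "UN-NAT")
             for l in p["config"] if l.startswith(("static ", "nat "))]
    untrans = [l for p in phases for l in p["info"] if l.startswith("Untranslate")]
    dropped = [p["phase"] for p in phases if p.get("Result") != "ALLOW"]
    return {"rules": rules, "untranslate": untrans, "dropped": dropped,
            "path": (summary.get("input-interface"), summary.get("output-interface")),
            "action": summary.get("Action")}
```

Feed it the full output from the firewall (copied from the terminal) and compare the rules and path fields before and after changing a static or nat statement.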
08-25-2011 10:45 AM
First, here is the configuration. Users on the 571 network are not able to access the web server at 192.168.2.20. This link says it should (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml) so I must be missing something easy.
However, if I create a static NAT for outside users, that does work.
static (469,outside) 216.116.87.127 172.16.6.15 netmask 255.255.255.255
interface Ethernet0/0
nameif Outside
security-level 0
ip address 216.116.87.110 255.255.255.0
!
interface Ethernet0/1
nameif 469
security-level 10
ip address 172.16.6.1 255.255.255.0
!
interface Ethernet0/2
nameif 571
security-level 1
ip address 192.168.255.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside extended permit tcp any host 216.116.87.127 eq www
access-list Testing extended permit tcp any host 216.116.87.127 eq www
access-list 571 extended permit ip any any
pager lines 24
logging enable
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu 469 1500
mtu 571 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
static (469,571) 192.168.2.20 172.16.6.15 netmask 255.255.255.255
access-group outside in interface Outside
access-group 571 in interface 571
route Outside 0.0.0.0 0.0.0.0 216.116.87.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 469
http 0.0.0.0 0.0.0.0 571
http 192.168.255.0 255.255.255.0 571
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access 571
dhcpd domain unfiltered.jkhy
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
08-25-2011 11:00 AM
Hi Dave,
Can you tell me what this NAT statement is for?
access-list owadmz_inbound_nat0_acl extended permit ip 172.16.6.0 255.255.255.0 any
nat (469) 0 access-list owadmz_inbound_nat0_acl outside
I suspect the return traffic might be falling into this NAT. So, just as a test (it might or might not solve the issue, but it would clarify that this NAT is not the problem):
Let's say you are trying from a host whose IP is 192.168.255.14; then add another ACL entry, which is:
access-list owadmz_inbound_nat0_acl line 1 extended deny ip 172.16.6.0 255.255.255.0 host 192.168.255.14
This would prevent the return traffic from falling into this NAT statement. It's just a test that we can try.
Otherwise, as I mentioned to you earlier, captures would be the best approach, along with logs.
Thanks,
Varun
08-25-2011 03:03 PM
Perhaps there's something wrong with my IIS configured on my laptop. I can only get the web traffic to work if it's coming from public addressing.
The configuration below does not work for web traffic (using my laptop as the web server). However, I know the web server is functional because I can hit it locally AND hit it from the outside interface when configured with public addressing.
Both static statements work as I tested them with telnet traffic to the web server.
interface Ethernet0/0
nameif Outside
security-level 0
ip address 172.20.1.2 255.255.255.0
!
interface Ethernet0/1
nameif 571
security-level 40
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
nameif 469
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside extended permit tcp any host 172.20.1.10 eq www
access-list outside extended permit tcp any host 172.20.1.10 eq telnet
access-list Testing extended permit tcp any host 216.116.87.127 eq www
access-list 571 extended permit tcp any any
pager lines 24
logging enable
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu 571 1500
mtu 469 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (571) 1 192.168.100.0 255.255.255.0
static (469,Outside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255 dns
static (469,571) 172.20.1.10 172.16.6.15 netmask 255.255.255.255
access-group outside in interface Outside
access-group 571 in interface 571
09-08-2011 11:07 AM
Hi,
It might be worthwhile to get captures off of the ASA (both the 469 and 571 interfaces) when trying to access the server on the 469 interface. Refer to the link below for working with captures:
https://supportforums.cisco.com/docs/DOC-17814
Regards,
Prapanch