10-05-2013 04:50 PM - edited 03-11-2019 07:47 PM
Hi!
I want to access an inside machine, 192.168.67.245, on TCP port 80 from the outside using my public IP 1.1.1.1 (example).
Here is what I did:
access-list outisde_access_in permit tcp any host 192.168.67.245 eq 80
access-list outisde_access_in permit tcp any host 1.1.1.1 eq 80
object network My_inside_machine
host 192.168.67.245
nat (inside,outside) static interface service tcp 80 80
When I try to browse http://1.1.1.1 from outside (my home), I get something like:
3 | Oct 06 2013 | 00:02:50 | my_home_ip | 18159 | 1.1.1.1 | 80 | TCP access denied by ACL from my_home_ip/18159 to outside:1.1.1.1/80 |
What is wrong with my config?
ASA 5505
ASDM 7.1
ASA 9.1
10-05-2013 05:19 PM
Hi,
Well, the configuration looks otherwise good, but I have a doubt about your ACL.
The name is "outisde_access_in", though I would imagine that it should usually be "outside_access_in". Not that the ACL name matters, but I am just wondering whether the ACL is attached to an interface at all.
I would check the output of the following command:
show run access-group
This will tell what ACLs (name) are attached to which interface and in which direction.
I am wondering if the ACL is attached to the interface?
You can also use "packet-tracer" commands to test the ASA rules:
packet-tracer input outside tcp
This command's output should tell if there is some problem with the ASA configuration.
- Jouni
10-05-2013 05:49 PM
Result of the command: "show run access-group"
access-group global_access global
Result of the command: "packet-tracer input outside tcp my_home_ip 12345 Public_IP 80"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in Public_IP 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Which rule is configured to deny the traffic ??!
10-05-2013 05:53 PM
Hi,
As you can see you have not attached the ACL you mention in the original post to any interface.
You have only configured an ACL named "global_access", and it applies to all interfaces on the ASA.
However, I think you should see an UN-NAT phase in the "packet-tracer" output, but that is not the case above. So I think there might be a problem with some other NAT configuration.
I would need to see the output of:
show run nat
- Jouni
10-05-2013 05:57 PM
Result of the command: "show run nat"
nat (any,any) source static NETWORK_OBJ_172.19.16.0_20 NETWORK_OBJ_172.19.16.0_20
nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.16.0_20 NETWORK_OBJ_172.19.16.0_20 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.67.248_29 NETWORK_OBJ_192.168.67.248_29 no-proxy-arp route-lookup
!
object network My_inside_machine
nat (inside,outside) static interface service tcp www www
10-05-2013 06:01 PM
Hi,
This NAT rule is overriding the Static PAT you have configured for port TCP/80:
nat (inside,outside) source dynamic any interface
You will have to remove it and add it in another format:
no nat (inside,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
You will also have to add the ACL rule to allow the traffic, since, as I mentioned above, you have a different ACL attached on the device than the one you mentioned in the original post.
- Jouni
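The two findings in this thread (a Section 1 manual NAT rule shadowing the object static PAT, and the ACL not being attached) can be reproduced in a small model. This is an added example, not code from the thread or from Cisco; it is a simplified Python model of the ASA's UN-NAT section ordering and of the "show run access-group" output, using the thread's own rules and the example public IP 1.1.1.1.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    name: str
    section: int                       # 1 = manual, 2 = object (auto), 3 = after-auto manual
    kind: str                          # "static" or "dynamic"
    mapped_ip: str
    real_ip: Optional[str] = None
    mapped_port: Optional[int] = None  # None = any port
    real_port: Optional[int] = None

def un_nat(rules, dst_ip, dst_port):
    """Simplified model of the ASA UN-NAT lookup for a new inbound connection.
    Sections are checked 1, 2, 3; the first rule whose mapped address (and
    port, if it has one) covers the destination wins. A dynamic PAT rule can
    win the lookup but has no inbound xlate, so the packet stays untranslated."""
    for section in (1, 2, 3):
        for r in (r for r in rules if r.section == section):
            if r.mapped_ip != dst_ip:
                continue
            if r.mapped_port is not None and r.mapped_port != dst_port:
                continue
            if r.kind == "dynamic":
                return None, r.name    # shadowed: the failure seen in the thread
            return (r.real_ip, r.real_port or dst_port), r.name
    return None, None

INTERFACE_IP = "1.1.1.1"   # the thread's example public IP (assumed interface address)
STATIC_PAT = NatRule("object My_inside_machine static tcp 80", 2, "static",
                     INTERFACE_IP, "192.168.67.245", 80, 80)

def broken_config():
    # "nat (inside,outside) source dynamic any interface" lands in Section 1
    return [NatRule("source dynamic any interface", 1, "dynamic", INTERFACE_IP), STATIC_PAT]

def fixed_config():
    # Jouni's fix: the same dynamic PAT re-added with after-auto (Section 3)
    return [STATIC_PAT, NatRule("after-auto source dynamic any interface", 3, "dynamic", INTERFACE_IP)]

ACCESS_GROUP_OUTPUT = "access-group global_access global"   # as posted in the thread

def attached_acls(show_run_access_group):
    """Parse 'show run access-group' lines into {acl_name: where it is applied}."""
    out = {}
    for line in show_run_access_group.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0] == "access-group":
            out[p[1]] = "global" if p[2] == "global" else " ".join(p[2:])
    return out
```

Running un_nat over broken_config() for 1.1.1.1:80 returns no translation (the Section 1 dynamic rule wins), while fixed_config() untranslates to 192.168.67.245:80; attached_acls(ACCESS_GROUP_OUTPUT) shows only global_access, never outisde_access_in.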
10-05-2013 06:17 PM
Everything seems to be okay.
Thank you very much JouniForss.