Users unable to access server access thru firewall

tsrader
Level 1

Users are complaining that they are unable to access servers through the firewall; however, packet-tracer shows the traffic flow working fine.

Any help to verify my config and confirm?

ASA Version 8.0(4) <context>
!
hostname ASA

names
!
interface GigabitEthernet0/0.521
nameif outside
security-level 0
ip address 10.21.1.1 255.255.255.240
!
interface GigabitEthernet0/1.541
nameif inside
security-level 100
ip address 172.16.191.148 255.255.255.240
!
object-group network ae_license_srvs
network-object 172.16.174.6 255.255.255.255
network-object 172.16.174.7 255.255.255.255
network-object 172.16.174.8 255.255.255.255
network-object 172.16.172.16 255.255.255.255
network-object 172.16.172.17 255.255.255.255
network-object 172.16.172.18 255.255.255.255
network-object 172.16.193.163 255.255.255.255
object-group service license_servers_ports tcp
port-object eq 28510
port-object eq 28062
port-object eq 28060
port-object eq 28512
port-object eq 28612
port-object eq 28600
port-object eq 28602
port-object eq 27010
port-object eq 28690
port-object eq 28692
port-object eq 28230
port-object eq 28232
port-object eq 28610
port-object eq 28710
port-object eq 28712
port-object eq 28590
port-object range 50000 60000
object-group network outside_hosts_real
network-object 10.21.1.3 255.255.255.255
network-object 10.21.1.4 255.255.255.255
network-object 10.21.1.5 255.255.255.255
network-object 10.21.1.6 255.255.255.255
network-object 10.21.1.7 255.255.255.255
network-object 10.21.1.8 255.255.255.255
network-object 10.21.1.9 255.255.255.255
network-object 10.21.1.10 255.255.255.255
network-object 10.21.1.11 255.255.255.255
network-object 10.21.1.12 255.255.255.255
network-object 10.21.1.13 255.255.255.255
network-object 10.21.1.14 255.255.255.255
object-group service ras_permitted_udp udp
port-object eq pcanywhere-status
object-group service ras_permitted_tcp tcp
port-object eq 3389
port-object eq 5900
port-object eq pcanywhere-data
access-list outside_in extended permit tcp object-group outside_hosts_real object-group ae_license_srvs object-group license_servers_ports
access-list outside_in extended permit icmp any any
access-list inside_in extended permit tcp any any eq 5900        <<<<<<  permit any inside host access to outside host using VNC
pager lines 24
mtu outside 1500
mtu inside 1500
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.16.174.6 172.16.174.6 netmask 255.255.255.255                   <<<<<   server being accessed on inside network
static (inside,outside) 10.21.1.3 172.16.191.149 netmask 255.255.255.255    <<<<<<  outside hosts static nat'd to inside "routable" ip address
static (inside,outside) 10.21.1.5 172.16.191.151 netmask 255.255.255.255    <<<<<<  outside hosts static nat'd to inside "routable" ip address
access-group outside_in in interface outside
access-group inside_in in interface inside
route inside 0.0.0.0 0.0.0.0 172.16.191.145 1


PACKET TRACER RESULTS

packet-tracer input outside tcp 10.21.1.3 28610 172.16.174.6 28610 detailed  <<<<<<  outside host access to license server on port 28610

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 172.16.174.6 172.16.174.6 netmask 255.255.255.255
  match ip inside host 172.16.174.6 outside any
    static translation to 172.16.174.6
    translate_hits = 3, untranslate_hits = 8
Additional Information:
NAT divert to egress interface inside
Untranslate 172.16.174.6/0 to 172.16.174.6/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp object-group outside_hosts_real object-group ae_license_srvs object-group license_servers_ports
object-group network outside_hosts_real
network-object 10.21.1.3 255.255.255.255
network-object 10.21.1.4 255.255.255.255
network-object 10.21.1.5 255.255.255.255
network-object 10.21.1.6 255.255.255.255
network-object 10.21.1.7 255.255.255.255
network-object 10.21.1.8 255.255.255.255
network-object 10.21.1.9 255.255.255.255
network-object 10.21.1.10 255.255.255.255
network-object 10.21.1.11 255.255.255.255
network-object 10.21.1.12 255.255.255.255
network-object 10.21.1.13 255.255.255.255
network-object 10.21.1.14 255.255.255.255
object-group network ae_license_srvs
network-object 172.16.174.6 255.255.255.255
network-object 172.16.174.7 255.255.255.255
network-object 172.16.174.8 255.255.255.255
network-object 172.16.172.16 255.255.255.255
network-object 172.16.172.17 255.255.255.255
network-object 172.16.172.18 255.255.255.255
network-object 172.16.193.163 255.255.255.255
object-group service license_servers_ports tcp
port-object eq 28510
port-object eq 28062
port-object eq 28060
port-object eq 28512
port-object eq 28612
port-object eq 28600
port-object eq 28602
port-object eq 27010
port-object eq 28690
port-object eq 28692
port-object eq 28230
port-object eq 28232
port-object eq 28610
port-object eq 28710
port-object eq 28712
port-object eq 28590
port-object range 50000 60000
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb143c48, priority=12, domain=permit, deny=false
hits=4, user_data=0xcac7fe48, cs_id=0x0, flags=0x0, protocol=6
src ip=10.21.1.3, mask=255.255.255.255, port=0
dst ip=172.16.174.6, mask=255.255.255.255, port=28610, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb0ff498, priority=0, domain=permit-ip-option, deny=true
hits=168307, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 172.16.174.6 172.16.174.6 netmask 255.255.255.255
  match ip inside host 172.16.174.6 outside any
    static translation to 172.16.174.6
    translate_hits = 3, untranslate_hits = 8
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb3ea380, priority=5, domain=nat-reverse, deny=false
hits=6, user_data=0xcb3c0320, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=172.16.174.6, mask=255.255.255.255, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 172.16.174.6 172.16.174.6 netmask 255.255.255.255
  match ip inside host 172.16.174.6 outside any
    static translation to 172.16.174.6
    translate_hits = 3, untranslate_hits = 8
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcb3ea400, priority=5, domain=host, deny=false
hits=19, user_data=0xcb3c0320, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.174.6, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcb0aa3a8, priority=0, domain=permit-ip-option, deny=true
hits=31572, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 890160, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.191.145 using egress ifc inside
adjacency Active
next-hop mac address 0000.0c07.ac01 hits 12925

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

2 Replies

Hi,

What do users complain about?

I mean, you have the static and ACL to allow the inbound traffic and packet-tracer shows it's being permitted.

Could the problem be the application itself not working?

What kind of application are they trying to use, and is there any error that they receive?

Federico.

Jitendriya Athavale
Cisco Employee

Now let me take a wild guess: probably your users are complaining that they are not able to access anything which has a static NAT, correct? Correct me if I am wrong.

Check if the next hop on the outside has ARP entries for these statically NAT'd IPs and that the MAC is pointing to the firewall, as the firewall should proxy ARP.

Also apply captures and see if the packets are coming to the firewall.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml#s1
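As an added, constructed example (written for this page, not code from any poster in the thread or from Cisco), the following Python script works over an excerpt of the configuration posted above. It reproduces the Phase 3 (ACCESS-LIST) decision that packet-tracer shows for a given flow, and it adds the consistency check a reviewer would run next: in ASA 8.x the syntax is `static (real_ifc,mapped_ifc) mapped_ip real_ip`, so it flags every static whose mapped address (the address the ASA answers ARP for on the mapped interface) is also a real source host permitted by the outside_in ACL. Packet-tracer evaluates policy, not the ARP state of the outside next hop, so such an overlap is worth verifying alongside the ARP check suggested in the last reply. The group, ACL and address values are the ones in the posted config; the function names (`parse`, `acl_decision`, `static_source_overlaps`) are my own.

```python
"""Added example, not from any poster in this thread: a toy ASA 8.0-style
config checker.  It parses object-groups, access-lists and statics from a
constructed excerpt of the posted config, answers "does this ACL permit this
flow?" like packet-tracer Phase 3 (ACCESS-LIST), and flags statics whose
mapped address is also a source host in an ACL.  ASA 8.x syntax the check
relies on: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask <mask>."""
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (arrow comments kept).
CONFIG = """
object-group network ae_license_srvs
network-object 172.16.174.6 255.255.255.255
object-group service license_servers_ports tcp
port-object eq 28610
port-object range 50000 60000
object-group network outside_hosts_real
network-object 10.21.1.3 255.255.255.255
network-object 10.21.1.5 255.255.255.255
access-list outside_in extended permit tcp object-group outside_hosts_real object-group ae_license_srvs object-group license_servers_ports
access-list outside_in extended permit icmp any any
access-list inside_in extended permit tcp any any eq 5900   <<<<<< permit any inside host to outside host using VNC
static (inside,outside) 172.16.174.6 172.16.174.6 netmask 255.255.255.255
static (inside,outside) 10.21.1.3 172.16.191.149 netmask 255.255.255.255
static (inside,outside) 10.21.1.5 172.16.191.151 netmask 255.255.255.255
"""


def parse(text):
    """Return (net_groups, svc_groups, acls, statics) from ASA 8.x config text."""
    nets, svcs, acls, statics, cur = {}, {}, {}, [], None
    for raw in text.splitlines():
        line = raw.split("<<<")[0].strip()      # drop the poster's arrow comments
        if m := re.match(r"object-group network (\S+)", line):
            cur = nets.setdefault(m[1], [])
        elif m := re.match(r"object-group service (\S+) (?:tcp|udp)", line):
            cur = svcs.setdefault(m[1], [])
        elif m := re.match(r"network-object (\S+) (\S+)", line):
            cur.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"port-object eq (\d+)", line):
            cur.append((int(m[1]), int(m[1])))
        elif m := re.match(r"port-object range (\d+) (\d+)", line):
            cur.append((int(m[1]), int(m[2])))
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4].split()))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask", line):
            statics.append({"real_ifc": m[1], "mapped_ifc": m[2], "mapped": m[3], "real": m[4]})
    return nets, svcs, acls, statics


def _addr(tokens, i, nets):
    """Consume one ACL address spec at tokens[i]; return (predicate, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "object-group":
        group = nets[tokens[i + 1]]
        return (lambda ip: any(ip in n for n in group)), i + 2
    host = tokens[i + 1] if tokens[i] == "host" else tokens[i]
    mask = "32" if tokens[i] == "host" else tokens[i + 1]
    net = ipaddress.ip_network(f"{host}/{mask}")
    return (lambda ip: ip in net), i + 2


def _port(tokens, i, svcs):
    """Consume the optional destination-port spec; no spec means any port."""
    if i >= len(tokens):
        return lambda p: True
    if tokens[i] == "eq":
        return lambda p: p == int(tokens[i + 1])
    if tokens[i] == "range":
        return lambda p: int(tokens[i + 1]) <= p <= int(tokens[i + 2])
    ranges = svcs[tokens[i + 1]]                 # object-group <service group>
    return lambda p: any(lo <= p <= hi for lo, hi in ranges)


def acl_decision(parsed, acl, proto, src, dst, dport=0):
    """First matching ACE wins, as on the ASA; no match is the implicit deny."""
    nets, svcs, acls, _ = parsed
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, ace_proto, tok in acls.get(acl, []):
        if ace_proto not in (proto, "ip"):
            continue
        src_ok, i = _addr(tok, 0, nets)
        dst_ok, i = _addr(tok, i, nets)
        if src_ok(src) and dst_ok(dst) and _port(tok, i, svcs)(dport):
            return action
    return "deny"


def static_source_overlaps(parsed, acl):
    """Statics whose *mapped* address (what the mapped_ifc side sees, and what the
    ASA proxy-ARPs for there) is also a source host an ACE in `acl` permits.
    Returns [(mapped, real, mapped_ifc), ...]: mappings to double-check."""
    nets, _, acls, statics = parsed
    hits = []
    for s in statics:
        mapped = ipaddress.ip_address(s["mapped"])
        for _, _, tok in acls.get(acl, []):
            if tok[0] != "any" and _addr(tok, 0, nets)[0](mapped):
                hits.append((s["mapped"], s["real"], s["mapped_ifc"]))
                break
    return hits


if __name__ == "__main__":
    cfg = parse(CONFIG)
    # Same flow as the packet-tracer run in the thread: permitted by Phase 3.
    print(acl_decision(cfg, "outside_in", "tcp", "10.21.1.3", "172.16.174.6", 28610))
    print(acl_decision(cfg, "outside_in", "tcp", "10.21.1.3", "172.16.174.6", 22))
    for mapped, real, ifc in static_source_overlaps(cfg, "outside_in"):
        print(f"static maps inside {real} to {mapped} on {ifc}, but {mapped} is also "
              f"an outside source in outside_in; verify the intended NAT direction")
```

Run against the excerpt, the flow from the thread (10.21.1.3 to 172.16.174.6 on TCP 28610) is permitted, a port outside the service group is denied, and the two statics for 10.21.1.3 and 10.21.1.5 are reported because their mapped side is the outside interface while the same addresses are the real outside hosts listed in outside_hosts_real.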
