10-17-2013 08:33 AM - edited 03-11-2019 07:53 PM
Hello All,
I am new here and in the ASA world.
I have a small issue with allowing access to my webserver from the Internet.
Internet -------- Router COLT ---------- ASA ---------- MyLan
I have created an access-list :
access-list acl-out extended permit tcp any object WebServer eq www
I have created a NAT rule :
nat (LANColt,DMZCarax) source static any any destination static WebServer WebServer
The website is reachable when I plug in between the Router Colt and the ASA but not when I try from the Internet ...
Do you have any idea ???
Thanks
Cedric
10-17-2013 08:49 AM
Do you have Internet access from the inside? Is the IP address that you're translating to publicly routable? Is the translated IP address the same as the outside network of the ASA?
Also, this belongs in the Security --> Firewalling section. You should move it.
Sachin
10-17-2013 09:00 AM
Hi Sachin,
Yes I do have Internet access from the inside.
Yes the IP address is publicly routable.
Here is a quick description:
62.23.x.x ------ Router Colt [192.168.1.1] ---- [192.168.1.3] ASA [192.168.10.2] ------- [192.168.10.4] Webserver
10-17-2013 09:08 AM
Hi,
The provided information is not all we need.
Since your router actually holds the public IP address (and not the ASA) then your options to create a NAT configuration for the Web server would either be
OR
So first we need to know if the router will see the actual 192.168.10.0/xx network (NONAT on ASA) or will it just see the ASA outside IP address 192.168.1.3
The correct configuration format for Static PAT on ASA is for example
object network STATIC-PAT
host 192.168.10.x
nat (inside,outside) static interface service tcp 80 80
This would forward the port TCP/80 if connections are coming to the "interface" IP address of "outside" with that destination port.
- Jouni
10-17-2013 09:40 AM
Hi Jouni,
Thanks for your reply.
The router only sees the ASA on 192.168.1.3 and there is a NAT to this IP
(ip nat inside source static 192.168.1.3 62.23.xx.xx)
There is a NAT between the ASA's inside and outside interfaces.
I have tried to create the static PAT on the ASA. But I still cannot reach the web server from the Internet.
Is the access-list I wrote fine?
cedric
10-17-2013 10:03 AM
Hi,
Either post the configuration or post the output of this "packet-tracer" command
packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.3 80
Or use the destination port "443" if that is the one you are using
- Jouni
10-20-2013 10:52 PM
Hello Jouni,
Sorry for the time to reply.
Here is the output of the packet tracer:
ciscoasa# packet-tracer input LANColt tcp 8.8.8.8 12345 192.168.1.3 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.3 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: LANColt
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Packets are dropped by an ACL.
Here is "sh access-list":
ciscoasa# sh access-list
access-list cached ACL log flows: total 397, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list LANColt_access_in; 4 elements; name hash: 0xa28dded0
access-list LANColt_access_in line 1 extended permit icmp any any object-group obj-i-all log informational interval 300 (hitcnt=0) 0x1507d1f7
access-list LANColt_access_in line 1 extended permit icmp any any echo log informational interval 300 (hitcnt=0) 0x188a9836
access-list LANColt_access_in line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=0) 0xada2a22a
access-list LANColt_access_in line 1 extended permit icmp any any time-exceeded log informational interval 300 (hitcnt=19) 0xaf99f695
access-list LANColt_access_in line 2 extended permit tcp any any eq www (hitcnt=0) 0x25780758
access-list DMZCarax_access_in; 3 elements; name hash: 0xef6085d
access-list DMZCarax_access_in line 1 extended permit ip any any log debugging interval 300 (hitcnt=20007537) 0x563bb185
access-list DMZCarax_access_in line 2 extended permit icmp any any log informational interval 300 (hitcnt=0) 0x3ddebcbf
access-list DMZCarax_access_in line 3 extended permit udp host 192.168.2.2 any (hitcnt=0) 0xa1c4ec7c
access-list CARAX; 2 elements; name hash: 0xf5e4518b
access-list CARAX line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xc362eb9d
access-list CARAX line 2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xdc4e01b7
access-list LANEurex_access_in; 3 elements; name hash: 0x77b8262a
access-list LANEurex_access_in line 1 extended permit ip object obj-h-Eurex object-group gobj-n-Global-Carax 0x741dc2a6
access-list LANEurex_access_in line 1 extended permit ip host 193.29.93.173 192.168.20.0 255.255.255.0 (hitcnt=0) 0xbf558d64
access-list LANEurex_access_in line 1 extended permit ip host 193.29.93.173 192.168.10.0 255.255.255.0 (hitcnt=0) 0xe6964c68
access-list LANEurex_access_in line 2 extended permit ip any any inactive (hitcnt=0) (inactive) 0xe0241ced
access-list LANAbn_access_in; 5 elements; name hash: 0xfc8d5221
access-list LANAbn_access_in line 1 extended permit ip object-group gobj-h-ABN object-group gobj-n-Global-Carax inactive (inactive) 0xe7ef84f4
access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.102 192.168.20.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0x13f4adc8
access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.102 192.168.10.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xd1e47353
access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.103 192.168.20.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xc6f7ec02
access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.103 192.168.10.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0x0e46a02e
access-list LANAbn_access_in line 2 extended permit ip any any (hitcnt=2) 0x0fdd7231
access-list LANBloom_access_in; 1 elements; name hash: 0xcc39ac70
access-list LANBloom_access_in line 1 extended permit ip any any (hitcnt=7872) 0xc86a3df1
access-list acl-out; 6 elements; name hash: 0x12815e8f
access-list acl-out line 1 extended permit icmp any any object-group obj-i-all (hitcnt=0) 0xc838e767
access-list acl-out line 1 extended permit icmp any any echo (hitcnt=0) 0x9ab79491
access-list acl-out line 1 extended permit icmp any any echo-reply (hitcnt=0) 0xa2377349
access-list acl-out line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xcb4b3851
access-list acl-out line 2 extended permit gre any host 192.168.10.221 (hitcnt=0) 0xdeafcf2f
access-list acl-out line 3 extended permit tcp any host 192.168.10.221 eq pptp (hitcnt=0) 0xdb7d38da
Thanks in advance.
10-20-2013 11:14 PM
Hi,
You should use your external interface as the input interface of this test. Not your LAN interface which you are using now. The hosts on the Internet won't be using that as the input interface.
- Jouni
10-20-2013 11:18 PM
Or,
If this was the interface connected to the router then you either are missing a NAT configuration or you have an overriding NAT configuration in your current configuration which is most likely a Dynamic PAT configuration.
- Jouni
10-20-2013 11:28 PM
LANColt is the interface facing the router Colt. It is the 192.168.1.3 interface.
ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (DMZCarax) to (LANColt) source dynamic OBJ_GENERIC_ALL interface
translate_hits = 18933401, untranslate_hits = 1516833
2 (DMZCarax) to (LANBloom) source static obj-LANCarax obj-LANCarax destination static obj-LANBloom obj-LANBloom
translate_hits = 0, untranslate_hits = 15244
3 (DMZCarax) to (LANEurex) source static obj-LANCarax obj-LANCarax destination static obj-LANEurex obj-LANEurex
translate_hits = 0, untranslate_hits = 0
4 (DMZCarax) to (LANAbn) source static obj-LANCarax obj-LANCarax destination static obj-LANAbn obj-LANAbn
translate_hits = 0, untranslate_hits = 21955
5 (DMZCarax) to (LANMonaco) source static obj-LANCarax obj-LANCarax destination static obj-LANMonaco obj-LANMonaco
translate_hits = 0, untranslate_hits = 0
6 (LANMonaco) to (DMZCarax) source static obj-LANMonaco obj-LANMonaco destination static obj-LANCarax obj-LANCarax
translate_hits = 0, untranslate_hits = 138065
7 (LANMonaco) to (LANBloom) source static obj-LANMonaco obj-LANMonaco destination static obj-LANBloom obj-LANBloom
translate_hits = 0, untranslate_hits = 23
8 (LANMonaco) to (LANAbn) source static obj-LANMonaco obj-LANMonaco destination static obj-LANAbn obj-LANAbn
translate_hits = 0, untranslate_hits = 0
9 (LANBloom) to (DMZCarax) source static obj-LANBloom obj-LANBloom destination static obj-LANCarax obj-LANCarax
translate_hits = 0, untranslate_hits = 89964
10 (LANBloom) to (LANMonaco) source static obj-LANBloom obj-LANBloom destination static obj-LANMonaco obj-LANMonaco
translate_hits = 0, untranslate_hits = 0
11 (LANEurex) to (DMZCarax) source static obj-LANEurex obj-LANEurex destination static obj-LANCarax obj-LANCarax
translate_hits = 0, untranslate_hits = 96
12 (LANEurex) to (LANMonaco) source static obj-LANEurex obj-LANEurex destination static obj-LANMonaco obj-LANMonaco
translate_hits = 0, untranslate_hits = 0
13 (LANAbn) to (DMZCarax) source static obj-LANAbn obj-LANAbn destination static obj-LANCarax obj-LANCarax
translate_hits = 0, untranslate_hits = 49854
14 (LANAbn) to (LANMonaco) source static obj-LANAbn obj-LANAbn destination static obj-LANMonaco obj-LANMonaco
translate_hits = 0, untranslate_hits = 0
15 (DMZCarax) to (DMZCarax) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
16 (LANColt) to (DMZCarax) source static any any destination static WebServer.Int WebServer.Int inactive
translate_hits = 0, untranslate_hits = 0
17 (DMZCarax) to (LANColt) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (DMZCarax) to (LANColt) source static STATIC-PAT interface service tcp www www
translate_hits = 0, untranslate_hits = 0
10-20-2013 11:32 PM
Hi,
Can you rather post the output of
show run nat
- Jouni
10-20-2013 11:35 PM
Sure
Here it is:
ciscoasa# show run nat
nat (DMZCarax,LANColt) source dynamic OBJ_GENERIC_ALL interface
nat (DMZCarax,LANBloom) source static obj-LANCarax obj-LANCarax destination static obj-LANBloom obj-LANBloom
nat (DMZCarax,LANEurex) source static obj-LANCarax obj-LANCarax destination static obj-LANEurex obj-LANEurex
nat (DMZCarax,LANAbn) source static obj-LANCarax obj-LANCarax destination static obj-LANAbn obj-LANAbn
nat (DMZCarax,LANMonaco) source static obj-LANCarax obj-LANCarax destination static obj-LANMonaco obj-LANMonaco
nat (LANMonaco,DMZCarax) source static obj-LANMonaco obj-LANMonaco destination static obj-LANCarax obj-LANCarax
nat (LANMonaco,LANBloom) source static obj-LANMonaco obj-LANMonaco destination static obj-LANBloom obj-LANBloom
nat (LANMonaco,LANAbn) source static obj-LANMonaco obj-LANMonaco destination static obj-LANAbn obj-LANAbn
nat (LANBloom,DMZCarax) source static obj-LANBloom obj-LANBloom destination static obj-LANCarax obj-LANCarax
nat (LANBloom,LANMonaco) source static obj-LANBloom obj-LANBloom destination static obj-LANMonaco obj-LANMonaco
nat (LANEurex,DMZCarax) source static obj-LANEurex obj-LANEurex destination static obj-LANCarax obj-LANCarax
nat (LANEurex,LANMonaco) source static obj-LANEurex obj-LANEurex destination static obj-LANMonaco obj-LANMonaco
nat (LANAbn,DMZCarax) source static obj-LANAbn obj-LANAbn destination static obj-LANCarax obj-LANCarax
nat (LANAbn,LANMonaco) source static obj-LANAbn obj-LANAbn destination static obj-LANMonaco obj-LANMonaco
nat (DMZCarax,DMZCarax) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup
nat (LANColt,DMZCarax) source static any any destination static WebServer.Int WebServer.Int inactive
nat (DMZCarax,LANColt) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup
!
object network STATIC-PAT
nat (DMZCarax,LANColt) static interface service tcp www www
10-20-2013 11:40 PM
Hi,
This is the problem
no nat (DMZCarax,LANColt) source dynamic OBJ_GENERIC_ALL interface
You would have to remove this command which would essentially cause a small outage to all users that use the Dynamic PAT
Then you would enter it with
nat (DMZCarax,LANColt) after-auto source dynamic OBJ_GENERIC_ALL interface
And then the new Static PAT (Port Forward) would work
- Jouni
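The fix above rests on the ASA NAT lookup order: Section 1 (manual NAT) is evaluated before Section 2 (object/auto NAT), and rules entered with `after-auto` land in Section 3. The following Python model is an added example written for this thread, not code from the thread or from Cisco (the ASA CLI itself cannot be executed here). It assumes a simplified first-match lookup, that a dynamic PAT which claims the interface address first leaves a new inbound connection with nothing to untranslate to (the behaviour Jouni describes), and that interface ACLs on ASA 8.3+ are matched against real, post-UN-NAT addresses. Interface, object and host names mirror the thread; the packet and the ACL entries are constructed for the demo.

```python
"""Toy model of Cisco ASA (8.3+) NAT rule precedence for an inbound port forward.

Added example for this thread, not code from the thread or from Cisco. It assumes
the documented ASA lookup order: Section 1 (manual NAT) is tried first, then
Section 2 (object/auto NAT), then Section 3 (manual NAT entered with
'after-auto'); the first matching rule wins. Interface and object names mirror
the thread; the packet and the ACL entries are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional

# Mapped address used by the 'interface' keyword (from the thread's diagram)
IFACE_IP = {"LANColt": "192.168.1.3"}


@dataclass
class NatRule:
    section: int            # 1 = manual, 2 = auto (object), 3 = manual after-auto
    real_ifc: str           # e.g. DMZCarax
    mapped_ifc: str         # e.g. LANColt
    kind: str               # "dynamic_pat" or "static_pat"
    real_ip: Optional[str] = None
    port: Optional[int] = None

    def untranslate(self, in_ifc: str, dst_ip: str, dst_port: int):
        """Reverse (UN-NAT) lookup for a new connection arriving on in_ifc."""
        if in_ifc != self.mapped_ifc or dst_ip != IFACE_IP[self.mapped_ifc]:
            return None
        if self.kind == "static_pat":
            if dst_port == self.port:
                return ("untranslate", self.real_ip, self.port, self.real_ifc)
            return None
        # Assumption (the thread's explanation): a dynamic PAT only builds
        # translations for outbound flows, so when it is the first rule to claim
        # the interface address, a new inbound connection has no real host to
        # be untranslated to.
        return ("no-untranslate", None, None, None)


def nat_lookup(rules, in_ifc, dst_ip, dst_port):
    """First match in section order; within a section, configuration order."""
    for rule in sorted(rules, key=lambda r: r.section):  # sorted() is stable
        hit = rule.untranslate(in_ifc, dst_ip, dst_port)
        if hit is not None:
            return hit
    return ("identity", dst_ip, dst_port, in_ifc)


def acl_permits(acl, src_ip, real_dst_ip, dst_port):
    """ASA 8.3+ interface ACLs are matched against real (post-UN-NAT) addresses.

    acl entries: (src, dst, port); 'any' is accepted for src or dst."""
    for src, dst, port in acl:
        if src in ("any", src_ip) and dst in ("any", real_dst_ip) and port == dst_port:
            return True
    return False  # implicit deny at the end of every ASA ACL


# The thread's original ordering: dynamic PAT in Section 1, static PAT in Section 2
BEFORE = [
    NatRule(1, "DMZCarax", "LANColt", "dynamic_pat"),
    NatRule(2, "DMZCarax", "LANColt", "static_pat", real_ip="192.168.10.4", port=80),
]
# After re-entering the dynamic PAT with 'after-auto' (Section 3)
AFTER = [
    NatRule(2, "DMZCarax", "LANColt", "static_pat", real_ip="192.168.10.4", port=80),
    NatRule(3, "DMZCarax", "LANColt", "dynamic_pat"),
]


def trace(rules, acl, in_ifc="LANColt", src_ip="8.8.8.8", dst_ip="192.168.1.3", dst_port=80):
    """Mimic the two packet-tracer phases from the thread: UN-NAT, then ACCESS-LIST."""
    action, real_ip, real_port, out_ifc = nat_lookup(rules, in_ifc, dst_ip, dst_port)
    if action != "untranslate":
        return {"nat": action, "acl": "not-reached"}
    permitted = acl_permits(acl, src_ip, real_ip, real_port)
    return {"nat": f"{dst_ip}/{dst_port} -> {real_ip}/{real_port} via {out_ifc}",
            "acl": "permit" if permitted else "drop (implicit rule)"}


if __name__ == "__main__":
    # Constructed ACLs: one written against the real server address, one
    # (incorrectly, on 8.3+) against the mapped interface address.
    ACL_REAL = [("any", "192.168.10.4", 80)]
    ACL_MAPPED = [("any", "192.168.1.3", 80)]
    print("before:", trace(BEFORE, ACL_REAL))
    print("after :", trace(AFTER, ACL_REAL))
    print("after, ACL on mapped IP:", trace(AFTER, ACL_MAPPED))
```

Running the script shows the two states from the thread: with the dynamic PAT in Section 1 the lookup never reaches the Section 2 static PAT, so there is no UN-NAT phase; once the dynamic PAT sits in Section 3 the port forward untranslates 192.168.1.3/80 to 192.168.10.4/80. The third case is the check worth keeping in mind for the ACL phase that follows UN-NAT: an inbound rule must name the real server address, since a rule written against the mapped interface address falls through to the implicit deny.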
10-20-2013 11:57 PM
Thanks Jouni,
I will do this this evening because users are already here browsing the web.
10-21-2013 10:30 PM
Hi,
I have done what you recommended but it is still not working:
ciscoasa(config)# sh run nat
nat (DMZCarax,LANBloom) source static obj-LANCarax obj-LANCarax destination static obj-LANBloom obj-LANBloom
nat (DMZCarax,LANEurex) source static obj-LANCarax obj-LANCarax destination static obj-LANEurex obj-LANEurex
nat (DMZCarax,LANAbn) source static obj-LANCarax obj-LANCarax destination static obj-LANAbn obj-LANAbn
nat (DMZCarax,LANMonaco) source static obj-LANCarax obj-LANCarax destination static obj-LANMonaco obj-LANMonaco
nat (LANMonaco,DMZCarax) source static obj-LANMonaco obj-LANMonaco destination static obj-LANCarax obj-LANCarax
nat (LANMonaco,LANBloom) source static obj-LANMonaco obj-LANMonaco destination static obj-LANBloom obj-LANBloom
nat (LANMonaco,LANAbn) source static obj-LANMonaco obj-LANMonaco destination static obj-LANAbn obj-LANAbn
nat (LANBloom,DMZCarax) source static obj-LANBloom obj-LANBloom destination static obj-LANCarax obj-LANCarax
nat (LANBloom,LANMonaco) source static obj-LANBloom obj-LANBloom destination static obj-LANMonaco obj-LANMonaco
nat (LANEurex,DMZCarax) source static obj-LANEurex obj-LANEurex destination static obj-LANCarax obj-LANCarax
nat (LANEurex,LANMonaco) source static obj-LANEurex obj-LANEurex destination static obj-LANMonaco obj-LANMonaco
nat (LANAbn,DMZCarax) source static obj-LANAbn obj-LANAbn destination static obj-LANCarax obj-LANCarax
nat (LANAbn,LANMonaco) source static obj-LANAbn obj-LANAbn destination static obj-LANMonaco obj-LANMonaco
nat (DMZCarax,DMZCarax) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup
nat (LANColt,DMZCarax) source static any any destination static WebServer.Int WebServer.Int inactive
nat (DMZCarax,LANColt) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup
!
object network STATIC-PAT
nat (DMZCarax,LANColt) static interface service tcp www www
!
nat (DMZCarax,LANColt) after-auto source dynamic OBJ_GENERIC_ALL interface
ciscoasa(config)# packet-tracer input LANColt tcp 8.8.8.8 12354 192.168.1.3 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network STATIC-PAT
nat (DMZCarax,LANColt) static interface service tcp www www
Additional Information:
NAT divert to egress interface DMZCarax
Untranslate 192.168.1.3/80 to 192.168.10.4/80
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: LANColt
input-status: up
input-line-status: up
output-interface: DMZCarax
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)#
Thanks
- Ceders