cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1062
Views
10
Helpful
9
Replies

ACL problem on ASA-5505

sergioloporto
Level 1
Level 1

Hello, I have a device that needs to be reached from outside on port 443.

I am trying to redirect all the requests that come from outside on port 443, to 192.168.1.25 on port 443.

I configured it in ASDM, however I see this in the logs:

4 May 22 2016 16:42:32 106023 x.x.x.x 50278 192.168.1.25 443 Deny tcp src outside:x.x.x.x/50278 dst inside:192.168.1.25/443 by access-group "outside_access_in_1" [0x0, 0x0]

(x.x.x.x) is an external public IP of a port checker

In ACL manager I have a rule that says:

2 True outside 192.168.1.25 Port443 Permit Default 

Can anybody help?

1 Accepted Solution

Accepted Solutions

There are two things going wrong in your config:

object-group service Port443 tcp
group-object Port3333

You are referencing the object Port3333 instead of using a "port-object eq 443".

access-list outside_access_in_1 extended permit tcp interface outside object 443_Device object-group Port443 

Here you specify a source of the interface which has to be "any":

access-list outside_access_in_1 extended permit tcp any object 443_Device object-group Port443

View solution in original post

9 Replies 9

Please post the output of the following command (just insert the public IP that you use in your NAT):

packet-tracer input outside tcp 1.2.3.4 1234 YOUR_PUBLIC_IP_FOR_THE_SERVER 443

Here it is:

Result of the command: "packet-tracer input outside tcp 1.2.3.4 1234 8x.x.x.x 443"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.0.1, outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

It doesn't match your NAT-rule. Please check them or post the output of "show run nat".

Here it is:

Result of the command: "show run nat"
!
object network obj_any
nat (inside,outside) dynamic interface
object network SSH_2222_Device
nat (inside,outside) static interface service tcp 2222 2222
object network 443_Device
nat (inside,outside) static interface service tcp https https 

The strange thing is that the port 2222 forwarding works fine. If I check with a port scanner from the internet it says that 2222 is open

But 443 is open only if I test it within the LAN, not from the internet.

Check the object "443_Device". It shoud be the following:

object network 443_Device
 host 192.168.1.25

It looks like it is there as you said:

ASA Version 9.2(3)4 
!
hostname MYHOSTNAME
enable password MYPASS encrypted
passwd MYPASSSS encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa923-4-k8.bin
ftp mode passive
clock timezone Rome 1
clock summer-time Rome recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SSH_2222_Device
host 192.168.1.25
description Device
object service port_100
service tcp destination eq 100
object service port_443
service tcp destination eq https
object network 443_Device
host 192.168.1.25
object-group service Port2222 tcp
port-object eq 2222
object-group service Port3333 tcp
port-object eq 3333
object-group service Port443 tcp
group-object Port3333
access-list outside_access_in_1 extended permit tcp any object SSH_2222_Device object-group Port2222
access-list outside_access_in_1 extended permit tcp interface outside object 443_Device object-group Port443
pager lines 24
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-741.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network SSH_2222_Device
nat (inside,outside) static interface service tcp 2222 2222
object network 443_Device
nat (inside,outside) static interface service tcp https https
access-group outside_access_in_1 in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.1.26,CN=MYasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca XXXXXXXXXXXXXXXX
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate XXXXXXXXXXXXX
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcprelay server 192.168.1.1 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
username MYNAME password MYPASSSS encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:c34e38e523b98e9ssc40026424e15801
: end

There are two things going wrong in your config:

object-group service Port443 tcp
group-object Port3333

You are referencing the object Port3333 instead of using a "port-object eq 443".

access-list outside_access_in_1 extended permit tcp interface outside object 443_Device object-group Port443 

Here you specify a source of the interface which has to be "any":

access-list outside_access_in_1 extended permit tcp any object 443_Device object-group Port443

Thank you!! It works fine now.

What if I want to change the mapping. For example:

People will be able to reach the Device which is configured with port 443, but they should reach it to 888 for example.

http://mypublicIP:888 will drive all the traffic to 443_Device on Port 443.

What should I change if I want to have this?

object network 443_Raspberry_Pi
nat (inside,outside) static interface service tcp https 888

Would be enough?

object network 443_Raspberry_Pi
nat (inside,outside) static interface service tcp https 888

yes, that's all that has to be done. The ACL stays the same as there the real port/IP on the server is used, which is already allowed.

Review Cisco Networking for a $25 gift card