Allow outside host web access to inside host - Fails

rmunoz10
Level 1

Hello,

I am trying to allow web access to an inside host but for some reason it is getting blocked. Packet-tracer hits the implicit rule (deny all) and drops the call. It seems the ACL rule is not being used. Not sure what I may be missing.

This is what I did:

object network obj_192.168.1.223
host 192.168.1.223
nat (inside,outside) static interface service tcp http http
access-list inbound permit tcp any object obj_192.168.1.223 eq http

Thanks for the help!

 

Troubleshooting info:


ciscoasa(config)# packet-tracer input inside tcp 68.78.249.19 1234 192.168.1.223 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.223 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)#

 


ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inbound; 1 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit tcp any object obj_192.168.1.223 eq www (hitcnt=0) 0x0d33139f
access-list inbound line 1 extended permit tcp any host 192.168.1.223 eq www (hitcnt=0) 0x0d33139f
ciscoasa(config)# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj_192.168.1.223 interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_192.168.1.0 interface dns
translate_hits = 1422, untranslate_hits = 21

Manual NAT Policies (Section 3)
1 (management) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
ciscoasa(config)#

 

1 Accepted Solution

Accepted Solutions

@rmunoz10 do you actually have that access-list configured inbound on the outside interface? Example:

 

access-group inbound in interface outside

 


8 Replies

@rmunoz10 your packet-tracer is incorrect: you are simulating traffic from outside to inside, so you need to specify the interface as "outside", not inside. Also use the public IP address as the destination, not the real/private IP.

This is object NAT, so check show NAT all and see if there is any NAT above it preventing the NAT from outside to your inside host server.

@Rob Ingram Thanks! packet-tracer went much further this time but access is still blocked. Please see results below. Anything else I'm missing? Thanks.

 

ciscoasa(config)# packet-tracer input outside tcp 68.78.249.19 1234 x.x.x.x 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj_192.168.1.223
nat (inside,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/80 to 192.168.1.223/80

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

@MHM Cisco World - I don't have sh NAT all. But here is the result of sh nat.

 

ciscoasa(config)# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj_192.168.1.223 interface service tcp www www
translate_hits = 0, untranslate_hits = 36
2 (inside) to (outside) source dynamic obj_192.168.1.0 interface dns
translate_hits = 8132, untranslate_hits = 126

Manual NAT Policies (Section 3)
1 (management) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
ciscoasa(config)#

ciscoasa(config)# packet-tracer input outside tcp 68.78.249.19 1234 x.x.x.x 80 detail <- this gives you which ACL drops the traffic

@MHM Cisco World 

The rule is 'Implicit Rule'. So it seems my ACL is not being used?

 

ciscoasa(config)# sh run access-list
access-list inbound extended permit tcp any object obj_192.168.1.223 eq www
ciscoasa(config)#

 

 

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d1d404330, priority=0, domain=permit, deny=true
hits=4381, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
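The "detail" output above shows the drop rule as priority 0, deny=true, input_ifc=outside with a 0.0.0.0/0.0.0.0 source and destination, which is the catch-all implicit deny for that interface. The following parser is an added example (not part of this thread or Cisco's tooling) that splits packet-tracer output into phases, pulls the real destination out of the UN-NAT phase, and names the ingress interface whose inbound ACL would have to permit the flow. The sample trace is constructed from the output posted above with some lines trimmed; the `x.x.x.x` mapped address is kept as the poster wrote it. On ASA 8.3 and later the interface ACL is evaluated after UN-NAT against the real address, which is why the check reports the untranslated host.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample, modelled on the "packet-tracer ... detail" output posted
# in this thread (phases trimmed to the lines the parser needs).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj_192.168.1.223
nat (inside,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/80 to 192.168.1.223/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2d1d404330, priority=0, domain=permit, deny=true
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(trace: str) -> Dict[str, Any]:
    """Split packet-tracer output into per-phase records plus the trailing summary."""
    phases: List[Dict[str, Any]] = []
    summary: Dict[str, str] = {}
    current: Optional[Dict[str, Any]] = None
    section: Optional[str] = None   # "config" or "info" while inside a phase
    in_summary = False
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section, in_summary = None, False
            continue
        if line == "Result:":            # bare "Result:" opens the trailing summary block
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        if section is None:              # Type / Subtype / Result header fields
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
        else:
            current[section].append(line)
    return {"phases": phases, "summary": summary}


def untranslated_destination(parsed: Dict[str, Any]) -> Optional[Tuple[str, ...]]:
    """Return (mapped_ip, mapped_port, real_ip, real_port) from the UN-NAT phase, or None."""
    for p in parsed["phases"]:
        if p["type"] != "UN-NAT":
            continue
        for line in p["info"]:
            m = re.match(r"Untranslate (\S+)/(\d+) to (\S+)/(\d+)", line)
            if m:
                return m.groups()
    return None


def diagnose_drop(parsed: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Describe the first DROP phase; for an implicit ACL deny, name the ingress interface."""
    drop = next((p for p in parsed["phases"] if p["result"] == "DROP"), None)
    if drop is None:
        return None
    diag: Dict[str, Any] = {
        "phase": drop["phase"],
        "type": drop["type"],
        "implicit": "Implicit Rule" in drop["config"],
        "input_ifc": parsed["summary"].get("input-interface", ""),
    }
    if diag["implicit"] and drop["type"] == "ACCESS-LIST":
        dest = untranslated_destination(parsed)
        real = dest[2] if dest else "the real (untranslated) address"
        diag["hint"] = (f"implicit deny on {diag['input_ifc']}: no ACL applied inbound on that "
                        f"interface (access-group ... in interface {diag['input_ifc']}) "
                        f"permits this flow to {real}")
    return diag


if __name__ == "__main__":
    print(diagnose_drop(parse_trace(SAMPLE_TRACE)))
```

Feed it the raw text of a `packet-tracer ... detail` run; an implicit deny in an ACCESS-LIST phase means either no access-group is bound to the input interface or none of its lines match the real destination, which is exactly the two things to check next.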

Add route-lookup to the NAT. The NAT may route the traffic to the wrong interface.

 

@Rob Ingram I had missed that.

access-group inbound in interface outside

Thank you for pointing me in the right direction.
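The root cause in this thread, an ACL that exists in the running config but is never bound with access-group, is easy to catch mechanically. The following config lint is an added example (not from this thread and not a Cisco tool): it parses the object, NAT, access-list and access-group lines, flags any ACL that is never applied, and flags any static object NAT whose real host has no permit in an ACL applied inbound on the mapped interface. The configs are constructed from the excerpts posted above; CONFIG_BEFORE is the state the thread started from, CONFIG_AFTER adds the fix, and CONFIG_WRONG_IFC shows the ACL bound to the wrong interface, which the lint also catches.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed configs modelled on the "sh run" excerpts in this thread.
CONFIG_BEFORE = """\
object network obj_192.168.1.223
 host 192.168.1.223
 nat (inside,outside) static interface service tcp www www
access-list inbound extended permit tcp any object obj_192.168.1.223 eq www
"""
# The fix the thread arrives at.
CONFIG_AFTER = CONFIG_BEFORE + "access-group inbound in interface outside\n"
# ACL bound to the wrong interface: traffic arriving on outside still hits the implicit deny.
CONFIG_WRONG_IFC = CONFIG_BEFORE + "access-group inbound in interface inside\n"

ACE_RE = re.compile(r"access-list (\S+) (?:extended )?(permit|deny) (.+)")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)")


def parse_config(text: str) -> Dict[str, Any]:
    """Collect network objects, static object NATs, ACEs and access-group bindings."""
    objects: Dict[str, str] = {}                  # object name -> host address
    nats: List[Dict[str, str]] = []               # static object NATs
    acls: Dict[str, List[Tuple[str, str]]] = {}   # acl name -> [(action, ace body)]
    bindings: Dict[str, Tuple[str, str]] = {}     # acl name -> (direction, interface)
    current_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("object network "):
            current_obj = line.split()[2]
            continue
        if current_obj and line.startswith("host "):
            objects[current_obj] = line.split()[1]
            continue
        m = NAT_RE.match(line)
        if current_obj and m:
            nats.append({"real_ifc": m.group(1), "mapped_ifc": m.group(2), "object": current_obj})
            continue
        current_obj = None                        # any other line ends the object block
        m = ACE_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(1)] = (m.group(2), m.group(3))
    return {"objects": objects, "nats": nats, "acls": acls, "bindings": bindings}


def lint(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    findings: List[str] = []
    for name in cfg["acls"]:
        if name not in cfg["bindings"]:
            findings.append(f"access-list {name} is never applied with access-group, so it filters nothing")
    for nat in cfg["nats"]:
        obj, ifc = nat["object"], nat["mapped_ifc"]
        host = cfg["objects"].get(obj, "")
        inbound = [n for n, (direction, bound_ifc) in cfg["bindings"].items()
                   if direction == "in" and bound_ifc == ifc]
        # ASA 8.3+ evaluates interface ACLs against the real address, so the ACE must
        # name the object or its real host, not the mapped (interface) address.
        permitted = any(
            action == "permit" and (f"object {obj}" in body or (host and f"host {host}" in body))
            for n in inbound for action, body in cfg["acls"].get(n, []))
        if not permitted:
            findings.append(f"static NAT for {obj} ({host or 'unknown host'}) publishes it on {ifc}, "
                            f"but no ACL applied inbound on {ifc} permits traffic to it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER), ("wrong-ifc", CONFIG_WRONG_IFC)):
        print(label, lint(parse_config(cfg)) or "ok")
```

Run it against the output of `show running-config`; the substring match on `object <name>` is deliberately loose and would need tokenizing for object names that are prefixes of one another.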
