allow outside vendor server access to their inside server

ethan12345
Level 1

Hi everyone, we have an outside vendor requesting access to a server they manage through our firewall. They are asking for 3 ports open from their public IP range. They have a Unix server that needs to connect to their Unix server inside our network that they support.

On the ASDM 6.4 I set up network objects for their public IP range, the ports requested, and the internal server. I added an access rule for the outside interface to allow their source > inside server > TCP ports. They are able to ping our outside public IP, but when attempting to initiate a connection from their server to ours, it is timing out. How can I troubleshoot this ACL? When they ping or attempt the connection, nothing appears in the ASDM syslog messages. I have turned all logging to informational and pushed it to my desktop, and nowhere in the log does it show any of their IPs. The hit count on the access list is zero. The list entry is enabled. Pasted below is a sanitized [hopefully] firewall config. Thanks in advance for any help.

: Call-home enabled from prompt by enable_15 at 18:19:21 UTC Sep 30 2012
!
ASA Version 8.4(3)
!
hostname XX-xx-1
domain-name xxxxxx.com
enable password xxxxxxx encrypted
passwd xxxx.xxxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xx.xx.xx.147 255.255.255.240 standby xx.xx.xx.148
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.100.241 255.255.255.0 standby 192.168.100.242
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxxxx.com
dns server-group defaultdns
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Exchange
host 192.168.100.19
description mail server
object network xxxcrystal
host 192.168.100.34
object network crystal
host 192.168.100.50
object network xx-crystal
host 192.168.100.14
object network NETWORK_OBJ_192.168.22.96_27
subnet 192.168.22.96 255.255.255.224
object network VENDORXXX_server
host 192.168.100.1
description VENDORXXX server
object network vendorxxx_external
range xx.xx.57.160 xx.xx.57.168
description vendorxxx public IP's
object-group service VENDORXXX_service_group
description One object to group together multiple ports and services for outside VENDORXXX IP objects to access inside VENDORXXX server object
service-object tcp destination eq 1026
service-object tcp destination eq 4433
service-object tcp destination eq 4434
access-list ISP-INBOUND extended permit icmp any any echo-reply
access-list ISP-INBOUND extended permit icmp any any unreachable
access-list ISP-INBOUND extended permit icmp any any echo
access-list ISP-INBOUND extended permit icmp any any time-exceeded
access-list ISP-INBOUND extended permit tcp host xx.xx.xx.151 eq www any inactive
access-list ISP-INBOUND extended permit tcp host xx.xx.xx.151 eq 6338 any inactive
access-list ISP-INBOUND extended permit udp host xx.xx.xx.151 eq 6338 any inactive
access-list ISP-INBOUND extended permit tcp host xx.xx.xx.149 eq smtp any
access-list ISP-INBOUND extended permit tcp host xx.xx.xx.149 eq www any
access-list ISP-INBOUND extended permit tcp host xx.xx.xx.149 eq https any
access-list ISP-INBOUND extended deny tcp any host xx.xx.xx.149 eq 3389
access-list ISP-INBOUND extended deny tcp any host xx.xx.xx.151 eq 3389
access-list ISP-INBOUND extended permit udp any eq domain any
access-list ISP-INBOUND extended permit tcp any host xx.xx.xx.151 eq 1433 inactive
access-list ISP-INBOUND extended permit tcp any host xx.xx.xx.151 eq 8080 inactive
access-list ISP-INBOUND extended permit tcp any host xx.xx.xx.151 eq 6400 inactive
access-list ISP-INBOUND extended permit tcp any host xx.xx.xx.150 eq www inactive
access-list ISP-INBOUND extended permit tcp any host xx.xx.xx.150 eq 6338 inactive
access-list ISP-INBOUND extended permit udp any host xx.xx.xx.150 eq 6338 inactive
access-list ISP-INBOUND extended permit tcp any host xx.xx.xx.150 eq 1433 inactive
access-list ISP-INBOUND extended permit tcp any host xx.xx.xx.150 eq 8080 inactive
access-list ISP-INBOUND extended permit tcp any host xx.xx.xx.150 eq 6400 inactive
access-list ISP-INBOUND extended deny ip any host xx.xx.xx.151 log
access-list ISP-INBOUND extended deny ip any host xx.xx.xx.150 log
access-list ISP-INBOUND extended permit ip any any
access-list ISP-INBOUND extended permit tcp host xx.xx.xx.153 eq 2427 any inactive
access-list ISP-INBOUND extended permit udp host xx.xx.xx.153 eq 2427 any inactive
access-list ISP-INBOUND extended permit udp host xx.xx.xx.153 range 16400 16990 any inactive
access-list ISP-INBOUND extended permit ip host xx.221.32.59 any inactive
access-list ISP-INBOUND extended permit ip host xx.250.71.186 host xx.xx.xx.151 inactive
access-list ISP-INBOUND extended permit ip host xx.7.229.50 host xx.xx.xx.150 inactive
access-list ISP-INBOUND extended permit ip host xx.7.229.50 host xx.xx.xx.151 inactive
access-list ISP-INBOUND remark Allows specific services from external vendorxxx IP's access to the internal vendorxxx server
access-list ISP-INBOUND extended permit object-group VENDORXXX_service_group object vendorxxx_external object VENDORXXX_server log
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.180.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.180.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.180.0 255.255.255.0
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx LAN
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.150.0 255.255.255.0
access-list NO-NAT remark - Do not NAT traffic from any site to xxxxLAN
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.160.0 255.255.255.0
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx LAN
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.140.0 255.255.255.0
access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxLAN
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.110.0 255.255.255.0
access-list NO-NAT remark - Do not NAT traffic from any site to xxxxx LAN
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.170.0 255.255.255.0
access-list NO-NAT remark - Don't NAT xxxxxLAN to remote sites' PIX/ASA networks
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.140.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.160.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list NO-NAT remark - Don't NAT office LANs to VPN clients
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.105.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.110.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.120.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.130.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.140.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.150.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.160.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.170.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT remark - Rules to remove after all sites are migrated
access-list NO-NAT remark - Do not NAT traffic from any site to xxxxxLAN
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.105.0 255.255.255.0
access-list NO-NAT remark - Do not NAT traffic from any site to xx xxxxLAN
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.120.0 255.255.255.0
access-list NO-NAT remark - Do not NAT traffic from any site to xx LAN
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.130.0 255.255.255.0
access-list NO-NAT remark - Do not NAT traffic from any site to xxx Center LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxx xxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx xxxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx Center LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx xxxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx xxxxx LAN
access-list NO-NAT remark - Don't NAT xxxx xxxx LAN to remote sites' PIX/ASA networks
access-list NO-NAT remark - Don't NAT office LANs to VPN clients
access-list NO-NAT remark - Rules to remove after all sites are migrated
access-list NO-NAT remark - Do not NAT traffic from any site to xxx xxxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxx xx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxx xxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx LAN
access-list NO-NAT remark - Do not NAT traffic from any site to xxxx xxx LAN
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.190.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.190.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list NO-NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.190.0 255.255.255.0
access-list ALLOW-ALL extended permit ip any any
access-list SPLIT-TUNNEL extended permit ip 192.168.100.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.105.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.110.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.120.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.130.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.140.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.150.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.160.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.170.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.180.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list SPLIT-TUNNEL extended permit ip 192.168.190.0 255.255.255.0 192.168.22.96 255.255.255.224
access-list standard-split-tunnel-test remark testing split tunnel
access-list standard-split-tunnel-test standard permit 192.168.0.0 255.255.0.0
access-list standard-split-tunnel-test remark testing split tunnel
access-list global_mpc extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging standby
logging console informational
logging monitor informational
logging buffered informational
logging trap informational
logging history informational
logging asdm informational
logging mail informational
logging device-id hostname
logging host inside 192.168.100.10
logging debug-trace
no logging message 313005
no logging message 305012
no logging message 305011
no logging message 710005
no logging message 715075
no logging message 733100
no logging message 715047
no logging message 715046
no logging message 304001
no logging message 715036
no logging message 111005
no logging message 713236
no logging message 609002
no logging message 609001
flow-export destination inside 192.168.100.10 2055
flow-export delay flow-create 60
mtu outside 1500
mtu inside 1500
ip local pool vpn-pool 192.168.22.96-192.168.22.127 mask 255.255.255.224
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.22.96_27 NETWORK_OBJ_192.168.22.96_27 no-proxy-arp route-lookup
!
object network xxxcrystal
nat (inside,outside) static xx.xx.xx.152
object network xxxx
nat (inside,outside) static xx.xx.xx.151
object network xx-xxxx
nat (inside,outside) static xx.xx.xx.150
object network exchange
nat (inside,outside) static xx.xx.xx.149
!
nat (inside,outside) after-auto source dynamic any interface
access-group ISP-INBOUND in interface outside
access-group ALLOW-ALL in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.145 1
route inside xxxxxxxxxxx 255.255.255.252 192.168.100.254 1
route inside 192.168.100.0 255.255.255.0 192.168.100.254 1
route inside 192.168.105.0 255.255.255.0 192.168.100.254 1
route inside 192.168.110.0 255.255.255.0 192.168.100.254 1
route inside 192.168.120.0 255.255.255.0 192.168.100.254 1
route inside 192.168.130.0 255.255.255.0 192.168.100.254 1
route inside 192.168.140.0 255.255.255.0 192.168.100.254 1
route inside 192.168.150.0 255.255.255.0 192.168.100.254 1
route inside 192.168.160.0 255.255.255.0 192.168.100.254 1
route inside 192.168.170.0 255.255.255.0 192.168.100.254 1
route inside 192.168.180.0 255.255.255.0 192.168.100.254 1
route inside 192.168.190.0 255.255.255.0 192.168.100.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host xxxxxx
server-port 636
ldap-base-dn ou=users,dc=xxxxxx,dc=com
ldap-naming-attribute sAMAccountName
ldap-login-password xxxxxx
ldap-login-dn xxxxxx\xxxxxxx
ldap-over-ssl enable
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.100.10 255.255.255.255 inside
http 192.168.100.135 255.255.255.255 inside
http 192.168.100.13 255.255.255.255 inside
http redirect outside 80
snmp-server host inside 192.168.100.96 community xxxxxx version 2c
snmp-server location xxxx
snmp-server contact xxxxxx@xxxxxx.com
snmp-server community xxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
ssh xxxxx 255.255.255.0 outside
ssh xxxxxxxx0 255.255.255.0 inside
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.100.0 255.255.255.0
threat-detection scanning-threat shun duration 7200
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 132.249.20.88 source outside prefer
username xxxx attributes
service-type remote-access
username vendorxxxuser password xxxxx encrypted privilege 3
username vendorxxxuser attributes
service-type remote-access
username xxxx password xxxxx encrypted privilege 3
username xxxxxx attributes
service-type remote-access
username xxxx password xxxx encrypted privilege 3
username xxxxxx attributes
service-type remote-access
username xxxxx password xxxxx encrypted privilege 15
username xxxxx password xxxxxx encrypted privilege 15
username xxxx password xxxxx. encrypted privilege 15
username xxxx password xxxx encrypted privilege 15
username xxxxx password xxxxx encrypted privilege 5
username xxxx attributes
service-type remote-access
username xxxx password FFN.xxxxx encrypted privilege 3
username xxxxxx attributes
vpn-group-policy "GroupPolicy_anyconnect vpn"
service-type remote-access
username xxxx password Pj.xxxx encrypted privilege 3
username xxxx attributes
service-type remote-access
username xxxxx password /xxxx encrypted privilege 3
username xxxxxx attributes
service-type remote-access
username xxxxxx password xxxxxxxxxxx encrypted privilege 3
username xxxxxx attributes
service-type remote-access
username xxxx password xxxx encrypted privilege 3
username xxxx attributes
service-type remote-access
username xxxx password xxxxx.wS.2jUn encrypted privilege 3
username xxxx attributes
service-type remote-access
username xxxxx password xxxx encrypted privilege 3
username xxxxx attributes
service-type remote-access
tunnel-group "anyconnect vpn" type remote-access
tunnel-group "anyconnect vpn" general-attributes
address-pool vpn-pool
default-group-policy "GroupPolicy_anyconnect vpn"
tunnel-group "anyconnect vpn" webvpn-attributes
group-alias "anyconnect vpn" enable
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
description netflow to 192.168.100.10
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
class global-class
  flow-export event-type all destination 192.168.100.10
class class-default
  user-statistics accounting
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxxxxx

Jouni Forss
VIP Alumni

Hi,

It seems you might be using the public NAT IP address of your servers as the destination IP address in the ISP-INBOUND ACL.

From ASA software 8.3 onwards you need to use the real IP address of the LAN host as the destination, even when opening traffic from the Internet.

Notice that you can actually use the "object network" in the ACL too, instead of "host x.x.x.x".

Format could for example be

access-list permit tcp any object eq

- Jouni

OK, so I'm using the ASDM 6.4 and a lot of this was written [messy, I know] by the ASDM GUI application. As you can see above, I created 3 objects in the ASDM: 1 object for the internal vendor server 192.168.100.1, another object for the ports to be opened, and a 3rd object for the public IP range of the vendor's outside servers. When I created those objects, the ASDM wrote the following to the config:

object network VENDORXXX_server
host 192.168.100.1
description VENDORXXX server
object network vendorxxx_external
range xx.xx.57.160 xx.xx.57.168
description vendorxxx public IP's
object-group service VENDORXXX_service_group
description One object to group together multiple ports and services for outside VENDORXXX IP objects to access inside VENDORXXX server object
service-object tcp destination eq 1026
service-object tcp destination eq 4433
service-object tcp destination eq 4434

Then, in the ASDM I added a new line to the ACL on the outside interface, and it automatically added it to the ISP-INBOUND ACL, which looks like the following when written to the config by the ASDM:

access-list ISP-INBOUND remark Allows specific services from external vendorxxx IP's access to the internal vendorxxx server
access-list ISP-INBOUND extended permit object-group VENDORXXX_service_group object vendorxxx_external object VENDORXXX_server log

I'm trying to understand your suggestion, but it looks like the ASDM already wrote some things to the config.

Please advise, thanks again.

Hi,

The above configuration does look like it would allow the traffic to the LAN server 192.168.100.1.

Can you tell what NAT configuration that host has?

I can see the object with the IP address 192.168.100.1 but not the NAT configuration under the object for it?

- Jouni

I have asked the vendor to connect to our public IP address and assumed that the ACL that I added would allow their specified IPs in to the inside server, which is the 192.168.100.1 address. The public IP is our Internet-facing IP. Until this point, no one has ever tried to reach the 192.168.100.1 server from the outside. There is no NAT from the outside interface to the 192.168.100.1 server that I know of. I have an available public IP I can use; should I set another IP up for just this server, or can I use the existing public IP on the outside interface?

Hi,

I would say, as long as you have free public IP addresses, I would use them for the LAN servers when they need to be accessed from the Internet.

To configure the static NAT you can use the following format:

object network VENDORXXX_server
host 192.168.100.1
nat (inside,outside) static dns

Notice that since you already have the object you ONLY need to add the NAT configuration with the new free public IP address.

Alternatively, the port forward NAT configuration would be:

object network SERVER-TCP-1234
host 192.168.100.1
nat (inside,outside) static interface service tcp 1234 1234
object network SERVER-TCP-5678
host 192.168.100.1
nat (inside,outside) static interface service tcp 5678 5678

And so on for the needed ports.

But as I said, if you can spare a public IP address for this, it would be a much simpler and cleaner configuration.

- Jouni

By the way,

You have the following line in your ACL from the Internet to the LAN:

access-list ISP-INBOUND extended permit ip any any

This will allow ALL traffic from the Internet through your firewall (for all the static NATed hosts).

I would suggest removing it so that your firewall isn't completely open. Instead, open only the TCP/UDP ports to the hosts needed.

There are also a lot of "inactive" rules in the configuration.

- Jouni
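Jouni's two points above (an ACE whose destination LAN object has no NAT statement never gets a hit on an 8.3+ ASA, and the "permit ip any any" on ISP-INBOUND) as an added Python audit, not code from the thread or from Cisco. It assumes a "show run"-style text; the object and ACL names are the thread's, the addresses are constructed RFC 5737 documentation ranges, and the parser only understands the object, access-list and access-group lines it needs.

```python
"""Audit an ASA 8.3+ style config excerpt for two problems raised in the thread:
an inbound ACE whose destination object has no NAT rule, and a 'permit ip any any'
on the Internet-facing ACL. Added example, not Cisco or thread code."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread (RFC 5737 documentation addresses).
# As in a real 'show run', the NAT line for Exchange sits in a second
# 'object network' block further down, so the parser must merge the two.
SAMPLE_CONFIG = """\
object network Exchange
 host 192.168.100.19
object network VENDORXXX_server
 host 192.168.100.1
 description VENDORXXX server
object network vendorxxx_external
 range 198.51.100.160 198.51.100.168
object-group service VENDORXXX_service_group
 service-object tcp destination eq 1026
 service-object tcp destination eq 4433
access-list ISP-INBOUND extended permit tcp any object Exchange eq smtp
access-list ISP-INBOUND extended permit ip any any
access-list ISP-INBOUND extended permit object-group VENDORXXX_service_group object vendorxxx_external object VENDORXXX_server log
access-list ALLOW-ALL extended permit ip any any
object network Exchange
 nat (inside,outside) static 203.0.113.149
access-group ISP-INBOUND in interface outside
access-group ALLOW-ALL in interface inside
"""

OBJECT_SUBCMDS = ("host ", "subnet ", "range ", "fqdn ", "description ", "nat ")


def _take_addr(tok, i):
    """Consume one ACE address spec at tok[i]; return ((kind, value), next index)."""
    if tok[i] in ("any", "any4", "any6"):
        return ("any", None), i + 1
    if tok[i] in ("host", "object", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("subnet", tok[i] + " " + tok[i + 1]), i + 2   # A.B.C.D MASK


def parse_config(text):
    """Return (objects, acls, inbound): objects with their NAT lines, ACEs per ACL,
    and the ACL applied inbound on each interface."""
    objects, acls, inbound, cur = {}, defaultdict(list), {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"object network (\S+)$", line)
        if m:  # setdefault merges a second block for the same object (nat section)
            cur = objects.setdefault(m.group(1), {"addr": None, "nat": []})
            continue
        if cur is not None and line.startswith(OBJECT_SUBCMDS):
            if line.startswith("nat "):
                cur["nat"].append(line)
            elif not line.startswith("description "):
                cur["addr"] = line
            continue
        cur = None                                   # any other command ends the block
        m = re.match(r"access-list (\S+) extended (permit|deny) (.*)", line)
        if m:
            tok = m.group(3).split()
            proto, i = (tok[1], 2) if tok[0] == "object-group" else (tok[0], 1)
            src, i = _take_addr(tok, i)
            if tok[i:i + 1] and tok[i] in ("eq", "range", "gt", "lt", "neq"):
                i += 3 if tok[i] == "range" else 2   # skip a source-port operator
            dst, i = _take_addr(tok, i)
            acls[m.group(1)].append({"action": m.group(2), "proto": proto,
                                     "src": src, "dst": dst, "rest": tok[i:]})
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            inbound[m.group(2)] = m.group(1)
    return objects, acls, inbound


def audit(text, outside="outside"):
    """Findings (acl, kind, detail) for the ACL applied inbound on the outside interface."""
    objects, acls, inbound = parse_config(text)
    name = inbound.get(outside)
    findings = []
    for ace in acls.get(name, []):
        if ace["action"] != "permit" or "inactive" in ace["rest"]:
            continue
        if ace["proto"] == "ip" and ace["src"][0] == "any" and ace["dst"][0] == "any":
            findings.append((name, "any-any", "permit ip any any exposes every NATed host"))
        if ace["dst"][0] == "object" and not objects.get(ace["dst"][1], {"nat": []})["nat"]:
            # Real (LAN) address in the ACE but no translation: inbound packets to the
            # outside address are dropped before the ACL, so hit count stays at zero.
            findings.append((name, "no-nat", ace["dst"][1]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample reports the any-any rule and the missing NAT for VENDORXXX_server; adding a "nat (inside,outside) static" line under that object and deleting the any-any ACE clears both findings.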

Yes, I will take care of that ASAP, thank you! I kind of inherited this, so I'm doing my best. I added a spare public IP and NATed it to 192.168.100.1, and left the ACL as is. I will ask the vendor to test tomorrow AM. Thanks!!!!

Ok,

Please let us know if it worked, and if it did, mark the question as answered.

If it doesn't work, we could check the configuration again.

- Jouni

It worked. So I gave them their own public IP. You were right, there was no NATing being done from the outside to this server. The objects and the ACL were correct; I just needed to burn that public IP and add it to the 192.168.100.1 object. Fortunately we had one to spare and everything was already working with the ISP. Thanks again! You are hired and I am fired, lol.
