ASA 5505 ACLs, code 8.4(2)

plaethos75
Level 1

I'm going to present this in as plain terms as possible, in the hope that the understanding doesn't get convoluted. This question is based off my previous link, which I can't seem to get to work: https://supportforums.cisco.com/discussion/12419431/asa-5505-nat-and-acl-running-841 (a diagram is also available at this link).

1. Whether it's web services or other ports being used, if I want to use my single public IP address assigned by the cable modem company, which is assigned by DHCP, I will:

  • assign it on the "outside" interface;
  • the ACL I place will always look like (in the CLI):

access-group *acl-name* in interface outside

2. If I want the access to go to an internal server or device, whether it's telnet, www, or a generic port, would the IP I reference be:

  • the next hop?
  • the private IP of the device?
  • another IP which gets NAT'd to my end device?

3. If I am specifically targeting this port/public IP and I see ZERO (0) hits on my ACL, could there be something else preventing it from traversing the network?

From an ASDM standpoint (permit on outside interface): Source = any, destination address = "private IP address of device", destination port = tcp/88

Why am I not seeing any hits?

 

Here's a copy of my CLI config if this is easier to digest:

access-list allowed_wan_services extended permit tcp any host 172.16.0.5 eq 88 log debugging
access-list allowed_wan_services extended permit udp any host 172.16.0.5 eq 88 log debugging
access-list allowed_wan_services extended permit udp any host 192.168.250.2 eq 88 log debugging
access-list allowed_wan_services extended permit tcp any host 192.168.250.2 eq 88 log debugging
access-list allowed_wan_services extended permit tcp any host 192.168.254.3 eq 88 log debugging
access-list allowed_wan_services extended permit udp any host 192.168.254.3 eq 88 log debugging
access-list allowed_wan_services extended permit tcp any host *publicIP* eq 88 log debugging
access-list allowed_wan_services extended permit udp any host *publicIP* eq 88 log debugging

access-group allowed_wan_services in interface outside

nat (outside,inside) after-auto source static Pub-Cam Priv-Cam service tcp-88 tcp-88
nat (outside,inside) after-auto source static Pub-Cam next-hop service tcp-88 tcp-88
nat (outside,inside) after-auto source static Pub-Cam distsw service tcp-88 tcp-88

I get 0 hits on any of the above.

I've also included a screenshot of my NAT via ASDM. Thoughts/suggestions?

4 Replies

Jouni Forss
VIP Alumni

Hi,

With any software 8.3 or above, the ACL will always reference the local IP address and NOT the NAT IP address.

I am actually not sure if an ACL hit is registered if some part of the NAT configuration drops the connection.

The best place to start troubleshooting would be to take a "packet-tracer" output from the CLI of the ASA, and we will see if the ASA drops it. If it does, then we will need to determine if the problem is on the WAN or LAN side.

You could use this command format, for example:

packet-tracer input outside tcp 8.8.8.8 12345 <public NAT ip> <port>

The source IP address and port can be anything. I just have the habit of using the above.

- Jouni
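The point in the reply above, that an ASA running 8.3 or later evaluates an interface ACL against the real (untranslated) address, is the check a practitioner wants to automate before staring at zero hit counts. The following script is an added example and is not code from the thread or from Cisco. It parses a small constructed ASA config (network objects with a host address, object NAT of the form `nat (inside,outside) static ...` inside an object, and twice NAT of the form `nat (inside,outside) source static REAL MAPPED ...`), then flags every ACE applied inbound on an interface whose destination is a mapped address exposed on that interface, and rewrites it to name the real host instead. The object names Priv-Web and Pub-Web, the address 203.0.113.10, and the whole SAMPLE_CONFIG are constructed for the example.

```python
"""Flag ASA 8.3+ ACL entries that name a NAT'd (mapped) address.

Added example, not code from the thread or from Cisco. On ASA 8.3 and later an
interface ACL is evaluated against the real (untranslated) address, so an
inbound rule on 'outside' must permit traffic to the inside host, not to the
public IP and not to 'interface outside'. Only the config forms used in the
thread are parsed. SAMPLE_CONFIG (objects, addresses, names) is constructed.
"""
import re

SAMPLE_CONFIG = """\
object network Priv-Cam
 host 172.16.0.5
 nat (inside,outside) static interface service tcp 88 88
object network Priv-Web
 host 172.16.0.6
object network Pub-Web
 host 203.0.113.10
nat (inside,outside) source static Priv-Web Pub-Web
access-list allowed_wan_services extended permit tcp any interface outside eq 88
access-list allowed_wan_services extended permit tcp any host 203.0.113.10 eq 80
access-list allowed_wan_services extended permit tcp any host 172.16.0.6 eq 80
access-list allowed_wan_services extended permit tcp any object Priv-Cam eq 88
access-group allowed_wan_services in interface outside
"""

PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> operand count


def parse_config(text):
    """Collect objects, NAT rules, ACEs and access-group bindings from a config."""
    objects = {}    # object name -> host IP
    nat_rules = []  # (mapped interface, mapped object name or 'interface', real object name)
    aces = []       # (acl name, ACE body after the word 'extended')
    bindings = {}   # acl name -> (direction, interface)
    current = None  # object whose sub-commands are being read
    for line in text.splitlines():
        if m := re.match(r"^object network (\S+)\s*$", line):
            current = m.group(1)
        elif m := re.match(r"^\s+host (\S+)", line):
            if current:
                objects[current] = m.group(1)
        elif m := re.match(r"^\s+nat \((\S+),(\S+)\) static (\S+)", line):
            if current:  # object NAT: the object itself is the real address
                nat_rules.append((m.group(2), m.group(3), current))
        elif m := re.match(r"^nat \((\S+),(\S+)\) (?:after-auto )?source static (\S+) (\S+)", line):
            current = None  # twice NAT: source REAL MAPPED, seen from the first interface
            nat_rules.append((m.group(2), m.group(4), m.group(3)))
        elif m := re.match(r"^access-list (\S+) extended (.+)$", line):
            current = None
            aces.append((m.group(1), m.group(2).strip()))
        elif m := re.match(r"^access-group (\S+) (in|out) interface (\S+)", line):
            current = None
            bindings[m.group(1)] = (m.group(2), m.group(3))
        elif not line.startswith(" "):
            current = None
    return {"objects": objects, "nat_rules": nat_rules, "aces": aces, "bindings": bindings}


def _addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (spec, next index)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return ("any", None), i + 1
    if t in ("host", "object", "object-group", "interface"):
        return (t, tokens[i + 1]), i + 2
    return ("subnet", f"{t} {tokens[i + 1]}"), i + 2  # bare "network mask" form


def _skip_port(tokens, i):
    """Skip an optional source-port operator such as 'eq 80' or 'range 1 1023'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + 1 + PORT_OPS[tokens[i]]
    return i


def parse_ace(body):
    """Return (action, protocol, src, dst, (dst start, dst end)) for an ACE body."""
    tokens = body.split()
    src, i = _addr(tokens, 2)
    i = _skip_port(tokens, i)
    start = i
    dst, i = _addr(tokens, i)
    return tokens[0], tokens[1], src, dst, (start, i)


def check_real_address_acls(cfg):
    """Report inbound ACEs whose destination is a mapped address, with a suggested fix."""
    findings, objects = [], cfg["objects"]
    for acl, body in cfg["aces"]:
        direction, ifc = cfg["bindings"].get(acl, (None, None))
        if direction != "in":
            continue
        _, _, _, dst, (start, end) = parse_ace(body)
        for mapped_ifc, mapped_spec, real_obj in cfg["nat_rules"]:
            if mapped_ifc != ifc:
                continue  # this NAT rule exposes nothing on the ACL's interface
            if mapped_spec == "interface":
                hit = dst == ("interface", ifc)  # ACE aimed at the interface PAT address
            else:
                hit = dst in (("object", mapped_spec), ("host", objects.get(mapped_spec)))
            if hit:
                tokens, real_ip = body.split(), objects.get(real_obj)
                findings.append({
                    "acl": acl, "ace": body,
                    "mapped": objects.get(mapped_spec, mapped_spec),
                    "real_object": real_obj, "real_ip": real_ip,
                    "suggested": " ".join(tokens[:start] + ["host", real_ip] + tokens[end:]),
                })
    return findings


if __name__ == "__main__":
    for f in check_real_address_acls(parse_config(SAMPLE_CONFIG)):
        print(f"{f['acl']}: '{f['ace']}' names mapped {f['mapped']}; "
              f"8.3+ matches the real host {f['real_object']} -> '{f['suggested']}'")
```

Run against the thread's original config, the script has nothing to compare against: the `nat (outside,inside) ... source static Pub-Cam Priv-Cam` lines declare Priv-Cam as the mapped object on the inside interface, so no mapped address is published on outside at all, which is a separate problem from the ACL wording.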

Thank you for this. I will try this tonight. It's been a crazy week for me.

packet-tracer input outside tcp 8.8.8.8 12345 xx.xxx.xxx.xx 88

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   xx.xxx.xxx.xx   255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
              
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
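The transcript above is short enough to read by eye, but when several NAT variants are being tried it helps to reduce each packet-tracer run to the phase that dropped and whether the destination was ever un-NATed. The script below is an added example, not code from the thread or from Cisco. SAMPLE_TRACE is a constructed transcript with the same shape as the one posted above, with the masked public IP replaced by the documentation address 203.0.113.10. The "destination_untranslated" flag is a heuristic of this example: it is set when no UN-NAT phase appears before the drop and the final output interface is "NP Identity Ifc", i.e. the ASA treated the packet as addressed to itself because no NAT rule rewrote the destination before the ACL was evaluated.

```python
"""Summarise an ASA packet-tracer transcript: which phase dropped, and why.

Added example, not code from the thread or from Cisco. SAMPLE_TRACE is a
constructed transcript mirroring the one posted above (public IP replaced
with 203.0.113.10). 'destination_untranslated' is a heuristic: no UN-NAT
phase before the drop plus output interface 'NP Identity Ifc' means the
destination was never rewritten by NAT, so the ACL saw the outside address.
"""
import re

SAMPLE_TRACE = """\
packet-tracer input outside tcp 8.8.8.8 12345 203.0.113.10 88

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   203.0.113.10   255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Split a transcript into a list of phase dicts and the final result block."""
    phases, final = [], {}
    current, section = None, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := re.match(r"^Phase:\s*(\d+)$", line):
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":           # bare header starts the final block
            current, section = None, "final"
        elif section == "final":
            if ": " in line:
                key, value = line.split(": ", 1)
                final[key.strip()] = value.strip()
        elif current is None or not line:
            continue
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif m := re.match(r"^(Type|Subtype|Result):\s*(.*)$", line):
            current[m.group(1).lower()] = m.group(2).strip()
        elif section in ("config", "info"):
            current[section].append(line.strip())
    return phases, final


def summarize(text):
    """Return the dropping phase (if any) and the un-NAT heuristic for a transcript."""
    phases, final = parse_trace(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    before = [p["type"] for p in phases if drop is None or p["phase"] < drop["phase"]]
    untranslated = "UN-NAT" not in before and final.get("output-interface") == "NP Identity Ifc"
    return {
        "action": final.get("Action"),
        "drop_reason": final.get("Drop-reason"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_config": " ".join(drop["config"]) if drop else None,
        "destination_untranslated": untranslated,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the constructed trace this reports a drop in phase 3 by the implicit deny, with the destination never translated, which matches the reply's advice to decide first whether the NAT or the ACL is the thing to fix.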

OK, I'm pretty sure I figured it out.

sysopt noproxyarp

access-list allowed_wan_services extended permit tcp any interface outside eq 88 log debugging 
access-list allowed_wan_services extended permit udp any interface outside eq 88 log debugging 

nat (outside,inside) source static any interface destination static interface Priv-Cam service tcp-88 tcp-88

access-group allowed_wan_services in interface outside

 

Thank you for your input, and I will mark this as the correct answer if in fact this works. I'm now having an issue getting to my private IP or pinging it, so once I get that sorted, I think I'll be able to test correctly and upload my findings.