
ASA 5510 version 8.4

chigumbab
Level 1

Hi guys, how do I enable port forwarding on the CLI for an ASA 5510? The outside subnet is 192.168.1.0/27. When I try to ping another IP in that range I can't access it.

37 Replies

Let's just test this NAT statement first. We need to apply captures for:

object network betx0-RDP

nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389

access-lismt cap permit ip host 196.33.156.37 any

access-lismt cap permit ip any host 196.33.156.37

access-lismt cap permit ip any host 10.0.4.2 any

access-lismt cap permit ip any any host 10.0.4.2

cap capdmz access-list cap interface DMZ

cap capin access-list cap interface inside

After applying these captures, you need to try and access the server from outside. When the connection is denied, collect the outputs of show cap capdmz and show cap capin.

Also, please provide me the output of:

packet-tracer input outside tcp 1.1.1.1 23456 196.33.156.37 3389 detailed

The third thing to collect is the logs from the time of the issue.

This information would at least point to where the issue is.

Thanks,

Varun

Thanks,
Varun Rao

betxfirewall# packet-tracer input outside tcp 192.168.1.46 2345 196.33.156.37 3389 det

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xad6a2498, priority=1, domain=permit, deny=false

        hits=15870, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=outside, output_ifc=any

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network betx0-RDP

nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389

Additional Information:

NAT divert to egress interface DMZ

Untranslate 196.33.156.37/3389 to 10.0.4.2/3389

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group betx0OUTSIDE_IN in interface outside

access-list betx0OUTSIDE_IN extended permit tcp any host 10.0.4.2 eq 3389

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa92c4668, priority=13, domain=permit, deny=false

        hits=0, user_data=0xaa7cf040, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=10.0.4.2, mask=255.255.255.255, port=3389, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xad6a61a0, priority=0, domain=inspect-ip-options, deny=true

        hits=540, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=outside, output_ifc=any

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network betx0-RDP

nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389

Additional Information:

Forward Flow based lookup yields rule:

out id=0xad72a060, priority=6, domain=nat-reverse, deny=false

        hits=1, user_data=0xad7294b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=10.0.4.2, mask=255.255.255.255, port=3389, dscp=0x0

        input_ifc=outside, output_ifc=DMZ

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xad6c9f88, priority=0, domain=inspect-ip-options, deny=true

        hits=204, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=DMZ, output_ifc=any

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 489, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

betxfirewall#

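An added example (not code from the thread) that reads a packet-tracer transcript like the one above and reports the final Action, the first phase that dropped the packet, and the real socket the UN-NAT phase untranslated to. It assumes the Phase/Type/Subtype/Result/Config/Additional Information layout that ASA 8.4 prints; ALLOW_RUN is abridged from the output posted above, and DROP_RUN is a constructed run in which the ACL phase denies the packet (the Drop-reason line is the form the ASA uses for such drops).

```python
"""Parse Cisco ASA `packet-tracer ... detailed` output and locate the verdict.

Added example, not code from the thread. ALLOW_RUN is an abridged copy of the
packet-tracer output posted above; DROP_RUN is a constructed run in which the
outside-in ACL denies the packet, in the layout ASA 8.4 prints for a drop.
"""
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)

def parse_packet_tracer(text):
    """Return (phases, final); final maps the trailing 'Result:' block."""
    phases, final, current, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:                                  # a new phase begins
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":                # bare header: the final summary
            section, current = "final", None
        elif section == "final":               # 'Action: allow', 'Drop-reason: ...'
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif current is None:
            continue                           # prompt echo / command line
        elif line.startswith("Type:"):
            current.ptype = line[5:].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[8:].strip()
        elif line.startswith("Result:"):       # per-phase 'Result: ALLOW' / 'DROP'
            current.result = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, final

def verdict(text):
    """Return (action, dropping_phase, real_socket): the final 'Action:' value,
    the first phase whose Result is DROP (None when allowed) and the real
    socket the UN-NAT phase untranslated to (None if no static NAT matched)."""
    phases, final = parse_packet_tracer(text)
    dropped = next((p for p in phases if p.result.upper() == "DROP"), None)
    real = None
    for p in phases:
        if p.ptype == "UN-NAT":
            for line in p.info:
                m = re.match(r"Untranslate\s+\S+\s+to\s+(\S+)", line)
                if m:
                    real = m.group(1)
    return final.get("Action", "").lower(), dropped, real

# Abridged from the packet-tracer run posted in the thread.
ALLOW_RUN = """\
betxfirewall# packet-tracer input outside tcp 192.168.1.46 2345 196.33.156.37 3389 detailed
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network betx0-RDP
nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389
Additional Information:
Untranslate 196.33.156.37/3389 to 10.0.4.2/3389
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list betx0OUTSIDE_IN extended permit tcp any host 10.0.4.2 eq 3389
Additional Information:
Result:
Action: allow
"""

# Constructed: what the same probe looks like when the outside ACL denies it.
DROP_RUN = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

The run posted above is an allow, so the search for a DROP phase finds nothing; on a failing run the phase it names (ACCESS-LIST, NAT rpf-check, ROUTE-LOOKUP) tells you which part of the configuration to look at, and the Drop-reason line in the final block carries the ASA's own reason code.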

I can't enter those ACLs. Still checking logs.

Hi,

You need to get into configure terminal mode to enter those commands. Why are you facing issues adding those ACLs?

-Varun

Thanks,
Varun Rao

Hi, you included an "m" in one of your ACL statements; that's why they were being refused. I thought it was some new command I didn't know about. I removed the "m" from your ACLs. I guess it was just a typo.

You gave me the ACL statements like this:

access-lismt cap permit ip host 196.33.156.37 any

access-lismt cap permit ip any host 196.33.156.37

access-lismt cap permit ip any host 10.0.4.2 any

access-lismt cap permit ip any any host 10.0.4.2

Will paste results shortly

I'm really sorry, that was a typo; you need these ACLs:

access-list cap permit ip host 196.33.156.37 any

access-list cap permit ip any host 196.33.156.37

access-list cap permit ip host 10.0.4.2 any

access-list cap permit ip any host 10.0.4.2

-Varun

Thanks,
Varun Rao

I think Varun Rao is right.

chigumbab, can you send your network diagram?

Thanks.

Any reason why I can't ping the other IP (196.33.156.x) from the firewall?

You won't be able to ping 196.33.156.x from the firewall; you should ping the private IP of the servers. Let me know if you are able to ping the private IP of the servers.

-Varun

Thanks,
Varun Rao

I can ping private IPs from the firewall and they are responding.

Hi guys, attached is my network diagram. On the outside interface I have 196.33.156.32/27; all IPs have to be accessible from outside, and I have static NAT to the internal IPs.

betxfirewall# sh cap capdmz

5 packets captured

   1: 02:50:29.973735 10.0.4.1 > 10.0.4.15: icmp: echo request

   2: 02:50:29.974543 10.0.4.1 > 10.0.4.15: icmp: echo request

   3: 02:50:29.975108 10.0.4.1 > 10.0.4.15: icmp: echo request

   4: 02:50:29.975672 10.0.4.1 > 10.0.4.15: icmp: echo request

   5: 02:50:29.976191 10.0.4.1 > 10.0.4.15: icmp: echo request

5 packets shown

betxfirewall# show cap capin

5 packets captured

   1: 02:50:29.973735 10.0.4.1 > 10.0.4.15: icmp: echo request

   2: 02:50:29.974528 10.0.4.1 > 10.0.4.15: icmp: echo request

   3: 02:50:29.975108 10.0.4.1 > 10.0.4.15: icmp: echo request

   4: 02:50:29.975672 10.0.4.1 > 10.0.4.15: icmp: echo request

   5: 02:50:29.976191 10.0.4.1 > 10.0.4.15: icmp: echo request

5 packets shown

betxfirewall#
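The two captures above contain only ICMP echo requests from 10.0.4.1 to 10.0.4.15 and no TCP/3389 traffic at all, so they say nothing about the RDP forward. Below is an added example (not code from the thread) that parses show capture lines and decides, from the outside and DMZ captures together, whether the test connection never arrived, was dropped by the ASA between the two interfaces, or reached the server and got no reply. CAPDMZ_POSTED is the DMZ capture from the post above; CAPOUT_OK and CAPDMZ_OK are constructed, and the tcpdump-style line layout assumed for TCP packets (flag letter, sequence range, "ack" for SYN/ACK) is an assumption about the ASA's capture format.

```python
"""Triage ASA `show capture` output for a static-NAT port forward.

Added example, not code from the thread. CAPDMZ_POSTED is the DMZ capture
posted above (ICMP echo requests only, no RDP traffic). CAPOUT_OK and
CAPDMZ_OK are constructed captures, in the tcpdump-style layout the ASA is
assumed to print, showing what one successful TCP/3389 attempt looks like on
each side of the NAT in this thread (public 196.33.156.37, real 10.0.4.2).
"""
import re

# '   1: 02:50:29.973735 10.0.4.1 > 10.0.4.15: icmp: echo request'
LINE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+)\s+>\s+(\S+):\s+(.*)$")

def split_socket(token):
    """'10.0.4.2.3389' -> ('10.0.4.2', 3389); '10.0.4.2' -> ('10.0.4.2', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse_capture(text):
    """One dict per packet line; lines like '5 packets captured' are skipped."""
    packets = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        src, sport = split_socket(m.group(1))
        dst, dport = split_socket(m.group(2))
        rest = m.group(3)
        if rest.startswith("icmp") or rest.startswith("udp"):
            proto, flags = rest.split()[0].rstrip(":"), ""
        else:                                   # TCP: 'S', '.', 'P', 'F', 'R' plus ' ack '
            proto, flags = "tcp", rest.split()[0]
        packets.append(dict(src=src, sport=sport, dst=dst, dport=dport,
                            proto=proto, flags=flags, ack=" ack " in rest))
    return packets

def triage(capout, capdmz, public_ip, real_ip, port):
    """Say where a forwarded TCP connection is failing.

    'no-attempt'     the outside capture holds no SYN to public_ip:port
                     (the test traffic never reached the ASA, or the wrong
                     test was run, e.g. a ping instead of an RDP connect)
    'dropped-by-asa' SYN seen on outside but never on DMZ (NAT/ACL problem)
    'server-silent'  SYN reached the DMZ, no SYN/ACK came back from real_ip
                     (server down, wrong default gateway, host firewall)
    'ok'             the handshake is visible on both interfaces
    """
    def syn_to(pkts, ip):
        return [p for p in pkts if p["proto"] == "tcp" and p["dst"] == ip
                and p["dport"] == port and p["flags"] == "S" and not p["ack"]]
    out, dmz = parse_capture(capout), parse_capture(capdmz)
    if not syn_to(out, public_ip):
        return "no-attempt"
    if not syn_to(dmz, real_ip):
        return "dropped-by-asa"
    if not [p for p in dmz if p["proto"] == "tcp" and p["src"] == real_ip
            and p["sport"] == port and p["flags"] == "S" and p["ack"]]:
        return "server-silent"
    return "ok"

# From the thread: the DMZ capture shows pings only, never the RDP attempt.
CAPDMZ_POSTED = """\
betxfirewall# sh cap capdmz
5 packets captured
   1: 02:50:29.973735 10.0.4.1 > 10.0.4.15: icmp: echo request
   2: 02:50:29.974543 10.0.4.1 > 10.0.4.15: icmp: echo request
5 packets shown
"""
# Constructed: a working RDP handshake as the outside and DMZ captures would show it.
CAPOUT_OK = """\
2 packets captured
   1: 03:01:10.100000 192.168.1.46.2345 > 196.33.156.37.3389: S 1000:1000(0) win 8192 <mss 1460>
   2: 03:01:10.100900 196.33.156.37.3389 > 192.168.1.46.2345: S 5000:5000(0) ack 1001 win 8192 <mss 1380>
2 packets shown
"""
CAPDMZ_OK = """\
2 packets captured
   1: 03:01:10.100300 192.168.1.46.2345 > 10.0.4.2.3389: S 1000:1000(0) win 8192 <mss 1460>
   2: 03:01:10.100700 10.0.4.2.3389 > 192.168.1.46.2345: S 5000:5000(0) ack 1001 win 8192 <mss 1380>
2 packets shown
"""
```

Run against the posted DMZ capture on both sides it answers "no-attempt", which is the actual finding here: the captures must be taken while an RDP connection to 196.33.156.37:3389 is being tried from outside, not while pinging. The DMZ-side SYN keeps the outside source address because the static NAT rewrites only the destination, so matching on the real address and port is enough.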

Hi,

Could you apply this capture as well:

cap capout access-list cap interface outside

and try again.

Can you also tell me from where you are pinging these servers? Is it from the firewall?

Varun

Thanks,
Varun Rao

Ok will do it now.

I was pinging from the firewall and from outside the firewall, and still the same thing. Is my diagram clear?

Hi,

Yes, you should be able to ping the servers from the firewall and also the ASA from the servers. I have gone through the network diagram and everything looks fine; on the servers, make sure the default gateway is the ASA DMZ interface.

For pinging from outside, you should try to ping the public IP of the servers.

Let me know the results of the above two steps, along with the captures.

Thanks,

Varun

Thanks,
Varun Rao

Varun, I can ping from the internal network.

See attached logs and advise.

The logs do not include show cap capo.

Are you able to ping the servers from the firewall?

The two captures that I would need are show cap capdmz and show cap capo; you can delete show cap capin.

-Varun

Thanks,
Varun Rao