10-18-2012 10:12 AM - edited 03-11-2019 05:11 PM
Hi,
What will be the packet-tracer syntax to check if outside-interface traffic is allowed to get to the inside networks?
Thanks
mark
10-19-2012 10:06 AM
Hello Mark,
I mean right now all we are testing is an HTTP connection to 10.1.1.57 (in this case pointing to the outside interface on port 80) from 10.170.0.5
access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.8.8.1
That will do it,
10-19-2012 10:16 AM
Hi Julio,
It worked; still can't ping from 10.1.1.57.
asa# packet-tracer input outside tcp 10.170.0.5 1025 10.8.8.1 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
match tcp inside host 10.1.1.57 eq 80 outside any
static translation to 10.8.8.1/80
translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface inside
Untranslate 10.8.8.1/80 to 10.1.1.57/80 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.8.8.1
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
match tcp inside host 10.1.1.57 eq 80 outside any
static translation to 10.8.8.1/80
translate_hits = 0, untranslate_hits = 4
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
match tcp inside host 10.1.1.57 eq 80 outside any
static translation to 10.8.8.1/80
translate_hits = 0, untranslate_hits = 4
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 545, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
asa#
Thanks
mark
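The trace above has a regular structure (a numbered Phase, its Type/Subtype/Result, a Config block, an Additional Information block, then an unnumbered Result summary ending in Action). The following added example, not from the thread or from Cisco, parses such a trace into phases and reports which phase dropped the packet and the Drop-reason. The ALLOW sample is trimmed from the trace above; the DROP sample is constructed to show the shape of a denied flow and is not taken from this thread.

```python
# Constructed sample, trimmed from the ALLOW trace quoted in the thread above
ALLOW_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.8.8.1
Additional Information:
Result:
Action: allow
"""
# Constructed sample of the shape a trace takes when no ACL permits the flow (not from the thread)
DROP_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split a packet-tracer trace into per-phase dicts plus the final Result block."""
    phases, final, cur, section = [], {}, None, None
    for line in text.splitlines():
        if line.startswith("Phase: "):          # a new numbered phase starts
            cur, section = {"phase": int(line[7:]), "config": [], "info": []}, None
            phases.append(cur)
        elif line == "Result:":                 # the unnumbered summary block at the end
            cur = None
        elif cur is None:                       # summary lines: "Action: allow", "Drop-reason: ..."
            key, sep, val = line.partition(": ")
            if sep:
                final[key] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:                           # free-form lines under Config / Additional Information
            cur[section].append(line)
        else:                                   # "Type: ...", "Subtype: ...", "Result: ALLOW|DROP"
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
    return phases, final

def verdict(text):  # ('allow', None, None) or ('drop', <phase type that dropped>, <Drop-reason>)
    phases, final = parse_packet_tracer(text)
    dropped = next((p["type"] for p in phases if p.get("result") == "DROP"), None)
    return ("allow", None, None) if dropped is None else ("drop", dropped, final.get("Drop-reason"))
```

Feeding the full trace from the post (including UN-NAT, INSPECT and FLOW-CREATION phases) works the same way, since every phase follows the same key/value and section layout.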
10-19-2012 10:34 AM
Hello Mark,
What do you mean by
"still can't ping from 10.1.1.57"?
What are you trying to do now?
Remember to rate all of the posts that help
10-19-2012 10:41 AM
Hi Julio,
I am trying to access 10.170.0.5 and the other IPs in the outside-acl. I can ping them from the firewall but not from 10.1.1.57.
This is the server which all remote devices in the outside-acl will access. I can only ping 10.8.8.2 from 10.1.1.57.
Thanks
mark
10-19-2012 10:54 AM
Hello Mark,
If you want to ping outside users from inside hosts, do:
nat (inside) 1 0 0
Then try it.
Remember to rate all of the posts that help
10-19-2012 11:46 AM
Hi Julio,
It works :-), thank you for all your help. Can you please explain what this command did, and will access from outside networks to 10.1.1.57 work now?
Should I remove these commands, as they were added for testing:
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.8.8.1
Thanks
mark
10-19-2012 12:38 PM
Hello Mark,
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.8.8.1
You are trying to connect from the lowest security level interface (outside) to the highest security level interface (inside).
So by default the traffic will be denied unless you configure an ACL allowing the traffic on the outside interface.
So we will need to create one ACL for this traffic.
Now let's talk about the NAT.
There are different kinds of NAT rules. Some work unidirectionally and others bidirectionally.
In this case, as the connection will be initiated from the outside world, we need one that allows inbound connections on our ASA, and we will use a port-mapping rule to do it. So a port-forwarding rule (which will be unidirectional and inbound) is what we will do.
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255 says:
If the ASA receives a packet on port 80 on the outside interface, forward it to the host 10.1.1.57 on port 80, provided the connection is allowed via an ACL.
So the ACL access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.8.8.1 is required.
That's it! Please check your inbox here on the Cisco support community.
Regards
10-19-2012 12:47 PM
Hi Julio,
Thank you for all your time & help.
mark
10-19-2012 01:52 PM
Hi Julio,
One more question: if I need an access-list for 10.170.0.0, then will I need to add all outside networks to it?
And can you explain "nat (inside) 1 0 0"?
Thanks
mark
10-19-2012 02:03 PM
Hello,
1) Yes, but the ACL should point to the NATted IP address.
2) nat (inside) 1 0 0 is used to translate all the internal users to the outside interface when they attempt to connect to an outside user.
Remember to rate all of the helpful posts