ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman
Level 4

Hello,

I am moving all of my nat/pat from my 2800 series to my ASA.  I have a few things working including multiple outside ip addresses and dynamic nat, as well as outside access for a few servers.

My two problems are as follows:

1).

For the life of me I cannot get PAT working when I want to access an internal web server using a different port on the outside interface.

For example I have added this:

object network test.obj

host 192.168.184.11

nat (inside,outside) static outside-ip-100.1.1.1 service tcp www 8080

This adds the NAT statements into the network object NAT list and it all makes sense.  Then I add the ACL:

access-list outside_access_in extended permit tcp any object test.obj eq http-81

I see no hits on the acl when I try from an outside device, and the packet-tracer keeps telling me I have a nat problem with the reverse path forwarding check.

xlate shows this:

5520-fw# show xlate | i 100.1.1.1

TCP PAT from inside:192.168.184.11 80-80 to outside:100.1.1.1 81-81

NAT from inside:192.168.184.11 to outside:100.1.1.1

I have no idea why, I have followed many examples and I still get nothing.  I also get no access to the internet on the computer running the web server unless I add another dynamic NAT statement pointing to a different network object with the same host IP to the same outside IP address, e.g.:

object network test.obj-dynamic

host 192.168.184.11

nat (inside,outside) dynamic outside-ip-100.1.1.1

Still, after that I get no connection from the outside to the web server.

2.)

Second problem.

I had moved our main web server over to the asa and access from the outside worked for a few minutes, I think, as I had hits on the acl.  Then it stopped working and the logs showed a huge list of teardowns and it looked like they were all dns requests.  I am assuming this is a problem with the virtual hosts on the web server and the dns inspection that the asa is doing.  So I added the dns command at the end of the nat command and it did not solve my problem.  So I am thinking the first problem with the RPF-check is related to this problem. 

I have a couple of other web servers going through the ASA with no problems, but they are not running on Apache and using virtual hosts; they are single stand-alone web servers.

Any idea what I am doing wrong?

Thanks,

Dan.
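On ASA 8.3 and later an interface ACL is evaluated against the real (untranslated) address and port, so an entry written against the mapped port never matches, which fits the zero hit count described above. The linter below is an added example, not code from this thread: it parses object NAT and outside ACL lines written in the style of this post and flags entries that reference a mapped address or a mapped port instead of the real host and real port. The sample config and the table of port keywords are constructed assumptions.

```python
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}  # assumed subset of ASA "eq" keywords

def port_num(tok):
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

NAT_RE = re.compile(r"nat \(\S+\) static (\S+)(?: service tcp (\S+) (\S+))?")
ACL_RE = re.compile(r"access-list \S+ extended permit tcp any (?:object (\S+)|host (\S+))(?: eq (\S+))?$")

def parse_objects(cfg):
    """Collect object-NAT facts per object: real host, mapped address, real/mapped port."""
    objs, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("object network "):
            cur = line.split()[2]
            objs.setdefault(cur, {})
        elif cur and line.startswith("host "):
            objs[cur]["real"] = line.split()[1]
        elif cur and (m := NAT_RE.match(line)):
            objs[cur]["mapped"] = m.group(1)
            if m.group(2):  # static NAT with port translation: real port first, then mapped
                objs[cur]["real_port"] = port_num(m.group(2))
                objs[cur]["mapped_port"] = port_num(m.group(3))
    return objs

def lint_asa_config(cfg):
    """Flag ACL entries that name a mapped address or mapped port (8.3+ ACLs see real values)."""
    objs = parse_objects(cfg)
    mapped = {o.get("mapped") for o in objs.values()} - {None}
    # A mapped token may be the name of another object; include that object's host too.
    mapped |= {objs[n]["real"] for n in list(mapped) if "real" in objs.get(n, {})}
    findings = []
    for m in filter(None, map(ACL_RE.match, map(str.strip, cfg.splitlines()))):
        obj, host, port = m.groups()
        line = m.group(0)
        if host in mapped:
            findings.append(f"mapped address in ACL (use the real host): {line}")
        o = objs.get(obj, {})
        if port and "mapped_port" in o and port_num(port) == o["mapped_port"] != o["real_port"]:
            findings.append(f"mapped port {port} in ACL (real port is {o['real_port']}): {line}")
    return findings

# Constructed sample in the style of the post: real port 80 mapped to 81 on 100.1.1.1.
SAMPLE_CFG = """\
object network test.obj
 host 192.168.184.11
 nat (inside,outside) static 100.1.1.1 service tcp www 81
access-list outside_access_in extended permit tcp any object test.obj eq 81
access-list outside_access_in extended permit tcp any host 100.1.1.1 eq www
access-list outside_access_in extended permit tcp any object test.obj eq www
"""
```

Only the first two ACL lines of the sample are reported; the third names the real port and is the form that gets hits.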

19 Replies

Oh wait, I forgot to remove one other thing.  That is the other nat statement that allowed the server to get out to the internet.

Without that the server could not get out.

Please post the entire config, to see why that is happening!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

So your config you sent me works perfectly, but my server cannot get out onto the internet. I think I need another NAT statement, but when I add another NAT statement then I can access the server using port 80 from the outside, so I must be doing something wrong.

ASA Version 8.4(3)

!

hostname gvsd-asa-5520-fw

names

dns-guard

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 10.10.10.10 255.255.255.252

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address 77.77.77.70 255.255.255.192

!

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 172.16.0.102

name-server 172.16.0.101

domain-name domain.com

object network 10.20.10.1

host 10.20.10.1

description Astaro Web Filter  

object network 172.16.0.0

range 172.16.0.0 172.16.254.254

description Data Network  

object network 192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network 10.10.10.1

host 10.10.10.1

description gw-2821-01  

object network 10.10.10.9

host 10.10.10.9

description gw-2821-02  

object network NETWORK_OBJ_10.250.0.0_28

subnet 10.250.0.0 255.255.255.240

description VPN Test

object network 172.16.187.0

subnet 172.16.187.0 255.255.255.0

description GVC Wifi  

object network 10.7.0.0

subnet 10.7.0.0 255.255.0.0

description Guest Network  

object network 10.10.10.46

host 10.10.10.46

description astarogw  

object network 10.11.0.0

subnet 10.11.0.0 255.255.0.0

description GVSD I.T Network

object network 10.11.200.0

subnet 10.11.200.0 255.255.255.0

description DO I.T Network

object network merlin-67.75

host 77.77.77.75

description Merlin-67.75

object network helpdesk.domain.com

host 10.5.0.125

description Helpdesk Server for HTTP site

object network merlin-67.123

host 77.77.77.123

object network 10.5.0.0

subnet 10.5.0.0 255.255.255.0

description GVSD Server Network

object network intermapper.domain.com

host 10.5.0.150

description intermapper.domain.com

object network merlin-67.120

host 77.77.77.120

object network merlin-67.105

host 77.77.77.105

object network merlin-67.106

host 77.77.77.106

object network merlin-67.116

host 77.77.77.116

object network merlin-67.117

host 77.77.77.117

object network merlin-67.118

host 77.77.77.118

object network merlin-67.121

host 77.77.77.121

object network merlin-67.122

host 77.77.77.122

object network merlin-67.95

host 77.77.77.95

object network merlin-67.99

host 77.77.77.99

object network merlin-67.68

host 77.77.77.68

object network merlin-67.69

host 77.77.77.69

object network merlin-67.70

host 77.77.77.70

object network merlin-67.71

host 77.77.77.71

object network 172.16.187.22

host 172.16.187.22

description GVC Test Host

object network library.domain.com

host 10.5.0.85

description Library Server

object network netstorage.domain.com

host 10.5.0.35

description Netstorage server

object network sm.domain.com

host 10.5.0.87

description Sucess Maker Server

object network vibe.domain.com

host 10.5.0.27

description Vibe Server

object network mobilesync.domain.com

host 10.5.0.32

description Mobilesync Server

object network powerschool.domain.com

host 10.5.0.181

description PowerSchool Application Server

object service powerschool-5071

service tcp source eq 5071 destination eq 5071

object service powerschool-7880

service tcp source eq 7880 destination eq 7880

object service powerschool-7980

service tcp source eq 7980 destination eq 7980

object network astaro-mail

host 10.30.10.2

object service http-81

service tcp destination eq 81

object service http-82

service tcp destination eq 82

object service http-83

service tcp destination eq 83

object service http-84

service tcp destination eq 84

object service http-85

service tcp destination eq 85

object network merlin-67.77

host 77.77.77.77

object network dan-laptop

host 192.168.75.208

object service http-proxy

service tcp source eq 8080

object service http-proxy-2

service tcp destination eq 8080

object network web03-p8080

host 10.5.0.13

object service http-8080

service tcp source eq 8080

object service www

service tcp source eq www

object-group service ff-system udp

description ff system management

port-object eq 1091

object-group service http-81-1 tcp

port-object eq 81

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit object http-81 any object dan-laptop

access-list outside_access_in remark helpdesk webiste

access-list outside_access_in extended permit tcp any object helpdesk.domain.com eq www

access-list outside_access_in extended permit tcp any object library.domain.com eq www

access-list outside_access_in extended permit tcp any object netstorage.domain.com eq https

access-list outside_access_in extended permit tcp any object sm.domain.com eq www

access-list outside_access_in extended permit tcp any object sm.domain.com eq https inactive

access-list outside_access_in extended permit tcp any object mobilesync.domain.com eq https

access-list outside_access_in extended permit tcp any object powerschool.domain.com eq www

access-list outside_access_in extended permit tcp any object powerschool.domain.com eq https

access-list outside_access_in extended permit object powerschool-5071 any object powerschool.domain.com

access-list outside_access_in extended permit object powerschool-7880 any object powerschool.domain.com

access-list outside_access_in extended permit object powerschool-7980 any object powerschool.domain.com

access-list outside_access_in extended permit tcp any object astaro-mail eq smtp inactive

access-list outside_access_in extended permit tcp any object vibe.domain.com eq https

access-list outside_access_in extended permit tcp any object intermapper.domain.com eq www

access-list outside_access_in extended permit tcp any host 10.5.0.13 eq www

access-list inside_access_in extended deny ip object 172.16.187.22 any inactive

access-list inside_access_in remark blsd - web accesss

access-list inside_access_in extended permit tcp object 10.7.0.0 any eq 88

access-list inside_access_in extended deny udp object 10.7.0.0 range 1 65535 any range 1 65535

access-list inside_access_in extended deny tcp object 10.7.0.0 range 1 65535 any range 1 65535

access-list inside_access_in extended permit ip any any

access-list inside_access_out extended permit ip any any

access-list outside_access_out extended permit ip any any

access-list netflow-hosts extended permit ip any any

access-list http-s extended permit tcp any any eq www inactive

pager lines 24

logging enable

logging asdm informational

flow-export destination inside 10.11.200.104 2055

flow-export destination inside 10.11.200.193 2055

flow-export template timeout-rate 1

flow-export delay flow-create 30

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool VPN-L2TP-IPSEC-POOL 10.250.0.4-10.250.0.14 mask 255.255.255.224

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static web03-p8080 merlin-67.77 service www http-8080

!

object network 172.16.0.0

nat (inside,outside) dynamic interface

object network 10.10.10.1

nat (inside,outside) dynamic interface

object network 10.10.10.9

nat (inside,outside) dynamic interface

object network 10.7.0.0

nat (inside,outside) dynamic interface

object network 10.10.10.46

nat (inside,outside) dynamic interface

object network 10.11.0.0

nat (inside,outside) dynamic interface

object network helpdesk.domain.com

nat (any,any) static merlin-67.123

object network intermapper.domain.com

nat (any,any) static merlin-67.120

object network library.domain.com

nat (any,any) static merlin-67.121

object network netstorage.domain.com

nat (any,any) static merlin-67.122

object network sm.domain.com

nat (any,any) static merlin-67.116

object network vibe.domain.com

nat (any,any) static merlin-67.117

object network mobilesync.domain.com

nat (any,any) static merlin-67.118

object network powerschool.domain.com

nat (any,any) static merlin-67.106

object network astaro-mail

nat (any,any) static merlin-67.106

!

nat (inside,outside) after-auto source static dan-laptop merlin-67.75

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

!

router eigrp 100

no auto-summary

eigrp stub receive-only

network 10.10.10.8 255.255.255.252

passive-interface outside

!

route outside 0.0.0.0 0.0.0.0 77.77.77.65 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

snmp-server host inside 10.5.0.150 community public version 2c udp-port 161

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

!

class-map type regex match-any http

match regex youtube

class-map type inspect http match-any http_inspect_regex

match request uri regex class http

class-map http-s

match access-list http-s

class-map type regex match-any URLBlockList

description Match Traffic for Inspection

match regex Torrent-Info_Hash

class-map type inspect http match-all asdm_medium_security_methods

match not request method head

match not request method post

match not request method get

class-map inspection_default

match default-inspection-traffic

class-map netflow-traffic

match access-list netflow-hosts

class-map type regex match-any class-limit

match regex dropbox

class-map type inspect http match-all BlockURLsClass

match request uri regex class URLBlockList

!

!

policy-map type inspect http URL

parameters

match request uri regex dropbox

  reset

policy-map global_policy

class http-s

  inspect http URL

class inspection_default

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

  inspect dns

class netflow-traffic

  flow-export event-type all destination 10.11.200.104

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map test_pol

!

service-policy global_policy global

smtp-server 10.5.0.20

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

I think I have it figured out now.  I guess I deleted too many things.  I added the NAT statement back for the original object and now I can get out to the internet again and I can only access the server using port 8080.

object network web03.domain.com

nat (inside,outside) dynamic internet.77

Without this the server could not get out onto the internet.

Thank you very much for your time, this has helped me very much.

Dan.

I think I have it figured out now

Sure, glad I could help.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC