03-23-2015 04:40 AM - edited 03-12-2019 06:08 PM
Hi All,
I have a problem with allowing outside hosts to ping, telnet or access port 80 on inside hosts.
In the current configuration none of the outside hosts can ping, telnet or access the inside host with the IP 192.168.64.176; a static mapping is configured as well as ACLs.
Configuration below:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 88.151.aaa.aaa 255.255.255.240
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.64.1 255.255.255.0
object network Test-DNS
 host 192.168.64.176
access-list acl_out extended permit icmp any any unreachable
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any any time-exceeded
access-list acl_out extended permit icmp any host 88.151.aaa.bbb echo
access-list acl_out extended permit icmp any host 88.151.aaa.bbb echo-reply
access-list acl_out extended permit tcp any object Test-DNS eq www
access-list acl_out extended permit tcp any object Test-DNS eq telnet
object network Test-DNS
 nat (inside,outside) static 88.151.aaa.bbb
access-group acl_out in interface outside
Thank you,
Kind Regards,
S
03-23-2015 05:05 AM
These two lines are not needed as the ACL needs the real-IP, not the translated:
access-list acl_out extended permit icmp any host 88.151.aaa.bbb echo
access-list acl_out extended permit icmp any host 88.151.aaa.bbb echo-reply
Is the address 88.151.aaa.bbb in the ip subnet of 88.151.aaa.aaa 255.255.255.240? If not, it's very likely that you need the command
arp permit-nonconnected
This ACL-Line is also not needed:
access-list acl_out extended permit icmp any any echo-reply
Returning echo-replies should be allowed by making ICMP stateful:
policy-map global_policy
 class inspection_default
  inspect icmp
The rest looks ok, what is the output of the following command:
packet-tracer input outside tcp 1.2.3.4 1234 88.151.aaa.bbb 80
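The point in the answer above (on ASA 8.3+ the interface ACL is evaluated after un-NAT, so an ACE that names the mapped/public address never matches and the real address or the network object must be used) can be checked mechanically. The following checker is an added example, not code from the thread or from Cisco; it only understands "object network" stanzas with "host" and static "nat" lines, and the sample config is constructed after the poster's configuration (the obfuscated 88.151.aaa.bbb address is used as an opaque string).

```python
import re

# Constructed sample modelled on the thread's config; not the poster's exact file.
SAMPLE_CONFIG = """\
object network Test-DNS
 host 192.168.64.176
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any host 88.151.aaa.bbb echo
access-list acl_out extended permit icmp any host 88.151.aaa.bbb echo-reply
access-list acl_out extended permit tcp any object Test-DNS eq www
access-list acl_out extended permit tcp any object Test-DNS eq telnet
object network Test-DNS
 nat (inside,outside) static 88.151.aaa.bbb
"""

def parse_static_nats(config):
    """Map each static-NAT mapped address to (object name, real host address).

    Handles the ASA style where 'host' and 'nat' live in separate
    'object network' stanzas for the same object, as in the thread.
    """
    real_hosts, mapped = {}, {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith("host "):
            real_hosts[current] = line.split()[1]
        elif current and line.startswith("nat (") and " static " in line:
            mapped[line.split(" static ")[1].split()[0]] = current
    return {m: (obj, real_hosts.get(obj)) for m, obj in mapped.items()}

def find_mapped_ip_acl_entries(config):
    """Return (acl line, mapped ip, real ip, suggested line) for every ACE that
    references a mapped address. Such entries never match after un-NAT, so the
    suggestion swaps 'host <mapped>' for the network object (the real host)."""
    nats = parse_static_nats(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list "):
            continue
        for ip in re.findall(r"\bhost (\S+)", line):
            if ip in nats:
                obj, real_ip = nats[ip]
                fixed = line.replace(f"host {ip}", f"object {obj}")
                findings.append((line, ip, real_ip, fixed))
    return findings

if __name__ == "__main__":
    for line, mapped_ip, real_ip, fixed in find_mapped_ip_acl_entries(SAMPLE_CONFIG):
        print(f"ineffective: {line}\n  {mapped_ip} is mapped; real host is {real_ip}\n  use: {fixed}")
```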
03-23-2015 05:32 AM
Hi Karsten,
Thank you for your response.
88.151.aaa.bbb is in the subnet of public IPs.
The output of packet-tracer is below:
ASA# packet-tracer input outside tcp 1.2.3.4 1234 88.151.aaa.bbb 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Test-DNS
nat (inside,outside) static 88.151.aaa.bbb
Additional Information:
NAT divert to egress interface inside
Untranslate 88.151.aaa.bbb/80 to 192.168.64.176/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_out in interface outside
access-list acl_out extended permit tcp any object Test-DNS eq www
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2902909, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
The problem is our 3rd party needs to monitor the server on TCP port 80 and they cannot get any response, trying telnet on 80 as well as ping; however, from the output above it looks like all is fine?
I haven't applied this yet:
policy-map global_policy
 class inspection_default
  inspect icmp
Thank you,
03-23-2015 05:35 AM
Looks fine. Also troubleshoot whether your 3rd party can send any traffic in your direction.
03-23-2015 05:45 AM
Great, thank you,
So far I can see they tried:
access-list acl_out line 21 extended permit tcp any object Test-DNS eq www (hitcnt=286) 0x552a4a47
access-list acl_out line 21 extended permit tcp any host 192.168.64.176 eq www (hitcnt=286) 0x552a4a47
access-list acl_out line 22 extended permit tcp any object Test-DNS eq telnet (hitcnt=2377) 0xb2e2cdba
access-list acl_out line 22 extended permit tcp any host 192.168.64.176 eq telnet (hitcnt=2377) 0xb2e2cdba
However, no response is received at the other end.
Should I try to implement the below:
policy-map global_policy
 class inspection_default
  inspect icmp
The question I have got is, if I want to use a port, e.g. 80 or 1720, for TCP monitoring, does ICMP have to be enabled?
03-23-2015 06:02 AM
The config in the policy-map is only for pinging through the ASA. It's not needed for other traffic like HTTP.
Other things to test:
03-25-2015 08:07 AM
Thank you,
All working fine now
Kind Regards,
S