03-06-2015 03:10 PM - edited 03-11-2019 10:36 PM
Hello,
I have a problem with a single port forward on a 9.2 ASA (5505). Here is the related config:
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
access-list DMZ_in extended permit ip any any
nat (DMZ,outside) source dynamic obj_any interface
nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP
object network Public_Server
nat (DMZ,outside) static interface service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
When I try to access the server, the console says ACL drop. The packet tracer says it was dropped by the implicit deny rule. Can you help me with what the problem could be?
Thank You!
03-08-2015 04:43 AM
The "Public_Server" object is still 10.168.50.5. I don't see it in your amended rule order above. It's strange that you're getting lots of hits on the "after-auto" rule, but not on the object rule... which should apply first.
Just to test, can you try this?
Make sure the object Public_Server is set as host 10.168.50.5, then the NAT rule as you have it in the post above. Then remove the 2 DMZ "after-auto" rules. Then test again.
That section 3 number1 rule is bothering me a bit. What is the purpose of that rule? To provide internet access for traffic sourced from the DMZ?
03-08-2015 05:51 AM
Okay try using a section 1 rule for your web server eg.
nat (DMZ,outside) source static Public_Server interface service http http
and retest.
Jon
03-06-2015 04:05 PM
It is probably the order of your NAT.
Can you post a "sh nat" from the ASA ?
And what is the object Public_Server, is it 10.168.50.5 ?
Jon
03-06-2015 11:13 PM
Hello, of course.
sh nat
Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
translate_hits = 91968, untranslate_hits = 61972
2 (DMZ) to (outside) source dynamic obj_any interface
translate_hits = 1734, untranslate_hits = 0
3 (inside) to (outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
translate_hits = 7, untranslate_hits = 7
4 (DMZ) to (outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
translate_hits = 1, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 42230, untranslate_hits = 20999
Yes, here is the public server object:
object network Public_Server
host 10.168.50.5
And here is the HTTP service object:
object service HTTP
service tcp destination eq www
03-07-2015 05:12 AM
The problem is NAT and the sections, i.e. you have section 1 and 2 NAT. The ASA with 8.3 or later uses the sections in order, so it is using the dynamic NAT statement you have for your DMZ in section 1 for the translation and never gets to the section 2 static statement.
There are two solutions -
1) move your dynamic NAT to section 2 where your static should take precedence
or
2) move your dynamic NAT to section 3 so the static is matched first.
The recommendation is to use section 3 for dynamic NAT so you need to replace -
nat (DMZ,outside) source dynamic obj_any interface
with this -
nat (DMZ,outside) after-auto source dynamic obj_any interface
the "after-auto" keyword moves it to section 3.
For full details of how it all works see this document by Jouni Forss -
Jon
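The section ordering Jon describes above, as an added example (not ASA code and not from anyone in this thread): a simplified first-match model of the three NAT sections that shows which rule the DMZ web server's traffic hits before and after the `after-auto` keyword moves the dynamic rule to section 3. It assumes `obj_any` is 0.0.0.0/0 and matches only on the interface pair and the real source address; destination and service matching are left out.

```python
"""Simplified first-match model of ASA NAT sections (added example, not ASA code).

Assumptions not taken from the thread: obj_any is 0.0.0.0/0, and a rule is
matched on its (real, mapped) interface pair and real source address only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    label: str        # the config line as it appears in the thread
    real_ifc: str
    mapped_ifc: str
    source: str       # "any" or a CIDR for the real source
    section: int      # 1 = manual, 2 = auto (object NAT), 3 = manual after-auto

    def matches(self, real_ifc: str, mapped_ifc: str, src_ip: str) -> bool:
        if (self.real_ifc, self.mapped_ifc) != (real_ifc, mapped_ifc):
            return False
        return self.source == "any" or ip_address(src_ip) in ip_network(self.source)


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """Section order first; sorted() is stable, so config order is kept inside a section."""
    return sorted(rules, key=lambda r: r.section)


def first_match(rules: List[NatRule], real_ifc: str, mapped_ifc: str,
                src_ip: str) -> Optional[NatRule]:
    """ASA stops at the first rule that matches, walking section 1, then 2, then 3."""
    for rule in ordered(rules):
        if rule.matches(real_ifc, mapped_ifc, src_ip):
            return rule
    return None


OBJ_ANY = "0.0.0.0/0"            # assumed definition of obj_any
PUBLIC_SERVER = "10.168.50.5/32"  # object network Public_Server from the thread


def dmz_rules(dynamic_after_auto: bool) -> List[NatRule]:
    """The two DMZ->outside rules from the thread, with the dynamic rule in
    section 1 (as first posted) or in section 3 (with the after-auto keyword)."""
    if dynamic_after_auto:
        dynamic = NatRule("nat (DMZ,outside) after-auto source dynamic obj_any interface",
                          "DMZ", "outside", OBJ_ANY, 3)
    else:
        dynamic = NatRule("nat (DMZ,outside) source dynamic obj_any interface",
                          "DMZ", "outside", OBJ_ANY, 1)
    static = NatRule("nat (DMZ,outside) static interface service tcp www www",
                     "DMZ", "outside", PUBLIC_SERVER, 2)
    # config order: dynamic rule was entered first in the original post
    return [dynamic, static]


def which_rule_translates_web_server(dynamic_after_auto: bool) -> str:
    """Return the label of the rule that 10.168.50.5 hits on its way out."""
    hit = first_match(dmz_rules(dynamic_after_auto), "DMZ", "outside", "10.168.50.5")
    return hit.label if hit else "no-nat"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"after-auto={flag}: {which_rule_translates_web_server(flag)}")
```

With the dynamic rule in section 1 the catch-all `obj_any` matches the web server first and the section 2 static never gets a hit; once the dynamic rule is pushed to section 3 the object NAT in section 2 wins.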
03-07-2015 05:31 AM
Hello,
now the sh nat looks like this:
sh nat
Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
translate_hits = 92926, untranslate_hits = 62078
2 (inside) to (outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
translate_hits = 18, untranslate_hits = 14
3 (DMZ) to (outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
translate_hits = 12, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 47339, untranslate_hits = 21519
Manual NAT Policies (Section 3)
1 (DMZ) to (outside) source dynamic obj_any interface
translate_hits = 11, untranslate_hits = 0
But it doesn't work :(. The packet-tracer says the implicit deny catches it, but as you can see there also isn't a hit on the NAT rule.
03-07-2015 10:02 AM
Can you post the packet-tracer output ?
Are you accessing the server from the outside of the ASA ?
What is the IP address you are coming from ?
What is this meant to be doing -
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP
Jon
03-07-2015 10:15 AM
Here it is:
packet-tracer input outside tcp 1.1.1.1 http OUTSIDEINTERFACEIP http det
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in <OUTSIDE IF> 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad070ce8, priority=1, domain=nat-per-session, deny=true
hits=250632, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2a1370, priority=0, domain=permit, deny=true
hits=116843, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Uh, that's interesting. That was a NAT rule I used for debugging, but currently that rule is not in the running config.
I'm coming from a random public IP; in the packet tracer I tried 1.1.1.1.
03-07-2015 10:25 AM
Okay can you run -
"packet-tracer input outside 8.8.8.8 12345 <outside interface IP> http"
and post results.
Jon
03-07-2015 10:32 AM
I also had to define the tcp.
packet-tracer input outside tcp 8.8.8.8 12345 OUTIP http
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in OUTIP 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
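When packet-tracer output like the above gets pasted into a thread, the useful facts are the phase that dropped, its Config block and the final Drop-reason. The following is an added example (not from the thread and not a Cisco tool): a small parser for this output format that splits it into phases and the result summary, run over the second trace posted above as sample input.

```python
"""Parser for ASA packet-tracer text output (added example, not Cisco code)."""
import re
from typing import Dict, List, Optional

# Sample input: the second packet-tracer run posted in the thread above.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in OUTIP 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")


def parse_packet_tracer(text: str) -> Dict:
    """Return {"phases": [...], "summary": {...}, "drop_phase": phase-or-None}."""
    phases: List[Dict] = []
    summary: Dict[str, str] = {}
    current: Optional[Dict] = None
    bucket: Optional[str] = None   # "config" or "info" while inside a phase
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            bucket = None
            continue
        if line == "Result:":       # a bare "Result:" opens the final summary block
            in_summary = True
            current = None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
            continue
        if current is None:
            continue
        if line.startswith("Type:"):
            current["type"] = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            current["result"] = line[len("Result:"):].strip()
        elif line == "Config:":
            bucket = "config"
        elif line == "Additional Information:":
            bucket = "info"
        elif bucket is not None:
            current[bucket].append(line)
    drop_phase = next((p for p in phases if p["result"] == "DROP"), None)
    return {"phases": phases, "summary": summary, "drop_phase": drop_phase}


def one_line_verdict(text: str) -> str:
    """Condense a trace to the dropping phase and reason, for quick triage."""
    parsed = parse_packet_tracer(text)
    drop = parsed["drop_phase"]
    if drop is None:
        return "allowed"
    cfg = "; ".join(drop["config"]) or "(no config shown)"
    return f"phase {drop['phase']} {drop['type']} [{cfg}]: {parsed['summary'].get('drop-reason', '')}"


if __name__ == "__main__":
    print(one_line_verdict(SAMPLE))
```

On the thread's trace the verdict reads that phase 3 (ACCESS-LIST, Implicit Rule) dropped the flow, and the NAT phase shows no untranslate rule in its Additional Information, which is the same observation the posters made from the raw output.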
03-07-2015 10:46 AM
Can you post full ASA config and -
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP
what is the above for ?
Jon
03-07-2015 11:19 AM
03-07-2015 11:50 AM
Can't see anything wrong with your configuration now.
This NAT rule -
3 (DMZ) to (outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
translate_hits = 12, untranslate_hits = 0
have you actually generated traffic that would hit that rule ?
It should have no effect on what you are trying to do but just wondering as it would be checked before your static.
Other than that perhaps a reload if you can.
Like I say I can't see anything wrong with it now.
Jon
03-07-2015 10:33 PM
Good day. Just a thought here. You have sorted your NAT issue as per Jon. I assume your webserver is in your DMZ. However, is your ACL entry allowing traffic from the Outside to the DMZ? It seems the "permit www" traffic statement is on the " outside access in" access rule. Can you try to add a permit access rule from outside to dmz?
03-07-2015 10:51 PM
As you can see, on the outside interface there are many ACLs which permit the traffic (more than one because of testing), and currently on the DMZ interface there is a permit any any rule.
03-07-2015 10:48 PM
I reloaded it, and re-ordered the NAT rules like this:
nat (Guest,outside) source dynamic obj_any interface
nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Public_Server
nat (DMZ,outside) static interface service tcp www www
!
nat (DMZ,outside) after-auto source dynamic obj_any interface
nat (DMZ,outside) after-auto source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
But it still doesn't work.