03-06-2015 03:10 PM - edited 03-11-2019 10:36 PM
Hello,
I have a problem with a single port forward on a 9.2 ASA (5505). Here is the related config:
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
access-list DMZ_in extended permit ip any any
nat (DMZ,outside) source dynamic obj_any interface
nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP
object network Public_Server
nat (DMZ,outside) static interface service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
When I try to access the server, the console said ACL drops. The packet tracer said that it was dropped by the implicit deny rule. Can you help me find what the problem could be?
Thank You!
03-08-2015 09:25 AM
It appears you can mark multiple answers as correct which now I come to think about is obvious considering I have had multiple correct answers in a thread.
You would think I would know that after posting for over 10 years now :-)
Jon
03-08-2015 08:48 AM
Confusion indeed Jon. At least it's working :-)
03-08-2015 08:43 AM
I think it's about the inside VPN NAT rule; the DMZ VPN rule was moved earlier to section 3. One of these rules matched before the port forward:
nat (Guest,outside) source dynamic obj_any interface
nat (inside,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
I think it was the Guest rule because of the "obj_any" object.
03-08-2015 08:47 AM
Hi. I don't think those rules would have matched, because it's applying to other interfaces, ie. Guest, and inside.
03-08-2015 08:57 AM
But it seems yes :).
I moved this back to section 1:
nat (Guest,outside) source dynamic obj_any interface
The object is:
object network obj_any
subnet 0.0.0.0 0.0.0.0
I think I should specify it more.
03-08-2015 08:48 AM
I honestly can't see how because you have defined the specific interface for Guest.
If you had used -
"nat (any,outside) source dynamic obj_any interface"
then yes I would agree but you didn't.
Obviously there is something I am not understanding but your firewall seems to be using the NAT rules differently than I expected
Jon
03-08-2015 08:39 AM
Sorry, ignore my last post, I'm just catching up on all the activity.
You can't leave the VPN NAT rules in section 3 unless you move the section 2 dynamic NAT there as well otherwise you will never get to the VPN rules.
You will have to move the dynamic NAT to section 3 as well for inside to outside and make sure it is after the VPN rules.
Jon
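The section-ordering point Jon makes here (a catch-all dynamic PAT in section 2 is evaluated before anything in section 3, so a VPN identity rule left in section 3 is never reached) can be checked with a small model. The following is an added example written for this thread, not code from Cisco or from anyone in the discussion: it implements the documented first-match order (section 1 in configured order, section 2 sorted static-before-dynamic and fewest real addresses first, then section 3) and ignores service/port clauses and the mapped side. The VPN_Pool range and the inside host address are constructed placeholders, since the thread does not give them.

```python
"""Simplified model of ASA 8.3+ NAT rule ordering (added example, not from the thread).

Sections are evaluated in order: Section 1 (manual NAT, configured order),
Section 2 (auto/object NAT, sorted by the ASA's own ordering rules), Section 3
(manual NAT "after-auto", configured order). The first matching rule wins.
This model ignores service/port clauses and the mapped side entirely; it only
answers "which rule would this flow hit first?".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    section: int      # 1 = manual, 2 = auto (object NAT), 3 = manual after-auto
    src_ifc: str      # real (ingress) interface, or "any"
    dst_ifc: str      # mapped (egress) interface, or "any"
    real_src: str     # real source network in CIDR notation
    real_dst: str     # real destination network in CIDR; "0.0.0.0/0" = no destination clause
    kind: str         # "static" or "dynamic"


def rule_matches(rule: NatRule, ingress: str, egress: str, src: str, dst: str) -> bool:
    """A rule applies only when both interfaces and both real addresses match."""
    if rule.src_ifc not in ("any", ingress) or rule.dst_ifc not in ("any", egress):
        return False
    return (ip_address(src) in ip_network(rule.real_src)
            and ip_address(dst) in ip_network(rule.real_dst))


def auto_nat_key(rule: NatRule):
    """Section 2 order: static before dynamic, fewer real addresses first,
    then lower real address, then object name as the final tie-break."""
    net = ip_network(rule.real_src)
    return (0 if rule.kind == "static" else 1, net.num_addresses,
            int(net.network_address), rule.name)


def evaluation_order(rules: List[NatRule]) -> List[NatRule]:
    """Section 1 and 3 keep configured order; section 2 is sorted by the ASA."""
    ordered = [r for r in rules if r.section == 1]
    ordered += sorted((r for r in rules if r.section == 2), key=auto_nat_key)
    ordered += [r for r in rules if r.section == 3]
    return ordered


def first_match(rules: List[NatRule], ingress: str, egress: str,
                src: str, dst: str) -> Optional[str]:
    """Name of the first rule the flow hits, or None when no NAT rule applies."""
    for rule in evaluation_order(rules):
        if rule_matches(rule, ingress, egress, src, dst):
            return rule.name
    return None


# Constructed sample values: VPN_Pool and the inside host address are not
# given in the thread and are assumed here.
VPN_POOL = "192.0.2.0/24"
INSIDE_HOST = "10.0.0.10"
VPN_CLIENT = "192.0.2.5"

# Auto NAT entries taken from the thread's "show nat" output (Section 2).
AUTO_NAT = [
    NatRule("Public_Server_static", 2, "DMZ", "outside", "10.168.50.5/32", "0.0.0.0/0", "static"),
    NatRule("inside_dyn_pat", 2, "inside", "outside", "0.0.0.0/0", "0.0.0.0/0", "dynamic"),
]


def vpn_rule(section: int) -> NatRule:
    """The 'source static any any destination static VPN_Pool VPN_Pool' identity rule."""
    return NatRule("vpn_identity", section, "inside", "outside", "0.0.0.0/0", VPN_POOL, "static")


def vpn_rule_hit(section: int) -> Optional[str]:
    """Which rule an inside host talking to a VPN client hits when the VPN
    identity rule is placed in the given section."""
    return first_match(AUTO_NAT + [vpn_rule(section)], "inside", "outside",
                       INSIDE_HOST, VPN_CLIENT)


if __name__ == "__main__":
    print("VPN rule in section 3:", vpn_rule_hit(3))   # inside_dyn_pat shadows it
    print("VPN rule in section 1:", vpn_rule_hit(1))   # vpn_identity
```

With the identity rule in section 3 the model returns the section 2 dynamic PAT, which is exactly the shadowing described above; moving it to section 1 (or moving the dynamic PAT down into section 3 behind it) makes the identity rule the first hit. The same model shows why the auto NAT static for Public_Server is evaluated before the DMZ dynamic PAT: a single static host sorts ahead of a dynamic 0.0.0.0/0 object.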
03-08-2015 08:33 AM
Yes. Post it under section 3. Can you please post your object, acl and NAT configs as it is now?
03-08-2015 08:36 AM
Did you also try moving the NAT statement to section 1 ?
If you did and it is still like that can we have another "sh nat" and if you ran packet-tracer what did it show ?
Have you tried hitting the ASA with a very blunt object :-)
Jon
03-08-2015 05:28 AM
Yes, Public_Server is 10.168.50.5:
object network Public_Server
host 10.168.50.5
I deleted them; currently:
Manual NAT Policies (Section 1)
1 (Guest) to (outside) source dynamic obj_any interface
translate_hits = 45, untranslate_hits = 0
2 (inside) to (outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Public_Server interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Yes, that NAT rule makes internet access for the clients in DMZ.
03-08-2015 05:40 AM
You can ping the web server from the ASA ?
After you deleted the section 3 NAT rules what does a packet-tracer show ?
Jon
03-08-2015 05:45 AM
Yes, of course, I can ping, and also from VPN. The web service also works from VPN and locally. The packet-tracer said the same, the implicit deny catches it:
packet-tracer input outside tcp 8.8.8.8 http OUTIFIP http det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2a1718, priority=1, domain=permit, deny=false
hits=89868, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in OUTIFIP 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad071248, priority=1, domain=nat-per-session, deny=true
hits=1199, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2a23b8, priority=0, domain=permit, deny=true
hits=883, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
03-08-2015 05:51 AM
Okay, try using a section 1 rule for your web server, e.g.
nat (DMZ,outside) source static Public_Server interface service http http
and retest.
Jon
03-08-2015 05:57 AM
Hi Jon
I think we posted that at the same time :-)
03-08-2015 06:03 AM
Hi Andre
Actually I would be interested to see if the changing from www to http works.
I have just asked for the NAT rule to be moved to section 1 but I used http so if it works we won't know whether it was because we moved the rule or because of your suggestion.
Jon