03-14-2015 08:17 AM - edited 03-11-2019 10:38 PM
Hello,
I am trying to configure my ASA firewall to redirect the HTTP port from outside (outside-OVH) to inside (vlan1).
Please find the configuration below:
object network NAT-SERVEUR-HTTP-IN
 nat (VLAN1,outside-OVH) static interface service tcp www www
access-list outside-OVH_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_1 eq www
object-group network DM_INLINE_NETWORK_1
 network-object object NAT-SERVEUR-HTTP-IN
 network-object object SRV-SERVEUR
object network NAT-SERVEUR-HTTP-IN
 host 192.168.1.2
However, I get these logs from ASDM:
3 | Mar 14 2015 | 16:06:12 | 710003 | 80.12.35.21 | 52108 | 109.190.13.144 | 80 | TCP access denied by ACL from 80.12.35.21/52108 to outside-OVH:109.190.13.144/80 |
Can you please help me with it?
Thank you in advance,
Best regards
03-14-2015 11:01 AM
Hi. Can you please provide all your NAT statements... or your entire running config. That will make it easier to troubleshoot.
03-14-2015 11:03 AM
Can you post the output of -
"packet-tracer input outside tcp 8.8.8.8 12345 <public IP of web server> 80"
and
"sh nat"
and also your ASA configuration.
Jon
03-14-2015 11:57 AM
03-14-2015 12:04 PM
I don't understand.
Your NAT output and your running config do not show the static statements in your original post?
Did you remove them?
Anyway, put them back in and change this statement -
nat (VLAN1,outside-OVH) source dynamic NET-VLAN1 interface
to be
nat (VLAN1,outside-OVH) after-auto source dynamic NET-VLAN1 interface
and try again.
Jon
03-14-2015 12:13 PM
Thanks for your reply.
That didn't work either. Please find the new sh run attached.
I get the same error:
3 | Mar 14 2015 | 20:13:10 | 710003 | 80.12.35.21 | 52470 | 109.190.13.144 | 80 | TCP access denied by ACL from 80.12.35.21/52470 to outside-OVH:109.190.13.144/80 |
Indeed, I removed my previous nat for testing.
Arthur
03-14-2015 12:17 PM
Can you do a "sh nat" again and post the output.
And from the CLI can you run the packet-tracer command, I made a mistake on the interface name so -
"packet-tracer input outside-OVH tcp 8.8.8.8 12345 <public IP of web server> 80"
Jon
03-14-2015 12:44 PM
03-14-2015 01:14 PM
The problem is it is not using your static NAT statements which usually means it is matching one of your rules before that.
Although I can't see which rule it would be matching.
Can you try doing a "clear xlate" and retesting.
Jon
03-14-2015 02:29 PM
I sent a "clear xlate" command, but the issue remains the same (syslog ID 710003).
Maybe the issue occurs because I try to NAT outside to inside with the same IP address as the outside-OVH interface?
Arthur
03-15-2015 05:21 AM
Arthur
You mean this line -
nat (outside-OVH,VLAN1) source dynamic any interface destination static NET-VLAN1 NET-VLAN1
Yes, I did wonder whether that was the line that was somehow matching, but as far as I understand it, that should only match if the destination IP were 192.168.1.x, and it won't be.
The incoming packet should have a public IP, the IP of the outside interface.
You can try removing it temporarily to see what effect it has.
Bear in mind that even if it had matched the static PAT statement, it would not then have gone back to the above rule, so you wouldn't have translated all the source IPs (internet IPs) to the inside interface.
Or at least that's my understanding of it.
If you do remove it and it does work, then I really don't understand 8.3 NAT as well as I thought I did :-)
Jon
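For reference, here is an added configuration example (not Arthur's running config and not Jon's exact text) laying out the post-8.3 NAT sections that Jon's two replies above refer to: the inbound static PAT as object NAT, the outbound dynamic PAT moved after-auto, and the ACL written against the real address. Interface names, object names and 192.168.1.2 come from the thread; the NET-VLAN1 subnet and the public IP placeholder are assumptions, and the ACL is simplified to the single server object.

```cisco
! Added example (not the thread's own config): post-8.3 ASA NAT, laid out by the
! section in which the ASA evaluates each rule. Interface and object names and
! 192.168.1.2 are from the thread; the NET-VLAN1 subnet is an assumption.

! Section 2 (object NAT, "auto NAT"): inbound static PAT for the web server.
! An inbound SYN to <outside-OVH interface IP>:80 is untranslated here to
! 192.168.1.2:80 before the interface ACL is checked.
object network NAT-SERVEUR-HTTP-IN
 host 192.168.1.2
 nat (VLAN1,outside-OVH) static interface service tcp www www

! Section 3 (manual NAT, after-auto): outbound PAT for the LAN behind the
! interface IP. Without "after-auto" this rule sits in Section 1 and is
! evaluated before the object NAT above.
object network NET-VLAN1
 subnet 192.168.1.0 255.255.255.0
nat (VLAN1,outside-OVH) after-auto source dynamic NET-VLAN1 interface

! Post-8.3 access lists match the real (untranslated) address, so the
! inbound rule permits tcp/80 to the server object, not to the public IP.
access-list outside-OVH_access_in extended permit tcp any4 object NAT-SERVEUR-HTTP-IN eq www
access-group outside-OVH_access_in in interface outside-OVH

! Verification from the CLI (the same command Jon asked for; the placeholder
! is the public IP of outside-OVH). A working setup shows a NAT phase that
! untranslates the destination to 192.168.1.2/80, followed by an ACCESS-LIST
! phase with Result: ALLOW. Syslog 710003 in the thread means no NAT rule
! untranslated the packet, so the ASA treated it as traffic addressed to the
! firewall itself and denied it.
packet-tracer input outside-OVH tcp 8.8.8.8 12345 <PUBLIC-IP-OF-OUTSIDE-OVH> 80
show nat detail
```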
03-15-2015 06:27 AM
Jon,
I disabled this line:
nat (outside-OVH,VLAN1) 3 source dynamic any interface destination static NET-VLAN1 NET-VLAN1 inactive
But the problem is still here :(
I don't really understand why "TCP access denied by ACL", or at least by which ACL...
However, please keep in mind that my ASA is on version 9.3, not 8.3!
Arthur
03-15-2015 06:34 AM
Yes sorry, I meant post 8.3 NAT which is when it all changed :-)
Your packet-tracer output is talking about an acl but that is because it hasn't matched a NAT rule. It can be a bit misleading in terms of reading it.
What you should see in packet tracer is a specific NAT statement showing the translation but you aren't.
Can you try changing the "any" interface in your static statement to the specific interface and then retest?
Can you also post your running config again as it is now, and I will have another look to see if there is anything obvious I have missed.
Jon
03-15-2015 06:47 AM
03-15-2015 07:13 AM
Is there any traffic going through the ASA at the moment, or is this a downtime period for you?
If there isn't traffic we need to work out where the NAT is failing so can you -
1) run a "sh nat" and save the output
2) straight after that try and connect to the web server
3) run a "sh nat" again
We might be able to see which rule has increased in terms of translations, which would give us a clue as to what is happening.
Jon