03-14-2015 08:17 AM - edited 03-11-2019 10:38 PM
Hello,
I am trying to configure my ASA firewall to redirect the http port from outside (outside-OVH) to inside (vlan1).
Please find here the following configuration:
object network NAT-SERVEUR-HTTP-IN
 nat (VLAN1,outside-OVH) static interface service tcp www www
access-list outside-OVH_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_1 eq www
object-group network DM_INLINE_NETWORK_1
 network-object object NAT-SERVEUR-HTTP-IN
 network-object object SRV-SERVEUR
object network NAT-SERVEUR-HTTP-IN
 host 192.168.1.2
However, I get these logs from ASDM:
3 | Mar 14 2015 | 16:06:12 | 710003 | 80.12.35.21 | 52108 | 109.190.13.144 | 80 | TCP access denied by ACL from 80.12.35.21/52108 to outside-OVH:109.190.13.144/80 |
Can you please help me with it?
Thank you in advance,
Best regards
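The ASDM real-time log row quoted above is pipe-delimited, and the interesting property of a 710003 entry is that the "to" address in the message is the firewall's own outside interface address, not the server behind it. The following is an added example, not code from the post or from Cisco, that parses rows in that format and counts the ACL denies whose destination is an interface address the operator supplies. The sample rows are constructed: the first is the row from the post, the other two are made up to show a repeat and an unrelated message id.

```python
"""Parse ASDM real-time log rows and flag ACL denies aimed at the firewall's own
interface address (message id 710003). Added example; not Cisco code."""
import re
from collections import Counter

# Constructed sample rows in the pipe-delimited ASDM export format seen in the thread.
SAMPLE_ROWS = """\
3 | Mar 14 2015 | 16:06:12 | 710003 | 80.12.35.21 | 52108 | 109.190.13.144 | 80 | TCP access denied by ACL from 80.12.35.21/52108 to outside-OVH:109.190.13.144/80 |
3 | Mar 14 2015 | 16:06:15 | 710003 | 80.12.35.21 | 52109 | 109.190.13.144 | 80 | TCP access denied by ACL from 80.12.35.21/52109 to outside-OVH:109.190.13.144/80 |
6 | Mar 14 2015 | 16:06:20 | 302013 | 192.168.1.50 | 40001 | 8.8.8.8 | 443 | Built outbound TCP connection 12345 for outside-OVH:8.8.8.8/443 (8.8.8.8/443) to VLAN1:192.168.1.50/40001 (109.190.13.144/40001) |
"""

# "... from <src>/<sport> to <interface>:<dst>/<dport>" as it appears in the 710003 text.
DENY_RE = re.compile(r"access denied by ACL from (\S+)/(\d+) to ([^:\s]+):(\S+)/(\d+)")


def parse_row(row):
    """Split one ASDM row into its nine columns; return None for malformed rows."""
    fields = [f.strip() for f in row.strip().strip("|").split("|")]
    if len(fields) < 9:
        return None
    sev, date, time, msg_id, src, sport, dst, dport, text = fields[:9]
    return {"severity": int(sev), "date": date, "time": time, "id": msg_id,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "text": text}


def to_the_box_denies(rows, interface_ips):
    """Count 710003 denies per (interface, address, port) where the denied
    destination is that interface's own address, i.e. the packet was never
    translated to an inside host."""
    hits = Counter()
    for row in rows.splitlines():
        entry = parse_row(row)
        if entry is None or entry["id"] != "710003":
            continue
        m = DENY_RE.search(entry["text"])
        if not m:
            continue
        ifc, dst, port = m.group(3), m.group(4), int(m.group(5))
        if interface_ips.get(ifc) == dst:
            hits[(ifc, dst, port)] += 1
    return hits


if __name__ == "__main__":
    # Interface address taken from the log row in the thread; assumed mapping otherwise.
    for key, count in to_the_box_denies(SAMPLE_ROWS, {"outside-OVH": "109.190.13.144"}).items():
        print(f"{count} denies to {key[0]}:{key[1]}/{key[2]} (firewall's own address)")
```

A non-zero count for the public address on the web port is the condition the thread is chasing: the inbound SYN is being judged against the outside interface's own address instead of being forwarded to 192.168.1.2.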
03-15-2015 07:26 AM
This is a downtime period for me (few servers remain up, but it is not critical traffic).
Please find the first output "shnat1" and the second (after trying) "shnat2".
It seems that we don't match the NAT object from outside to inside traffic on http.
I believe that is not normal... An error in the config?
Arthur
03-15-2015 07:42 AM
Well it looks like it is simply skipping the static NAT in section 2 and going straight to section 3.
Why it's doing that I have no idea :-)
So we can try a couple of things.
Firstly let's move your section 3 dynamic NAT to section 2. Static takes precedence over dynamic so your statics should be used first. I just want to see if section 2 is being used at all.
So replace -
nat (VLAN1,outside-OVH) after-auto source dynamic NET-VLAN1 interface
with this -
object network NET-VLAN1
nat (VLAN1,outside-OVH) dynamic interface
then do a "sh nat" and it should show both the static and dynamic NAT entries in section 2 now.
Record the "sh nat" as before, retest and see what happens.
Jon
03-15-2015 08:02 AM
03-15-2015 08:12 AM
Arthur
We'll hopefully get there in the end :-)
Can you remove the static statement you currently have and add this -
nat (VLAN1,outside-OVH) source static NAT-SERVEUR-HTTP-IN NAT-SERVEUR-HTTP-IN service http http
and do the "sh nat" outputs and retest.
Jon
03-15-2015 08:21 AM
03-15-2015 08:29 AM
Yes we may have to.
Before you do anything else can you run another packet-tracer eg.
"packet-tracer input outside-OVH tcp 8.8.8.8 12345 <public IP> 80"
and post results. I suspect it will show the same but just want to check.
Then can you revert to back to where we were before. So -
1) remove the static NAT statement you just added and put it back as it was in section 2.
2) remove the dynamic NAT from section 2 and move it back to section 3.
then run a "sh nat" and post together with the packet-tracer output.
Then if possible can you save the configuration, reboot the firewall and run the same packet-tracer command again.
I don't like rebooting devices but every now and then it does help.
Apologies for all the messing around but it's not obvious (at least to me) why this isn't working.
Jon
03-15-2015 10:31 AM
03-15-2015 11:00 AM
I cannot see a single thing wrong with your configuration.
The only thing I can suggest, although I am not too hopeful, is to create an entirely new object for the server and try that eg.
object network HTTP-SERVER
host 192.168.1.2
nat (VLAN1,outside-OVH) static interface service tcp http http
Jon
03-15-2015 11:31 AM
It reassures me that I didn't make anything wrong :-)
However that's nice...
I tried to delete and recreate a new HTTP-SERVER object, and I keep having the same issue...
Maybe a bug? I haven't seen a similar issue in the release notes but maybe I can try an update if you think that can help us with this issue?
Arthur
03-15-2015 11:48 AM
It might be a bug but I didn't find any mention of one specific to this in the release notes.
I notice you are running PPPoE and I have never used that but I can't see why that would stop it working.
Also noticed you have other services setup for external access but as you have no static statements I assume they are not working ?
If it was me I would cut the configuration down to a bare minimum just to test ie. no NAT rules that weren't currently in use and an acl that had a line simply for the server.
As far as I can tell the issue is that every "sh nat" has shown your static statement being skipped and it matches the dynamic one instead and I can't understand why it is doing that.
I assume you are testing by accessing from an internet IP but even if there was an issue there the packet tracer output should have shown something and it didn't.
If there is anything else you can think of I'm only too happy to try and work this through with you but I am not seeing what the problem is at the moment.
Jon
03-15-2015 12:17 PM
OK for the RN, that confirms what I read.
PPPoE works fine for other things: I can access the internet from inside, and remote VPN is up and running fine.
For the other services, I tried to configure them but I have the same issue.
Indeed I am testing from a mobile network, and I get a log in RealTime monitoring with syslog id 71003.
I will try to update the firewall and make some tests; maybe the problem can be solved this way. Or maybe other readers have an idea?
I will keep you informed.
Arthur
03-16-2015 12:12 AM
Good day. I am assuming that "shrun3" and "shnat5" are the last changes you made and are the current configurations on your ASA. If so, please see below.
nat (VLAN1,outside-OVH) source static NET-VLAN1 NET-VLAN1 destination static NETWORK_OBJ_10.0.33.0_24 NETWORK_OBJ_10.0.33.0_24 no-proxy-arp route-lookup
object network NET-VLAN1
nat (VLAN1,outside-OVH) dynamic interface
nat (outside-OVH,VLAN1) source dynamic any interface destination static NET-VLAN1 NET-VLAN1 inactive
03-16-2015 03:11 AM
Hi,
Yes you are correct: "shrun3" and "shnat5" are the last changes and are the current configuration on my ASA.
But the issue is from outside to inside on the http port.
Outside:80 ---> Outside-OVH (ASA) ---> NAT to 192.168.1.2:80
KR
03-16-2015 03:28 AM
Can you try this please?
Delete the inactive rule from your config.
Delete this rule from your config - nat (VLAN1,outside-OVH) dynamic interface
Add the after-auto keyword to this rule below.
nat (VLAN1,outside-OVH) source static NET-VLAN1 NET-VLAN1 destination static NETWORK_OBJ_10.0.33.0_24 NETWORK_OBJ_10.0.33.0_24 no-proxy-arp route-lookup
Can you for testing purposes also disable the Split Tunnelling rule?
The issue is that you are applying multiple NAT rules to the 192.168.1.0/24 subnet, and you are also applying a split tunnelling rule to that subnet. So multiple rules can apply to the traffic. By process of elimination we can find out where the problem is.
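Jon's earlier reply and the post above both turn on the order in which the ASA consults its NAT sections: Section 1 (manual NAT) first, then Section 2 (object NAT, where static rules are tried before dynamic ones), then Section 3 (manual NAT with after-auto), with static rules usable in both directions and dynamic rules only from the real side. The following is an added example, not code from the thread or from Cisco, that models that lookup order in Python over a config assembled from the NAT lines posted here. It assumes the interface addresses (109.190.13.144 comes from the log row in the first post; the VLAN1 address is made up), assumes NETWORK_OBJ_10.0.33.0_24 is the 10.0.33.0/24 network, and shows the expected behaviour: the inbound web request should land on the Section 2 static rule before the after-auto dynamic rule is ever considered. It does not reproduce the skipping seen in the thread's "sh nat" outputs.

```python
"""Simplified model of ASA NAT rule selection: Section 1, then Section 2 (static
before dynamic), then Section 3. Static rules match both ways; dynamic rules only
match traffic entering on the real interface. Added illustration, not ASA code."""
import ipaddress

# Addresses the "interface" keyword resolves to (assumed for this example;
# 109.190.13.144 is the public address in the thread's log line).
INTERFACE_IPS = {"outside-OVH": "109.190.13.144", "VLAN1": "192.168.1.1"}
PORTS = {"www": 80, "http": 80}

# Constructed config assembled from the NAT lines discussed in the thread.
CONFIG = """
object network NET-VLAN1
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.33.0_24
 subnet 10.0.33.0 255.255.255.0
object network HTTP-SERVER
 host 192.168.1.2
 nat (VLAN1,outside-OVH) static interface service tcp http http
nat (VLAN1,outside-OVH) source static NET-VLAN1 NET-VLAN1 destination static NETWORK_OBJ_10.0.33.0_24 NETWORK_OBJ_10.0.33.0_24 no-proxy-arp route-lookup
nat (VLAN1,outside-OVH) after-auto source dynamic NET-VLAN1 interface
"""


def parse_config(text):
    """Parse the subset of ASA NAT syntax used in the thread into rule dicts."""
    objects, rules, current = {}, [], None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:2] == ["object", "network"]:
            current = toks[2]
        elif toks[0] == "host":
            objects[current] = ipaddress.ip_network(toks[1])
        elif toks[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{toks[1]}/{toks[2]}")
        elif toks[0] == "nat":
            real_ifc, mapped_ifc = toks[1].strip("()").split(",")
            rest = toks[2:]
            rule = {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "dest": None}
            if rest[0] in ("static", "dynamic"):          # object NAT -> Section 2
                rule.update(section=2, kind=rest[0], name=current,
                            real=objects[current], mapped="interface")
                if "service" in rest:                      # "service tcp <real> <mapped>"
                    rule["mapped_port"] = PORTS[rest[rest.index("service") + 3]]
            else:                                          # twice NAT -> Section 1 or 3
                section = 1
                if rest[0] == "after-auto":
                    section, rest = 3, rest[1:]
                kind, src_real, src_mapped = rest[1], rest[2], rest[3]
                rule.update(section=section, kind=kind, name=f"{src_real}->{src_mapped}",
                            real=objects[src_real],
                            mapped="interface" if src_mapped == "interface" else objects[src_mapped])
                if "destination" in rest:                  # identity destination in the thread
                    rule["dest"] = objects[rest[rest.index("destination") + 2]]
            rules.append(rule)
    return rules


def _matches(rule, ingress, src, dst, dst_port):
    # Forward direction: packet enters on the real interface from a real address.
    if ingress == rule["real_ifc"] and src in rule["real"]:
        if rule["dest"] is None or dst in rule["dest"]:
            return True
    if rule["kind"] != "static":                           # dynamic NAT is one-way
        return False
    # Reverse direction: packet enters on the mapped interface for the mapped address.
    if ingress != rule["mapped_ifc"]:
        return False
    if rule["mapped"] == "interface":
        if dst != ipaddress.ip_address(INTERFACE_IPS[rule["mapped_ifc"]]):
            return False
    elif dst not in rule["mapped"]:
        return False
    if "mapped_port" in rule and dst_port != rule["mapped_port"]:
        return False
    return rule["dest"] is None or src in rule["dest"]


def lookup(rules, ingress, src_ip, dst_ip, dst_port):
    """Return the first rule that matches in ASA section order, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ordered = ([r for r in rules if r["section"] == 1]
               + sorted((r for r in rules if r["section"] == 2),
                        key=lambda r: r["kind"] != "static")   # static first
               + [r for r in rules if r["section"] == 3])
    for rule in ordered:
        if _matches(rule, ingress, src, dst, dst_port):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_config(CONFIG)
    for pkt in [("outside-OVH", "8.8.8.8", "109.190.13.144", 80),   # inbound web request
                ("VLAN1", "192.168.1.50", "10.0.33.7", 445),        # inside host to VPN pool
                ("VLAN1", "192.168.1.50", "8.8.8.8", 443),          # inside host to internet
                ("outside-OVH", "8.8.8.8", "109.190.13.144", 443)]: # no static rule for 443
        r = lookup(rules, *pkt)
        print(pkt, "->", "no match" if r is None else f"Section {r['section']} {r['kind']} {r['name']}")
```

The model mirrors what the "sh nat" outputs in the thread should have shown: the inbound request to the public address on port 80 is claimed by the Section 2 static object rule, while traffic from the inside to the internet falls through to the Section 3 after-auto dynamic rule, and an inbound connection to a port with no static rule matches nothing because the dynamic rule is never consulted in the reverse direction.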
03-16-2015 11:31 AM
I tried this, but the issue remains the same.
Please find attached the config that I tested, the sh nat result, and the logs received on the ASDM.
However, I added the following after my test:
object network NET-VLAN1
nat (VLAN1,outside-OVH) dynamic interface
Because without that I can't use the internet access from VLAN 1.
Arthur