09-25-2019 04:27 AM - edited 02-21-2020 09:31 AM
Hi all,
I need help with Port Forwarding. It's working but only when I also include the original port on the outside access. I have a server inside listening on port 443. I want outside clients to connect using port 50443. I can connect on port 50443 only when I ALSO have port 443 included in my Outside Interface ACL. How can I block port 443 access from the outside and allow 443 access to my server only via outside port 50443?
[code]
! Service objects: for a static NAT with 'service', the object's SOURCE port is the
! port that gets translated (real port on the server vs. mapped port on the outside)
object service LOCAL-HTTPS
 service tcp source eq https
object service REMOTE-50443
 service tcp source eq 50443
! Inbound ACL on the ISP interface
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
! ^ once this ACE is disabled, inbound on 50443 does NOT work
! Identity NAT that fixed the earlier RPF errors
nat (INSIDE,ISP) source static any any destination static obj-MY_Server obj-MY_Server
! Static PAT: server port 443 (LOCAL-HTTPS) is mapped to port 50443 (REMOTE-50443) on the ISP interface address
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
access-group INSIDE_access_in_1 in interface INSIDE control-plane
access-group INSIDE_access_in in interface INSIDE
access-group ISP_access_in_1 in interface ISP control-plane
access-group ISP_access_in in interface ISP
[/code]
I think that includes all relevant code. The first NAT statement fixed my first problem, which was with RPF errors.
Thanks in advance
09-25-2019 05:26 AM
09-25-2019 06:33 AM
As I said, once I put in the (mandatory) rule
[code]
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
[/code]
I can indeed access the server via port 443.
Yes, obj-MY_Server has a private 10.x.x.x address.
But this is NOT what I want. I want to hide the server from the Internet. I want the external user to connect with
https://MY_Server:50443
Without the following
[code]
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443
[/code]
I could not connect with port 50443 at all. And with this ACL ONLY, I could also not connect.
So I want to allow only incoming connections on port 50443 and BLOCK 443.
09-25-2019 07:01 AM
09-25-2019 07:34 AM
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
[/code]
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.yy/50443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ISP_access_in in interface ISP control-plane
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
access-list ISP_access_in remark Remote Server Access
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
Additional Information:
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map INSIDE-class
match access-list INSIDE_mpc
policy-map INSIDE-policy
class INSIDE-class
police input 5000000 2500 conform-action transmit exceed-action transmit
police output 5000000 2500 conform-action transmit exceed-action transmit
service-policy INSIDE-policy interface INSIDE
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3238152, packet dispatched to next module
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
[/code]
HOWEVER, if I disable the rule:
[code]
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https inactive
[/code]
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xx/50443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
[/code]
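The behaviour the two traces above walk through, as an added example that is not part of this thread: a small Python model of the ASA 8.3+ inbound pipeline, in which Phase 1 (UN-NAT) rewrites the mapped address and port to the real ones and Phase 2 (ACCESS-LIST) is then evaluated against that real address and real port. The addresses 10.10.0.10 and 88.148.0.1 are assumed stand-ins for the redacted 10.10.xx.xx and 88.148.xx.xx, and the ACE names are illustrative labels, not ASA syntax.

```python
# Added example (not from the original post): model of ASA 8.3+ inbound processing
# for a static PAT with port translation. UN-NAT runs first, then the interface
# ACL is matched on the REAL destination address and REAL port.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class StaticPat:
    """One 'nat (INSIDE,ISP) source static ... service REAL MAPPED' rule."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Ace:
    """One 'access-list ... permit tcp any <dst> eq <port>' entry. On ASA 8.3+
    the destination is the real (untranslated) address and port."""
    name: str
    dst_ip: str
    dst_port: int
    active: bool = True


SERVER_REAL = "10.10.0.10"     # assumed stand-in for obj-MY_Server (10.10.xx.xx)
ISP_INTERFACE = "88.148.0.1"   # assumed stand-in for the ISP interface address

# The only translation in play: outside 50443 -> server 443 (LOCAL-HTTPS/REMOTE-50443)
NAT_TABLE = (StaticPat(SERVER_REAL, 443, ISP_INTERFACE, 50443),)


def un_nat(dst_ip: str, dst_port: int, nat_table=NAT_TABLE) -> Optional[Tuple[str, int]]:
    """Phase 1: the real (ip, port) behind a mapped destination, or None if no
    NAT rule covers that destination."""
    for rule in nat_table:
        if (dst_ip, dst_port) == (rule.mapped_ip, rule.mapped_port):
            return (rule.real_ip, rule.real_port)
    return None


def inbound_decision(dst_ip: str, dst_port: int, acl, nat_table=NAT_TABLE,
                     interface_ip: str = ISP_INTERFACE) -> Tuple[str, str]:
    """('allow', matched ACE name) or ('drop', drop reason) for a packet that
    arrives on the outside interface with the given destination."""
    real = un_nat(dst_ip, dst_port, nat_table)
    if real is None:
        if dst_ip == interface_ip:
            # A port on the interface's own PAT address with no static PAT behind
            # it has nothing to untranslate to; the ASA drops before any ACL check.
            return ("drop", "nat-no-xlate-to-pat-pool")
        real = (dst_ip, dst_port)          # routed traffic, no translation
    for ace in acl:                        # Phase 2: first active match wins
        if ace.active and (ace.dst_ip, ace.dst_port) == real:
            return ("allow", ace.name)
    return ("drop", "acl-drop")            # implicit deny at the end of the ACL


def required_ace(rule: StaticPat) -> str:
    """The ACE that permits a port-forward on ASA 8.3+: it names the real host
    and the REAL port, not the mapped port clients connect to."""
    return (f"access-list ISP_access_in extended permit tcp any "
            f"host {rule.real_ip} eq {rule.real_port}")


def reproduce_thread() -> dict:
    """Re-run the situations traced in this thread and return each verdict."""
    ace_50443 = Ace("permit eq 50443", SERVER_REAL, 50443)
    ace_https = Ace("permit eq https", SERVER_REAL, 443)
    both = [ace_50443, ace_https]
    https_inactive = [ace_50443, Ace("permit eq https", SERVER_REAL, 443, active=False)]
    only_https = [Ace("permit eq 50443", SERVER_REAL, 50443, active=False), ace_https]
    return {
        "outside:443, both ACEs": inbound_decision(ISP_INTERFACE, 443, both),
        "outside:50443, both ACEs": inbound_decision(ISP_INTERFACE, 50443, both),
        "outside:50443, https inactive": inbound_decision(ISP_INTERFACE, 50443, https_inactive),
        "outside:50443, 50443 inactive": inbound_decision(ISP_INTERFACE, 50443, only_https),
    }


if __name__ == "__main__":
    for case, verdict in reproduce_thread().items():
        print(f"{case:32} -> {verdict}")
    print(required_ace(NAT_TABLE[0]))
```

In the model, as in the traces, the `eq 50443` entry never matches anything: by the time the ACL is consulted the destination port is already the real 443, so the only line that permits the forward is the one naming the real port. Outside port 443 on the interface address has no translation behind it and is dropped by NAT before the ACL is reached at all, so no extra deny entry is needed to keep it closed.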
09-25-2019 08:21 AM
09-25-2019 08:52 AM
Unfortunately that's not entirely true.
Both Rules active = Access to Server on BOTH ports
443 Only inactive = NO Access to Server on BOTH ports
50443 Only inactive = Access to Server on BOTH ports
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xx/52443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ISP_access_in in interface ISP-NEXT control-plane
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
access-list ISP_access_in remark Remote Server Access
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
Additional Information:
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map INSIDE-class
match access-list INSIDE_mpc
policy-map INSIDE-policy
class INSIDE-class
police input 5000000 2500 conform-action transmit exceed-action transmit
police output 5000000 2500 conform-action transmit exceed-action transmit
service-policy INSIDE-policy interface INSIDE
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3260732, packet dispatched to next module
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
[/code]
09-25-2019 09:06 AM
09-25-2019 10:22 AM
[code]
ASA5505# packet-tracer input ISP-NEXT tcp 1.1.1.1 1234 88.148.xx.xx 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
ASA5505# sh runn | incl inactive
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https inactive
[/code]
I test access from Chrome from my office and from my house.
09-25-2019 04:27 PM
09-26-2019 03:21 AM
Thanks again for all your efforts to get this working. Your assistance is greatly appreciated.
I can confirm that I do NOT use a VPN
So with the 443 rule inactive, here are the results:
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xxx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xx/50443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
[/code]
09-26-2019 03:36 AM
09-26-2019 09:18 AM
Sorry
[code]
ASA5505# sh runn | incl inactive
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443 inactive
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xxx/52443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ISP_access_in in interface ISP control-plane
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
access-list ISP_access_in remark Remote Server Access
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
Additional Information:
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map INSIDE-class
match access-list INSIDE_mpc
policy-map INSIDE-policy
class INSIDE-class
police input 5000000 2500 conform-action transmit exceed-action transmit
police output 5000000 2500 conform-action transmit exceed-action transmit
service-policy INSIDE-policy interface INSIDE
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3476816, packet dispatched to next module
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
[/code]
09-26-2019 07:38 PM
09-27-2019 06:21 AM
It appears, therefore, that what is happening from the packet-tracer perspective is different from reality.
Maybe I could PM you the public IP address so you can try it yourself?
Once the rule for port 443 was disabled, the server wasn't accessible on port 50443.