09-25-2019 04:27 AM - edited 02-21-2020 09:31 AM
Hi all,
I need help with Port Forwarding. It's working but only when I also include the original port on the outside access. I have a server inside listening on port 443. I want outside clients to connect using port 50443. I can connect on port 50443 only when I ALSO have port 443 included in my Outside Interface ACL. How can I block port 443 access from the outside and allow 443 access to my server only via outside port 50443?
[code]
object service LOCAL-HTTPS
service tcp source eq https
object service REMOTE-50443
service tcp source eq 50443
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https **** Once Disabled, Inbound on 50443 does NOT work ****
nat (INSIDE,ISP) source static any any destination static obj-MY_Server obj-MY_Server
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
access-group INSIDE_access_in_1 in interface INSIDE control-plane
access-group INSIDE_access_in in interface INSIDE
access-group ISP_access_in_1 in interface ISP control-plane
access-group ISP_access_in in interface ISP
[/code]
I think that includes all relevant code. The first NAT statement fixed my first problem, which was with RPF errors.
Thanks in advance
09-25-2019 05:26 AM
09-25-2019 06:33 AM
As I said, once I put the (mandatory) rule
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
I can indeed access the server via port 443
yes, obj-MY_Server has a private 10.x.x.x address
But this is NOT what I want. I want to hide the server from the Internet. I want the external user to connect with
https://MY_Server:50443
Without the following
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443
I could not connect with port 50443 at all. And with this ACL ONLY, I could also not connect.
So I want to allow connections only incoming on port 50443 and BLOCKING 443
09-25-2019 07:01 AM
09-25-2019 07:34 AM
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
[/code]
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.yy/50443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ISP_access_in in interface ISP control-plane
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
access-list ISP_access_in remark Remote Server Access
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
Additional Information:
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map INSIDE-class
match access-list INSIDE_mpc
policy-map INSIDE-policy
class INSIDE-class
police input 5000000 2500 conform-action transmit exceed-action transmit
police output 5000000 2500 conform-action transmit exceed-action transmit
service-policy INSIDE-policy interface INSIDE
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3238152, packet dispatched to next module
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
[/code]
HOWEVER
If I disable the rule - access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https inactive
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xx/50443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
[/code]
09-25-2019 08:21 AM
09-25-2019 08:52 AM
Unfortunately that's not entirely true.
Both Rules active = Access to Server on BOTH ports
443 Only inactive = NO Access to Server on BOTH ports
50443 Only inactive = Access to Server on BOTH ports
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xx/52443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ISP_access_in in interface ISP-NEXT control-plane
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
access-list ISP_access_in remark Remote Server Access
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
Additional Information:
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map INSIDE-class
match access-list INSIDE_mpc
policy-map INSIDE-policy
class INSIDE-class
police input 5000000 2500 conform-action transmit exceed-action transmit
police output 5000000 2500 conform-action transmit exceed-action transmit
service-policy INSIDE-policy interface INSIDE
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3260732, packet dispatched to next module
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
[/code]
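The three scenarios listed above line up with the packet-tracer output once the ASA 8.3+ order of operations is kept in mind: the UN-NAT phase runs first and rewrites the mapped address/port (88.148.xx.xx/50443) to the real server address/port (10.10.xx.xx/443), and only then is the inbound interface ACL evaluated, against the REAL destination and port. The following Python is an added, deliberately simplified model of that ordering written for this page; it is not Cisco code, and the two addresses in it are constructed placeholders standing in for the thread's masked public and private IPs. It reproduces the verdicts the packet-tracer runs show (443 on the outside address dropped with nat-no-xlate-to-pat-pool, 50443 allowed only while the `eq https` ACE is active) and makes visible why the `eq 50443` ACE can never match: by the time the ACL is consulted the destination port is already 443.

```python
"""Toy model of the ASA 8.3+ inbound packet path relevant to this thread.

Order of operations modelled (constructed example, not ASA code):
  1. UN-NAT   - static PAT lookup on the MAPPED address/port
  2. ACL      - inbound interface ACL matched on the REAL address/port
"""
from dataclasses import dataclass

# Constructed placeholders for the thread's masked 88.148.xx.xx (ISP interface)
# and 10.10.xx.xx (obj-MY_Server). TEST-NET-3 and RFC 1918 space, not real hosts.
OUTSIDE_IP = "203.0.113.10"
SERVER_IP = "10.10.0.20"


@dataclass(frozen=True)
class StaticPat:
    """Models: nat (INSIDE,ISP) source static obj-MY_Server interface
    service LOCAL-HTTPS REMOTE-50443  (real 443 <-> mapped 50443)."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Ace:
    """One 'access-list ISP_access_in extended permit tcp any object X eq N'."""
    dst_ip: str
    dst_port: int
    active: bool = True  # False models the 'inactive' keyword


def un_nat(rule: StaticPat, dst_ip: str, dst_port: int):
    """Phase UN-NAT: return (real_ip, real_port) if an xlate matches, else None."""
    if dst_ip == rule.mapped_ip and dst_port == rule.mapped_port:
        return rule.real_ip, rule.real_port
    return None


def acl_permits(aces, dst_ip: str, dst_port: int) -> bool:
    """Phase ACCESS-LIST: first active ACE whose REAL dst ip/port matches wins.
    Anything unmatched hits the implicit deny."""
    return any(a.active and a.dst_ip == dst_ip and a.dst_port == dst_port
               for a in aces)


def trace(rule: StaticPat, aces, dst_ip: str, dst_port: int):
    """Packet-tracer style verdict for an inbound TCP SYN arriving on ISP."""
    real = un_nat(rule, dst_ip, dst_port)
    if real is None:
        # Aimed at the interface address with no matching xlate: dropped
        # before the ACL is ever consulted, as the 443 traces in the thread show.
        return "drop", "nat-no-xlate-to-pat-pool"
    real_ip, real_port = real
    if not acl_permits(aces, real_ip, real_port):
        return "drop", "acl-drop"
    return "allow", f"{real_ip}/{real_port}"


def scenarios():
    """Run the three ACE combinations from the post against both outside ports."""
    rule = StaticPat(SERVER_IP, 443, OUTSIDE_IP, 50443)
    results = {}
    for name, https_active, p50443_active in [
        ("both active", True, True),
        ("443 inactive", False, True),
        ("50443 inactive", True, False),
    ]:
        aces = [Ace(SERVER_IP, 443, https_active),      # ... eq https
                Ace(SERVER_IP, 50443, p50443_active)]   # ... eq 50443
        results[name] = {port: trace(rule, aces, OUTSIDE_IP, port)
                         for port in (443, 50443)}
    return results


if __name__ == "__main__":
    for name, verdicts in scenarios().items():
        for port, (action, detail) in verdicts.items():
            print(f"{name:15} outside:{port:<6} -> {action:5} {detail}")
```

The model says nothing about the browser tests in the thread; it only shows the firewall-side logic the packet-tracer reports. The practical reading for a defender is that the `eq https` ACE on the real address is the one doing the work, the `eq 50443` ACE is dead configuration, and exposure of port 443 on the outside address is already prevented by the absence of any xlate for it rather than by an ACL.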
09-25-2019 09:06 AM
09-25-2019 10:22 AM
[code]
ASA5505# packet-tracer input ISP-NEXT tcp 1.1.1.1 1234 88.148.xx.xx 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
ASA5505# sh runn | incl inactive
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https inactive
[/code]
I test access from Chrome from my office and from my house
09-25-2019 04:27 PM
09-26-2019 03:21 AM
Thanks again for all your efforts to get this working. Your assistance is greatly appreciated.
I can confirm that I do NOT use a VPN
So with the 443 rule inactive, here are the results
[code]
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xxx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xx/50443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
[/code]
09-26-2019 03:36 AM
09-26-2019 09:18 AM
Sorry
[code]
ASA5505# sh runn | incl inactive
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443 inactive
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xxx/52443 to 10.10.xx.xx/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ISP_access_in in interface ISP control-plane
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
access-list ISP_access_in remark Remote Server Access
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
Additional Information:
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map INSIDE-class
match access-list INSIDE_mpc
policy-map INSIDE-policy
class INSIDE-class
police input 5000000 2500 conform-action transmit exceed-action transmit
police output 5000000 2500 conform-action transmit exceed-action transmit
service-policy INSIDE-policy interface INSIDE
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3476816, packet dispatched to next module
Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
[/code]
09-26-2019 07:38 PM
09-27-2019 06:21 AM
It appears therefore that what is happening from the packet-tracer perspective is different to reality.
Maybe I could PM you with the public IP Address to try it yourself?
Once the rule for port 443 was disabled, the server wasn't accessible on port 50443.