03-12-2018 08:25 PM - edited 02-21-2020 07:30 AM
Hi everyone,
I am a junior network admin and I am tasked with configuring our office ASA 5506-X so that one of the IPs in our public IP range points to our webserver's internal IP, which would allow users to access the website from the outside world. The problem is that the following configuration (I will post it below) worked before, but when we switched to a new ISP, and therefore to a new public IP block, and changed the public IP representing the website on the outside world, the webpage times out and nothing comes up. Locally, we can access the webserver by adding port 8080 to it: http://10.10.1.30:8080, but nothing is displayed on the outside network. Note that when we remove the :8080 and just type the following locally, it doesn't go through either: http://10.10.1.30. TIMES OUT...
Note: the old public IP was 111.111.222.226, 255.255.255.224; the new public IP selected within the IP block is 222.222.222.228, 255.255.255.224; the internal webserver IP is 10.10.1.30.
Previous config that worked with the old public IP pointing to the local webserver box and IP:
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network webserver-external-ip
host 111.111.222.226
object network webserver-internal-ip
host 10.10.1.30
!
object network internal-subnet
subnet 10.10.1.30 255.255.255.0
object-group network company-HQ
network-object 111.111.222.224 255.255.255.224
!
access-list outside-in remark Allow traffic from public IP to companysite.com
access-list outside-in extended permit tcp any object webserver-internal-ip eq www
access-list outside-in remark Allow traffic from public IP to companysite.com
access-list outside-in extended permit tcp any object webserver-internal-ip eq https
access-list outside-in remark Test ICMP (ping) from inside to outside
access-list outside-in extended deny ip any any
access-list inside-in extended permit ip any any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
nat (inside,outside) source static internal-subnet internal-subnet destination static xxx xxx no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside-in in interface outside
So, when we got a new IP block from the same ISP provider, we selected one usable IP within the block and replaced the host in the object network webserver-external-ip with the new IP, as such:
object-group network company-HQ
network-object 222.222.222.226 255.255.255.224
object network webserver-external-ip
host 222.222.222.228
After I did that, I thought things would keep working as before, but no luck! The website is down. The new public IP was updated with the domain registrar as well.
All help will be greatly appreciated, please! I hope I explained clearly; if not, please let me know.
03-12-2018 09:24 PM - edited 03-12-2018 09:25 PM
Hello,
3 things to rule out the issue:
1. take a packet-tracer output to verify if the NAT and access rule is in effect:
packet-tracer input outside tcp 4.2.2.2 3344 222.222.222.228 80 detail
2. take a packet-capture on outside interface:
capture capo interface outside match tcp any host 222.222.222.228
show cap capo
3. Are you able to access the website just by the IP address and not the name? If not, then the routing of the IP address is a concern, which the ISP might be able to help with.
Please attach syslogs in addition to the above outputs so we can analyze them.
HTH
AJ
03-13-2018 06:20 AM - edited 03-13-2018 07:46 AM
Hi Ajay,
these are the outputs for the specified commands:
asa# packet-tracer input outside tcp 4.2.2.2 3344 222.222.222.228 80 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 222.222.222.228 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed22b14c50, priority=111, domain=permit, deny=true
hits=769, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=outside
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
2) For the below command, nothing displays, nothing came up after running the command:
asa# capture capo interface outside match tcp any host 222.222.222.228
asa#
3)
asa# show cap capo
0 packet captured
0 packet shown
4) I am not able to access the website either by the IP address or by name. I will contact the ISP and ask them about the routing of that specific IP.
From the first command you advised me to run, I noticed that there is a drop, and it looks like something is being blocked. I am not sure what.
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed22b14c50, priority=111, domain=permit, deny=true
hits=769, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=outside
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
I am not sure how to interpret this in depth.
Thanks for your quick response and help.
To add to the above findings: I initiated another capture and I have the following:
asa# show cap capo
1: 10:19:37.360516 4.2.2.2.3344 > 222.222.222.228.80: S 376539812:376539812(0) win 8192
2: 10:21:48.221485 4.2.2.2.3344 > 222.222.222.228.80: S 1503435714:1503435714(0) win 8192
3: 10:21:57.814548 4.2.2.2.3344 > 222.222.222.228.80: S 1603185936:1603185936(0) win 8192
4: 10:23:17.618803 4.2.2.2.3344 > 222.222.222.228.80: S 2107421198:2107421198(0) win 8192
5: 10:34:28.315123 4.2.2.2.3344 > 222.222.222.228.80: S 1696172604:1696172604(0) win 8192
6: 10:35:09.930554 4.2.2.2.3344 > 222.222.222.228.80: S 443932954:443932954(0) win 8192
7: 10:36:39.636655 4.2.2.2.3344 > 222.222.222.228.80: S 1041436200:1041436200(0) win 8192
03-13-2018 07:41 AM
Strange, we don't see the NAT being hit for incoming traffic. Could you please share the NAT statement for the server in question? Also, let's make sure there is no other NAT higher in order related to the same public IP address or real IP address.
sh xlate | in 10.10.1.30
Also, can you try to add the NAT statement in the manual NAT section?
-
HTH
AJ
03-13-2018 08:09 AM
This is the NAT for the server:
object network webserver-internal-ip
nat (inside,outside) static webserver-external-ip service tcp www www
This NAT is no longer in the ASA config, and every time I add it, then save the config and do a sh run, it's still not within the config table.
Not sure why!
I realized that there is another NAT that could be the problem. When I try to remove that, it says the following:
asa(config)# object network webserver-external-ip
asa(config-network-object)# no nat (inside,outside) static webserver-internal-ip service tcp www 8080
ERROR: NAT configuration not found for object webserver-external-ip
The show xlate for the internal server IP:
asa# show xlate | in 10.10.1.30
TCP PAT from inside:222.222.222.228 80-80 to outside:10.10.1.30 8080-8080
It is strange because it is considering the public IP as the inside IP and the local server IP the outside IP..
I think the above NAT is what is causing the show xlate | in 10.10.1.30 to display the TCP PAT above...
03-13-2018 08:55 AM - edited 03-13-2018 10:26 AM
Manual NAT:
show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static internal-network destination static Mount_Pearl Mount_Pearl no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static webserver-external-ip webserver-internal-ip service tcp www 8080
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 42769, untranslate_hits = 50
Manual NAT Policies (Section 3)
1 (visitors) to (outside) source dynamic any interface
translate_hits = 4395535, untranslate_hits = 28531
2 (inside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
.... I am still trying to rearrange the NAT policies...
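A check for the reversed rule visible in Section 2 of the output above, where the public address sits in the real (inside) position; this is an added example, not part of the original thread. The object values are copied from the thread, and the function name and output fields are hypothetical.

```python
import ipaddress
import re

# Constructed from values in the thread: the two host objects and the
# Section 2 lines of the "show nat" output.
OBJECTS = {
    "webserver-external-ip": "222.222.222.228",
    "webserver-internal-ip": "10.10.1.30",
}
SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static webserver-external-ip webserver-internal-ip service tcp www 8080
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 42769, untranslate_hits = 50
"""

# "<n> (<real_ifc>) to (<mapped_ifc>) source static <real_obj> <mapped_obj>"
RULE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source static (\S+) (\S+)")


def reversed_static_rules(show_nat, objects, inside_ifcs=("inside",)):
    """Return static rules whose real address is public and mapped is private.

    On a rule listed as (inside) to (outside), the first object after
    "source static" is the real (inside) host and the second is the address
    presented outside, so a public real address with a private mapped one
    means the NAT was attached to the wrong object.
    """
    findings = []
    section = None
    for raw in show_nat.splitlines():
        line = raw.strip()
        if "NAT Policies" in line:
            section = line
            continue
        m = RULE.match(line)
        if not m or m.group(2) not in inside_ifcs:
            continue
        real, mapped = m.group(4), m.group(5)
        if real not in objects or mapped not in objects:
            continue  # unknown object, or a keyword such as "destination"
        real_ip = ipaddress.ip_address(objects[real])
        mapped_ip = ipaddress.ip_address(objects[mapped])
        if not real_ip.is_private and mapped_ip.is_private:
            findings.append({"section": section, "rule": int(m.group(1)),
                             "real": real, "mapped": mapped})
    return findings


if __name__ == "__main__":
    for finding in reversed_static_rules(SHOW_NAT, OBJECTS):
        print(finding)
```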
03-13-2018 10:20 AM
I thought I would post the following so you guys can review it:
1) show packet-tracer....
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed23a082f0, priority=13, domain=capture, deny=false
hits=9313059, user_data=0x7fed23a31f00, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed22b11860, priority=1, domain=permit, deny=false
hits=140382464, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network webserver-internal-ip
nat (inside,outside) static webserver-external-ip service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 222.222.222.228/80 to 10.10.1.30/80
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any object webserver-internal-ip eq www
access-list outside-in remark Allow traffic from public IP to companysite.com website
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed22be9ad0, priority=13, domain=permit, deny=false
hits=74, user_data=0x7fed1cd183c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.10.1.30, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed220a38a0, priority=0, domain=nat-per-session, deny=false
hits=2499493, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed22b19d20, priority=0, domain=inspect-ip-options, deny=true
hits=5104929, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fed232d5cb0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=50394, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network webserver-internal-ip
nat (inside,outside) static webserver-external-ip service tcp www www
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fed22cdade0, priority=6, domain=nat-reverse, deny=false
hits=32, user_data=0x7fed2331bc10, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.10.1.30, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fed220a38a0, priority=0, domain=nat-per-session, deny=false
hits=2499495, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fed22b74560, priority=0, domain=inspect-ip-options, deny=true
hits=708338, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5139763, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Thanks!
2) ASA# show capture capo
03-13-2018 09:19 PM
The last packet-tracer output looks good. Is it still not working?
Also, you mentioned that port 80 does not work from the inside either. Could you try configuring the NAT with port 80 on the public IP address and port 8080 for the real server?
HTH
AJ
03-15-2018 06:08 AM
03-15-2018 11:49 AM
I figured it out!
The issue was the web server box itself.
I am up and running.
Thanks for your feedback Ajay!
03-17-2018 10:53 PM
That's great. Happy to help!
Please rate/mark answers as solution if it helped.
-AJ