08-16-2013 12:59 PM - edited 03-11-2019 07:26 PM
Once again I find myself struggling with NAT and ACLs on a 5505. I am unable to access our new webserver in the DMZ.
The server can ping the DMZ interface of the 5505, but that's it. I've tried allowing ICMP in to it from the outside to test, but I think I'm making a bigger mess of it each time. I've been reading and reading and trying different things, including following Cisco's example for 9.1 but nothing has worked.
ASA Version 8.4(1)
object network LOCALSQL
host 192.168.1.2
object network DMZ-Webserver-Public-IP
host 43.114.152.57
object network dmz-subnet
subnet 192.18.36.0 255.255.255.0
object network webserver
host 192.18.36.57
object-group network DM_INLINE_NETWORK_16
network-object object DMZ-Webserver-Public-IP
network-object object webserver
object-group network DM_INLINE_NETWORK_18
network-object object DMZ-Webserver-Public-IP
network-object object webserver
object-group network DM_INLINE_NETWORK_19
network-object object DMZ-Webserver-Public-IP
network-object object webserver
object-group network DM_INLINE_NETWORK_20
network-object object DMZ-Webserver-Public-IP
access-list outside_acl extended permit tcp any object webserver eq www
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 any object-group DM_INLINE_NETWORK_19
access-list DMZ_access_in extended permit tcp any object-group DM_INLINE_NETWORK_20 object-group Web_Services
access-list DMZ_access_in extended permit ip any object webserver
access-list dmz_acl extended permit ip any any
access-list dmz_acl extended deny ip any object Inside_LAN
access-list dmz_acl extended permit object SQL-Server any object LOCALSQL
access-list outside_in extended permit tcp object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_17 object-group DM_INLINE_TCP_2
access-list outside_in extended permit icmp any object DMZ-Webserver-Public-IP
access-list outside_in extended permit object-group DM_INLINE_SERVICE_3 any object-group DM_INLINE_NETWORK_18
access-list outside_in extended permit tcp any object-group DM_INLINE_NETWORK_16 object-group Web_Services
object network dmz-subnet
nat (DMZ,outside) dynamic interface
object network webserver
nat (DMZ,outside) static DMZ-Webserver-Public-IP service tcp www www
access-group outbound in interface inside
access-group outside_acl in interface outside
access-group DMZ_access_in in interface DMZ
08-16-2013 01:04 PM
Hi,
You can try using the "packet-tracer" command to confirm that the ASA configurations are correct.
It might even be that it's not matching the correct NAT rule.
packet-tracer input outside tcp 8.8.8.8 12345 43.114.152.57 80
Post the output of the command.
- Jouni
08-16-2013 01:58 PM
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network webserver
nat (DMZ,outside) static DMZ-Webserver-Public-IP service tcp www www
Additional Information:
NAT divert to egress interface DMZ
Untranslate 43.114.152.57/80 to 192.18.36.157/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_acl in interface outside
access-list outside_acl extended permit tcp any object webserver object-group DM_INLINE_TCP_3 log debugging
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network webserver
nat (DMZ,outside) static DMZ-Webserver-Public-IP service tcp www www
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4953608, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
Everything here seems to check out, but I cannot access the website from the outside world, yet when I connect from (inside) 192.18.36.14 on VLAN10 to (DMZ) 192.18.36.157 on VLAN10, I can see the website with no problems, where 192.18.36.157 is the internal web server IP.
08-16-2013 07:25 PM
Jouni,
This came up in the log when I was attempting to connect:
2 Aug 16 2013 22:15:49 24.208.153.185 64024 43.114.152.57 443 Inbound TCP connection denied from 24.208.153.185/64024 to 43.114.152.57/443 flags SYN on interface outside
08-16-2013 11:20 PM
Hello Brad,
You are trying to connect to port 443 (Inbound TCP connection denied from 24.208.153.185/64024 to 43.114.152.57/443 flags SYN on interface outside).
Make sure you have the NAT statement for that as well on your ASA, as in the configuration I can only see it for the web service HTTP TCP/80, and that you allowed it on the ACL on the outside interface.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
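What Julio's point looks like in ASA 8.4 object NAT, as an added example rather than config from Brad's firewall or from either reply: a network object can carry only one nat statement, so a port-limited static NAT for 443 needs a second object pointing at the same DMZ host (assumed here to be 192.18.36.157, the address the packet-tracer output untranslates to), followed by Jouni's packet-tracer check run for 443. The object name webserver-https is assumed.

```cisco
! Existing rule from the thread: only TCP/80 is translated, so a SYN to
! 43.114.152.57:443 never matches a NAT entry and is dropped on the outside
! interface (%ASA-4-106001 "Inbound TCP connection denied").
object network webserver
 host 192.18.36.157
 nat (DMZ,outside) static DMZ-Webserver-Public-IP service tcp www www
!
! Added object (name assumed): same DMZ host, second port-limited static NAT.
! Keeping the "service" keyword restricts the translation to 443 only instead
! of exposing every port of the host behind the public address.
object network webserver-https
 host 192.18.36.157
 nat (DMZ,outside) static DMZ-Webserver-Public-IP service tcp https https
!
! The outside ACL is evaluated after UN-NAT, so it must permit the real
! address (object webserver), not the public one, on the new port as well.
access-list outside_acl extended permit tcp any object webserver eq https
!
! Verify: phase 1 (UN-NAT) should now list webserver-https for port 443,
! and the 106001 denies for :443 should stop appearing in the log.
packet-tracer input outside tcp 8.8.8.8 12345 43.114.152.57 443
show nat detail
show logging | include 106001
```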