Cannot get web traffic destined for port on internal host to connect

cisco24seven · ‎09-20-2011

I have application that Internet users will connect to on port 5008 that is behind my ASA on the internal LAN. I have added the following lines to the config but I still cannot connect:

static (inside,outside) udp <outside_ip> 5008 192.168.5.xx 5008 netmask 255.255.255.255

access-list outside_access_in extended permit udp any host <outside_ip> eq 5008

Since they did not work I removed them. Below is my config. Also I have the inside interface and the DMZ interface on the same subnet, shouldn't they be completely different? Thanks

ASA Version 8.2(1) 
!
hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.75.254 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 192.168.75.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxxxxxxxxxxxxxx
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www 
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433 
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0 
access-list DMZtoInside extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (management) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx www 192.168.75.5 www netmask 255.255.255.255 
static (DMZ,outside) tcp xxx.xxx.xxx.xxx https 192.168.75.5 https netmask 255.255.255.255 
static (inside,DMZ) 192.168.5.xx 192.168.5.xx netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group DMZtoInside in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.5.xx 255.255.255.255 172.16.75.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e6f986d4427504d675bb1ca51a815345
: end
no asdm history enable

------------------------
Switch port config below
------------------------

interface FastEthernet0/15
 switchport access vlan 15
 switchport mode dynamic desirable <---I need to change to switchport mode access to secure, forgot!


interface Vlan15
 ip address 172.16.75.253 255.255.255.0


ip route 192.168.75.0 255.255.255.0 172.16.75.254

Maykol Rojas · ‎09-20-2011

Hello,

On your configuration we cannot see the lines that you put, Can you put them back again and put get the output of the following command,

packet-tracer input outside udp 4.2.2.2 1025 5008

Also, captures would work to help us sort this out

https://supportforums.cisco.com/docs/DOC-1222

Mike

cisco24seven · ‎09-20-2011

I only added these two lines:

static (inside,outside) udp 5008 192.168.5.xx 5008 netmask 255.255.255.255

access-list outside_access_in extended permit udp any host eq 5008

However since they did not work I removed them. I cannot currently get a packet capture. What is the recommendation concerning the outside interface IP address being on the same subnet as the DMZ interface? What is best practice?

I did use the packet tracer and it said that the packet coming in from the public IP to the inside server 192.168.5.x on UDP port 5008 was dropped due to "flow denied by configured rule". I then retrieved the following:

sh xlate

5 in use, 7 most used

Global 192.168.5.15 Local 192.168.5.15

Global 192.168.5.14 Local 192.168.5.14

PAT Global (80) Local 192.168.75.5(80)

PAT Global (443) Local 192.168.75.5(443)

PAT Global (5008) Local 192.168.5.14(5008)

sh access-list outside_access_in

access-list outside_access_in; 2 elements; name hash: 0x6892a938

access-list outside_access_in line 1 remark Permit traffic from Internet

access-list outside_access_in line 2 extended permit tcp any host (eq www (hitcnt=4657) 0xb3e8f076

access-list outside_access_in line 3 extended permit udp any host (eq 5008 (hitcnt=27) 0x422c2ed2

I would be grateful for any help on this. Thanks.

varrao · ‎09-20-2011

Hi,

You cannot have same subnet ip address on two interfaces thats not correct, you will have issues. I woudl suggest different subnet ip on the two interfaces.

As Mike said, to troubleshoot this please take captures and collect the log as well on the ASA, theyw ould atleast give you a direction to troubleshoot in.

Varun

Thanks,
Varun Rao

Maykol Rojas · ‎09-20-2011

I will need to have the packet tracer to see what would be the configured rule that would block it, normally going thru the phases will give me the answer,

Regarding to this statement,

outside interface IP address being on the same subnet as the DMZ interface? What is best practice?

I dont understand what you mean by that, your DMZ is 192.168.75.0/24, and the outside should be something public, what do you mean they are the same?

Like Varun says, if you try to put the same subnet on both, it will give you an error that would say it overlaps, maybe I am not understanding correclty what you mean by they are the same.

Mike

cisco24seven · ‎09-23-2011

Here is the packet tracer results:

fw# packet-tracer input outside udp 4.2.2.2 1025 5008

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) udp 5008 192.168.5.14 5008 netmask 255.255.255.255
match udp inside host 192.168.5.14 eq 5008 outside any
static translation to /5008
translate_hits = 0, untranslate_hits = 5
Additional Information:
NAT divert to egress interface inside
Untranslate /5008 to 192.168.5.14/5008 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit udp any host eq 5008
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) udp 5008 192.168.5.14 5008 netmask 255.255.255.255
match udp inside host 192.168.5.14 eq 5008 outside any
static translation to /5008
translate_hits = 0, untranslate_hits = 5
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) 192.168.5.14 192.168.5.14 netmask 255.255.255.255
match ip inside host 192.168.5.14 DMZ any
static translation to 192.168.5.14
translate_hits = 12, untranslate_hits = 229
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6076, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Here is some additional info: Users will attempt to connect to the on port 5008 from remote locations using air cards. I have used a static to associate the inside IP with the with port 5008. When the traffic comes in it does hit the inside server but it is never returned to the remote user. The set up looks like this:

[ ASA ] --------------[ Cisco 3550 vlan for this traffic ]

My suspicion is that the 3550 sees the Public IP address of the users air card and does know what to do with it. Any help or suggestions would be great, thanks all.

cisco24seven · ‎09-23-2011

Maykol,

Actually I mistakenly said outside interface when I meant inside interface. My question was is it okay to have your inside interface as 192.168.75.254 and your DMZ interface at 192.168.75.1? I have since changed the inside to 192.168.85.254. What ios best practice in this area? Thanks

Julio Carvajal · ‎09-24-2011

Hello CiscoSeven,

Ok so the thing is that you have a network on the inside interface that also its on the DMZ, that is a Desing issue that might cause some routing issues on the ASA, I would change the internal network to something different and create the new static one to one,

Route inside 192.168.15.xx 255.255.255.255 172.16.75.253

static (inside,outside) public_ip 5008 192.168.15.xx

Lets try that and let me know if that works, also run the same packet tracer after these changes.

By the way leave the ACL the way it is. one last thing can you post the routes that the 3550 has as well.

Hope this Helps,

Have a great day.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cisco24seven · ‎09-24-2011

Thanks for your reply. I had already added your above recommendation and it is still not working. I since changed the inside interface to 192.168.85.254, the DMZ was left at 192.168.75.1. I then changed the staic translation to:

static (inside,outside) public_ip 5008 172.16.32.x

route inside 172.16.32.0 255.255.255.0 172.16.85.253

The 172.16.32.x subnet is on a vlan on the 3550, the port ip is 172.16.32.100.

On the switch I have added a route that states:

ip route 172.16.32.0 255.255.255.0 172.16.85.254

I then used Wireshark to see if I could see the packets and what they were doing at the switch (3550) level. What is happening is that the packet gets through to the server at 172.16.32.x, it is on the return where the packet is dropped. Wireshark reports a packet with a source of 172.16.32.x and a destination of , which is the actual public IP address of the salespeoples air cards, so it their carrier is AT&T it will be an AT&T IP, if it is Verizon it will be a Verizon IP etc etc.

So is the packet getting back to the ASA device?

If so why is it getting dropped?

How do I fix this?

Thanks

Julio Carvajal · ‎09-24-2011

This is a layer 3 device, should have this route pointing to the ASA

ip route 0.0.0.0 0.0.0.0 172.16.85.254.

In order to see if the packet is being dropped by the ASA add this capture

capture test type asp-drop all

and then sh capture test | include and the Ip address of the internal server to see if the ASA is dropping any packets regarding that IP address.

By the way can you post the updated Configuration again, this is gonna help us

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cisco24seven · ‎09-25-2011

Thanks for the reply. The 3550 cannot have a default route to the ASA as the 3550 already has a default route to a different gw. I will post the updated config and the results of the commands you suggested on Monday. Thanks again for your help!

Julio Carvajal · ‎09-25-2011

So that is why. The packets are going to the other gateway instead of the ASA.

The ASA is not getting the packets when the Computer respond, that is the issue.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

cisco24seven · ‎09-25-2011

Thanks for your reply. I wish it were that simple The default route on the 3550 says ip route 0.0.0.0 .0.0.0.0 192.168.5.x and that is where all of our traffic is sent unless we specify specific traffic to go out another gateway, currently there is three in total. We have some VPN users that are coming in through a Cisco 3005 concentrator and their traffic does not go out the default route but a specific route set up for this purpose.

So basically that is what we are trying to do with the ASA and return the incoming traffic for the sales people back out 172.16.85.254. I dont understand why we are having such a hard time so I must be missing something :S

Julio Carvajal · ‎09-25-2011

Ok, this seems to be a desing issue and the only way the traffic is going to get back to the ASA will be with the default-route I just provided you. I understand that to implement it would require extra configuration but in order for this to work that will be the only way.

If you create a capture you will see that the packets are not returning to the ASA, big problem!!!

Hope this help you and hope you have a great day

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC