02-19-2014 04:16 AM - edited 03-11-2019 08:47 PM
Hi,
an internal (inside) server has to be accessible from outside. Following the descriptions here
a static nat with PAT for tcp 80+443 as well as appropriate ACLs were created.
Not working.
Checked with packet trace both incoming and outgoing directions:
Without a problem. (ACL allowed, the right NAT translations)
Changed ASDM to port 8080 (was never allowed on outside anyways)
Changed webvpn to port 4433 (was never activated anyways):
Still not working.
Checked the server's firewall as well: the scopes are for "any", internally accessible on both ports.
Disabled the server's firewall.
No avail.
What could I be missing?
Thanks in advance!
02-19-2014 06:29 AM
Hi Boian,
Ok, you have a few problems - but all with the same root issue.
When you overload on an Interface IP, you need to leverage the keyword "interface" in both the static and ACL statements.
For example, if you want to allow users to connect to the outside interface on TCP/80 and have that PATed to an internal web server on port 80, you must use the syntax:
static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255
Additionally, when you permit the traffic inbound to the outside interface, you need to leverage the 'interface' keyword:
access-list OUTSIDE_IN extended permit tcp any interface outside eq www
Sincerely,
David.
02-19-2014 04:19 AM
Hi,
Could we see the configurations, the "packet-tracer" command used and the output of that/those commands.
- Jouni
02-19-2014 05:56 AM
Hi and thanks for the fast reply.
The packet-tracer wasn't having any problems as I configured the nat as "static (inside,outside)" pointing to an additional public IP address. Since there were more services (such as SMTP) connected to outside servers the company told me to nat over the primary public IP that is assigned to the outside interface. The result is even worse, since now the ACL implicit deny is stopping me. I added an explicit deny with log just to get to the description, but still don't get it.
OK I swapped the external IP for X.X.X.X, truncated sensitive info with [trunc] and sent here the console output and the config.
ASA# packet-tracer input outside tcp 8.8.8.8 1056 X.X.X.X 443 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) outside-interface PROBLEM_SERVER netmask 255.255.255.255 norandomseq
nat-control
match ip inside host PROBLEM_SERVER outside any
static translation to outside-interface
translate_hits = 2166, untranslate_hits = 1361
Additional Information:
NAT divert to egress interface inside
Untranslate outside-interface/0 to PROBLEM_SERVER/0 using netmask 255.255.255.255
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in outside-interface 255.255.255.255 identity
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5120ed0, priority=0, domain=permit, deny=true
hits=3335, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA# sh access-list | i 0xd5120ed0
ASA# sh access-list OUTSIDE_IN
access-list OUTSIDE_IN; 4 elements
access-list OUTSIDE_IN line 1 remark allow echo requests
access-list OUTSIDE_IN line 2 extended permit icmp any host outside-interface echo log informational interval 300 (hitcnt=0) 0x3d8de1bc
access-list OUTSIDE_IN line 3 remark allow web to internal server
access-list OUTSIDE_IN line 4 extended permit tcp any host outside-interface eq www (hitcnt=0) 0x3fce57d6
access-list OUTSIDE_IN line 5 remark allow https to internal server
access-list OUTSIDE_IN line 6 extended permit tcp any host outside-interface eq https (hitcnt=0) 0xf5acf247
access-list OUTSIDE_IN line 7 remark default deny with log
access-list OUTSIDE_IN line 8 extended deny ip any any log informational interval 300 (hitcnt=2) 0x2dc51227
ASA#
########################
ASA# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
domain-name [trunc]
enable password [trunc] encrypted
names
name 192.168.34.0 farm-lan
[trunc]
name 172.16.1.254 asa-mgmgt-interface description Management Interface
name [X.X.X.X] outside-interface description public IP address
name 10.0.1.0 testo-lan
name 192.168.0.0 inside-lan
name 10.0.0.0 labs-lan
name 192.168.52.0 guest-lan
name 172.16.1.0 admin-lan
name 10.0.1.254 ASA-testo-GW
name 10.0.1.10 testo-base
[trunc]
name 192.168.0.2 PROBLEM_SERVER
[trunc]
name 10.0.0.254 ASA-labs-GW
!
interface Ethernet0/0
description network for guests
nameif guest
security-level 50
ip address 192.168.52.254 255.255.255.0
!
interface Ethernet0/1
description internal VLAN trunk
no nameif
no security-level
no ip address
!
interface Ethernet0/1.3
description labs-lan
vlan 3
nameif labs
security-level 100
ip address ASA-labs-GW 255.255.255.0
!
interface Ethernet0/1.4
description testo-lan
vlan 4
nameif testo
security-level 100
ip address ASA-testo-GW 255.255.255.0
!
interface Ethernet0/1.7
description inside-lan
vlan 7
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/2
description WAN
nameif outside
security-level 0
ip address outside-interface 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address asa-mgmgt-interface 255.255.255.0
management-only
!
passwd [trunc] encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring
dns server-group DefaultDNS
domain-name [trunc]
same-security-traffic permit inter-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq 993
port-object eq imap4
port-object eq 5223
port-object eq 587
object-group network ASA-LAN-interface
description inside interface from router
network-object host 192.168.0.254
object-group network Private-IP-Range
description RFC 1918
network-object labs-lan 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object inside-lan 255.255.0.0
object-group network admin-stations
[trunc]
object-group network Servers
network-object host PROBLEM_SERVER
object-group service imapssl tcp
description encrypted imap
port-object eq 993
object-group service authsmtp tcp
description iCloud authenticated SMTP
port-object eq 587
object-group service iclouddav tcp
description iCloud DAV sync for calender etc
port-object eq 5223
access-list INSIDE_OUT remark permits ip access to ASA LAN interface
access-list INSIDE_OUT extended permit ip inside-lan 255.255.255.0 object-group ASA-LAN-interface log disable
access-list INSIDE_OUT remark permit snmp access from LAN to ASA
access-list INSIDE_OUT extended permit udp inside-lan 255.255.255.0 object-group ASA-LAN-interface eq snmp log disable
access-list INSIDE_OUT remark permits ping access to ASA LAN interface
access-list INSIDE_OUT extended permit icmp inside-lan 255.255.255.0 object-group ASA-LAN-interface echo log disable
access-list INSIDE_OUT remark allow network testing for all
access-list INSIDE_OUT extended permit icmp inside-lan 255.255.255.0 any log disable
access-list INSIDE_OUT remark testing workstations
access-list INSIDE_OUT extended permit ip object-group admin-stations any log disable
access-list INSIDE_OUT remark DNS lookup
access-list INSIDE_OUT extended permit object-group TCPUDP object-group Servers any eq domain log disable
access-list INSIDE_OUT remark time sync with outside world
access-list INSIDE_OUT extended permit udp host PROBLEM_SERVER any eq ntp log disable
access-list INSIDE_OUT remark allow PROBLEM_SERVER SMTP outside
access-list INSIDE_OUT extended permit tcp host PROBLEM_SERVER any eq smtp log disable
access-list INSIDE_OUT remark allow PROBLEM_SERVER any traffic testing
access-list INSIDE_OUT extended permit tcp host PROBLEM_SERVER any
access-list INSIDE_OUT remark permits web access
access-list INSIDE_OUT extended permit tcp inside-lan 255.255.255.0 any object-group DM_INLINE_TCP_1 log disable
access-list INSIDE_OUT remark default deny with log
access-list INSIDE_OUT extended deny ip any any log
[trunc]
access-list OUTSIDE_IN remark allow echo requests
access-list OUTSIDE_IN extended permit icmp any host outside-interface echo log
access-list OUTSIDE_IN remark allow web to internal server
access-list OUTSIDE_IN extended permit tcp any host outside-interface eq www
access-list OUTSIDE_IN remark allow https to internal server
access-list OUTSIDE_IN extended permit tcp any host outside-interface eq https
access-list OUTSIDE_IN remark default deny with log
access-list OUTSIDE_IN extended deny ip any any log informational interval 300
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging host inside [trunc]
logging debug-trace
mtu guest 1500
mtu labs 1500
mtu testo 1500
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool VPN_IP_Pool 192.168.0.210-192.168.0.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 [trunc] netmask 255.0.0.0
nat (guest) 2 guest-lan 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 inside-lan 255.255.255.0
static (labs,inside) labs-lan labs-lan netmask 255.255.255.0 norandomseq
static (testo,inside) testo-lan testo-lan netmask 255.255.255.0 norandomseq
static (inside,outside) outside-interface PROBLEM_SERVER netmask 255.255.255.255 norandomseq
static (inside,testo) inside-lan inside-lan netmask 255.255.255.0 norandomseq
static (inside,labs) inside-lan inside-lan netmask 255.255.255.0 norandomseq
[trunc]
access-group INSIDE_OUT in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 [trunc] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 8080
http admin-lan 255.255.255.0 management
http inside-lan 255.255.255.0 inside
snmp-server host inside excalibur community public
snmp-server location Germany
snmp-server contact admin@febit.de
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
[trunc]
no crypto isakmp nat-traversal
telnet admin-lan 255.255.255.0 management
telnet timeout 5
ssh inside-lan 255.255.255.0 inside
ssh admin-lan 255.255.255.0 management
ssh timeout 15
ssh version 2
console timeout 0
management-access management
dhcpd address 192.168.52.10-192.168.52.30 guest
dhcpd dns [trunc] interface guest
dhcpd lease 14400 interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics
!
class-map internal_routing_map
description disables SYN randomization for internal routes
match access-list internal_routing_acl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect sip
inspect netbios
inspect icmp
inspect http
policy-map internal_routing_policy
class internal_routing_map
set connection random-sequence-number disable
!
service-policy global_policy global
service-policy internal_routing_policy interface inside
webvpn
port 4433
dtls port 4433
[trunc]
: end
ASA#
02-19-2014 07:46 AM
Hello David, thank you very much for the prompt reaction!!!
I still cannot make this thing work, even with your advice. Somehow I cannot get a single hitcount on the WWW and HTTPS rules, every time I (or other external PCs) try to connect they land on line 8 of the ACL. VERY WEIRD!
I tried with browser and tried even telnet IP... 80 / 433 respectively. No way to get through!
ASA# sh run | i static
static (inside,outside) tcp interface www PROBLEM_SERVER www netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface https PROBLEM_SERVER https netmask 255.255.255.255 norandomseq
static (labs,inside) labs-lan labs-lan netmask 255.255.255.0 norandomseq
static (testo,inside) testo-lan testo-lan netmask 255.255.255.0 norandomseq
static (inside,testo) inside-lan inside-lan netmask 255.255.255.0 norandomseq
static (inside,labs) inside-lan inside-lan netmask 255.255.255.0 norandomseq
ASA#
ASA# sh access-list OUTSIDE_IN
access-list OUTSIDE_IN; 4 elements
access-list OUTSIDE_IN line 1 remark allow echo requests
access-list OUTSIDE_IN line 2 extended permit icmp any interface outside echo log informational interval 300 (hitcnt=0) 0xe2af2171
access-list OUTSIDE_IN line 3 remark allow web to internal server
access-list OUTSIDE_IN line 4 extended permit tcp any interface outside eq www log informational interval 300 (hitcnt=0) 0x7c40f258
access-list OUTSIDE_IN line 5 remark allow https to internal server
access-list OUTSIDE_IN line 6 extended permit tcp any interface outside eq https log informational interval 300 (hitcnt=0) 0x503e0f80
access-list OUTSIDE_IN line 7 remark default deny with log
access-list OUTSIDE_IN line 8 extended deny ip any any log informational interval 300 (hitcnt=876) 0x2dc51227
ASA# sh xlate
287 in use, 949 most used
PAT Global outside-interface(80) Local PROBLEM_SERVER(80)
PAT Global outside-interface(443) Local PROBLEM_SERVER(443)
[etc....]
02-19-2014 07:56 AM
Can you capture the syslogs (at level 6) when you attempt to access the web server from the outside? That should help clear things up.
You can also try running packet-tracer sourced from the outside client, destined to the outside interface IP on tcp/80 to see what it shows.
Sincerely,
David.
02-19-2014 08:07 AM
Hello David, the syslog obviously records "TCP access denied by ACL". But I still cannot see what is wrong with mine...
02-19-2014 08:34 AM
Hi Boian,
Please note that I CAN SOLVE YOUR PROBLEM, but only if you supply the information I request.
If the syslog includes the text, "TCP access denied by ACL", then I must assume that this is syslog 710003, in which case you are not hitting the interface ACL, but instead an implicit ACL which is applied to traffic destined "to-us" for services the ASA hosts.
But, this shouldn't be happening, as a static PAT statement will override locally hosted services.
Can you check the output of "show nat"?
Sincerely,
David.
02-19-2014 08:43 AM
Hi David, sorry, my output was shortened: you are correct:
%ASA-3-710003: TCP access denied by ACL from ZZZZ/65344 to inside:XXXX/443
Yes, this was implicit ACL: look at the dump above that I provided:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5120ed0, priority=0, domain=permit, deny=true
hits=3335, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
As you can imagine this ID=0xd5120ed0 does not belong to my configured ACLs
02-19-2014 08:54 AM
Contd. relevant excerpt of sh nat:
NAT policies on Interface inside:
match tcp inside host PROBLEM_SERVER eq 80 outside any
static translation to outside-interface/80
translate_hits = 0, untranslate_hits = 0
match tcp inside host PROBLEM_SERVER eq 443 outside any
static translation to outside-interface/443
translate_hits = 0, untranslate_hits = 6
match ip inside inside-lan 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside inside-lan 255.255.255.0 outside any
dynamic translation to pool 1 (outside-interface [Interface PAT])
translate_hits = 49192, untranslate_hits = 2850
02-19-2014 08:39 AM
Sorry for the bad language, David, already tired.
The packet-tracer (see above) is not correct. Believe it or not I called an external partner and he could actually connect to the server. What is this? I was trying to test from the internal LAN behind the inside interface and I could not do that, I could not even ping the public IP, that's why I thought the packet tracer was "judging" correct!
Why?
02-19-2014 08:52 AM
Hi Boian,
You will never be able to connect to the NATed/PATed (ie: Public IP) from the Inside network of the ASA. This is just how the ASA is designed. If your client is located off the internal interface, then you need to connect to the Real IP of the server. If you want to test your configuration, you must test from a device located on the Outside interface.
For the syslogs, if an interface ACL was blocking the packet (even the implicit deny at the bottom), you would see syslog messages 106023 or 106100. Syslog 710003 has a different meaning/purpose. It is specific to access attempts to services hosted by the ASA - which essentially tells me your NAT rule is not working.
Sincerely,
David.
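As an added illustration (not part of the thread), the distinction David draws between syslog 710003 (the ASA's own to-the-box service ACL) and 106023/106100 (the interface ACL) can be turned into a small triage script over ASA syslog lines. The log lines below are constructed samples in the standard ASA message formats; the forwarded-port set and function names are assumptions of this example.

```python
import re

# Message IDs named in the thread: 106023/106100 are interface-ACL denies
# (through-the-box traffic); 710003 is the implicit ACL in front of services
# the ASA hosts itself (to-the-box traffic), i.e. the static PAT did not apply.
ACL_DENY_IDS = {"106023", "106100"}
TO_BOX_DENY_ID = "710003"

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
# Format of 710003: "<proto> access denied by ACL from src/sport to ifc:dst/dport"
TOBOX_RE = re.compile(
    r"(?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>\S+?)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>\S+?)/(?P<dport>\d+)"
)

# Constructed sample syslog lines (RFC 5737 addresses, not from the thread).
SAMPLE_LOG = [
    "%ASA-3-710003: TCP access denied by ACL from 203.0.113.10/65344 to inside:192.0.2.1/443",
    "%ASA-3-710003: TCP access denied by ACL from 203.0.113.13/40000 to outside:192.0.2.1/22",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.10/50000 dst inside:192.168.0.2/25 '
    'by access-group "OUTSIDE_IN" [0x2dc51227, 0x0]',
    "%ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/203.0.113.11(51000) -> "
    "inside/192.168.0.2(22) hit-cnt 1 first hit [0x2dc51227, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.12/52000 "
    "(203.0.113.12/52000) to inside:192.168.0.2/80 (192.0.2.1/80)",
]


def classify(line):
    """Return a dict describing the deny type, or None for non-ASA lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    mid = m.group("id")
    if mid in ACL_DENY_IDS:
        return {"kind": "interface-acl-deny", "id": mid}
    if mid == TO_BOX_DENY_ID:
        info = {"kind": "to-the-box-deny", "id": mid}
        t = TOBOX_RE.search(m.group("text"))
        if t:
            info.update(proto=t.group("proto"), ifc=t.group("ifc"),
                        dst=t.group("dst"), dport=int(t.group("dport")))
        return info
    return {"kind": "other", "id": mid}


def find_pat_misses(lines, forwarded_ports):
    """Return 710003 events on ports that a static PAT should have forwarded.
    A hit here means the ASA treated the packet as destined to itself instead
    of un-NATing it to the internal server. An event seen on the 'inside'
    interface is the testing-from-inside case described in the thread."""
    return [c for c in map(classify, lines)
            if c and c["kind"] == "to-the-box-deny"
            and c.get("dport") in forwarded_ports]


if __name__ == "__main__":
    for miss in find_pat_misses(SAMPLE_LOG, {80, 443}):
        print(f"PAT not applied: {miss['proto']} to {miss['ifc']}:{miss['dst']}/{miss['dport']}")
```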
02-19-2014 08:58 AM
Hmm, but what other services can be hosted on ports 80 & 443? OK I have to go now, so thanks a lot and I will update & give feedback tomorrow!
02-19-2014 10:13 AM
Hi Boian,
Can you confirm that the server is accessible externally? Since you said a partner was able to access it?
Note: You cannot access the server by its NATed/PATed IP from the inside.
Sincerely,
David.
02-19-2014 11:20 AM
Hi David,
yes, I can confirm that with the "interface" settings the server is accessible now. I marked your first answer as correct.
Thanks a million!