07-03-2012 12:34 PM - edited 03-11-2019 04:26 PM
Hi, I've got several problems. The goal is to reach port 8888 from outside to inside my LAN.
My config is simple: ASA inside 192.168.1.0/24, outside DHCP from the ISP.
Inside to outside all is OK.
Internet ping to the outside interface is OK.
But connecting from the Internet to port 8888 is not working.
I've tried many things and I'm quite sure that my config is shitty now...
So please help me.
Here it is:
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
mac-address a44c.1156.90b2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 178.250.208.37
name-server 8.8.8.8
domain-name xx
same-security-traffic permit intra-interface
object network obj_any
subnet 192.168.1.0 255.255.255.0
object network server1
host 192.168.1.20
object network NETWORK_OBJ_192.168.1.192_27
subnet 192.168.1.192 255.255.255.224
object network telephone_ip
host 192.168.1.5
object network lan
subnet 192.168.1.0 255.255.255.0
description lan
object network vpn
range 192.168.69.100 192.168.69.110
description vpn
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.69.96_28
subnet 192.168.69.96 255.255.255.240
object service http_8888
service tcp destination eq 8888
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object udp
protocol-object tcp
protocol-object ip
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.69.96_28 any
access-list outside_access_in extended permit object-group TCPUDP any object telephone_ip eq sip
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit object http_8888 any object server1
access-list outside_access_in extended permit tcp any host 192.168.1.20 eq 8888
access-list outside_access_in extended permit tcp any host 192.168.1.20
access-list inside_access_in extended permit ip any any
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list lan standard permit 192.168.1.0 255.255.255.0
access-list SplitTunnel_ACL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 192.168.69.100-192.168.69.110 mask 255.255.255.0
ipv6 icmp permit any inside
ipv6 icmp permit any outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static lan lan destination static vpn vpn
nat (inside,outside) source dynamic lan interface
nat (outside,outside) source dynamic any interface destination static server1 server1 service http_8888 http_8888
!
object network server1
nat (outside,inside) static interface service tcp 8888 8888
!
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
07-03-2012 01:51 PM
Your NAT config is probably incorrect. Keep in mind that the NAT statements are processed top-down. And the NAT for the server has to be changed:
object network server1
nat (inside,outside) static interface service tcp 8888 8888
07-03-2012 01:53 PM
OK, so can you tell me how I can correct my NAT setup (top-down)?
Thank you.
I always get this log in logging:
%ASA-7-710005: TCP request discarded from MYISPIP/64667 to outside:IPOFTHEOUTSIDEINTERFACE/8888
07-03-2012 01:54 PM
Hello Jonathan,
Let's do it differently:
object network server1
no nat (outside,inside) static interface service tcp 8888 8888
object network Internal_host
host 192.168.1.20
object service 8888
service tcp source eq 8888
nat (inside,outside) source static Internal_host interface service 8888 8888
Regards,
Julio
07-03-2012 02:00 PM
Julio, I tried your config but same problem.
Log:
%ASA-7-710005: TCP request discarded from MYISPIP/64667 to outside:IPOFTHEOUTSIDEINTERFACE/8888
07-03-2012 02:04 PM
Please provide the following:
packet-tracer input outside tcp 4.2.2.2 1025 interface_ip eq 8888
Regards,
07-03-2012 02:12 PM
OK, here is the result.
BTW, now I get a new log:
Deny TCP (no connection) from MYISPIP/64842 to ASAOUTSIDEIP/8888 flags FIN PSH ACK on interface outside
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Internal_host interface service 8888 8888
Additional Information:
NAT divert to egress interface inside
Untranslate ipoutsideinterface/8888 to 192.168.1.20/8888
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp object obj_any object supernova eq 8888
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Internal_host interface service 8888 8888
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4820, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
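As an added example (not part of the thread and not a Cisco tool), the following Python helper parses packet-tracer output like the one posted above into phases, reports the first DROP phase and the drop reason if any, and pulls the real inside host/port out of the UN-NAT phase so a port-forward can be checked automatically after each NAT change. The allow sample reproduces phases 1 and 2 of the output above (abbreviated); the drop sample is a constructed variant where the ACL phase rejects the packet, with a drop-reason string in the format the ASA prints.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    action: str
    drop_reason: Optional[str] = None

    def first_drop(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result == "DROP"), None)

    def untranslate(self) -> Optional[Tuple[str, int]]:
        """(ip, port) the UN-NAT phase reports as the real inside destination."""
        for p in self.phases:
            if p.type == "UN-NAT":
                for line in p.info:
                    m = re.match(r"Untranslate \S+ to (\S+)/(\d+)$", line)
                    if m:
                        return m.group(1), int(m.group(2))
        return None


def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()


def parse_packet_tracer(text: str) -> Trace:
    phases, current, section = [], None, None
    action, drop_reason = "unknown", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current, section = Phase(int(_value(line))), None
            phases.append(current)
        elif line == "Result:":          # bare "Result:" opens the final summary block
            current = None
        elif current is not None:
            if line.startswith("Type:"):
                current.type = _value(line)
            elif line.startswith("Result:"):
                current.result = _value(line)
            elif line in ("Config:", "Additional Information:"):
                section = "config" if line == "Config:" else "info"
            elif line and section:
                getattr(current, section).append(line)
        elif line.startswith("Action:"):
            action = _value(line)
        elif line.startswith("Drop-reason:"):
            drop_reason = _value(line)
    return Trace(phases, action, drop_reason)


def forward_verified(text: str, inside_ip: str, port: int) -> bool:
    """True when the trace is allowed end to end and UN-NAT maps the port to the expected host."""
    t = parse_packet_tracer(text)
    return t.action == "allow" and t.first_drop() is None and t.untranslate() == (inside_ip, port)


# Phases 1 and 2 of the output posted in the thread, plus the final block.
ALLOW_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Internal_host interface service 8888 8888
Additional Information:
NAT divert to egress interface inside
Untranslate ipoutsideinterface/8888 to 192.168.1.20/8888

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp object obj_any object supernova eq 8888
Additional Information:

Result:
Action: allow
"""

# Constructed variant: same UN-NAT phase, but the ACL phase rejects the packet.
DROP_TRACE = ALLOW_TRACE.split("Phase: 2")[0] + """\
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Feeding the real `packet-tracer input outside tcp <src> <sport> <outside_ip> 8888` output to `forward_verified(text, "192.168.1.20", 8888)` gives a single yes/no answer; when it is no, `first_drop()` names the phase (ACL, NAT rpf-check, and so on) to look at first.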
07-03-2012 02:21 PM
Hello Jonathan,
Packet tracer looks good.
Next test:
- capture asp type asp-drop all circular-buffer
Then try to connect to port 8888 and provide the following output:
sh cap asp | include outside_ip
Regards,
Julio
07-03-2012 02:40 PM
OK, here is the next one:
Anyway, thanks for the help.
Check your PM.
07-03-2012 02:53 PM
I've done some tests. When I put the NAT rule in first place I get this:
Deny TCP (no connection) from MYISPIP/64842 to ASAOUTSIDEIP/8888 flags FIN PSH ACK on interface outside
When I put the NAT rule in last place I get this:
%ASA-7-710005: TCP request discarded from MYISPIP/64667 to outside:IPOFTHEOUTSIDEINTERFACE/8888
07-03-2012 03:31 PM
Hello Jonathan,
I checked my PM and I already know what the problem is.
Looks like you are facing an asymmetric routing issue.
The ASA is receiving the first TCP packet and this is not a SYN packet.
To make it work, do the following:
access-list test permit tcp any host outside_ip_address eq 8888
class-map test
match access-group test
policy-map global_policy
class test
set connection advanced-options tcp-state-bypass
Let me know if this works.
Regards,
Julio
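As an added illustration (not part of the thread, and not a Cisco tool), here is a small Python triage helper for the two syslog messages Jonathan keeps quoting. It parses the 710005 "request discarded" line and the "Deny TCP (no connection)" line, extracts the TCP flags, and labels each with the condition it most likely indicates, following Julio's reasoning: 710005 on the outside interface port means the packet was handled as traffic to the ASA itself (no NAT rule untranslated it to the inside host), while a no-connection deny whose first segment carries FIN/PSH/ACK rather than SYN points at asymmetric routing or a session that outlived a config change. The sample lines and addresses are constructed placeholders; the 106015 ID assigned to the no-connection message is the standard ASA syslog ID, and the parser treats the prefix as optional because the thread quotes the line without it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# %ASA-x-710005: a packet addressed to the ASA's own interface address/port was
# discarded because nothing on the box listens there.  For a port-forward this
# means no NAT rule untranslated the outside address/port to the inside host.
DISCARD_RE = re.compile(
    r"%ASA-\d-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)

# "Deny TCP (no connection)" (syslog ID 106015): a segment arrived with no matching
# entry in the connection table.  The ID prefix is optional because the thread
# quotes the message without it.
NOCONN_RE = re.compile(
    r"(?:%ASA-\d-106015: )?Deny TCP \(no connection\) from "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)


@dataclass(frozen=True)
class Finding:
    msg_id: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    flags: Tuple[str, ...]   # TCP flags as printed; empty for 710005
    category: str
    hint: str


def classify(line: str) -> Optional[Finding]:
    """Map one syslog line to a Finding, or None if it is neither of the two messages."""
    m = DISCARD_RE.search(line)
    if m:
        return Finding(
            "710005", m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["iface"], (),
            "no_nat_match_to_the_box",
            "packet was handled as traffic to the ASA itself; no NAT rule untranslated "
            "this interface address/port to an inside host, so check NAT order and direction",
        )
    m = NOCONN_RE.search(line)
    if m:
        flags = tuple(m["flags"].split())
        if flags == ("SYN",):
            category = "syn_denied_no_connection"
            hint = "a bare SYN normally creates a connection; re-check the ACL and NAT for this destination"
        else:
            category = "non_syn_first_packet"
            hint = ("first segment seen for this flow is not a SYN: asymmetric routing, or a "
                    "session that outlived a config change (the thread's workaround is tcp-state-bypass)")
        return Finding("106015", m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                       m["iface"], flags, category, hint)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (classify(l) for l in lines) if f is not None]


def summarize(findings: Iterable[Finding]) -> Counter:
    """Count findings per (destination, port, category) so one stuck flow stands out."""
    return Counter((f.dst, f.dport, f.category) for f in findings)


# Constructed sample lines shaped like the two messages quoted in the thread;
# the addresses are documentation ranges, not real hosts.  The third line is a
# normal connection-built message that the helper must ignore.
SAMPLE_LOGS = [
    "%ASA-7-710005: TCP request discarded from 203.0.113.10/64667 to outside:198.51.100.1/8888",
    "Deny TCP (no connection) from 203.0.113.10/64842 to 198.51.100.1/8888 flags FIN PSH ACK on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.10/64900 (203.0.113.10/64900) to inside:192.168.1.20/8888 (198.51.100.1/8888)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.msg_id} {f.src}:{f.sport} -> {f.iface}:{f.dst}:{f.dport} [{f.category}] {f.hint}")
    print(summarize(triage(SAMPLE_LOGS)))
```

One caveat on the workaround suggested above: tcp-state-bypass switches off TCP state checking for everything the class matches, so the access-list in the class-map should stay as narrow as the one posted (one destination address, one port), and the routing itself is still worth fixing so that the bypass can be removed again.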
07-03-2012 03:45 PM
Hmm, are you sure it's
match access-group test ?
The only command I can do is
match access-list test
Anyway, it's not working...
Same error, SYN, ACK etc.
Question: must this NAT rule be the first on the list?
I sent you a PM with my route print.
07-03-2012 03:52 PM
Hello,
Sorry, it is match access-list!
No, we do not need it in first place.
Please do the following:
clear cap asp
And then try to connect one more time.
Send me the cap one more time.
07-03-2012 03:57 PM
In your mail =)
07-03-2012 04:28 PM
Hmm, do you think it's possible that all my problems come from the fact that I must spoof the MAC address to get DHCP from the ISP, because they do MAC filtering?
So I had to drop that into interface Vlan2:
interface Vlan2
mac-address a44c.1156.90b2
nameif outside
So I think we will continue tomorrow, because it's 1:40 in the morning here and I must sleep.
Have a nice day.
Jon