04-14-2020 06:09 PM
Hello everyone,
I am not very familiar with Cisco ASAs; however, for the past few days I've been reading and trying to troubleshoot the following issue, but still I have not been successful. I hope somebody here can help me:
Cisco ASA 5505 - 9.2(1)
(using bogus IP details)
setup:
                               _____
(199.99.9.10) outside <---E0<--|Cisco|
                               | ASA |
                               |5505 |
                               |_____|-->E1---> inside (192.168.1.0/24)
Statically routed IP:
199.99.9.12 is statically routed at the GW to 199.99.9.10
My requirement:
Forward IP 199.99.9.12 port 443 (https) & 80 to inside IP 192.168.1.190:443 & 80
config is shown below:
interface Ethernet0/0
 description CONNECTS TO WAN
 switchport access vlan 112
!
interface Ethernet0/1
 description CONNECTS TO LAN
 switchport access vlan 113
interface Vlan112
 description WAN
 nameif outside
 security-level 0
 ip address 199.99.9.9 255.255.255.252
!
interface Vlan113
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network webserver-https
 host 192.168.1.190
object network webserver-http
 host 192.168.1.190
object network hosted-external-ip
 host 199.99.9.12
access-list outside-in extended permit tcp any object webserver-http eq www
access-list outside-in extended permit tcp any object webserver-https eq https
access-list outside-in extended deny icmp any any log
access-list inside-in extended permit ip any any
access-list inside-in extended permit icmp any any
object network obj_any
 nat (inside,outside) dynamic interface
object network webserver-https
 nat (inside,outside) static hosted-external-ip service tcp https https
object network webserver-http
 nat (inside,outside) static hosted-external-ip service tcp www www
access-group outside-in in interface outside
access-group inside-in in interface inside
route outside 0.0.0.0 0.0.0.0 199.99.9.9 1
*******************************
I omitted a lot of the config and just put what I thought was necessary.
I've performed the following test:
Cisco-ASA5505# packet-tracer input outside tcp 1.1.1.1 1234 199.99.9.12 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network webserver-https
 nat (inside,outside) static hosted-external-ip service tcp https https
Additional Information:
NAT divert to egress interface inside
Untranslate 199.99.9.12/443 to 192.168.1.190/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any object webserver-https eq https
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network webserver-https
 nat (inside,outside) static hosted-external-ip service tcp https https
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1054, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
__________________________________
However, when I try to access it via a browser and then do a "show connections detail", I can see the flag is set to SaAB. I have looked that up and found out that this is shown when a connection is not able to complete the TCP 3-way handshake:
TCP outside: 176.222.12.123/43628 inside: 192.168.1.190/443, flags SaAB , idle 2s, uptime 5s, timeout 30s, bytes 0
TCP outside: 176.222.12.123/43627 inside: 192.168.1.190/443, flags SaAB , idle 3s, uptime 6s, timeout 30s, bytes 0
TCP outside: 176.222.12.123/43626 inside: 192.168.1.190/443, flags SaAB , idle 3s, uptime 6s, timeout 30s, bytes 0
I am wondering whether there is nothing wrong with the firewall config at all and it is just the webserver that is not responding for some reason, but when I test it from within the LAN, it's accessible.
I have tried different scenarios but with the same results. I do not have access to the webserver in order to check what is going on. I appreciate any input you have to resolve this issue.
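Added example, not part of the thread: a small Python triage script that parses "show conn" lines like the ones in the post and turns the ASA flag combination plus the byte counter into a plain-language verdict. The first two sample lines copy the poster's output (with the same bogus addresses); the third line is constructed as a healthy, established connection for contrast. The flag meanings come from the ASA "show conn" flag legend (S = awaiting inside SYN, s = awaiting outside SYN, A/a = awaiting inside/outside ACK to SYN, B = initial SYN from outside, U = up); the verdict strings and the per-destination summary are this example's own design.

```python
import re
from dataclasses import dataclass

# Constructed sample of ASA `show conn detail` output. Lines 1-2 mirror the
# poster's stuck connections; line 3 is a constructed established connection.
SAMPLE_SHOW_CONN = """\
TCP outside: 176.222.12.123/43628 inside: 192.168.1.190/443, flags SaAB , idle 2s, uptime 5s, timeout 30s, bytes 0
TCP outside: 176.222.12.123/43627 inside: 192.168.1.190/443, flags SaAB , idle 3s, uptime 6s, timeout 30s, bytes 0
TCP outside: 176.222.12.123/43601 inside: 192.168.1.190/443, flags UIOB , idle 0s, uptime 41s, timeout 1h0m, bytes 18342
"""

# Subset of the ASA connection-flag legend that matters for handshake state.
FLAG_MEANING = {
    "B": "initial SYN came from the outside interface",
    "S": "awaiting SYN(-ACK) from the inside host",
    "s": "awaiting SYN from the outside host",
    "A": "awaiting ACK to SYN from the inside host",
    "a": "awaiting ACK to SYN from the outside host",
    "U": "connection is up (three-way handshake completed)",
}

# One `show conn` line; note the stray space before the comma after the flags.
CONN_RE = re.compile(
    r"^TCP (?P<in_if>\w+): (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"(?P<out_if>\w+): (?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"flags (?P<flags>\S+)\s*, idle (?P<idle>\S+), uptime (?P<uptime>\S+), "
    r"timeout (?P<timeout>\S+), bytes (?P<bytes>\d+)$"
)


@dataclass
class Conn:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    bytes: int


def parse_show_conn(text: str) -> list[Conn]:
    """Parse the TCP lines of `show conn` output; unrelated lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                          m["flags"], int(m["bytes"])))
    return conns


def classify(conn: Conn) -> str:
    """Derive a verdict from the flag combination and the byte counter."""
    if "U" in conn.flags:
        return "established"
    if "s" in conn.flags:
        # Inside host started the flow; the outside peer has not answered yet.
        return "embryonic: outside host has not completed the handshake"
    if "B" in conn.flags and "S" in conn.flags and conn.bytes == 0:
        # Outside SYN was accepted and translated, but no SYN-ACK has come back
        # from the inside host: the ASA passed the packet, the server (or the
        # path between ASA and server) did not reply.
        return "embryonic: no SYN-ACK from inside host"
    return "embryonic: handshake incomplete"


def explain_flags(flags: str) -> list[str]:
    """Expand a flag string such as 'SaAB' into the legend entries."""
    return [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING]


def summarize(text: str) -> dict[str, dict[str, int]]:
    """Count verdicts per inside destination so a non-answering server stands out."""
    summary: dict[str, dict[str, int]] = {}
    for c in parse_show_conn(text):
        key = f"{c.dst}:{c.dport}"
        bucket = summary.setdefault(key, {})
        verdict = classify(c)
        bucket[verdict] = bucket.get(verdict, 0) + 1
    return summary


if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE_SHOW_CONN):
        print(f"{c.src}:{c.sport} -> {c.dst}:{c.dport} [{c.flags}] {classify(c)}")
        for meaning in explain_flags(c.flags):
            print("    ", meaning)
    print(summarize(SAMPLE_SHOW_CONN))
```

On the poster's lines the script reports two connections to 192.168.1.190:443 as "no SYN-ACK from inside host", which is the same reading the poster arrived at: the outside SYN was accepted by the ACL, un-NATed and dispatched toward the inside interface (as packet-tracer also shows), so the next thing to check is the server side (a capture on the inside interface, or the server's own listener and host firewall) rather than the ASA's NAT and ACL configuration.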
04-14-2020 06:44 PM
04-14-2020 07:19 PM
Hi Mohammed,
Thank you for your quick response.
I unfortunately do not have access to the server to check it. But I will ask somebody who does.
There is another firewall that is doing port forwarding to the same server using another public IP. That works fine. Can web servers be configured to accept connections from a specific port on a public IP and reject others?
Regards,
D.