8419 Views, 0 Helpful, 39 Replies

Cisco ASA 9.1 5540 NAT statement not getting hit

efreymuth_2
Level 1

Hello all,

 

I am an amateur when it comes to the true science behind some of what I am trying to configure, so I love to hear explanations as to why it is not working as well as get it fixed.  I have a Cisco 5540 running 9.1.  I have outside, p_wired, dmz, and private interfaces set up and working.  Everyone can access the internet like I would expect.  The dmz_webserver can access the outside in order to do updates, but I cannot get to the website that I want to host on the dmz_webserver from the public internet.  Below is my current running config.  The immediate packet-tracer command shows a result of allow, so I am truly lost.  Any help is truly appreciated.  I have been reading and studying for almost 2 weeks because I like to try and figure things like this out myself.

 

packet-tracer input outside tcp 18.218.108.31 1234 192.168.2.100 80 detailed

 

The p_wired interface has good internet access and I can carry out all tasks needed.  I can access the dmz interface from p_wired as I would like because the security-level settings are working.  The dmz has good internet access to the server and any other device I connect to it.  The private network is not a concern and is working as expected.

 

 

ASA Version 9.1(7)23
!
hostname ciscoasa
enable password [removed]
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif p_wired
security-level 50
ip address 172.16.1.1 255.255.0.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 25
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif private
security-level 100
ip address 10.0.0.1 255.0.0.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup p_wired
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.4.2.2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network dmz_webserver
host 192.168.2.100
object network outside_acl
object network dmz_acl
object service HTTP-8080
service tcp source eq 8080
object service HTTP-80
service tcp source eq www
object network dmz_subnet
subnet 192.168.2.0 255.255.255.0
access-list outside_acl extended permit tcp any4 object dmz_webserver eq www
access-list outside_acl extended permit tcp any4 object dmz_webserver eq 8080
access-list outside_acl extended permit tcp any object dmz_webserver eq www
access-list outside_acl extended permit tcp any any eq www
access-list outside_acl extended permit tcp any any eq 8080
access-list outside_acl extended permit ip any any
pager lines 24
logging enable
mtu outside 1500
mtu p_wired 1500
mtu dmz 1500
mtu private 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected

nat (p_wired,outside) source dynamic any interface
nat (dmz,outside) source static any dmz_webserver service HTTP-80 HTTP-80
nat (dmz,outside) source static any dmz_webserver service HTTP-8080 HTTP-8080
nat (dmz,outside) source dynamic any interface
!
object network dmz_webserver
nat (dmz,outside) static interface
access-group outside_acl in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 4.4.2.2
!
dhcpd address 172.16.100.1-172.16.100.100 p_wired
dhcpd enable p_wired
!
dhcpd address 192.168.2.100-192.168.2.120 dmz
dhcpd enable dmz
!
dhcpd address 10.10.10.1-10.10.10.100 private
dhcpd enable private
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
anyconnect-essentials
cache
disable
!
!
!
policy-map global_policy
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:[removed]
: end

 

 

---- Below is the result of NAT translation after I ran the packet-tracer command at the beginning twice.

ciscoasa(config)# show nat
Manual NAT Policies (Section 1)
1 (p_wired) to (outside) source dynamic any interface
translate_hits = 324, untranslate_hits = 5
2 (dmz) to (outside) source static any dmz_webserver service HTTP-80 HTTP-80
translate_hits = 2, untranslate_hits = 2
3 (dmz) to (outside) source static any dmz_webserver service HTTP-8080 HTTP-8080
translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dmz_webserver interface
translate_hits = 0, untranslate_hits = 0

 

 

If you need anything else to help me out please let me know.  I know the dmz_webserver is working and the ports are listening because I have verified with the netstat command and I can access the website from either a dmz or p_wired connected device.

 

Thanks,

Eldon
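The `show nat` counters above are the most direct evidence in this thread: the only rule with untranslate hits is the Section 1 rule `source static any dmz_webserver service HTTP-80 HTTP-80`, while the object NAT rule for dmz_webserver in Section 2 has never been consulted. The ASA walks Section 1, then Section 2, then Section 3 (after-auto) and stops at the first match, so a hit on an earlier rule for the same interface pair is the usual reason a later rule sits at zero. The script below is an added example, not Cisco tooling or the poster's own code: it parses the posted `show nat` output, lists the rules that never matched, and for each of them counts how many rules for the same interface pair the ASA evaluates ahead of it.

```python
"""Parse Cisco ASA `show nat` output and find rules that never matched.

Added example for this thread (not Cisco tooling or the poster's code);
standard library only. SAMPLE_SHOW_NAT is the output posted in the thread,
embedded here so the script runs offline.
"""
import re
from dataclasses import dataclass

SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (p_wired) to (outside) source dynamic any interface
translate_hits = 324, untranslate_hits = 5
2 (dmz) to (outside) source static any dmz_webserver service HTTP-80 HTTP-80
translate_hits = 2, untranslate_hits = 2
3 (dmz) to (outside) source static any dmz_webserver service HTTP-8080 HTTP-8080
translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dmz_webserver interface
translate_hits = 0, untranslate_hits = 0
"""

# Matches "Manual NAT Policies (Section 1)", "Auto NAT Policies (Section 2)"
# and "Manual NAT Policies (Section 3)" (the after-auto rules).
SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


@dataclass
class NatRule:
    section: int           # 1 = manual, 2 = auto/object, 3 = after-auto manual
    index: int             # position within its section
    real_ifc: str
    mapped_ifc: str
    body: str              # rule text after the interface pair
    translate_hits: int    # real -> mapped (outbound) matches
    untranslate_hits: int  # mapped -> real (inbound) matches


def parse_show_nat(text):
    """Return the rules in `text` in the order the ASA evaluates them."""
    rules, section, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m and section is not None:
            pending = (int(m.group(1)), m.group(2), m.group(3), m.group(4))
            continue
        m = HITS_RE.search(line)
        if m and pending is not None:
            idx, real, mapped, body = pending
            rules.append(NatRule(section, idx, real, mapped, body,
                                 int(m.group(1)), int(m.group(2))))
            pending = None
    # Section 1 is consulted first, then 2, then 3; within a section by index.
    return sorted(rules, key=lambda r: (r.section, r.index))


def unused_rules(rules):
    """Rules with neither translate nor untranslate hits."""
    return [r for r in rules if r.translate_hits == 0 and r.untranslate_hits == 0]


def rules_evaluated_before(rules, rule):
    """Rules for the same interface pair that the ASA tries before `rule`.

    A hit on any of these means `rule` never gets a chance, which is the
    usual reason an object NAT rule shows 0 hits while a Section 1 rule
    for the same interfaces is counting."""
    pos = rules.index(rule)
    pair = (rule.real_ifc, rule.mapped_ifc)
    return [r for r in rules[:pos] if (r.real_ifc, r.mapped_ifc) == pair]


def report(rules):
    """Summary as a list of lines (returned rather than printed so it can be tested)."""
    out = []
    for r in rules:
        out.append(f"S{r.section}#{r.index} ({r.real_ifc}->{r.mapped_ifc}) {r.body}: "
                   f"xlate={r.translate_hits} unxlate={r.untranslate_hits}")
    for r in unused_rules(rules):
        ahead = rules_evaluated_before(rules, r)
        if ahead:
            out.append(f"S{r.section}#{r.index} never matched; {len(ahead)} rule(s) "
                       f"for {r.real_ifc}->{r.mapped_ifc} are evaluated before it")
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_show_nat(SAMPLE_SHOW_NAT))))
```

Run against the posted output it reports that the Section 1 8080 rule, the Section 1 dynamic rule and the Section 2 object rule have never matched, and that three (dmz,outside) rules sit ahead of the object rule. Paste in your own `show nat` output in place of the sample to get the same view of a different box.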
39 Replies

It was worth a try.  Can you post your running config so I can try to mirror it?  I know the server is not listening on 443 because I have analyzed the netstat listening ports and that one is not listed.  If anything it might be listening on 8443, but I can access the website from any internal network using just port 8080 and regular apache with port 80.  So, there is something with the route not getting to the server through the ASA because I can see the packets going to the outside interface but there is nothing in any of the server access logs.

 

If you could post your running-config from a solution you know to be working I will mark that as a solution and just chalk it up to my ISP/internal network configuration.

 

Thanks for all your help.

Eldon

Hi Eldon,
Can you remove the following

nat (dmz,outside) after-auto source dynamic any interface
Then test access from Outside.

For everything else if required you can add the following

Object network OBJ-DMZ
Subnet 192.168.2.0 255.255.255.0
Nat (dmz, outside) dynamic interface

Forgot to log out of our company CCO when I was downloading an image for testing 😊. That was my last reply also. Apologies for the confusion.

Thanks, I just wanted to ask about that other stuff because that "destination" NAT statement was something I had not seen before.  Below is my updated running-config based on your recommendations.  I also provided the capture on the outside and dmz interface for 8080.  I know the server is listening because I can see it in the netstat and I can access the site through 192.168.2.100 anywhere inside my network.

 

I ran Wireshark and a capture on all 8080 packets into the outside interface and the dmz interface.  I can see the ports from the public internet hitting the outside interface but nothing is hitting the dmz in the captures.

 

Let me know what else you want to see or try.  I feel like we are making good progress because I can finally match up packets from my external web request to the outside interface.

 

ciscoasa(config)# capture outside8080 interface outside match tcp any any eq 8$
ciscoasa(config)# capture dmz8080 interface dmz match tcp any any eq 8080
ciscoasa(config)# show capture outside8080

15 packets captured

1: 22:56:31.530780 192.168.3.4.54893 > [public ip removed].8080: S 1954080724:1954080724(0) win 64240 <mss 1380,nop,wscale 8,no
2: 22:56:31.530902 192.168.3.4.54894 > [public ip removed].8080: S 2263337131:2263337131(0) win 64240 <mss 1380,nop,wscale 8,no
3: 22:56:31.782079 192.168.3.4.54895 > [public ip removed].8080: S 1440162043:1440162043(0) win 64240 <mss 1380,nop,wscale 8,no
4: 22:56:34.530719 192.168.3.4.54893 > [public ip removed].8080: S 1954080724:1954080724(0) win 64240 <mss 1380,nop,wscale 8,no
5: 22:56:34.531695 192.168.3.4.54894 > [public ip removed].8080: S 2263337131:2263337131(0) win 64240 <mss 1380,nop,wscale 8,no
6: 22:56:34.782613 192.168.3.4.54895 > [public ip removed].8080: S 1440162043:1440162043(0) win 64240 <mss 1380,nop,wscale 8,no
7: 22:56:40.531771 192.168.3.4.54893 > [public ip removed].8080: S 1954080724:1954080724(0) win 64240 <mss 1380,nop,wscale 8,no
8: 22:56:40.532717 192.168.3.4.54894 > [public ip removed].8080: S 2263337131:2263337131(0) win 64240 <mss 1380,nop,wscale 8,no
9: 22:56:40.784642 192.168.3.4.54895 > [public ip removed].8080: S 1440162043:1440162043(0) win 64240 <mss 1380,nop,wscale 8,no
10: 22:56:55.199849 192.168.3.4.54896 > [public ip removed].8080: S 1947578079:1947578079(0) win 64240 <mss 1380,nop,wscale 8,no
11: 22:56:55.199986 192.168.3.4.54897 > [public ip removed].8080: S 3397323018:3397323018(0) win 64240 <mss 1380,nop,wscale 8,no
12: 22:56:58.201649 192.168.3.4.54897 > [public ip removed].8080: S 3397323018:3397323018(0) win 64240 <mss 1380,nop,wscale 8,no
13: 22:56:58.201664 192.168.3.4.54896 > [public ip removed].8080: S 1947578079:1947578079(0) win 64240 <mss 1380,nop,wscale 8,no
14: 22:57:04.215503 192.168.3.4.54896 > [public ip removed].8080: S 1947578079:1947578079(0) win 64240 <mss 1380,nop,wscale 8,no
15: 22:57:04.231097 192.168.3.4.54897 > [public ip removed].8080: S 3397323018:3397323018(0) win 64240 <mss 1380,nop,wscale 8,no
15 packets shown


ciscoasa(config)# show capture dmz8080

0 packet captured

0 packet shown
ciscoasa(config)#

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 1234 192.168.3.4 808$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.4 255.255.255.255 identity

 

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x794d5ed0, priority=0, domain=nat-per-session, deny=false
hits=38677, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

 

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x79b82810, priority=0, domain=permit, deny=true
hits=2158, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

 

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)# packet-tracer input outside tcp 8.8.8.8 1234 192.168.2.100 8$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

 

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 dmz

 

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

 

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

 

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
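The two captures above tell the story between them: 15 SYNs arrive on outside, every one of them belongs to one of five connection attempts that each retransmitted twice, and the dmz capture is empty. The script below is an added example, not Cisco tooling or the poster's own code, that turns `show capture` text into per-flow verdicts so that pattern stands out on larger captures. Its sample is the posted outside8080 capture with the redacted public address replaced by the constructed TEST-NET-3 address 203.0.113.10, plus two constructed packets (16 and 17) so the output also shows how an answered handshake is reported.

```python
"""Turn Cisco ASA `show capture` output into per-connection verdicts.

Added example for this thread (not Cisco tooling or the poster's code);
standard library only. Packets are grouped into client->server flows by the
initial SYN; each flow records how many SYNs it sent and whether any packet
came back. SAMPLE_CAPTURE is the posted outside8080 capture with the
redacted public IP replaced by 203.0.113.10 (constructed, TEST-NET-3);
packets 16 and 17 are constructed to show an answered SYN/SYN-ACK.
"""
import re
from dataclasses import dataclass

SAMPLE_CAPTURE = """\
17 packets captured

1: 22:56:31.530780 192.168.3.4.54893 > 203.0.113.10.8080: S 1954080724:1954080724(0) win 64240 <mss 1380,nop,wscale 8,no
2: 22:56:31.530902 192.168.3.4.54894 > 203.0.113.10.8080: S 2263337131:2263337131(0) win 64240 <mss 1380,nop,wscale 8,no
3: 22:56:31.782079 192.168.3.4.54895 > 203.0.113.10.8080: S 1440162043:1440162043(0) win 64240 <mss 1380,nop,wscale 8,no
4: 22:56:34.530719 192.168.3.4.54893 > 203.0.113.10.8080: S 1954080724:1954080724(0) win 64240 <mss 1380,nop,wscale 8,no
5: 22:56:34.531695 192.168.3.4.54894 > 203.0.113.10.8080: S 2263337131:2263337131(0) win 64240 <mss 1380,nop,wscale 8,no
6: 22:56:34.782613 192.168.3.4.54895 > 203.0.113.10.8080: S 1440162043:1440162043(0) win 64240 <mss 1380,nop,wscale 8,no
7: 22:56:40.531771 192.168.3.4.54893 > 203.0.113.10.8080: S 1954080724:1954080724(0) win 64240 <mss 1380,nop,wscale 8,no
8: 22:56:40.532717 192.168.3.4.54894 > 203.0.113.10.8080: S 2263337131:2263337131(0) win 64240 <mss 1380,nop,wscale 8,no
9: 22:56:40.784642 192.168.3.4.54895 > 203.0.113.10.8080: S 1440162043:1440162043(0) win 64240 <mss 1380,nop,wscale 8,no
10: 22:56:55.199849 192.168.3.4.54896 > 203.0.113.10.8080: S 1947578079:1947578079(0) win 64240 <mss 1380,nop,wscale 8,no
11: 22:56:55.199986 192.168.3.4.54897 > 203.0.113.10.8080: S 3397323018:3397323018(0) win 64240 <mss 1380,nop,wscale 8,no
12: 22:56:58.201649 192.168.3.4.54897 > 203.0.113.10.8080: S 3397323018:3397323018(0) win 64240 <mss 1380,nop,wscale 8,no
13: 22:56:58.201664 192.168.3.4.54896 > 203.0.113.10.8080: S 1947578079:1947578079(0) win 64240 <mss 1380,nop,wscale 8,no
14: 22:57:04.215503 192.168.3.4.54896 > 203.0.113.10.8080: S 1947578079:1947578079(0) win 64240 <mss 1380,nop,wscale 8,no
15: 22:57:04.231097 192.168.3.4.54897 > 203.0.113.10.8080: S 3397323018:3397323018(0) win 64240 <mss 1380,nop,wscale 8,no
16: 22:57:10.000000 192.168.3.4.54898 > 203.0.113.10.80: S 11111:11111(0) win 64240 <mss 1380,nop,wscale 8,no
17: 22:57:10.000900 203.0.113.10.80 > 192.168.3.4.54898: S 22222:22222(0) ack 11112 win 29200 <mss 1380,nop,wscale 7>
17 packets shown
"""

PKT_RE = re.compile(
    r"^\s*\d+:\s+(\S+)\s+"                         # packet number, timestamp
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+"          # source ip.port
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+(\S+)(.*)$"   # dest ip.port: flags rest
)


@dataclass
class Flow:
    client: str
    client_port: int
    server: str
    server_port: int
    syns: int = 0        # SYNs from the client, retransmissions included
    replies: int = 0     # any packet from the server back to the client
    first_seen: str = ""
    last_seen: str = ""

    @property
    def answered(self):
        return self.replies > 0


def parse_capture(text):
    """Group packets into client->server flows keyed by the first SYN."""
    flows = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # "N packets captured", blank lines, prompts
        ts, src, sport, dst, dport, flags, rest = m.groups()
        sport, dport = int(sport), int(dport)
        # The ASA prints "S" for a SYN; a SYN-ACK shows as "S ... ack <n>".
        if flags.startswith("S") and " ack " not in rest:
            key = (src, sport, dst, dport)
            flow = flows.setdefault(key, Flow(src, sport, dst, dport, first_seen=ts))
            flow.syns += 1
            flow.last_seen = ts
        elif (dst, dport, src, sport) in flows:
            flow = flows[(dst, dport, src, sport)]  # server -> client direction
            flow.replies += 1
            flow.last_seen = ts
    return list(flows.values())


def unanswered(flows):
    return [f for f in flows if not f.answered]


def report(flows):
    """Per-flow verdicts plus a one-line total, returned as lines."""
    out = []
    for f in flows:
        state = "answered" if f.answered else "NO REPLY"
        out.append(f"{f.client}:{f.client_port} -> {f.server}:{f.server_port} "
                   f"{f.syns} SYN(s) {f.first_seen}..{f.last_seen} {state}")
    dead = unanswered(flows)
    if dead:
        out.append(f"{len(dead)} of {len(flows)} flows got no packet back on this interface")
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_capture(SAMPLE_CAPTURE))))
```

On the posted capture this yields five 8080 flows, each with 3 SYNs and no reply, and one constructed port-80 flow marked answered. A flow that is "NO REPLY" here while the same filter on the inside-facing interface shows nothing at all is exactly the signature of traffic reaching the firewall but never being translated and forwarded.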

Also just noticed you have an internal IP for your Outside interface, which I assume is related to the changes you made at the ISP end.

Stupid question.  Do I have to create any NAT or ACL rules if there is a switch connected to G0/2 (dmz) interface? 

If L2, no, and it wouldn't stop you from at least seeing something coming inbound from the Internet. It's as if the traffic from the Internet directed to the server is not getting as far as the firewall.
How are you connecting to the server from the Internet btw? DNS? IP?
Have you double checked the address?
I wonder if anyone else has got a static port forward working with a DHCP Outside dynamic address.

You could run a packet capture direct on the asa itself and let it run while you test again, see if traffic gets as far as outside interface.

Ok, so I have made some progress and had some setbacks, and I feel like someone here will have a simple solution.  I took my ISP router out of bridged mode and set up port forwarding.  I had assumed that bridged mode would just forward all traffic to my ASA, but that must have been part of the problem.  Now that I have static port forwarding set up in my ISP router I am getting packets to the outside interface and I can see them in the capture.  However, nothing is getting translated to the DMZ and nat'd to the webserver.  I also set up a DHCP reservation for the ASA MAC in my ISP router, which allowed me to assign a static IP to the G0/0 (outside) interface.

 

So, now I just need some help figuring out why the traffic is not getting to the DMZ webserver?  It feels like I am starting over but not quite since you all helped me confirm that my ISP router was the issue and I have that (semi) resolved.

 

Eldon

Hi Eldon, 

Can we see the config of the firewall as it stands and also packet tracer output from the perspective of traffic coming in from the Outside towards the web server on one of the allowed ports. 

What does the capture you ran show? Did you run the embedded pcap against the Outside interface?

 
