Solved: Cisco ASA inbound connections

venkat257 · ‎10-06-2015

Hi guys,

I am new to this group. I have a question and believe it is related to the firewall. I need 443 routed internally. The connection is working with 80 but not 443. Please check the picture attached.

The command existing in the firewall is

access-list OUTSIDE_IN line 10 extended permit tcp any4 host 172.20.40.1 eq www

I gave the following command but its not working

access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https

sh access-list | i 172.20.40.1

access-list OUTSIDE_IN line 10 extended permit tcp any4 host 172.20.40.1 eq www (hitcnt=1424566) 0x9f3fd44a
access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https (hitcnt=0) 0xa89e875a

Kindly help. thanks in advance

BR,

Venkat

Rishabh Seth · ‎10-07-2015

Hi Venkat,

Please provide following information:

1: Is there any deny ACL above line40 which might be blocking TCP/443 traffic?

2: Can you run packet-tracer and share your findings.

Will wait for your update.

Thanks,

R.Seth

View solution in original post

rodrigog · ‎10-06-2015

Hello Venkat,

By any means did you added also the needed nat ?

Try adding the nat that may be missing

Also try running a packet tracer from the outside to see what could be the root cause

Regards,

Rodrigo

venkat257 · ‎10-07-2015

Hello Rodrigo,

Please see below

sh run | i obj-122.56.11.165
object network obj-122.56.11.165
nat (FrontIPS_Outside,outside) source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (FrontIPS_Outside,outside) source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-443 obj-tcp-source-eq-443

thmasa1f# sh run | b object network obj-122.56.11.165
object network obj-122.56.11.165
host 122.56.11.165

object service obj-tcp-source-eq-80
service tcp source eq www

object service obj-tcp-source-eq-443
service tcp source eq https

rodrigog · ‎10-07-2015

Hello Venkat,

The configuration seems good but I can't see if the Nat may be hitting a source dynamic first that may be dropping the traffic

Try the next command on the next order to discard that possibility

no nat (FrontIPS_Outside,outside) source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-443 obj-tcp-source-eq-443

nat (FrontIPS_Outside,outside) 1 source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-443 obj-tcp-source-eq-443

Let me know the results

Regards,

Rodrigo

venkat257 · ‎10-07-2015

Hello Rodrigo,

It is still the same. No luck

access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https (hitcnt=0)

Br,

Venkat

Rishabh Seth · ‎10-07-2015

Hi Venkat,

Please provide following information:

1: Is there any deny ACL above line40 which might be blocking TCP/443 traffic?

2: Can you run packet-tracer and share your findings.

Will wait for your update.

Thanks,

R.Seth

venkat257 · ‎10-07-2015

Hello Rodrigo and Rishabh,

The connectivity is working now. The https statement was after the deny statement. After changing, it started working. Thanks a lot.

Br,

Venkat