06-06-2016 03:33 AM - edited 03-12-2019 12:51 AM
Hi,
I have to access my internal server (172.18.1.17/24) from the public interface (OUT_FO: 41.231.82.254) over HTTP, but the access is not working.
My config is in the attachments.
Here is the result of the "packet-tracer" command, and it shows that I have a problem in NAT (Phase 5)
!!!!!!!!!!!!!!!!
packet-tracer input out_FO tcp 41.231.8.90 80 172.18.1.17 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.18.1.0 255.255.255.0 lan
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from-FO in interface OUT_FO
access-list from-FO extended permit tcp any object newmigAIFT eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xace9cfd0, priority=13, domain=permit, deny=false
hits=1330, user_data=0xa907e080, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.18.1.17, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=OUT_FO, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacd429b0, priority=0, domain=inspect-ip-options, deny=true
hits=7834, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUT_FO, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out-lan out interface lan
access-list out-lan extended permit tcp any any
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad469c98, priority=13, domain=permit, deny=false
hits=1448, user_data=0xa907d100, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=lan
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network newAIFTFO
nat (lan,OUT_FO) static interface service tcp www www
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaccd9c58, priority=6, domain=nat-reverse, deny=false
hits=1331, user_data=0xace56d70, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.18.1.17, mask=255.255.255.255, port=80, dscp=0x0
input_ifc=OUT_FO, output_ifc=lan
Result:
input-interface: OUT_FO
input-status: up
input-line-status: up
output-interface: lan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
please HELP !!!
06-06-2016 03:45 AM
Hi,
The traffic is dropped due to the NAT statement:
nat (
Are you using a different NAT for the web server?
If yes, try promoting that NAT to line 1 on the ASA.
For example:
nat (inside,outside) static 192.168.100.100 service tcp 8080 www
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-06-2016 04:02 AM
I promoted the NAT rule to the first line, but it's not working!!!
06-06-2016 04:52 AM
Hi,
Is the packet tracer output still the same?
Can you share the NAT rule?
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-06-2016 05:55 AM
object network newAIFTFO
nat (lan,OUT_FO) static interface service tcp www www
06-06-2016 07:42 AM
I think you have to let the NAT know which IP address of the internal server will be translated. Please try to change the NAT statement
From:
object network newAIFTFO
nat (lan,OUT_FO) static interface service tcp www www
To:
object network newAIFTFO
host 172.18.1.17
nat (lan,OUT_FO) static interface service tcp www www
########################################################
Also, you may need ACL to allow external IP to reach your internal IP:
"
access-list Out_to_Internalserver permit tcp host 41.231.8.90 host 172.18.1.17 eq www
access-group Out_to_Internalserver in interface OUT_FO
"
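The defect in the thread's object (a static NAT with no real address under `object network`) and the way packet-tracer reveals it can both be checked mechanically. The script below is an added example, not from the thread or from Cisco; the config and packet-tracer text it parses are constructed samples taken from the posts above.

```python
import re

# Constructed sample ASA config: the object as first posted (no host line)
# next to an object that carries a real address.
ASA_CONFIG = """\
object network newAIFTFO
 nat (lan,OUT_FO) static interface service tcp www www
object network newmigAIFT
 host 172.18.1.17
 nat (lan,OUT_FO) static interface service tcp www www
access-list from-FO extended permit tcp any object newmigAIFT eq www
"""

# Constructed excerpt of the packet-tracer output from the thread.
TRACER = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Result:
input-interface: OUT_FO
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

REAL_ADDR_KEYWORDS = ("host", "subnet", "range", "fqdn")

def parse_network_objects(config):
    """Return {object_name: [sub-commands]} for every 'object network' block."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = []
        elif line.startswith(" ") and line.strip() and current is not None:
            objects[current].append(line.strip())
        else:
            current = None
    return objects

def nat_objects_without_real_address(config):
    """Objects with a 'nat' line but no host/subnet/range/fqdn: they translate
    nothing, which is what the thread's 'nat rpf-check' DROP points at."""
    bad = []
    for name, lines in parse_network_objects(config).items():
        has_nat = any(l.startswith("nat ") for l in lines)
        has_real = any(l.split(" ", 1)[0] in REAL_ADDR_KEYWORDS for l in lines)
        if has_nat and not has_real:
            bad.append(name)
    return bad

def dropping_phase(tracer_output):
    """Return (phase, Type, Subtype) of the first phase whose Result is DROP, else None."""
    for block in re.split(r"(?m)^Phase:\s*", tracer_output)[1:]:
        if re.search(r"^Result:\s*DROP", block, re.M):
            num = int(block.split("\n", 1)[0].strip())
            ptype = re.search(r"^Type:\s*(.*)$", block, re.M)
            sub = re.search(r"^Subtype:\s*(.*)$", block, re.M)
            return num, ptype.group(1).strip() if ptype else "", sub.group(1).strip() if sub else ""
    return None
```

Run against a full `show running-config` and a full packet-tracer capture, the two functions give the object name to fix and the phase to read first.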