04-02-2012 07:27 PM - edited 03-11-2019 03:49 PM
People,
I have a firewall ASA 5505 with ASA 8.4(2), ASDM 6.4(5).
I have only one public IP and need to publish services on the Internet:
External user (Internet) -> calls connection on port 22 of internal server 192.168.1.124
External user (Internet) -> calls connection on port 80 of the internal server 192.168.1.124 or another server on the same inside.
For the moment I'm just testing access on port 22.
I had it working in version 8.2, but after I updated to 8.4 it does not work; I've tested several different configurations.
Configuration (see asa5505_config.txt file):
object network remoto_ssh
host 189.120.190.229
object network linux_ssh
host 192.168.1.124
nat (inside,outside) static remoto_ssh
access-list outside_access_in line 1 extended permit tcp any object linux_ssh eq ssh
ERROR: Address 189.120.190.229 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Thanks
04-03-2012 06:49 PM
I do not see the point of this object rule...
What purpose does it serve? You have already identified the inside LAN on the interface setup.
(ip address 192.168.1.1 255.255.255.0)
object network rede_inside
subnet 192.168.1.0 255.255.255.0 ??????
I am unfamiliar with DHCP setroute. My WAN IP is static (semi; sometimes it changes after power outages etc.).
Do you mean it's a dynamic WAN IP? Every day the ISP changes it?
You have two objects entered without any defining data?
object network aa ???
object network Server_LinuxSSH ????
I have no clue what you're trying to do with all these ACL rules... It's way overboard.
access-list rede_inside extended permit ip any any
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip object rede_inside any
access-list inside_access_in extended deny ip object rede_inside any
Your dynamic PAT rule is missing the object it should be associated with (not defined in your objects section).
nat (inside,outside) source dynamic any interface
The embedded NAT object rule for SSH seems reasonable, although I would use the port number in the rule; if it equates to a known text item the router will change it automatically (I confirmed this: I made a service object with port 22 and it changed it in the running config to appear as 'ssh'). I am not sure about ANY in the NAT rule, but you're using a different WAN IP format than I am used to (DHCP setroute).
Don't know the purpose of this rule; I don't use it.
access-group inside_access_in in interface inside
You're totally missing a route rule. The packets from your LAN and DMZ have no idea how to get to their next destination.
You need to associate a route with the IP gateway of your ISP.
Sample config follows.
ASA Version 8.4(2)
!
hostname FW-Zion
names
name 192.168.1.0 rede_inside
name 192.168.1.2 wan_tc_zion
name 192.168.1.124 vm_secur
!
interface Ethernet0/0
description outside
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
interface Ethernet0/7
description lan_server_ssh
!
interface Vlan1
description inside
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description outside
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name toka.com
object network obj_any_inside
subnet 0.0.0.0 0.0.0.0
(part of the dynamic PAT rule, which will assign PAT to any outgoing traffic so return traffic is routed correctly to the originator within the inside LAN)
object network Server_LinuxSSH
host 192.168.1.124
(comments: host object of the PC IP for ACL rules)
object service SSH_Service
service tcp destination eq ssh
(comments: service defined for ACL rules; note that when making the object I entered 22 for the port number)
object network web-ssh4Nat
host 192.168.1.124
(comments: NAT rule object created)
object-group icmp-type portas_ping_tracert
icmp-object time-exceeded
access-list outside_access_in remark allow external access to ssh server
access-list outside_access_in extended permit object SSH_Service any object Server_LinuxSSH
(If I didn't use my defined service object in making the ACL rule and simply put in the port information, the rule would be... access-list outside_access_in extended permit tcp any object VS-pcIP eq ssh). Note: if you define a group of users, in ranges, in subnets or individually, you can create a group object for users and replace 'any'.
pager lines 24
logging enable
arp timeout 14400
!
object network obj_any_inside
nat (inside,outside) dynamic interface
(first NAT rule in order, followed by static NAT rules)
object network web-ssh4Nat
nat (inside,outside) static interface service tcp ssh ssh
access-group outside_access_in in interface outside
(ACL rules above are associated with and made under the outside (incoming rules) section)
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1
(comments: where xx.xxx.xxx.xx is the IP gateway of the ISP)
timeout xlate 3:00:00
: end
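As an added example (not code from this thread or from Cisco), a small Python linter that checks an ASA 8.3+ config snippet for the three problems raised in this answer and in the one that follows it: a static object NAT whose mapped address is the outside interface's own address (the "overlaps with outside interface address" error), a "deny ip any any" placed ahead of the permits in the outside ACL, and a missing default route. Both sample configs are constructed from the original post; 203.0.113.1 is a placeholder for the ISP gateway.

```python
import re

# Constructed sample based on the original post: the outside interface is given
# the address DHCP had leased it, so the static NAT to that same address
# reproduces the "overlaps with outside interface address" error.
BROKEN = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 189.120.190.229 255.255.255.0
object network remoto_ssh
 host 189.120.190.229
object network linux_ssh
 host 192.168.1.124
 nat (inside,outside) static remoto_ssh
access-list outside_access_in extended deny ip any any
access-list outside_access_in extended permit tcp any object linux_ssh eq ssh
access-group outside_access_in in interface outside
"""
# Corrected as in the accepted answer: NAT to the 'interface' keyword, deny
# rule last, explicit default route (203.0.113.1 is a placeholder ISP gateway).
FIXED = (BROKEN.replace("static remoto_ssh", "static interface service tcp ssh ssh")
         .replace("access-list outside_access_in extended deny ip any any\n", "")
         + "access-list outside_access_in extended deny ip any any\n"
         + "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1\n")
SUB = r"(?: [^\n]*\n)*?"  # skips sub-commands inside an interface/object block

def lint(config):
    """Return reviewer findings for an ASA 8.3+ config; an empty list means clean."""
    found = []
    hosts = dict(re.findall(rf"object network (\S+)\n{SUB} host (\S+)", config))
    m = re.search(rf"nameif outside\n{SUB} ip address (\S+)", config)
    outside_ip = m.group(1) if m else None  # literal address, or "dhcp"
    g = re.search(r"access-group (\S+) in interface outside", config)
    acl = re.findall(rf"access-list {g.group(1)} extended (\w+) (.*)", config) if g else []
    permitted = {hosts.get(w, w) for a, r in acl if a == "permit" for w in r.split()}
    for obj, mapped in re.findall(rf"object network (\S+)\n{SUB} nat \(inside,outside\) static (\S+)", config):
        # 8.3+ rejects a mapped address equal to the interface's own; use the keyword 'interface'
        if hosts.get(mapped, mapped) == outside_ip:
            found.append(f"{obj}: static NAT to {outside_ip} overlaps the outside address; use 'static interface service tcp ssh ssh'")
        # 8.3+ ACLs match the real (inside) address; inbound to security-level 0 is denied unless permitted
        if hosts.get(obj) not in permitted:
            found.append(f"{obj}: no permit for {hosts.get(obj)} in the outside ACL")
    for i, (action, rest) in enumerate(acl):
        if action == "deny" and rest.startswith("ip any any") and any(a == "permit" for a, _ in acl[i + 1:]):
            found.append("outside ACL: 'deny ip any any' sits before permits and shadows them")
    if not re.search(r"ip address dhcp setroute|route outside 0\.0\.0\.0 0\.0\.0\.0", config):
        found.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <ISP gateway> 1'")
    return found
```

lint(BROKEN) reports the overlap, the shadowing deny and the missing route; lint(FIXED) reports nothing.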
04-02-2012 08:12 PM
I didn't see a routing...
route outside 0.0.0.0 0.0.0.0 xx.xxx.xx.225 1
(this tells the router where the next hop is... typically the gateway IP of the ISP)
(for the dynamic PAT rule; allows internal users to reach the Internet and get return traffic)
object network obj_any_inside
subnet 0.0.0.0 0.0.0.0
object network obj_any_inside
nat (inside,outside) dynamic interface
(here is the port-forwarding static NAT rule, assuming .229 is your external IP address. Since you only have one, just use the external interface in the rule.)
object network Nat22toserver
host 192.168.1.124
object network Nat22toserver
nat (inside,outside) static interface service tcp ssh ssh
Basically your server 192.168.1.124 needs to be an object by itself for ACL rules.
For NAT-related rules and services I use NAT in object rules, and names that indicate what I am port-forwarding.
04-02-2012 09:39 PM
Hello Alex,
Access to the Internet via the default route is working. On my outside interface I have DHCP and it gives me a public IP. The problem is in the PAT or public server.
Thanks
04-03-2012 05:16 AM
Well, that looks like an ACL issue, not a NAT/PAT issue.
access-list outside_access_in extended deny ip any any
Would that not stop all incoming traffic cold to any of your servers?
04-03-2012 05:37 AM
So I already have an ACL on the outside allowing access to server 192.168.1.124 on TCP port 22 (SSH).
Could you pass me a configuration of this type of solution so I can compare?
Thanks!!!
04-03-2012 06:04 AM
Okay, by default, at least in 8.43, there are implicit rules such that any traffic from a lower security to a higher security zone is BLOCKED. In other words, typically the outside interface has a security level of "0" and the inside interface "100", and thus all WAN to LAN traffic inbound is blocked by default.
Now, to add to that, I had a longer look at your config. You have no static NAT rules, and your placement in the order of the dynamic PAT rule is weird.
Sorry, I fail to see any routing commands (I must be blind).
By the way, Zion is a DMZ, right? Zion can only have Internet access with the basic license; it cannot initiate connectivity to the LAN, but the LAN can initiate connectivity to Zion.
Your whole setup is very confusing, and I suggest you start without VPN to get it working, then introduce VPN.
Also, the deny rule I pointed to above should be the last one in the list of ACL rules. It's the first or second, I think. If it's even needed.
04-03-2012 02:58 PM
Hello Alex,
So you can understand my topology, I sent you a complete configuration (see your e-mail, ciscosupport).
Some considerations:
My VPN is working partially; when I close the VPN I can not access anything more. But I'll leave it to solve later.
How to publish an SSH service was just what we were seeing; I even did several tests today, but without success.
My license is the base license, and so today I just use inside and outside.
Could you tell me step by step what I need to publish this service (SSH)? I will try to redo all my settings.
Attached below are new logs and topology.
Thank you for your support.
04-03-2012 03:06 PM
04-03-2012 04:21 PM
Okay, I will be unable to help you with a full configuration that has VPN and split-tunneling NAT or ACL rules, as I am not that knowledgeable. I can get you going with a simple start and then you can add the complexity.
One comment is that with the basic license you can only have three interfaces, and that is described by VLANs to my knowledge. You have far too many VLANs set up.
VLAN1 - INSIDE
VLAN2 - OUTSIDE
VLANX - DMZ
I see you also have a VLAN3 and a VLAN4.
You have to decide which VLAN you're going to keep and how you will structure your setup.
Stuff you want more public, I suggest you put on the DMZ.
Let's start with no VPN and one server with one service on the LAN (inside) and one on the DMZ, or if you have none intended for the LAN, two on the DMZ.
Do you have groups of external users or singles that you want to use to limit access to those servers?
We can walk through who should have access to what...
04-03-2012 05:29 PM
04-03-2012 10:04 PM
Brother,
I cleaned up my configuration again following your information and solved my problem; finally I managed to publish my Linux SSH server.
Thanks for your attention and patience.
If I can help you in something please let me know!!!
04-04-2012 09:05 AM
Awesome, glad to have been of service.