How to get access to port 8000?

eferland
Level 1

I had an issue getting to my VPN device from outside my network on port 444. A Cisco tech helped me fix it last night, but now I can't get to the device via the internal IP using port 8000. It worked fine before the tech helped me get access, which I'm grateful for, but how do I get access back?

I'm using an ASA 5510.

Result of the command: "show run nat"

nat (inside,outside) source static 10.0.0.0 10.0.0.0 destination static 10.0.1.0 10.0.1.0 no-proxy-arp route-lookup
!
object network obj-10.0.0.183
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-10.0.0.183-01
 nat (inside,outside) static interface service tcp https https
object network obj-10.0.0.183-02
 nat (inside,outside) static interface service tcp imap4 imap4
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_voip
 nat (VoIP,outside) dynamic interface
object network BarracudaVPN
 nat (inside,outside) static interface service tcp 444 444
object network vpn
 nat (inside,outside) static A_64.140.222.185

This was the fix from Cisco:

!
object network BarracudaVPN
 no nat (outside,inside) static interface service tcp 444 444
 nat (inside,outside) static interface service tcp 444 444
clear xlate local 10.0.0.12
!
access-list out_in line 1 permit tcp any host 10.0.0.12 eq 444
!


Result of the command: "packet-tracer input inside tcp 10.0.0.12 12345 1.1.1.1 80"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group in_out in interface inside
access-list in_out extended permit tcp host 10.0.0.12 any eq www
access-list in_out remark Barracuda
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
object network vpn
 nat (inside,outside) static A_64.140.222.185
Additional Information:
Static translate 10.0.0.12/12345 to 64.140.222.185/12345

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 83337983, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

"Naturally something can be told by looking through the ASDM real time monitoring on what happens to the connection from the device to the destination port TCP/80 somewhere"

Where in the ASDM?

Hi,

That test would show that the connection should go through just fine.

What seems strange to me is the result of the NAT phase combined with what you were looking through with Cisco.

The "packet-tracer" output shows that you have configured a separate IP address of its own for the VPN device.

Your NAT configuration is probably something like this:

object network vpn
 host 10.0.0.12
 nat (inside,outside) static A_64.140.222.185

If the host 10.0.0.12 actually has its own public IP address, you could just open port TCP/444 for this host on the "outside" interface ACL. It wouldn't need any port forward, as the above NAT configuration already makes it possible to contact the device using that public IP address on any port, PROVIDED that the ACL rule for it exists.

I presume that the IP address 64.140.222.185 isn't used anywhere else on the ASA?

- Jouni

64.140.222.185:443 is used for OWA (Exchange). To change the default from port 443 to 444 (because 443 is in use) on the VPN device, I need to log in via 10.0.0.12:8000.

I can see it trying to get on in the ASA. It looks like this:

6  Mar 08 2013  17:41:52  302013  10.0.0.12  45976  216.129.105.129  80  Built outbound TCP connection 83340217 for outside:216.129.105.129/80 (216.129.105.129/80) to inside:10.0.0.12/45976 (64.140.222.185/45976)

My boss is kicking me out. arrrgh

Hi,

The IP address 64.140.222.185 wouldn't by any chance be your "outside" interface IP address?

- Jouni

The log message says that the connection attempt was allowed through the firewall.

It doesn't, however, yet tell us if the connection attempt succeeded.

If the forming TCP connection times out, it will be torn down ("Teardown") with the message SYN Timeout.

A normal TCP connection that is closed ends with TCP FINs.

The log doesn't, however, show the "Teardown" message, only the forming message "Built".

- Jouni
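Jouni's point, that a "Built" message only proves the ASA permitted the flow and the later "Teardown" reason (SYN Timeout versus TCP FINs) tells whether it actually connected, can be checked mechanically. The following Python is an added example, not from the thread or from Cisco; it parses constructed %ASA-6-302013/302014 syslog lines built around the thread's addresses, with the outcomes invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed ASA syslog sample (NOT the thread's ASDM output): 302013 = Built,
# 302014 = Teardown. Connection 83340217 mirrors the thread's flow; the rest is made up.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 83340217 for outside:216.129.105.129/80 (216.129.105.129/80) to inside:10.0.0.12/45976 (64.140.222.185/45976)
%ASA-6-302013: Built outbound TCP connection 83340218 for outside:216.129.105.129/80 (216.129.105.129/80) to inside:10.0.0.15/51000 (64.140.222.185/51000)
%ASA-6-302014: Teardown TCP connection 83340218 for outside:216.129.105.129/80 to inside:10.0.0.15/51000 duration 0:00:04 bytes 5120 TCP FINs
%ASA-6-302014: Teardown TCP connection 83340217 for outside:216.129.105.129/80 to inside:10.0.0.12/45976 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 83340219 for outside:216.129.105.129/80 (216.129.105.129/80) to inside:10.0.0.12/45977 (64.140.222.185/45977)
"""

BUILT_RE = re.compile(
    r"302013: Built (inbound|outbound) TCP connection (\d+) for (\S+) \(\S+\) to (\S+) \(\S+\)")
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (\d+) for \S+ to \S+ duration (\S+) bytes (\d+)(?: (.+))?$")

@dataclass
class Conn:
    conn_id: str
    direction: str
    peer: str                     # "interface:ip/port" on the "for" side of the message
    local: str                    # "interface:ip/port" on the "to" side
    duration: Optional[str] = None
    nbytes: Optional[int] = None
    reason: Optional[str] = None  # teardown reason; None while no Teardown has been seen

def pair_connections(log_text: str) -> Dict[str, Conn]:
    """Match each Built message with its Teardown via the ASA connection id."""
    conns: Dict[str, Conn] = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            direction, cid, peer, local = m.groups()
            conns[cid] = Conn(cid, direction, peer, local)
            continue
        m = TEARDOWN_RE.search(line)
        if m and m.group(1) in conns:
            cid, duration, nbytes, reason = m.groups()
            conns[cid].duration, conns[cid].nbytes = duration, int(nbytes)
            conns[cid].reason = reason or "no reason logged"
    return conns

def outcome(conn: Conn) -> str:
    """Built alone means 'permitted'; only the Teardown reason says whether the peer answered."""
    if conn.reason is None:
        return "still open (Built, no Teardown yet)"
    if conn.reason.startswith("SYN Timeout"):
        return "never established (peer never answered the SYN)"
    if conn.reason.startswith("TCP FINs"):
        return "completed normally"
    return "closed: " + conn.reason

def summarize(log_text: str) -> Dict[str, str]:
    return {cid: outcome(c) for cid, c in pair_connections(log_text).items()}
```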

Yes, 64.140.222.185 is my outside interface.

I just changed the IP on the device and I can get in via 10.0.0.22:8000 but not 64.140.222.185:444.

So I guess I just need to manually enter in each NAT'ed port instead of using an "object network".

Hi,

When you only have a single IP address at your disposal then your options are few.

Your basic PAT configuration for user Internet traffic should look something like this (using random IPs and names):

nat (any,outside) after-auto source dynamic any interface

Or, if you want to define the "source" addresses, you can use:

object-group network DEFAULT-PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Both of the NAT rules accept hosts from "any" interface, so they could be configured to apply to all the other LAN/DMZ interfaces.


Since you only have the mentioned "outside" interface IP address, you can only provide public access to local servers by using Port Forward / Static PAT configurations.

For example:

object network SERVER-TCP444
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 444 444

And so on, depending on the service that needs to be forwarded. The first port number listed on the NAT configuration line is the actual port on the host and the second port is the mapped port.

These shouldn't directly affect any internal LAN connectivity, since the translations are only done between "inside" and "outside" in this case. Nor should they prevent any kind of connectivity to the Internet with port TCP/80 from any host on the LAN.

- Jouni
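The two rules Jouni states above (first port is the real port on the host, second is the mapped port; a static PAT only acts on traffic crossing its own interface pair) can be made concrete with a small model. The Python below is an added example, not from the thread or from Cisco; the outside client 203.0.113.9, the LAN host 10.0.0.50 and the second rule mapping TCP/8000 to TCP/8444 are constructed for illustration, while the 444 rule and the outside address come from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)
OUTSIDE_IF_IP = "64.140.222.185"          # the thread's "outside" interface address

@dataclass(frozen=True)
class StaticPat:
    """Model of: object network X / host H / nat (REAL_IF,MAPPED_IF) static interface service tcp REAL MAPPED"""
    real_if: str
    mapped_if: str
    host: str          # the object's 'host' address
    real_port: int     # first port on the nat line: the port the server really listens on
    mapped_port: int   # second port: the port exposed on the mapped interface's IP

RULES: List[StaticPat] = [
    # From the thread: object network BarracudaVPN, nat (inside,outside) static interface service tcp 444 444
    StaticPat("inside", "outside", "10.0.0.12", 444, 444),
    # Constructed (not in the thread): expose the device's TCP/8000 as TCP/8444 on the outside IP
    StaticPat("inside", "outside", "10.0.0.12", 8000, 8444),
]

def apply_static_pat(in_if: str, out_if: str, flow: Flow,
                     rules: List[StaticPat] = RULES, if_ip: str = OUTSIDE_IF_IP) -> Flow:
    """Return the flow after static PAT. A rule acts only on traffic crossing its own
    interface pair; anything else (LAN-to-LAN, or the dynamic PAT for general Internet
    traffic, which this model leaves out) is returned unchanged."""
    src, sport, dst, dport = flow
    for r in rules:
        # mapped_if -> real_if: mapped IP:mapped_port becomes host:real_port (inbound port forward)
        if (in_if, out_if) == (r.mapped_if, r.real_if) and (dst, dport) == (if_ip, r.mapped_port):
            return src, sport, r.host, r.real_port
        # real_if -> mapped_if: traffic from host:real_port appears as mapped IP:mapped_port
        if (in_if, out_if) == (r.real_if, r.mapped_if) and (src, sport) == (r.host, r.real_port):
            return if_ip, r.mapped_port, dst, dport
    return flow

def demo() -> Dict[str, Flow]:
    """Constructed flows: Internet client 203.0.113.9 and LAN host 10.0.0.50 (both made up)."""
    return {
        "outside->444": apply_static_pat("outside", "inside", ("203.0.113.9", 50000, OUTSIDE_IF_IP, 444)),
        "outside->8444": apply_static_pat("outside", "inside", ("203.0.113.9", 50001, OUTSIDE_IF_IP, 8444)),
        # LAN management access to 10.0.0.12:8000 never crosses (inside,outside): left untouched
        "lan->8000": apply_static_pat("inside", "inside", ("10.0.0.50", 40000, "10.0.0.12", 8000)),
        # a LAN host aiming at the public IP:444 is not matched by an (inside,outside) rule either
        "lan->public444": apply_static_pat("inside", "outside", ("10.0.0.50", 40001, OUTSIDE_IF_IP, 444)),
    }
```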
