Inbound ACL on ASA is not Working

mrlizard06
Level 1

I'm having a strange problem with an ASA. It's a pretty basic setup with a FPR-1010 running an ASA image (version 9.18(2)). I have webvpn configured, but disabled right now for troubleshooting. The issue I'm having is that no matter what access-list I put on the outside interface and no matter what ACE(s) I put in it, no traffic matches them. Maybe I'm missing something obvious, but at this point I'm throwing up the white flag and asking for help before I make the call to just reset it to factory and try to do the config again from the ground up. You'll notice that there are three access-lists configured that indicate they go on the outside interface; as the config indicates, I'm using outside-in right now so I can just use smtp and https for testing. Let me know if I can provide more info.

Here is the output of packet-tracer input outside tcp 8.8.8.8 65321 *WAN IP* https detailed

Result of the command: "packet-tracer input outside tcp 8.8.8.8 65321 *WAN IP* https detailed"

Phase: 1
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 18910 ns
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fc66a114c50, priority=0, domain=nat-per-session, deny=false
	hits=47922, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=any, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Elapsed time: 18910 ns
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fc66b7911a0, priority=0, domain=permit, deny=true
	hits=13842, user_data=0xb, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
	input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Time Taken: 37820 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000564161c60a0e flow (NA)/NA

: Hardware:   FPR-1010, 7148 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
ASA Version 9.18(2) 
!
hostname *CMPNAME*FPR1010
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
!
license smart
 feature tier standard
names
no mac-address auto
ip local pool annyconnect 172.16.10.1-172.16.10.10 mask 255.255.255.0

!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/1
 no switchport
 nameif outside
 security-level 0
 ip address *WAN IP* 255.255.255.252 
!
interface Ethernet1/2
 no switchport
 nameif inside
 security-level 100
 ip address 192.168.254.254 255.255.255.0 
!
interface Ethernet1/3
 no switchport
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/4
 no switchport
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/4.5
 vlan 5
 nameif guest
 security-level 50
 ip address 192.168.5.1 255.255.255.0 
!
interface Ethernet1/5
 no switchport
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/6
 switchport
 no security-level
!
interface Ethernet1/7
 switchport
 power inline auto
 no security-level
!
interface Ethernet1/8
 switchport
 power inline auto
 no security-level
!
interface Management1/1
 management-only
 shutdown
 nameif management
 security-level 0
 no ip address
!
interface BVI1
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone America/Chicago
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222 outside
 name-server 208.67.220.220 outside
same-security-traffic permit intra-interface
no object-group-search access-control
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network emailserver
 host 192.168.254.250
object network insidenet
 subnet 192.168.254.0 255.255.255.0
object network ms2-http
 host 192.168.254.250
object network ms2-https
 host 192.168.254.250
object network ldap
 host 192.168.254.250
object network ldaps
 host 192.168.254.250
object network smtp
 host 192.168.254.250
object network vpnsubnet
 subnet 172.16.10.0 255.255.255.0
object network *SMTPRELAY1*
 subnet *SMTPRELAY1* 255.255.255.248
object network *SMTPRELAY2*
 subnet *SMTPRELAY2* 255.255.255.0
object network *SMTPRELAY3*
 subnet  255.255.255.0
object network wanip
 host *WAN IP*
object-group network VipreFusemail
 network-object object *SMTPRELAY1*
 network-object object *SMTPRELAY2*
 network-object object *SMTPRELAY3*
access-group outside-in in interface outside
access-list outside-in extended permit tcp any any eq https 
access-list outside-in extended permit tcp any any eq smtp 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended permit tcp any any eq 444 
access-list outside_access_in extended permit tcp any interface outside eq ldap 
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in extended permit tcp any any eq ldaps 
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
access-list split_tunnel_vpn standard permit 192.168.254.0 255.255.255.0 
access-list outside_in_temp extended permit tcp any any eq https 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static insidenet insidenet destination static vpnsubnet vpnsubnet no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network emailserver
 nat (inside,outside) static interface service tcp smtp smtp 
object network ms2-http
 nat (inside,outside) static interface service tcp www www 
object network ms2-https
 nat (inside,outside) static interface service tcp https https 
route outside 0.0.0.0 0.0.0.0 *WAN DEFAULT ROUTE* 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server Duo-RADIUS protocol radius
aaa-server Duo-RADIUS (inside) host 192.168.254.250
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication login-history
http server enable
http 192.168.254.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.1.1,CN=*CMPNAME*FPR1010
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 0a0142800000014523c844b500000002
  quit
crypto ca certificate chain _SmartCallHome_ServerCA2
 certificate ca 0509
  quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate 65c404f0
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption aes
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
no ssh stack ciscossh
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh *MYCMPIP* 255.255.255.255 outside
ssh 192.168.254.0 255.255.255.0 inside
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 guest
webvpn
 port 444
 dtls port 444
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.03104-webdeploy-k9.pkg 1
 anyconnect profiles *CMP*annyconnectVPN disk0:/*CMP*annyconnectvpn.xml
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.254.241
 dns-server value 192.168.254.241
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_vpn
 default-domain value *CMPDOMAIN*.local
 webvpn
  anyconnect profiles value *CMP*annyconnectVPN type user
dynamic-access-policy-record DfltAccessPolicy
username *MYCMP* password ***** pbkdf2 privilege 15
tunnel-group *CMP*vpn type remote-access
tunnel-group *CMP*vpn general-attributes
 address-pool annyconnect
 authentication-server-group Duo-RADIUS
tunnel-group *CMP*vpn webvpn-attributes
 group-alias *CMP* enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9d09ec1caa51d53bae74a30f71f6a06f
: end

14 Replies

No need for an ACL on Outside; the traffic from Inside will return and pass through Outside without any need for an ACL.

The ACL is needed only if the traffic is initiated from Outside and you have a server Inside.

MHM

Can you confirm you have a server Inside, and which type of server it is?

MHM

I will assume it is http/https

The NAT is the issue here.

nat (inside,outside) source static object-private-ip object-public-ip service tcp http http

Why?

For static NAT we need to use manual NAT, not object NAT.

When you use object NAT for static NATing you need to be sure the dynamic NAT is at the end of the list (I don't recommend using object NAT for static NAT at all).

Check NAT rule order in ASA for more information.

MHM

@MHM Cisco World, what a crap! The packet-tracer was run as

packet-tracer input outside tcp 8.8.8.8 65321 *WAN IP* https detailed

How could 8.8.8.8 match with

nat (inside,outside) source static insidenet insidenet destination static vpnsubnet vpnsubnet no-proxy-arp route-lookup

?


@MHM Cisco World, if you mean that object NAT is an issue here, then yes, it can be the issue, but it's not quite clear what exactly is wrong with the object static NAT:

object network ms2-https
 nat (inside,outside) static interface service tcp https https

It is indeed possible that the packet comes in, is not matched by the object static NAT for some unknown reason, and is routed back out the outside interface and dropped there. We need "show nat detail" to understand how the pre-defined "https" was interpreted by the system.


When you use packet tracer, you would need to specify the destination IP after NAT, so in your case you would need to use the private IP of the destination server. Example:

packet-tracer input outside tcp 8.8.8.8 65321 192.168.254.250 25 detailed

Regarding port 443, if you enable webvpn on port 443, then that would affect the traffic destined to the internal web servers on port 443, because in that case both webvpn and the internal servers' NAT will be configured with the same public IP. I think the solution for this would be to change the default port for webvpn or use a different external port for the internal web servers.


@Aref Alsouqi, what?

object network ms2-https
 nat (inside,outside) static interface service tcp https https 
webvpn
 port 444


Skimmed through the config and that went unnoticed; in that case what I'd mentioned about the ports conflict won't apply.

The first part doesn't apply either; it is perfectly possible to test static NAT rules with the packet-tracer by specifying the public IP address in the tool.


I must be confusing myself with something else then. I'll test this on an ASA when I get the chance for my interest.

tvotna
Spotlight

Hmm... This is indeed extremely strange, but I have an idea. This is crazy, but please try:

object network obj_any
 nat (inside,outside) dynamic interface


Taking this snippet from the shared configs, I can't see any issue with them. The static NAT here is correct, the ACL entry is correct, and the right ACL is applied to the outside interface. However, as mentioned before, I think the packet-tracer command should use the private IP as the destination, not the public IP, and that would reflect the right flow on the firewall:

object network ms2-http
   host 192.168.254.250
   nat (inside,outside) static interface service tcp https https

access-list outside-in extended permit tcp any any eq https

access-group outside-in in interface outside

OK. The configuration is valid, as is the way packet-tracer was run. This is a bug.

CSCwc82124 ASA NAT rules are not working as expected after an upgrade to 9.18.2

Symptom:
After upgrading the ASAv to version 9.18.2, the following problems are noticed on the system

- auto-nat rules to outside interface IP not working (NAT untranslate section not working)
- to the box traffic like ASDM 443 access through the data interface is not redirected to identity rather an egress lookup is done and the TCP SYN is sent back to the data interface (U-turn) leading up to GUI access issues.

Conditions:
ASA running 9.18.2 code
Dynamic NAT with 443 port translation configured
nat (Inside,Outside) source dynamic interface service

Workaround:
None


The bug was fixed in 9.18.3 and 9.18.4
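As a troubleshooting aid for the packet-tracer output in the original post, here is an added Python example (not from the thread, and not Cisco tooling) that parses a trace, reports the first dropping phase with its drop reason, and flags the absence of a UN-NAT phase before the ACCESS-LIST phase, which is the sign that the static NAT untranslate described in CSCwc82124 never ran. The second sample trace is constructed to show the assumed healthy shape of the same test and was not captured from the poster's device.

```python
import re

# Constructed sample 1: the original post's packet-tracer output, trimmed to the lines the parser reads.
OP_TRACE = """\
Phase: 1
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000564161c60a0e flow (NA)/NA
"""

# Constructed sample 2: an assumed healthy trace for the same test, where the static object NAT untranslates first.
HEALTHY_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ms2-https
 nat (inside,outside) static interface service tcp https https
Additional Information:
Untranslate *WAN IP*/443 to 192.168.254.250/443

Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list outside-in extended permit tcp any any eq https
Additional Information:

Result:
Action: allow
"""

def parse_packet_tracer(text):
    """Return (phases, final_action, drop_reason); each phase is a dict."""
    phases, action, drop_reason = [], None, None
    for block in re.split(r"\n\s*\n", text.strip()):      # phases are blank-line separated
        if m := re.match(r"Phase:\s*(\d+)", block):
            cfg = re.search(r"Config:\n(.*?)(?:Additional Information:|\Z)", block, re.S)
            phases.append({
                "number": int(m.group(1)),
                "type": re.search(r"^Type:\s*(.*)$", block, re.M).group(1).strip(),
                "result": re.search(r"^Result:\s*(.*)$", block, re.M).group(1).strip(),
                "config": [l.strip() for l in (cfg.group(1) if cfg else "").splitlines() if l.strip()],
            })
        elif block.startswith("Result:"):                  # bare header: the summary block
            if a := re.search(r"^Action:\s*(.*)$", block, re.M):
                action = a.group(1).strip()
            if d := re.search(r"^Drop-reason:\s*(.*)$", block, re.M):
                drop_reason = d.group(1).strip()
    return phases, action, drop_reason

def diagnose(text):
    """Final action plus the checks to make before blaming the ACL itself."""
    phases, action, drop_reason = parse_packet_tracer(text)
    types = [p["type"] for p in phases]
    findings = []
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop:
        findings.append(f"dropped in phase {drop['number']} ({drop['type']}): {drop_reason}")
        if "Implicit Rule" in drop["config"]:
            findings.append("implicit deny hit: no ACE in the applied ACL matched the flow")
    # A working inbound flow to a static NAT shows UN-NAT before ACCESS-LIST; its absence means the mapped address was never untranslated.
    if "ACCESS-LIST" in types and "UN-NAT" not in types[: types.index("ACCESS-LIST")]:
        findings.append("no UN-NAT phase before ACCESS-LIST: static NAT untranslate did not run")
    return action, findings
```

Run `diagnose(OP_TRACE)` against the poster's output and it reports the implicit-deny drop together with the missing UN-NAT phase, while the constructed healthy trace yields no findings.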


It was correct indeed. For some reason I confused myself yesterday with the packet-tracer command, although I'm familiar with the way it works.