Please, remove:

---> access-group inside_access_in in interface inside<---

access-group outside_access_in in interface outside

-All you need to do is one access group in that configuration.

Also, you can have one Object and add miltiple ACLs to it. It all depends on the services that you want.

object network FTP_PAT

host 192.168.240.19

object network WEB_PAT

host 192.168.240.19

Thanks Oscar,

I removed the access-group inside_access_in but still the same.

I tried with one object before but hadn't internet access to the server either. I don't think it matters so I rather use one object for each port for the sake of clarity.

Regards

Gerardo

Thanks MvSheik,

yes, the server has internet connectivity. This is an http and ftp server that was already running and was accessed by both internal net PCs (which still can access) and from the internet (which after changing the PIX for the ASA can't anymore).

Any way I reset the modem, the asa even the server but still can't access the server from internet.

Regards

Gerardo

Hi,

Have you removed the default inspection configurations? I cant see them in the configurations. I would suggest adding them just for the sake of the FTP

For example

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

  no protocol-enforcement

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect rtsp

  inspect skinny

  inspect pptp

  inspect http

  inspect esmtp

  inspect icmp

  inspect icmp error

  inspect ftp

service-policy global_policy global

Also with regarding the actual specific problem, if you issue "show access-list" command do you see any hitcount on the ACL statements which allow TCP/80 and TCP/21?

Also you could try to take the output of the "packet-tracer" command to test the traffic

packet-tracer input outside tcp 1.1.1.1 12345 80

packet-tracer input outside tcp 1.1.1.1 12345 21

Even though in your situation the Static PAT configuration format shouldnt matter, you could try to do the following configurations and see if they make any difference. These remove the current Static PAT (Port Forward) configurations

no access-list outside_access_in extended permit tcp any object WEB_PAT eq www

no access-list outside_access_in extended permit tcp any object FTP_PAT eq ftp

no object network FTP_PAT

no object network WEB_PAT

object network SERVER

host 192.168.240.19

object service FTP

service tcp source eq 21

object service WWW

service tcp source eq 80

nat (inside,outside) source static SERVER interface service FTP FTP

nat (inside,outside) source static SERVER interface service WWW WWW

- Jouni

Thanks Jouni,

I did add the lines you suggested but still the server is unreachable although the packet-tracer show a better answer.

I had to add a line to permit the ip traffic in the outside_access_list to the server as only icmp was left after the changes.

This is the response to the packet-tracer command before and after.

BEFORE*********************************************************************************

Result of the command: "packet-tracer input outside tcp 1.1.1.1 12345 X.X.X.X 80"

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

AFTER*************************************************************************************

Result of the command: "packet-tracer input outside tcp 1.1.1.1 12345 X.X.X.X 80"

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static SERVER interface service WWW WWW

Additional Information:

NAT divert to egress interface inside

Untranslate X.X.X.X/80 to 192.168.1.19/80

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit ip any object SERVER

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static SERVER interface service WWW WWW

Additional Information:

Static translate 1.1.1.1/12345 to 1.1.1.1/12345

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static SERVER interface service WWW WWW

Additional Information:

Phase: 9

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1491, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

and this is how my configuration looks now.

: Saved

:

ASA Version 9.0(1)

!

hostname ciscoasa1

enable password HK8DwXVw0PRo5n0D encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.128

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object network my-inside-net

subnet 192.168.1.0 255.255.255.128

object network MyPublicIP

host X.X.X.X

object network NAT-DYN

subnet 192.168.1.0 255.255.255.128

object network SERVER

host 192.168.1.19

object service FTP

service tcp source eq ftp

object service WWW

service tcp source eq www

access-list inside_access_in extended permit ip object my-inside-net any

access-list inside_access_in extended permit tcp object my-inside-net any

access-list inside_access_in extended permit udp object my-inside-net any

access-list inside_access_in extended permit icmp object my-inside-net any

access-list outside_access_in extended permit ip any object SERVER

access-list outside_access_in extended permit icmp any4 any4

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static SERVER interface service FTP FTP

nat (inside,outside) source static SERVER interface service WWW WWW

!

object network my-inside-net

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.128 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username MyName password IPks.pvF1fRLc2sc encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

  no protocol-enforcement

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect rtsp

  inspect skinny 

  inspect pptp

  inspect http

  inspect esmtp

  inspect icmp

  inspect icmp error

  inspect ftp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6f9275db2a20167e195bf1144cd05961

: end

no asdm history enable

Regards

Gerardo

Hi,

Since you are only using the public IP that you get for the ASA with DHCP there should be no problem reaching your ASA and therefore your server. If there was a problem no internal device could access the Internet.

You didnt reply/mention in the above reply if you we seeing any hitcounts on the output of the "show access-list" command for this SERVER when you are testing connections from the external network. Try the connections multiple times and check the "show access-list" command to see if the hitcount of the rule for the SERVER is increasing.

Do notice that using the "packet-tracer" commands add to the ACL hitcount even though no actual connection has come from the external network.

I would also suggest double checking the network configurations on the SERVER and confirming that no software firewalls etc is not blocking the connections.

Also, are you sure you are targetting the correct public IP address from the external network? Since you are using DHCP to get a public IP address for your ASA.

- Jouni

Hello Jouni,

in fact I can access cisco ASDM from the internet. The IP is obtained by DHCP but is static, never changes.

I did the show access-list before your changes and showed 0 hits for the server I forgot to tell.

The extrange thing is that hitcnt is only increased by the packet-tracer command not when I try a web page of the server or the ftp. Both the IIS server and ftp server are up and running I can access them from the internal network.

access-list outside_access_in; 2 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit ip any object SERVER (hitcnt=3) 0xee330cf0

  access-list outside_access_in line 1 extended permit ip any host 192.168.1.19 (hitcnt=3) 0xee330cf0

access-list outside_access_in line 2 extended permit icmp any4 any4 (hitcnt=1108) 0x5ac062e8

I have checked the SERVER network configuration and security settings and found nothing wrong. Also I shut down the antivirus and antispybot. But everything remains the same.

Regards

Gerardo

Hi Gerardo,

Did you manage to get this resolved?

I'm experiencing the same issue but I'm using a Cisco ASA 5510 with IOS 9.1.2.

My issue is the same as yours, the ACL that is applied to the Outside interface behaves like it hasn't been applied so I get no hit counts. The only statement that works and gets a hit count is the "permit icmp any any" but all my other statements which are TCP and UDP don't work, it feels like TCP and UDP requests are being dropped but even before the requests get to the ACL.

One thing i noticed on IOS 9.0 and later is that at the beginning of the config it shows this:

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

I'm not sure if by changing them to permit would make a difference, I'll give it a go tomorrow.

Cheers.

Jon

Hello Jon,

I don't have those statements so I don't think that is.

Hello Mike,

     I tried but it didn't work so I swithed it back.

     Just curious: If the ASDM uses https, why disabling http stopped  the communication with the ASDM.

Hi Geraldo,

is your ISP Comcast? I have done the same, I called them up, switched to bridge mode my cable modem, them let the ASA do the work.

Double NAT with a router in between causes many issues. I spent two days doing the same until I got my modem into Bridge mode setup.

Regards,