Need Help on one Firewall Question

jaskamboj
Level 1

Hi All,

I am using a Cisco ASA in my environment, which is connected to an L2 switch. One server and one router are also connected to the L2 switch. Now I want to access port 80 on my server from outside.

How is this possible if the server's gateway is the router's IP and I don't want to add a static route on the router or the server towards the firewall? NAT and the access list are done on the firewall. What else can I do on the firewall to access port 80 of my server from outside? I don't want to change anything on the router/server.


Below is the IP detail

1. Firewall inside 192.168.1.1 & Outside 1.1.1.1

2. Router IP - 192.168.1.2

3. Server IP - 192.168.1.3 & GW - 192.168.1.2


Hi Jouni,

I have tried the earlier configuration, but no luck.

If you have those old NAT-format configurations on your PIX firewall, then I would like to see the output of a "packet-tracer" command simulating a connection coming to your web server.

It would be something like this

packet-tracer input outside tcp 123.123.123.123 12345 80

This should tell us what NAT rules are matched on the firewall for such a connection. Just enter the public IP address used in the web server's NAT command as the destination.

- Jouni

Hi,

Please find the report below.

packet-tracer input outside tcp 1.1.1.2 www 1.1.1.1 www

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255
  match tcp inside host 192.168.1.3 eq 80 outside any
    static translation to 1.1.1.1/80
    translate_hits = 0, untranslate_hits = 10
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/80 to 192.168.1.3/80 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WEBSERVER in interface outside
access-list WEBSERVER extended permit tcp any host 1.1.1.1 eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255
  match tcp inside host 192.168.1.3 eq 80 outside any
    static translation to 1.1.1.1/80
    translate_hits = 0, untranslate_hits = 10
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255
  match tcp inside host 192.168.1.3 eq 80 outside any
    static translation to 1.1.1.1/80
    translate_hits = 0, untranslate_hits = 10
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Hi,

The only situation where I managed to get this working was when I configured

static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255
global (inside) 100 interface
nat (outside) 100 0.0.0.0 0.0.0.0 outside

I tried to configure Dynamic Policy PAT on the "outside" -> "inside" direction, but it didn't seem to work.

- Jouni
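The packet-tracer output above only proves the forward direction: the ASA un-NATs 1.1.1.1:80 to 192.168.1.3:80, the ACL permits it, and a flow is created. What it cannot show is the return path. The server's default gateway is the router (192.168.1.2), so its SYN/ACK to the outside client goes to the router, not back to the ASA, and the ASA never sees the second half of the handshake. Jouni's working configuration adds outside-to-inside PAT, so the server sees every connection as coming from the ASA's inside address (192.168.1.1), which is on its own /24 and is reached without any gateway. The model below is an added illustration written for this page, not code from the thread or from Cisco, and it is not how the ASA itself is implemented. It uses the addresses from the original post, assumes the router has no route back towards the ASA (the poster refuses to add one), and uses a made-up PAT source port of 1025.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the original post; everything else in this model is constructed.
LAN = ipaddress.ip_network("192.168.1.0/24")
ASA_INSIDE = ipaddress.ip_address("192.168.1.1")
ASA_OUTSIDE = ipaddress.ip_address("1.1.1.1")
ROUTER = ipaddress.ip_address("192.168.1.2")
SERVER = ipaddress.ip_address("192.168.1.3")
CLIENT = ipaddress.ip_address("1.1.1.2")   # source used in the posted packet-tracer


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def server_next_hop(dst):
    """The server's routing decision: connected /24 first, otherwise its
    default gateway, which is the router (192.168.1.2) as in the post."""
    return dst if dst in LAN else ROUTER


def asa_inbound(pkt, outside_pat):
    """ASA handling of one outside->inside packet.

    Always: un-NAT the static 'interface www -> 192.168.1.3 www' (the UN-NAT
    phase in the posted packet-tracer).  With outside_pat=True, additionally
    PAT the source to the inside interface address, which is the effect of
    Jouni's 'global (inside) 100 interface' + 'nat (outside) 100 0.0.0.0 0.0.0.0
    outside'.  The PAT port 1025 is a constructed value, not a real allocation."""
    if pkt.dst != ASA_OUTSIDE or pkt.dport != 80:
        raise ValueError("no static NAT matches this destination")
    src, sport = (ASA_INSIDE, 1025) if outside_pat else (pkt.src, pkt.sport)
    return Packet(src, sport, SERVER, 80)


def simulate(outside_pat):
    """Walk one HTTP connection attempt end to end and report what happens."""
    inbound = asa_inbound(Packet(CLIENT, 12345, ASA_OUTSIDE, 80), outside_pat)
    # The server answers whatever source address it saw on the SYN.
    reply = Packet(SERVER, 80, inbound.src, inbound.sport)
    hop = server_next_hop(reply.dst)
    # Model assumption: the router has no route back via the ASA (the poster
    # will not add one), so a reply handed to the router never returns to the
    # firewall and the half-open flow times out.
    reaches_asa = hop == ASA_INSIDE
    return {
        "server_sees_client_as": str(inbound.src),
        "reply_next_hop": str(hop),
        "reply_reaches_asa": reaches_asa,
        "connection_works": reaches_asa,
    }


if __name__ == "__main__":
    for pat in (False, True):
        label = "outside PAT" if pat else "static NAT only"
        print(f"{label:16} -> {simulate(pat)}")
```

Without outside PAT the reply's next hop is 192.168.1.2 and the connection fails even though packet-tracer said ALLOW; with it, the next hop is 192.168.1.1 and the handshake completes. The cost is visible in `server_sees_client_as`: every outside client now appears to the server as 192.168.1.1, so web server access logs, per-IP rate limits and any IP-based allow lists on the server no longer see the real client. If attribution matters, the ASA's own connection logs are the only place the original source address survives.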
