Solved: outside access

Liam Dwyer · ‎12-04-2013

Hello,

I am having a beat my head against the wall moment. Trying to put in a access-list statement for an external IP to a DMZ ip address allowing only 80 and 443. this is the statement -

access-list outside_access_in line 4 extended permit tcp host 12.133.197.99 eq www host 192.168.1.11 eq www

here is the packet-tracer output....

Obviously getting dropped but where?!?!?!

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.1.0 255.255.255.0 dmz1

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmz1

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Jouni Forss · ‎12-05-2013

Hi,

It should not be overriding it since we are talking about a completely different public IP address.

Your connections would be coming towards the IP address x.x.197.99 from the public network and NAT configurations that use the IP address x.x.197.72 should not have anything to do with the operation of the x.x.197.99 NAT

And this still is NOT the correct configuration

object network obj-192.168.1.11

nat (dmz1,outside) static xx.xxx.197.99 service tcp www https

It should be

object network SERVER-TCP80

host 192.168.1.11

nat (dmz1,outside) static x.x.197.99 service tcp 80 80

object network SERVER-TCP443

host 192.168.1.11

nat (dmz1,outside) static x.x.197.99 service tcp 443 443

I can't see those configurations in the above listing.

Insert the correct public IP address instead of the x.x.197.99. You can naturally change the name of the above objects but otherwise the configurations should be like mentioned above.

After you have those configurations you could test them with

packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 80

packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 443

- Jouni

View solution in original post

Jouni Forss · ‎12-04-2013

Hi,

There is a minor mistake.

access-list outside_access_in line 4 extended permit tcp host x.x.197.99 eq www host 192.168.1.11 eq www

That is that you define the source port as TCP/80 also (WWW/HTTP).

This will not be the case. The clients source ports is pretty much always a random source port and you rarely know it.

So change your ACL to this to allow both HTTP and HTTPS

access-list outside_access_in line 4 extended permit tcp host x.x.197.99 host 192.168.1.11 eq www

access-list outside_access_in line 5 extended permit tcp host x.x.197.99 host 192.168.1.11 eq https

The above simply allows destination port TCP/80 and TCP/443 connections from the single source IP address. As we dont mention any source port after the source IP address that means any source port is fine and this is how it should be.

Hope this helps

Please do remember to mark a reply as the correct answer if it answers your question.

Feel free to ask more if needed though

- Jouni

Jouni Forss · ‎12-04-2013

Also,

I think you should see an UN-NAT Phase among the very first few Phases for this traffic.

If this traffic is coming from the external/public network then the host on the DMZ needs to have a public NAT IP address.

I assume that you are using a software level 8.3 or newer since you refer to actual DMZ server local IP address as the destination in the ACL that is attached to the "outside" interface of the ASA.

If you are using an ASA software of 8.2 or below then the ACL rules destination IP address should be the NAT IP address.

- Jouni

Liam Dwyer · ‎12-05-2013

morning, sorry for the delay got caught up.

so the nat is in place.

28 (dmz1) to (outside) source static obj-192.168.1.11 12.133.197.99 service tcp www https

translate_hits = 0, untranslate_hits = 22

not sure if I have the acl in the right spot though since there are multiple outside acl's.

getting the same output from packet tracer

Liam Dwyer · ‎12-05-2013

new packet tracer out put after I added the statement to allow all from the outside to dmz address

still dropping though

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.1.0 255.255.255.0 dmz1

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_acl in interface outside

access-list outside_acl extended permit tcp any host 192.168.1.11 eq www

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network obj-192.168.1.11

nat (dmz1,outside) static 12.133.197.99 service tcp www https

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmz1

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Jouni Forss · ‎12-05-2013

Hi,

Seems to me that the NAT configurations is wrong.

You should see the UN-NAT phase at the very start of the "packet-tracer". You also have to use the public NAT IP address as the destination IP in the "packet-tracer" command.

Please share your NAT configuration related to these rules and the contents of the "object" and "object-group" you might be using.

Seems to me that you are doing Static PAT but your are mapping the port TCP/80 to the port TCP/443 which doesnt make sense.

If you are doing Static PAT for ports TCP/80 and TCP/443 then you should have something like this

object network SERVER-TCP80

host 192.168.1.11

nat (dmz1,outside) static x.x.197.99 service tcp 80 80

object network SERVER-TCP443

host 192.168.1.11

nat (dmz1,outside) static x.x.197.99 service tcp 443 443

You should what is the name of the ACL attached to your "outside" interface. You can do that with the command

show run access-group | inc outside

Then you can add to that ACL these lines

access-list permit tcp any object SERVER-TCP80 eq 80

access-list permit tcp any object SERVER-TCP443 eq 443

Hope this helps

- Jouni

Liam Dwyer · ‎12-05-2013

my mistake on the packet tracer and I just re-ran. I am getting nat for the dmz segment to another address but all is allowed...

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 12.133.197.0 255.255.255.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group dmz1_acl in interface dmz1

access-list dmz1_acl extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj-192.168.1.0

nat (dmz1,outside) dynamic 12.133.197.72

Additional Information:

Dynamic translate WebServer2/12345 to 12.133.197.72/52673

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 426842629, packet dispatched to next module

Result:

input-interface: dmz1

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Liam Dwyer · ‎12-05-2013

here is the object-group output -

object-group network og_ip_nat_dmz2

network-object 10.1.0.0 255.255.0.0

object-group icmp-type safe_icmp

icmp-object echo

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

object-group network COS-Clients

network-object host Lucille

network-object host commandview

network-object host vDR04

network-object host vc

network-object host mis2

network-object host fps1

network-object host BACKUP2

network-object host hpsim

network-object host p2v

network-object host Jill

network-object host commandview2

network-object host BACKUP3

network-object host CELLMGR

network-object host vc2

network-object host vDR01

network-object host vDR02

network-object host vDR03

network-object host Liam

object-group network ESX-Servers

network-object host esx01

network-object host esx02

network-object host esx03

network-object host vMa01

network-object host vMa02

network-object host vMa03

network-object host esx04

network-object host vMa04

network-object host esx05

network-object host vMa05

object-group network HPSIM-Server

network-object host hpsim

object-group network UPS-Management

network-object host sups-01

network-object host sups-02

network-object host sups-03

network-object host sups-07

network-object host sups-10

object-group service COS-Access-TCP tcp

port-object eq 902

port-object eq 903

port-object eq ssh

port-object eq https

port-object eq 3052

port-object eq 27000

port-object eq 27010

port-object eq 6547

port-object eq 5480

port-object eq www

port-object eq 22024

object-group service COS-Access-UDP udp

port-object eq 902

port-object eq 903

object-group service upsmgmnt tcp

port-object eq 3573

port-object eq 3052

port-object eq www

port-object eq 6547

object-group service upsmgmnt_udp udp

port-object eq 3052

port-object eq 200

port-object range 2844 2845

port-object range 4679 4680

object-group service backupexec tcp

port-object range 5204 5221

port-object eq 6101

port-object eq 10000

port-object eq 5555

port-object range 20000 20004

port-object range 20100 20199

port-object range 18000 18049

object-group service hpsim-tcp tcp

port-object eq 1125

port-object eq 1126

port-object eq 5988

port-object eq 5989

object-group service hpsim-udp udp

port-object eq snmp

object-group service OFFICESCAN tcp

port-object eq 8080

port-object eq 4343

port-object eq 34515

object-group network og_ip_nat_dmz1

network-object 10.1.0.0 255.255.0.0

object-group network Email-Port-25

network-object host Exchange

network-object host SPAM1

network-object host SPAM2

object-group network Blacklist

network-object 206.51.26.0 255.255.255.0

network-object 193.109.81.0 255.255.255.0

network-object 204.187.87.0 255.255.255.0

network-object 206.53.144.0 255.255.240.0

network-object 216.9.240.0 255.255.240.0

network-object 67.223.64.0 255.255.224.0

network-object 93.186.16.0 255.255.240.0

network-object 68.171.224.0 255.255.224.0

network-object 74.82.64.0 255.255.224.0

network-object 173.247.32.0 255.255.224.0

network-object 178.239.80.0 255.255.240.0

network-object 180.168.204.0 255.255.252.0

network-object 5.100.168.0 255.255.248.0

network-object 180.149.148.0 255.255.252.0

network-object 131.117.168.0 255.255.248.0

object-group service prtg-UDP udp

port-object eq snmptrap

port-object eq 2048

object-group service ARCGIS-IN_tcp tcp

port-object eq 27000

port-object eq 27010

object-group service MitelIN-MBG_tcp tcp

port-object eq www

port-object eq https

port-object eq 4443

port-object eq 6801

port-object eq 6802

port-object eq 3998

port-object eq 6880

object-group service MitelIN-MBG_udp udp

port-object range 20000 20499

port-object range 1024 65535

object-group service MitelDMZ-IN_tcp tcp

port-object eq www

port-object eq https

port-object eq 4443

port-object eq 6809

port-object eq 6800

port-object eq 6801

port-object eq 6802

port-object eq 3998

port-object eq 6880

object-group service MItelDMZ-IN_udp udp

port-object range 20000 20499

port-object range 1024 65535

object-group service MitelDMZ-MAS_tcp tcp

port-object eq www

port-object eq https

port-object eq 4443

object-group network Mitel-dmz-hosts

network-object MBGDMZ 255.255.255.255

network-object WEBSERVER 255.255.255.255

object-group network Mitel-internal-hosts

network-object MASLAN 255.255.255.255

network-object MBGLAN 255.255.255.255

object-group service MitelIN-AWC_tcp tcp

port-object eq www

port-object eq https

object-group service MitelIN-AWC2_tcp tcp

port-object eq 4443

object-group network Mitel-outside

network-object host 12.33.197.79

network-object host 12.133.197.80

object-group network MItel-dmz-hosts

object-group service MSDTC-DMZ-IN_tcp tcp

port-object range 1024 1054

port-object eq 135sho

Liam Dwyer · ‎12-05-2013

packet tracer command.

packet-tracer input dmz1 tcp 192.168.1.11 12345 12.133.197.99 80

everything is in place as stated above.

Jouni Forss · ‎12-05-2013

Hi,

But what situation is this supposed to simulate?

It tells me that the host 192.168.1.11 is now trying to connect to its own public IP address with the port TCP/80?

I assumed that your goal was to make this DMZ server accessible from the public network with the public IP address x.x.197.99 and ports TCP/80 and TCP/443

In that case the correct "packet-tracer" commands to simulate that traffic would be

packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 80

packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 443

The source IP address and port is just random IP/port

If this was not your goal I would need clarification as to what you are attempting to achieve.

- Jouni

Jouni Forss · ‎12-05-2013

Hi,

Please also post the actual "packet-tracer" command used.

You seem to have used a "packet-tracer" command that simulates a packet coming from the DMZ to WAN rather than anything coming in.

The NAT configuration used here is Static NAT for some other server it seems? So it doesnt seem to have anything to do with the problem.

Your ealier output told us the problem

You have this configuration

object network obj-192.168.1.11

nat (dmz1,outside) static x.x.197.99 service tcp www https

I assume that the internal host is 192.168.1.11

The above configuration essentially tells the ASA to forward any HTTPS connection coming to public IP address 12.133.197.99 to the internal IP address 192.168.1.11 and to port HTTP (not HTTPS)

I would imagine that your aim is to forward both HTTP and HTTPS ports to the host 192.168.1.11? The above configuration I suggested should accomplish that.

- Jouni

Liam Dwyer · ‎12-05-2013

Sorry, yes the idea is to get www and https traffic to the internal ip address of 192. from public ip of 12.

I added the oject network as stated above and still not working.

this is the packet output from the 8.8.8.8

packet-tracer input outside tcp 8.8.8.8 12345 12.133.197.99 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 12.133.197.0 255.255.255.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

I tried adding the access-list in both places at different time.

access-list dmz1_acl line 1 extended permit tcp host 12.133.197.99 host 192.168.1.11 eq www (hitcnt=0) 0xe66b97a4

access-list dmz1_acl line 2 extended permit tcp host 12.133.197.99 host 192.168.1.11 eq https (hitcnt=0) 0xfc5e1db8

access-list outside_acl line 38 extended permit tcp any host 192.168.1.11 eq www (hitcnt=2) 0x403d29cb

access-list outside_acl line 39 extended permit tcp any host 192.168.1.11 eq https

holy frustrating....

Jouni Forss · ‎12-05-2013

Hi,

You most likely have a NAT rule that overrides the Static PAT configurations suggested.

Can you share the NAT configuration with the command

show run nat

- Jouni

Liam Dwyer · ‎12-05-2013

looks like the first .72 is overriding.

nat (inside,outside) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-10.6.62.xx8 obj-10.6.62.xx8
nat (inside,outside) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-10.6.65.0 obj-10.6.65.0
nat (inside,outside) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-10.6.65.xx8 obj-10.6.65.xx8
!
object network Exchange
nat (inside,outside) static xx.xxx.197.66 service tcp www www
object network Exchange-01
nat (inside,outside) static xx.xxx.197.66 service tcp https https
object network SPAM1
nat (inside,outside) static xx.xxx.197.66 service tcp smtp smtp
object network SPAM2
nat (inside,outside) static xx.xxx.197.68 service tcp smtp smtp
object network EVAULT1
nat (inside,outside) static xx.xxx.197.70 service tcp https https
object network MBGDMZ
nat (dmz1,outside) static xx.xxx.197.79
object network obj-10.1.0.0
nat (inside,dmz2) static 10.1.0.0 no-proxy-arp route-lookup
object network obj-10.1.0.0-01
nat (inside,dmz1) static 10.1.0.0 no-proxy-arp route-lookup
object network prtg
nat (inside,outside) static xx.xxx.197.78
object network obj-10.100.0.0
nat (inside,outside) dynamic xx.xxx.197.72
object network obj-10.1.0.0-02
nat (inside,outside) dynamic xx.xxx.197.72
object network obj-10.2.0.0
nat (inside,outside) dynamic xx.xxx.197.72
object network obj-10.3.0.0
nat (inside,outside) dynamic xx.xxx.197.72
object network obj-10.50.1.0
nat (HTINetwork,outside) dynamic xx.xxx.197.72
object network obj_any
nat (Guest,outside) dynamic xx.xxx.197.72
object network MBGDMZ-01
nat (dmz1,outside) static xx.xxx.197.79 service tcp 6880 6880
object network obj-192.168.1.203
nat (dmz1,outside) static xx.xxx.197.73
object network obj-192.168.1.198
nat (dmz1,outside) static xx.xxx.197.75
object network WEBSERVER
nat (dmz1,outside) static xx.xxx.197.69
object network ARCGIS
nat (dmz1,outside) static xx.xxx.197.81
object network MBGDMZ-02
nat (dmz1,outside) static xx.xxx.197.79
object network obj-192.168.1.0
nat (dmz1,outside) dynamic xx.xxx.197.72
object network WEBDEVEL
nat (dmz2,outside) static xx.xxx.197.76
object network obj-192.168.2.0
nat (dmz2,outside) dynamic xx.xxx.197.72
object network esx01
nat (COS,inside) static esx01 no-proxy-arp route-lookup
object network esx02
nat (COS,inside) static esx02 no-proxy-arp route-lookup
object network esx03
nat (COS,inside) static esx03 no-proxy-arp route-lookup
object network vMa01
nat (COS,inside) static vMa01 no-proxy-arp route-lookup
object network vMa02
nat (COS,inside) static vMa02 no-proxy-arp route-lookup
object network vMa03
nat (COS,inside) static vMa03 no-proxy-arp route-lookup
object network masdmz
nat (dmz1,outside) static xx.xxx.197.80
object network MBGDMZ-06
nat (dmz1,outside) static xx.xxx.197.79 service tcp www www
object network MBGDMZ-07
nat (dmz1,outside) static xx.xxx.197.79 service tcp https https
object network MBGDMZ-08
nat (dmz1,outside) static xx.xxx.197.79
object network Mitel_443_4443
nat (dmz1,outside) static xx.xxx.197.80 service tcp https 4443
object network esx04
nat (COS,inside) static esx04 no-proxy-arp route-lookup
object network vMA04
nat (COS,inside) static vMA04 no-proxy-arp route-lookup
object network PAHRC
nat (dmz1,outside) static xx.xxx.197.100
object network esx05
nat (COS,inside) static esx05 no-proxy-arp route-lookup
object network vMa05
nat (COS,inside) static vMa05 no-proxy-arp route-lookup
object network obj-192.168.1.11
nat (dmz1,outside) static xx.xxx.197.99 service tcp www https

Jouni Forss · ‎12-05-2013

Hi,

It should not be overriding it since we are talking about a completely different public IP address.

Your connections would be coming towards the IP address x.x.197.99 from the public network and NAT configurations that use the IP address x.x.197.72 should not have anything to do with the operation of the x.x.197.99 NAT

And this still is NOT the correct configuration

object network obj-192.168.1.11

nat (dmz1,outside) static xx.xxx.197.99 service tcp www https

It should be

object network SERVER-TCP80

host 192.168.1.11

nat (dmz1,outside) static x.x.197.99 service tcp 80 80

object network SERVER-TCP443

host 192.168.1.11

nat (dmz1,outside) static x.x.197.99 service tcp 443 443

I can't see those configurations in the above listing.

Insert the correct public IP address instead of the x.x.197.99. You can naturally change the name of the above objects but otherwise the configurations should be like mentioned above.

After you have those configurations you could test them with

packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 80

packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 443

- Jouni