12-04-2013 12:50 PM - edited 03-11-2019 08:12 PM
Hello,
I am having a beat-my-head-against-the-wall moment. Trying to put in an access-list statement for an external IP to a DMZ IP address allowing only 80 and 443. This is the statement:
access-list outside_access_in line 4 extended permit tcp host 12.133.197.99 eq www host 192.168.1.11 eq www
Here is the packet-tracer output:
Obviously getting dropped, but where?!?!?!
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 dmz1
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-04-2013 12:54 PM
Hi,
There is a minor mistake.
access-list outside_access_in line 4 extended permit tcp host x.x.197.99 eq www host 192.168.1.11 eq www
That is, you define the source port as TCP/80 also (WWW/HTTP).
This will not be the case. The client's source port is pretty much always a random source port and you rarely know it.
So change your ACL to this to allow both HTTP and HTTPS
access-list outside_access_in line 4 extended permit tcp host x.x.197.99 host 192.168.1.11 eq www
access-list outside_access_in line 5 extended permit tcp host x.x.197.99 host 192.168.1.11 eq https
The above simply allows destination port TCP/80 and TCP/443 connections from the single source IP address. As we don't mention any source port after the source IP address, that means any source port is fine, and this is how it should be.
Hope this helps
Please do remember to mark a reply as the correct answer if it answers your question.
Feel free to ask more if needed though
- Jouni
12-04-2013 12:57 PM
Also,
I think you should see an UN-NAT Phase among the very first few Phases for this traffic.
If this traffic is coming from the external/public network then the host on the DMZ needs to have a public NAT IP address.
I assume that you are using a software level 8.3 or newer since you refer to actual DMZ server local IP address as the destination in the ACL that is attached to the "outside" interface of the ASA.
If you are using an ASA software of 8.2 or below then the ACL rules destination IP address should be the NAT IP address.
- Jouni
12-05-2013 05:56 AM
Morning, sorry for the delay, got caught up.
So the NAT is in place.
28 (dmz1) to (outside) source static obj-192.168.1.11 12.133.197.99 service tcp www https
translate_hits = 0, untranslate_hits = 22
Not sure if I have the ACL in the right spot though, since there are multiple outside ACLs.
Getting the same output from packet-tracer.
12-05-2013 06:30 AM
New packet-tracer output after I added the statement to allow all from the outside to the DMZ address.
Still dropping though.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 dmz1
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_acl in interface outside
access-list outside_acl extended permit tcp any host 192.168.1.11 eq www
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj-192.168.1.11
nat (dmz1,outside) static 12.133.197.99 service tcp www https
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-05-2013 06:32 AM
Hi,
Seems to me that the NAT configuration is wrong.
You should see the UN-NAT phase at the very start of the "packet-tracer". You also have to use the public NAT IP address as the destination IP in the "packet-tracer" command.
Please share your NAT configuration related to these rules and the contents of the "object" and "object-group" you might be using.
Seems to me that you are doing Static PAT but you are mapping the port TCP/80 to the port TCP/443, which doesn't make sense.
If you are doing Static PAT for ports TCP/80 and TCP/443 then you should have something like this:
object network SERVER-TCP80
host 192.168.1.11
nat (dmz1,outside) static x.x.197.99 service tcp 80 80
object network SERVER-TCP443
host 192.168.1.11
nat (dmz1,outside) static x.x.197.99 service tcp 443 443
You should check what the name of the ACL attached to your "outside" interface is. You can do that with the command
show run access-group | inc outside
Then you can add to that ACL these lines
access-list
access-list
Hope this helps
- Jouni
12-05-2013 06:40 AM
My mistake on the packet-tracer, and I just re-ran. I am getting NAT for the DMZ segment to another address, but all is allowed...
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 12.133.197.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz1_acl in interface dmz1
access-list dmz1_acl extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-192.168.1.0
nat (dmz1,outside) dynamic 12.133.197.72
Additional Information:
Dynamic translate WebServer2/12345 to 12.133.197.72/52673
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 426842629, packet dispatched to next module
Result:
input-interface: dmz1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
12-05-2013 06:42 AM
Here is the object-group output:
object-group network og_ip_nat_dmz2
network-object 10.1.0.0 255.255.0.0
object-group icmp-type safe_icmp
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network COS-Clients
network-object host Lucille
network-object host commandview
network-object host vDR04
network-object host vc
network-object host mis2
network-object host fps1
network-object host BACKUP2
network-object host hpsim
network-object host p2v
network-object host Jill
network-object host commandview2
network-object host BACKUP3
network-object host CELLMGR
network-object host vc2
network-object host vDR01
network-object host vDR02
network-object host vDR03
network-object host Liam
object-group network ESX-Servers
network-object host esx01
network-object host esx02
network-object host esx03
network-object host vMa01
network-object host vMa02
network-object host vMa03
network-object host esx04
network-object host vMa04
network-object host esx05
network-object host vMa05
object-group network HPSIM-Server
network-object host hpsim
object-group network UPS-Management
network-object host sups-01
network-object host sups-02
network-object host sups-03
network-object host sups-07
network-object host sups-10
object-group service COS-Access-TCP tcp
port-object eq 902
port-object eq 903
port-object eq ssh
port-object eq https
port-object eq 3052
port-object eq 27000
port-object eq 27010
port-object eq 6547
port-object eq 5480
port-object eq www
port-object eq 22024
object-group service COS-Access-UDP udp
port-object eq 902
port-object eq 903
object-group service upsmgmnt tcp
port-object eq 3573
port-object eq 3052
port-object eq www
port-object eq 6547
object-group service upsmgmnt_udp udp
port-object eq 3052
port-object eq 200
port-object range 2844 2845
port-object range 4679 4680
object-group service backupexec tcp
port-object range 5204 5221
port-object eq 6101
port-object eq 10000
port-object eq 5555
port-object range 20000 20004
port-object range 20100 20199
port-object range 18000 18049
object-group service hpsim-tcp tcp
port-object eq 1125
port-object eq 1126
port-object eq 5988
port-object eq 5989
object-group service hpsim-udp udp
port-object eq snmp
object-group service OFFICESCAN tcp
port-object eq 8080
port-object eq 4343
port-object eq 34515
object-group network og_ip_nat_dmz1
network-object 10.1.0.0 255.255.0.0
object-group network Email-Port-25
network-object host Exchange
network-object host SPAM1
network-object host SPAM2
object-group network Blacklist
network-object 206.51.26.0 255.255.255.0
network-object 193.109.81.0 255.255.255.0
network-object 204.187.87.0 255.255.255.0
network-object 206.53.144.0 255.255.240.0
network-object 216.9.240.0 255.255.240.0
network-object 67.223.64.0 255.255.224.0
network-object 93.186.16.0 255.255.240.0
network-object 68.171.224.0 255.255.224.0
network-object 74.82.64.0 255.255.224.0
network-object 173.247.32.0 255.255.224.0
network-object 178.239.80.0 255.255.240.0
network-object 180.168.204.0 255.255.252.0
network-object 5.100.168.0 255.255.248.0
network-object 180.149.148.0 255.255.252.0
network-object 131.117.168.0 255.255.248.0
object-group service prtg-UDP udp
port-object eq snmptrap
port-object eq 2048
object-group service ARCGIS-IN_tcp tcp
port-object eq 27000
port-object eq 27010
object-group service MitelIN-MBG_tcp tcp
port-object eq www
port-object eq https
port-object eq 4443
port-object eq 6801
port-object eq 6802
port-object eq 3998
port-object eq 6880
object-group service MitelIN-MBG_udp udp
port-object range 20000 20499
port-object range 1024 65535
object-group service MitelDMZ-IN_tcp tcp
port-object eq www
port-object eq https
port-object eq 4443
port-object eq 6809
port-object eq 6800
port-object eq 6801
port-object eq 6802
port-object eq 3998
port-object eq 6880
object-group service MItelDMZ-IN_udp udp
port-object range 20000 20499
port-object range 1024 65535
object-group service MitelDMZ-MAS_tcp tcp
port-object eq www
port-object eq https
port-object eq 4443
object-group network Mitel-dmz-hosts
network-object MBGDMZ 255.255.255.255
network-object WEBSERVER 255.255.255.255
object-group network Mitel-internal-hosts
network-object MASLAN 255.255.255.255
network-object MBGLAN 255.255.255.255
object-group service MitelIN-AWC_tcp tcp
port-object eq www
port-object eq https
object-group service MitelIN-AWC2_tcp tcp
port-object eq 4443
object-group network Mitel-outside
network-object host 12.33.197.79
network-object host 12.133.197.80
object-group network MItel-dmz-hosts
object-group service MSDTC-DMZ-IN_tcp tcp
port-object range 1024 1054
port-object eq 135sho
12-05-2013 06:56 AM
Packet-tracer command:
packet-tracer input dmz1 tcp 192.168.1.11 12345 12.133.197.99 80
Everything is in place as stated above.
12-05-2013 07:02 AM
Hi,
But what situation is this supposed to simulate?
It tells me that the host 192.168.1.11 is now trying to connect to its own public IP address with the port TCP/80?
I assumed that your goal was to make this DMZ server accessible from the public network with the public IP address x.x.197.99 and ports TCP/80 and TCP/443
In that case the correct "packet-tracer" commands to simulate that traffic would be
packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 80
packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 443
The source IP address and port is just random IP/port
If this was not your goal I would need clarification as to what you are attempting to achieve.
- Jouni
12-05-2013 06:45 AM
Hi,
Please also post the actual "packet-tracer" command used.
You seem to have used a "packet-tracer" command that simulates a packet coming from the DMZ to WAN rather than anything coming in.
The NAT configuration used here is Static NAT for some other server, it seems? So it doesn't seem to have anything to do with the problem.
Your earlier output told us the problem.
You have this configuration
object network obj-192.168.1.11
nat (dmz1,outside) static x.x.197.99 service tcp www https
I assume that the internal host is 192.168.1.11
The above configuration essentially tells the ASA to forward any HTTPS connection coming to public IP address 12.133.197.99 to the internal IP address 192.168.1.11 and to port HTTP (not HTTPS)
I would imagine that your aim is to forward both HTTP and HTTPS ports to the host 192.168.1.11? The above configuration I suggested should accomplish that.
- Jouni
12-05-2013 07:08 AM
Sorry, yes, the idea is to get www and https traffic to the internal IP address of 192. from the public IP of 12.
I added the object network as stated above and it is still not working.
This is the packet-tracer output from 8.8.8.8:
packet-tracer input outside tcp 8.8.8.8 12345 12.133.197.99 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 12.133.197.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I tried adding the access-list in both places at different times.
access-list dmz1_acl line 1 extended permit tcp host 12.133.197.99 host 192.168.1.11 eq www (hitcnt=0) 0xe66b97a4
access-list dmz1_acl line 2 extended permit tcp host 12.133.197.99 host 192.168.1.11 eq https (hitcnt=0) 0xfc5e1db8
access-list outside_acl line 38 extended permit tcp any host 192.168.1.11 eq www (hitcnt=2) 0x403d29cb
access-list outside_acl line 39 extended permit tcp any host 192.168.1.11 eq https
holy frustrating....
12-05-2013 07:11 AM
Hi,
You most likely have a NAT rule that overrides the Static PAT configurations suggested.
Can you share the NAT configuration with the command
show run nat
- Jouni
12-05-2013 07:25 AM
Looks like the first .72 is overriding.
nat (inside,outside) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-10.6.62.xx8 obj-10.6.62.xx8
nat (inside,outside) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-10.6.65.0 obj-10.6.65.0
nat (inside,outside) source static obj-10.100.0.0 obj-10.100.0.0 destination static obj-10.6.65.xx8 obj-10.6.65.xx8
!
object network Exchange
nat (inside,outside) static xx.xxx.197.66 service tcp www www
object network Exchange-01
nat (inside,outside) static xx.xxx.197.66 service tcp https https
object network SPAM1
nat (inside,outside) static xx.xxx.197.66 service tcp smtp smtp
object network SPAM2
nat (inside,outside) static xx.xxx.197.68 service tcp smtp smtp
object network EVAULT1
nat (inside,outside) static xx.xxx.197.70 service tcp https https
object network MBGDMZ
nat (dmz1,outside) static xx.xxx.197.79
object network obj-10.1.0.0
nat (inside,dmz2) static 10.1.0.0 no-proxy-arp route-lookup
object network obj-10.1.0.0-01
nat (inside,dmz1) static 10.1.0.0 no-proxy-arp route-lookup
object network prtg
nat (inside,outside) static xx.xxx.197.78
object network obj-10.100.0.0
nat (inside,outside) dynamic xx.xxx.197.72
object network obj-10.1.0.0-02
nat (inside,outside) dynamic xx.xxx.197.72
object network obj-10.2.0.0
nat (inside,outside) dynamic xx.xxx.197.72
object network obj-10.3.0.0
nat (inside,outside) dynamic xx.xxx.197.72
object network obj-10.50.1.0
nat (HTINetwork,outside) dynamic xx.xxx.197.72
object network obj_any
nat (Guest,outside) dynamic xx.xxx.197.72
object network MBGDMZ-01
nat (dmz1,outside) static xx.xxx.197.79 service tcp 6880 6880
object network obj-192.168.1.203
nat (dmz1,outside) static xx.xxx.197.73
object network obj-192.168.1.198
nat (dmz1,outside) static xx.xxx.197.75
object network WEBSERVER
nat (dmz1,outside) static xx.xxx.197.69
object network ARCGIS
nat (dmz1,outside) static xx.xxx.197.81
object network MBGDMZ-02
nat (dmz1,outside) static xx.xxx.197.79
object network obj-192.168.1.0
nat (dmz1,outside) dynamic xx.xxx.197.72
object network WEBDEVEL
nat (dmz2,outside) static xx.xxx.197.76
object network obj-192.168.2.0
nat (dmz2,outside) dynamic xx.xxx.197.72
object network esx01
nat (COS,inside) static esx01 no-proxy-arp route-lookup
object network esx02
nat (COS,inside) static esx02 no-proxy-arp route-lookup
object network esx03
nat (COS,inside) static esx03 no-proxy-arp route-lookup
object network vMa01
nat (COS,inside) static vMa01 no-proxy-arp route-lookup
object network vMa02
nat (COS,inside) static vMa02 no-proxy-arp route-lookup
object network vMa03
nat (COS,inside) static vMa03 no-proxy-arp route-lookup
object network masdmz
nat (dmz1,outside) static xx.xxx.197.80
object network MBGDMZ-06
nat (dmz1,outside) static xx.xxx.197.79 service tcp www www
object network MBGDMZ-07
nat (dmz1,outside) static xx.xxx.197.79 service tcp https https
object network MBGDMZ-08
nat (dmz1,outside) static xx.xxx.197.79
object network Mitel_443_4443
nat (dmz1,outside) static xx.xxx.197.80 service tcp https 4443
object network esx04
nat (COS,inside) static esx04 no-proxy-arp route-lookup
object network vMA04
nat (COS,inside) static vMA04 no-proxy-arp route-lookup
object network PAHRC
nat (dmz1,outside) static xx.xxx.197.100
object network esx05
nat (COS,inside) static esx05 no-proxy-arp route-lookup
object network vMa05
nat (COS,inside) static vMa05 no-proxy-arp route-lookup
object network obj-192.168.1.11
nat (dmz1,outside) static xx.xxx.197.99 service tcp www https
12-05-2013 07:34 AM
Hi,
It should not be overriding it since we are talking about a completely different public IP address.
Your connections would be coming towards the IP address x.x.197.99 from the public network, and NAT configurations that use the IP address x.x.197.72 should not have anything to do with the operation of the x.x.197.99 NAT.
And this still is NOT the correct configuration
object network obj-192.168.1.11
nat (dmz1,outside) static xx.xxx.197.99 service tcp www https
It should be
object network SERVER-TCP80
host 192.168.1.11
nat (dmz1,outside) static x.x.197.99 service tcp 80 80
object network SERVER-TCP443
host 192.168.1.11
nat (dmz1,outside) static x.x.197.99 service tcp 443 443
I can't see those configurations in the above listing.
Insert the correct public IP address instead of the x.x.197.99. You can naturally change the name of the above objects but otherwise the configurations should be like mentioned above.
After you have those configurations you could test them with
packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 80
packet-tracer input outside tcp 8.8.8.8 12345 x.x.197.99 443
- Jouni
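As an added example (not part of this thread or of any Cisco tool), a small Python lint that catches the two configuration mistakes discussed above when run over a "show run" excerpt: an ACE that pins the client's source port with "eq", and a static PAT whose real and mapped ports differ (the "service tcp www https" line). The service-name table is a constructed subset, and the sample excerpt is constructed from the lines in this thread with the public IP left as x.x.197.99.

```python
import re

# Constructed subset of the service names the ASA accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}

ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)(?:\s+line\s+\d+)?\s+extended\s+permit\s+tcp\s+"
    r"(?P<src>host\s+\S+|any)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>host\s+\S+|any)(?:\s+eq\s+(?P<dport>\S+))?"
)
NAT_RE = re.compile(
    r"^nat\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+static\s+(?P<mapped_ip>\S+)"
    r"\s+service\s+tcp\s+(?P<real_port>\S+)\s+(?P<mapped_port>\S+)"
)

def port_num(token):
    """Resolve 'www', 'https', ... or a numeric string to an integer port (None if unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower())

def lint_acl(line):
    """Flag a permit-tcp ACE that pins the client's source port; return a finding or None."""
    m = ACL_RE.match(line.strip())
    if not m or m.group("sport") is None:
        return None
    fixed = f"access-list {m.group('acl')} extended permit tcp {m.group('src')} {m.group('dst')}"
    if m.group("dport"):
        fixed += f" eq {m.group('dport')}"
    return (f"source port pinned to {m.group('sport')}; clients use random source ports, "
            f"so this ACE never matches. Suggested: {fixed}")

def lint_nat(line):
    """Flag a static PAT whose real port differs from its mapped port (port redirection)."""
    m = NAT_RE.match(line.strip())
    if not m:
        return None
    real, mapped = port_num(m.group("real_port")), port_num(m.group("mapped_port"))
    if real == mapped:
        return None
    return (f"static PAT sends public {m.group('mapped_ip')}:{mapped} to real port {real}; "
            f"public port {real} is not translated at all. If no redirection is intended, "
            f"use one object per port with 'service tcp {real} {real}' and 'service tcp {mapped} {mapped}'")

def lint_config(text):
    """Run both checks over a config excerpt; returns a list of (line, finding) pairs."""
    findings = []
    for line in text.splitlines():
        for check in (lint_acl, lint_nat):
            msg = check(line)
            if msg:
                findings.append((line.strip(), msg))
    return findings

# Constructed excerpt: the original ACE, the corrected ACE, the wrong PAT and one corrected PAT.
SAMPLE = """
access-list outside_access_in line 4 extended permit tcp host x.x.197.99 eq www host 192.168.1.11 eq www
access-list outside_access_in line 5 extended permit tcp host x.x.197.99 host 192.168.1.11 eq https
object network obj-192.168.1.11
 nat (dmz1,outside) static x.x.197.99 service tcp www https
object network SERVER-TCP80
 host 192.168.1.11
 nat (dmz1,outside) static x.x.197.99 service tcp 80 80
"""

if __name__ == "__main__":
    for line, msg in lint_config(SAMPLE):
        print(f"{line}\n  -> {msg}")
```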