Outside IP Inside Clients...cant connect

wperez001
Level 1

I have a situation.

I have a web server on the outside with an IP of 62.61.107.68, my ASA is 62.61.107.78, and my inside is 10.1.15.1-254.

I put a DMZ switch where the server and the firewall connect, so I am not using a DMZ port on the ASA. None of my inside PCs can reach the web server. Everyone else in the world can; what am I missing?


12 Replies

jumora
Level 7

OK, can you get me the configuration of the ASA?

Run the following command on the ASA CLI:

packet-tracer input inside tcp 10.1.15.250 1025 62.61.107.68 80 detail

Value our effort and rate the assistance!

wperez001
Level 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   64.61.107.64    255.255.255.240 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside control-plane
access-list inside extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad180748, priority=12, domain=permit, deny=false
        hits=131559, user_data=0xa8b11900, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab920bb0, priority=0, domain=inspect-ip-options, deny=true
        hits=208926, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
  match ip inside 10.1.15.0 255.255.255.0 outside host 64.61.107.68
    dynamic translation to pool 1 (64.61.107.78 [Interface PAT])
    translate_hits = 81, untranslate_hits = 0
Additional Information:
Dynamic translate 10.1.15.250/1025 to 64.61.107.78/43762 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in  id=0xadfea5a0, priority=2, domain=nat, deny=false
        hits=81, user_data=0xaddf0218, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.1.15.0, mask=255.255.255.0, port=0
        dst ip=64.61.107.68, mask=255.255.255.255, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
  match ip inside 10.1.15.0 255.255.255.0 outside host 64.61.107.68
    dynamic translation to pool 1 (64.61.107.78 [Interface PAT])
    translate_hits = 81, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xaddf15d8, priority=2, domain=host, deny=false
        hits=144940, user_data=0xaddf0218, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.1.15.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab8d29c8, priority=0, domain=inspect-ip-options, deny=true
        hits=201047, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 216034, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
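The trace posted above ends in "Action: allow", so the ASA's own policy is not where the flow dies; the useful information in a long trace is one line per phase, the Dynamic PAT translation, and the first phase (if any) that returned DROP. The following Python script is an added example, not code from the original thread: it parses "packet-tracer ... detail" output into phases, extracts the translation line, and returns the first dropping phase. The two sample traces embedded in it are constructed: one is condensed from the output posted above, the other is a hypothetical trace in which the inside ACL denies the flow, to show what the failure case looks like.

```python
"""Parse Cisco ASA `packet-tracer ... detail` output and find the first phase
that dropped the packet.  Added example for this thread, not code from the
original post.  SAMPLE_ALLOW is condensed from the trace posted in the thread;
SAMPLE_DROP is a constructed trace with a hypothetical ACL deny."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    action: str                                   # "allow" or "drop"
    drop_reason: str                              # "" when the packet was allowed
    nat: Optional[Tuple[str, int, str, int]]      # (orig ip, orig port, xlated ip, xlated port)


_PHASE = re.compile(r"^Phase:\s*(\d+)")
_NAT = re.compile(r"Dynamic translate (\S+)/(\d+) to (\S+)/(\d+)")


def parse_packet_tracer(text: str) -> Trace:
    """Walk the trace line by line.  Each 'Phase: N' opens a new phase; the bare
    'Result:' after the last phase opens the final interface/action summary."""
    phases: List[Phase] = []
    cur: Optional[Phase] = None
    section: Optional[str] = None
    action, drop_reason, nat = "", "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PHASE.match(line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Action":
            action = value.lower()
        elif key == "Drop-reason":
            drop_reason = value
        elif cur is None:
            continue  # input-interface/output-status lines of the final summary
        elif key == "Type":
            cur.type = value
        elif key == "Subtype":
            cur.subtype = value
        elif key == "Result":
            if value:
                cur.result = value.upper()
            else:
                cur = None  # bare "Result:" ends the phase list
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        else:
            (cur.config if section == "config" else cur.info).append(line)
            m = _NAT.search(line)
            if m:
                nat = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
    return Trace(phases, action, drop_reason, nat)


def first_drop(trace: Trace) -> Optional[Phase]:
    """The first phase whose Result was DROP, or None when the ASA allowed the flow."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def summarize(trace: Trace) -> List[str]:
    """One line per phase plus the verdict, for pasting into a ticket."""
    lines = [f"{p.number:>2} {p.type:<14} {p.subtype:<12} {p.result}" for p in trace.phases]
    if trace.nat:
        lines.append("PAT %s/%d -> %s/%d" % trace.nat)
    lines.append(f"action={trace.action} {trace.drop_reason}".rstrip())
    return lines


# Constructed samples.  SAMPLE_ALLOW keeps three of the seven phases from the
# trace posted above; SAMPLE_DROP is hypothetical.
SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   64.61.107.64    255.255.255.240 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside control-plane
access-list inside extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad180748, priority=12, domain=permit, deny=false

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
  match ip inside 10.1.15.0 255.255.255.0 outside host 64.61.107.68
    dynamic translation to pool 1 (64.61.107.78 [Interface PAT])
Additional Information:
Dynamic translate 10.1.15.250/1025 to 64.61.107.78/43762 using netmask 255.255.255.255

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""

SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   64.61.107.64    255.255.255.240 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside
access-list inside extended deny ip any host 64.61.107.68
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ALLOW, SAMPLE_DROP):
        t = parse_packet_tracer(sample)
        print("\n".join(summarize(t)))
        d = first_drop(t)
        print("first drop:", f"phase {d.number} {d.type}" if d else "none", "\n")
```

Run it against a trace saved from the ASA (`python3 pt_summary.py < trace.txt` after replacing the samples with `sys.stdin.read()`); an allowed trace with the PAT line present, as in the thread, means the next place to look is the return path outside the ASA, not the ASA configuration.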

Hi,

Are you saying that you have the users and the Web server in the same network and that you are trying to connect to it with some public IP address that is configured on the firewall with Static NAT?

If so then this is not possible without adding some additional NAT configurations.

We would really need to see some firewall configurations and possibly a simple network layout picture, as I am not clear what you mean by the switch setup.

- Jouni

From the packet tracer it seems that the connection should go through without any problem, so I need additional information.

From your PC please send me the following:

cmd > ipconfig /all

cmd > route print

cmd > nslookup    >>>>>> if it can't resolve, you can get to it via domain, so do it via IP

cmd > arp -a

Please send me the following:

- "show arp" from the ASA CLI.

- Enable logging on the ASA over CLI

   enable

   config t

   logging on

   logging buffered debugging

   logging buffer-size 1048576

   logging asdm debugging

You can view the logs two ways, either through the CLI or ASDM:

- To view over CLI

show log | in 62.61.107.68

To view over ASDM:

Pull up ASDM. If you have access to ASDM, all you need to do is go to Monitor > Logging > Real-Time Log Viewer and filter on the IP address that you are trying to reach, "62.61.107.68".

Also, could you please send me a screenshot of when you try to access the site via IP or domain from your PC.

If we don't see anything clear here, we will need to set up Wireshark on your PC and maybe captures on the ASA, but we will go that route if needed.

Value our effort and rate the assistance!

Do you still need assistance, please let us know.

Value our effort and rate the assistance!

I've attached the running config above, and this is an illustration of the DMZ switch. I do not use a DMZ port on the ASA, only an inside and an outside port. I swapped my firewall out with a SonicWall in the meantime while this problem gets resolved. The SonicWall worked instantly; I can see the server on the DMZ switch without having to create any rule. I'm going to delete my config if needed and start over.

Hi,

Looking at the picture, it seems to suggest that there is no DMZ but that the server is actually attached to the Internet directly without any kind of protection from the firewall?

If you have just connected the switch to the WAN port of the ASA and the server to the switch (and the switch to whatever device provides you with the WAN connection), then the users behind the ASA and the server behind the ASA should be able to connect. The server should see traffic coming from the directly connected network, as the users are probably using Dynamic PAT to the interface IP address of the ASA's WAN interface.

If you are switching the ASA with the other firewall and they are both using the same public IP address on their WAN port, then I would suggest checking the ARP on the actual server so it doesn't still show the old firewall's MAC address in the ARP table.

Your "packet-tracer" already tells us the Dynamic PAT is happening for the LAN users and the traffic is allowed, so it might even be that the ARP on the actual server is the problem.

You could also use captures on the ASA if you want to confirm whether any traffic is coming back from the server to the users. You could also monitor the ASA logs through ASDM while connecting to the server to see what happens to the connection.

You could go as far as checking the MAC address of the SonicWall's WAN interface. You could then configure that MAC address on the ASA WAN interface just to test if it's a simple ARP problem.

interface Ethernet0/0

mac-address aaaa.bbbb.cccc

- Jouni
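The ARP hypothesis above can be checked mechanically rather than by eye: the MAC the ASA reports for its outside interface (from "show interface outside") must be the MAC the server's ARP table holds for the ASA's outside IP, and the ASA's own "show arp" should in turn show the server. The following Python script is an added example and not code from this thread. Every IP and MAC in it is constructed, and it assumes only the standard layouts of ASA "show interface" and "show arp", Windows "arp -a" and Linux "ip neigh" output.

```python
"""Compare the MAC the ASA has on its outside interface with the MAC the web
server's ARP cache holds for the ASA's outside IP.  Added example for this
thread, not code from the original post.  All addresses and MACs below are
constructed; the output layouts are the standard ones for each tool."""
import re
from typing import Dict, List, Optional

# Cisco dotted (0011.2233.4455), colon (00:11:...) and Windows hyphen (00-11-...) forms
_MAC_RE = re.compile(
    r"(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.I
)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac: str) -> str:
    """Reduce any of the three MAC notations to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def asa_interface_mac(show_interface: str) -> Optional[str]:
    """MAC from `show interface <name>` ('MAC address 0011.2233.4455, MTU 1500')."""
    m = re.search(r"MAC address\s+(\S+?)[,\s]", show_interface)
    return normalize_mac(m.group(1)) if m else None


def parse_neighbor_table(text: str) -> Dict[str, str]:
    """{ip: mac} from Windows `arp -a`, Linux `ip neigh`/`arp -n` or ASA `show arp`.
    Any line carrying both an IPv4 address and a MAC is taken as an entry."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        ip, mac = _IP_RE.search(line), _MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = normalize_mac(mac.group(0))
    return table


def stale_entries(server_table: Dict[str, str], asa_table: Dict[str, str]) -> List[str]:
    """IPs both sides know but map to different MACs (the two-firewall swap case)."""
    return [ip for ip, mac in asa_table.items() if ip in server_table and server_table[ip] != mac]


def check_server_arp(asa_show_interface: str, asa_outside_ip: str, server_arp: str) -> Optional[str]:
    """Diagnostic string when the server's entry for the ASA's outside IP is
    missing or points at another MAC (e.g. the previous firewall's); None when it matches."""
    asa_mac = asa_interface_mac(asa_show_interface)
    if asa_mac is None:
        return "could not find a MAC address in the ASA show interface output"
    seen = parse_neighbor_table(server_arp).get(asa_outside_ip)
    if seen is None:
        return f"server has no ARP entry for {asa_outside_ip}"
    if seen != asa_mac:
        return f"stale ARP: server maps {asa_outside_ip} to {seen}, ASA outside MAC is {asa_mac}"
    return None


# Constructed sample outputs (hypothetical MACs; IPs follow the thread's /28).
ASA_SHOW_INTERFACE = """\
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
        MAC address 0011.2233.4455, MTU 1500
        IP address 64.61.107.78, subnet mask 255.255.255.240
"""

ASA_SHOW_ARP = """\
        outside 64.61.107.65 001a.2b3c.4d5e 3
        outside 64.61.107.68 0050.56ab.cdef 120
        inside 10.1.15.250 0026.5a11.2233 45
"""

# Windows `arp -a` on the server, still holding the previous firewall's MAC for .78
SERVER_ARP_STALE = """\
Interface: 64.61.107.68 --- 0xc
  Internet Address      Physical Address      Type
  64.61.107.65          00-1a-2b-3c-4d-5e     dynamic
  64.61.107.78          00-de-ad-be-ef-01     dynamic
  64.61.107.79          ff-ff-ff-ff-ff-ff     static
"""

# Linux `ip neigh` on the server after the entry was refreshed
SERVER_ARP_OK = """\
64.61.107.65 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
64.61.107.78 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""

if __name__ == "__main__":
    for name, table in (("stale", SERVER_ARP_STALE), ("ok", SERVER_ARP_OK)):
        print(name, "->", check_server_arp(ASA_SHOW_INTERFACE, "64.61.107.78", table))
    print("server sees ASA neighbours differently for:",
          stale_entries(parse_neighbor_table(SERVER_ARP_STALE), parse_neighbor_table(ASA_SHOW_ARP)))
```

If the check reports a stale entry, clearing it on the server (`arp -d 64.61.107.78` on Windows, `ip neigh flush dev eth0` on Linux) forces a fresh ARP request to the new firewall, which is a quicker test than cloning the SonicWall's MAC onto the ASA.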

I really don't want to use the SonicWall; this all happened when I changed my outside IP from 64.61.107.66 to 64.61.107.78.

I understand your issue, but we need you to help us out in deducing the root cause of the failure. I have sent you steps to follow and requested outputs that need to be taken to help you, but you have not replied with what we need.

Help us help you by helping yourself and following our troubleshooting steps; if not, I guess it is up to you if you want to go in another direction.

If the problem is that you don't know how to take the outputs, then I would suggest opening a TAC ticket.

Value our effort and rate the assistance!

Please update the ticket as resolved or answered so we can close out followup.

Value our effort and rate the assistance!

Thank you guys. (I will start a new topic on getting the VPN to work.)

While I had my users on the SonicWall, it affected my Citrix users; the connections were dropping left and right. When I put them back on the ASA, the connection never dropped.
