Please help... ASA 5515 Config

Stray_Bullet
Level 1

I can't get this thing, for the life of me, to work. I have spent hundreds on books and about 60 hours trying to get this to work...

I've got ISP -> ASA -> Web server.

This is what I have so far.

Here is my config.

ciscoasa(config)# show running-config
: Saved
  
:
: Serial Number: blah
: Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname ciscoasa
enable password [snip] encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address [my.external.ip.addy] 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 172.16.22.1 255.255.0.0
!
interface GigabitEthernet0/2
 shutdown
 nameif inside
 security-level 100
 ip address 192.168.22.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network DMZ_outside
 subnet 0.0.0.0 0.0.0.0
object network web-server-fromOutside
 host 172.16.22.2
object network web-server-fromInside
 host 172.16.22.2
access-list OutsidetoDMZ extended permit tcp any host 172.16.22.2 eq www
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network DMZ_outside
 nat (DMZ,outside) dynamic interface
object network web-server-fromOutside
 nat (DMZ,outside) static interface service tcp www www
object network web-server-fromInside
 nat (DMZ,inside) static interface service tcp www www
access-group OutsidetoDMZ in interface outside
route outside 0.0.0.0 0.0.0.0 [my.external.gateway.ip] 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end

Show xlate

ciscoasa# show xlate
2 in use, 251 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ:172.16.22.2 80-80 to inside:192.168.22.1 80-80
    flags sr idle 0:18:57 timeout 0:00:00
NAT from DMZ:172.16.22.2 to outside:[my.external.ip.addy]
    flags s idle 0:00:13 timeout 0:00:00

Show nat

ciscoasa# show nat

Auto NAT Policies (Section 2)
1 (DMZ) to (inside) source static web-server-fromInside interface  service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (DMZ) to (outside) source static web-server-fromOutside interface
    translate_hits = 547, untranslate_hits = 284
3 (DMZ) to (outside) source dynamic DMZ_outside interface
    translate_hits = 1637, untranslate_hits = 4

Packet tracer to DMZ IP fails...

ciscoasa(config)# packet-tracer input outside tcp 174.224.137.198 1024 172.16.22.2 80 detailed
  
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.22.2 using egress ifc  DMZ
  
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OutsidetoDMZ in interface outside
access-list OutsidetoDMZ extended permit tcp any host 172.16.22.2 eq www
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaac0b7bc10, priority=13, domain=permit, deny=false
        hits=2, user_data=0x2aaab880f440, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=172.16.22.2, mask=255.255.255.255, port=80, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any
  
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaabf501980, priority=0, domain=nat-per-session, deny=false
        hits=324, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any
  
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaac0a65f50, priority=0, domain=inspect-ip-options, deny=true
        hits=153, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any
  
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network web-server-fromOutside
 nat (DMZ,outside) static interface service tcp www www
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x2aaac0afc980, priority=6, domain=nat-reverse, deny=false
        hits=3, user_data=0x2aaabf231b10, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=172.16.22.2, mask=255.255.255.255, port=80, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=DMZ
  
Result:
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop

packet tracer to outside IP works...

packet-tracer input outside tcp 174.224.137.198 1024 [my.external.ip.addy] 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network web-server-fromOutside
 nat (DMZ,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface DMZ
Untranslate [my.external.ip.addy] /80 to 172.16.22.2/80
  
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OutsidetoDMZ in interface outside
access-list OutsidetoDMZ extended permit tcp any host 172.16.22.2 eq www
Additional Information:
  
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
  
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
  
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network web-server-fromOutside
 nat (DMZ,outside) static interface service tcp www www
Additional Information:
  
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
  
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
  
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 282, packet dispatched to next module
  
Result:
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

 

10 Replies

Muhammad Awais Khan
Cisco Employee

After a quick review, it seems to be an issue with a port conflict on the outside interface IP. The web port is also enabled on the ASA itself by the command below:

http server enable

Can you change the port on your port-forwarding rule, let's say to 8443?

object network web-server-fromOutside
 nat (DMZ,outside) static interface service tcp www 8443

If you do the above, then add the rule in the ACL:

access-list OutsidetoDMZ extended permit tcp any host 172.16.22.2 eq 8443


My DMZ is a web server. The http server enable is on the ASA, subnet 192.168.1.0, whereas my DMZ is a Dell server on the 172.16.22.0 subnet. How could those be conflicting?

Cristian Matei
VIP Alumni

Hi,

   What you see is expected, but in the end traffic should work per your intention. Once you have made the HTTP service on your DMZ resource of 172.16.22.2 visible on the outside and inside as the IP address of the ASA outside and inside interfaces, then any packet coming ingress on outside or inside destined for that service needs to have a destination IP address of the ASA inside/outside interface.

packet-tracer input outside tcp 174.224.137.198 1024 [my.external.ip.addy] 80
packet-tracer input inside tcp 192.168.22.198 1024 192.168.22.1 80

Both of the above should be functional (the first one is, per your output); the second one once you enable the inside interface, which is shut down. So in the end the traffic flow should be functional as well.

packet-tracer input outside tcp 174.224.137.198 1024 172.16.22.2 80 detailed

The above fails, as expected, because you should be accessing the DMZ resource from outside based on the NAT'ed address, not the real address. So what happens here is the following:

    - packet comes in on the outside interface with a destination of the real IP address of the server in DMZ
    - packet passes the ACL; it does not match any NAT statement, as expected, because the destination IP of your packet-tracer is the real IP, not the NAT'ed IP
    - packet passes through other checks
    - packet fails, in the end, the NAT RPF-check, which is expected, because the flow you're trying to simulate does not make sense. The ASA sees that if it allowed the flow from 174.224.137.198 to 172.16.22.2, then when the reply is received by the ASA, with a source of 172.16.22.2 and a destination of 174.224.137.198, the source would be NAT'ed into the IP address of the OUTSIDE interface, thus breaking the flow.

Regards,

Cristian Matei.
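The explanation above can be run rather than read. The following is an added example, not code from the thread or from Cisco: a toy model of the three checks that decide these packet-tracer runs (the UN-NAT of the static PAT for the DMZ web server, the OutsidetoDMZ access-list, and the NAT rpf-check). It assumes a placeholder 203.0.113.10 for the outside interface address that the post redacts, reduces the route lookup to the two connected networks, and applies an ACL only on the outside interface; everything else (object names, addresses, ports) comes from the posted config.

```python
"""Toy model of the ASA checks exercised by the packet-tracer runs in this thread.

Added example, not ASA code and not from the thread.  It models only the parts
of the posted config that matter here: the static PAT that exposes the DMZ web
server on the outside interface, the OutsidetoDMZ access-list, and the NAT
reverse-path (rpf) check, so the "real address vs. NAT'ed address" point can
be executed.
"""
from dataclasses import dataclass, replace

OUTSIDE_IF_IP = "203.0.113.10"   # constructed placeholder for [my.external.ip.addy]
DMZ_SERVER = "172.16.22.2"       # real server address from the posted config


@dataclass(frozen=True)
class Packet:
    in_ifc: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticPat:
    """nat (real_ifc,mapped_ifc) static <mapped_ip> service tcp <real_port> <mapped_port>"""
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int


# object network web-server-fromOutside / nat (DMZ,outside) static interface service tcp www www
NAT_RULES = [StaticPat("DMZ", "outside", DMZ_SERVER, OUTSIDE_IF_IP, 80, 80)]

# access-list OutsidetoDMZ extended permit tcp any host 172.16.22.2 eq www
# Entries are (proto, dst, dport) with source 'any'; matched on real (un-NATed) addresses.
ACL_OUTSIDE_IN = [("tcp", DMZ_SERVER, 80)]


def egress_ifc(dst: str) -> str:
    """Route lookup reduced to the two connected networks in the post (assumption)."""
    return "DMZ" if dst.startswith("172.16.") else "outside"


def un_nat(pkt: Packet):
    """UN-NAT phase: a packet arriving on a rule's mapped interface for the mapped
    address/port is rewritten to the real server address/port."""
    for rule in NAT_RULES:
        if (pkt.in_ifc == rule.mapped_ifc and pkt.dst == rule.mapped_ip
                and pkt.dport == rule.mapped_port):
            return replace(pkt, dst=rule.real_ip, dport=rule.real_port), rule
    return pkt, None


def acl_permits(pkt: Packet) -> bool:
    return any(pkt.proto == p and pkt.dst == d and pkt.dport == dp
               for p, d, dp in ACL_OUTSIDE_IN)


def rpf_check_ok(pkt: Packet, out_ifc: str, matched_rule) -> bool:
    """NAT rpf-check: if the reply (source = this packet's destination) would be
    translated by a static rule from out_ifc back to in_ifc, the forward packet
    must have been un-NATed by that same rule.  Otherwise the reply would leave
    with the mapped source address and never match the session."""
    for rule in NAT_RULES:
        if (rule.real_ifc == out_ifc and rule.mapped_ifc == pkt.in_ifc
                and rule.real_ip == pkt.dst and rule.real_port == pkt.dport):
            return rule is matched_rule
    return True


def trace(pkt: Packet) -> dict:
    """Return the phases in the order the ASA reports them plus the final action."""
    phases = []
    pkt, rule = un_nat(pkt)
    if rule is not None:
        phases.append(("UN-NAT", "ALLOW"))
    out_ifc = egress_ifc(pkt.dst)
    phases.append(("ROUTE-LOOKUP", "ALLOW"))
    # Only the outside interface carries an access-group in the posted config.
    if pkt.in_ifc == "outside" and not acl_permits(pkt):
        phases.append(("ACCESS-LIST", "DROP"))
        return {"action": "drop", "phases": phases, "dst": pkt.dst, "out_ifc": out_ifc}
    phases.append(("ACCESS-LIST", "ALLOW"))
    if not rpf_check_ok(pkt, out_ifc, rule):
        phases.append(("NAT rpf-check", "DROP"))
        return {"action": "drop", "phases": phases, "dst": pkt.dst, "out_ifc": out_ifc}
    phases.append(("NAT rpf-check", "ALLOW"))
    phases.append(("FLOW-CREATION", "ALLOW"))
    return {"action": "allow", "phases": phases, "dst": pkt.dst, "out_ifc": out_ifc}


if __name__ == "__main__":
    for dst in (DMZ_SERVER, OUTSIDE_IF_IP):
        r = trace(Packet("outside", "tcp", "174.224.137.198", 1024, dst, 80))
        print(f"outside -> {dst}:80  {r['action']}  {r['phases']}")
```

Run as-is it reproduces the two outcomes from the thread: the packet aimed at the real 172.16.22.2 passes the ACL and dies in the rpf-check because no UN-NAT happened, while the packet aimed at the outside interface address is un-NATed to 172.16.22.2 and allowed. A third input, outside to 172.16.22.2:3389, falls at the ACL instead, which is the drop the last trace in this thread shows.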

 

 

 

 


Okay, that makes sense about the packet tracer to the internal DMZ address. My web server is already up and running on a Dell PowerEdge R910 server. I have the inside interface shut down as I am trying to reach my web server from outside. The packet tracer from the 174 IP, which was my hotspot, made it to my ASA external IP address. BUT... I still could not see my websites. I don't get it. I can go onto my server and reach the internet and view websites, but I couldn't get in to see my websites.

Hi,

    Could you clarify exactly what's not working? You added the server, packet-tracer is now good (no more adjacency failure), and what exactly does not work?

Regards,

Cristian Matei.

So I came home and hooked everything up from its usual setup, which is ISP -> Linksys Router -> Server, to ISP -> ASA -> Server. I can now reach my websites intermittently. Sometimes the pages load, sometimes they time out. When they do load, they are sloooooow. I think I bought a used POS ASA. :(

Hi,

   Maybe it is the Linksys router, or you have some MTU/fragmentation issues.

Regards,

Cristian Matei.

Okay, so I set my outside interface to DHCP from my ISP, got rid of this line, and it worked well.

route outside 0.0.0.0 0.0.0.0 [my.external.gateway.ip] 1

So maybe I am incorrect, but I thought that this...

object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_IN extended permit tcp any host 172.16.22.2 object-group WEB-PORTS

...would only allow communication through those ports? I was testing last night with RDP allowed in the Windows Server firewall. With only that ACL, I was still able to access RDP port 3389. It's almost like the firewall just has my server on the outside interface without any protection except the server's firewall.

Hi,

   Post the output of "show run object", "show run nat", "show run access-group", "show run access-list" and "packet-tracer input outside tcp 20.20.20.20 4000 172.16.22.2 3389 detailed".

Regards,

Cristian Matei.

ASA(config)# show run object
object network DMZ_outside
 host 172.16.22.2
object network web-server-fromOutside
 host 172.16.22.2
object network web-server-fromInside
 host 172.16.22.2
object network INSIDE_OUT
 subnet 192.168.22.0 255.255.255.0
object network web-server
 host 172.16.22.2
object network inside-network
 subnet 192.168.22.0 255.255.255.0
object network outside-network
 host 104.229.48.144
ASA(config)# show run nat
!
object network web-server-fromOutside
 nat (DMZ,outside) static interface
object network web-server-fromInside
 nat (DMZ,inside) static outside-network dns
object network INSIDE_OUT
 nat (any,outside) dynamic interface
Critical-ASA(config)# show run access-list
access-list OutsidetoDMZ extended permit object-group WEB_PORTS any object web-server
access-list InsidetoDMZ extended permit object-group WEB_PORTS any object web-server-fromInside
ASA(config)# packet-tracer input outside tcp 20.20.20.20 4000 172.16.22.2 3389 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1bbe676a30, priority=1, domain=permit, deny=false
        hits=85724, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.22.2 using egress ifc  DMZ

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 104.229.46.1 using egress ifc  outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1bbe7ef1f0, priority=11, domain=permit, deny=true
        hits=1923, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Weird. It appears not to be doing it now. I just upgraded my ASA to version 9.12(3); not sure if that has anything to do with it.
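Three packet-tracer runs are pasted in this thread, and in each case the only lines that matter are the first phase reporting DROP and the trailing Result block. The following is an added example, not code from the thread or from Cisco: a small parser for packet-tracer output in the form shown above that returns the phases, the final action, the drop reason and the phase that caused the drop. The two sample runs are constructed, abbreviated from the traces posted above (phase numbering and some lookup detail trimmed), and embedded so the script runs offline.

```python
"""Parser for Cisco ASA packet-tracer output as pasted in this thread.

Added example, not from the thread.  Given the text of one packet-tracer run it
returns the numbered phases (type, subtype, result, config and info lines), the
trailing Result block, and a one-line summary of what dropped the packet.
"""

# Constructed sample: the outside -> 172.16.22.2:3389 run from the last post, abbreviated.
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f1bbe676a30, priority=1, domain=permit, deny=false

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.22.2 using egress ifc  DMZ

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: an allowed run, abbreviated from the second trace in the original post.
SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network web-server-fromOutside
 nat (DMZ,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface DMZ

Phase: 2
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 282, packet dispatched to next module

Result:
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
"""


def parse_packet_tracer(text: str) -> dict:
    """Split a packet-tracer run into its numbered phases and the final Result block."""
    phases, final = [], {}
    current, section, in_final = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":                 # a bare 'Result:' opens the summary block
            current, in_final = None, True
            continue
        key, sep, value = line.partition(":")
        if in_final:
            if sep:
                final[key.strip().lower()] = value.strip()
            continue
        if current is None:                   # prompt echo or text before the first phase
            continue
        if key == "Type":
            current["type"] = value.strip()
        elif key == "Subtype":
            current["subtype"] = value.strip()
        elif key == "Result":
            current["result"] = value.strip()
        elif key == "Config" and not value.strip():
            section = "config"
        elif key == "Additional Information" and not value.strip():
            section = "info"
        elif section:                         # free-form line under Config / Additional Information
            current[section].append(raw.rstrip())
    return {"phases": phases, "final": final}


def summarize(text: str) -> dict:
    """The reviewer's view: final action, drop reason, and the first phase that said DROP."""
    run = parse_packet_tracer(text)
    dropped = next((p for p in run["phases"] if p["result"] == "DROP"), None)
    return {
        "action": run["final"].get("action"),
        "drop_reason": run["final"].get("drop-reason"),
        "output_interface": run["final"].get("output-interface"),
        "phase_count": len(run["phases"]),
        "drop_phase": None if dropped is None
        else f"{dropped['phase']} {dropped['type']} {dropped['subtype']}".rstrip(),
    }


if __name__ == "__main__":
    for name, sample in (("drop", SAMPLE_DROP), ("allow", SAMPLE_ALLOW)):
        print(name, summarize(sample))
```

Paste a full run from the console into the string and the summary tells you whether the drop came from an access-list, a NAT rpf-check or something else, which is the question every reply in this thread had to answer by hand; the config lines captured per phase also let you see which object or access-list entry the ASA matched.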
