
Port Forward 46611 on ASA 5515

chris.hall6777
Level 1

I work mainly with Barracuda firewalls and my Cisco command line is bad bad.

 

I have a Cisco 5515 at 216.x.x.39 and I need to forward port 46611 to an internal IP address, 10.10.3.7, port 9000.

My inside interface is nas-main.

Outside interface is twtc.

 

I tried using ASDM and it didn't work, and currently I am trying the command line, but I keep getting error messages with my nat command.

Also, detailed help would be appreciated; as I said, my Cisco command line experience is lacking.

Thanks in advance.

27 Replies

Can you remove a line from your configuration temporarily?

So type this -

"no access-group global_access global"

Then, in this order:

1) run "sh nat" and save the output

2) run the same packet-tracer command as before

3) run "sh nat" again

Post the results.

Jon

I am getting an error message on the command

no access-group global_access global

It is putting a marker at the "a" in the first "access".

Not sure why, it's in your configuration.

Can you post output of "sh run access-group".

Jon

Got it, I had to do config t first.

But now sh nat is not working.

I am at the enable level.

 

At the enable mode it should just be "sh nat".

Jon

OK, got the info.

First sh nat:

BAEng(config)# sh nat
Manual NAT Policies (Section 1)
1 (NAS-Main) to (TWTC) source static any interface   unidirectional
    translate_hits = 1655, untranslate_hits = 0
2 (NAS-QA1) to (TWTC) source static any interface   unidirectional
    translate_hits = 0, untranslate_hits = 0
3 (NAS-QA2) to (TWTC) source static any interface   unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (BTC) to (TWTC) source static BTC-ClearOS BTC-Email   inactive
    translate_hits = 0, untranslate_hits = 0
5 (BTC) to (TWTC) source static BTC-Metric-Private BTC-Metric-Public   service EncryptedMail EncryptedMail
    translate_hits = 0, untranslate_hits = 0
6 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public   service BTC-EmailPort25 BTC-EmailPort25
    translate_hits = 0, untranslate_hits = 0
7 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public   service BTC-ICMP BTC-ICMP
    translate_hits = 0, untranslate_hits = 0
8 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public   service ENGR-VPN-UDP-1194 ENGR-VPN-UDP-1194
    translate_hits = 0, untranslate_hits = 0
9 (NAS-Main) to (TWTC) source static ENGR-OpenVPN DM_INLINE_NETWORK_1   service ENGR-VPN-1194 ENGR-VPN-1194
    translate_hits = 0, untranslate_hits = 0
10 (NAS-Main) to (TWTC) source static GIt-SERVER NASMAIN-Public   service SSH SSH
    translate_hits = 0, untranslate_hits = 0
11 (NAS-Main) to (TWTC) source static Terastation BTC-Email   service SSH SSH
    translate_hits = 0, untranslate_hits = 0
12 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public   service ENGR-VPN-443 ENGR-VPN-443
    translate_hits = 0, untranslate_hits = 0
13 (NAS-Main) to (TWTC) source static TS3000-Build NASMAIN-Public   service TSbuild-4343-2 TSbuild-4343-2
    translate_hits = 0, untranslate_hits = 0
14 (NAS-Main) to (TWTC) source static WEBAccess-FW interface   service WEBAccess-FW-Port-2 WEBAccess-FW-Port-2
    translate_hits = 0, untranslate_hits = 0
15 (NAS-Main) to (TWTC) source static TestRail-private NASMAIN-Public   service TestRAil-80-2 TestRAil-80-2
    translate_hits = 0, untranslate_hits = 0
16 (NAS-Main) to (TWTC) source static TS-WEbAccess-Test-private interface   service Web-Access-Test-2 Web-Access-Test-2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (BTC) to (TWTC) source static BTC-ClearOS BTC-Public
    translate_hits = 0, untranslate_hits = 37
2 (VideoConference) to (TWTC) source static VC VideoConferencePublic
    translate_hits = 0, untranslate_hits = 37

Manual NAT Policies (Section 3)
1 (BTC) to (TWTC) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
BAEng(config)#

 

Then the tracer:

BAEng(config)# packet-tracer input nas-main tcp 10.10.0.2 12345 8.8.8.8 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         TWTC

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (NAS-Main,TWTC) source static any interface unidirectional
Additional Information:
Static translate 10.10.0.2/12345 to 216.54.247.34/12345

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2228, packet dispatched to next module

Result:
input-interface: NAS-Main
input-status: up
input-line-status: up
output-interface: TWTC
output-status: up
output-line-status: up
Action: allow

BAEng(config)#

 

Then the second sh nat:

BAEng(config)# sh nat
Manual NAT Policies (Section 1)
1 (NAS-Main) to (TWTC) source static any interface   unidirectional
    translate_hits = 2301, untranslate_hits = 0
2 (NAS-QA1) to (TWTC) source static any interface   unidirectional
    translate_hits = 0, untranslate_hits = 0
3 (NAS-QA2) to (TWTC) source static any interface   unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (BTC) to (TWTC) source static BTC-ClearOS BTC-Email   inactive
    translate_hits = 0, untranslate_hits = 0
5 (BTC) to (TWTC) source static BTC-Metric-Private BTC-Metric-Public   service EncryptedMail EncryptedMail
    translate_hits = 0, untranslate_hits = 0
6 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public   service BTC-EmailPort25 BTC-EmailPort25
    translate_hits = 0, untranslate_hits = 0
7 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public   service BTC-ICMP BTC-ICMP
    translate_hits = 0, untranslate_hits = 0
8 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public   service ENGR-VPN-UDP-1194 ENGR-VPN-UDP-1194
    translate_hits = 0, untranslate_hits = 0
9 (NAS-Main) to (TWTC) source static ENGR-OpenVPN DM_INLINE_NETWORK_1   service ENGR-VPN-1194 ENGR-VPN-1194
    translate_hits = 0, untranslate_hits = 0
10 (NAS-Main) to (TWTC) source static GIt-SERVER NASMAIN-Public   service SSH SSH
    translate_hits = 0, untranslate_hits = 0
11 (NAS-Main) to (TWTC) source static Terastation BTC-Email   service SSH SSH
    translate_hits = 0, untranslate_hits = 0
12 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public   service ENGR-VPN-443 ENGR-VPN-443
    translate_hits = 0, untranslate_hits = 0
13 (NAS-Main) to (TWTC) source static TS3000-Build NASMAIN-Public   service TSbuild-4343-2 TSbuild-4343-2
    translate_hits = 0, untranslate_hits = 0
14 (NAS-Main) to (TWTC) source static WEBAccess-FW interface   service WEBAccess-FW-Port-2 WEBAccess-FW-Port-2
    translate_hits = 0, untranslate_hits = 0
15 (NAS-Main) to (TWTC) source static TestRail-private NASMAIN-Public   service TestRAil-80-2 TestRAil-80-2
    translate_hits = 0, untranslate_hits = 0
16 (NAS-Main) to (TWTC) source static TS-WEbAccess-Test-private interface   service Web-Access-Test-2 Web-Access-Test-2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (BTC) to (TWTC) source static BTC-ClearOS BTC-Public
    translate_hits = 0, untranslate_hits = 39
2 (VideoConference) to (TWTC) source static VC VideoConferencePublic
    translate_hits = 0, untranslate_hits = 40

Manual NAT Policies (Section 3)
1 (BTC) to (TWTC) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
BAEng(config)#

Disabling the group opened up outside internet access.

 

Do you mean it worked?

Jon

Yes, we can surf the internet now, just not sure how open we are.

What did that group do?

You are not open at all, because you have no ACL on your TWTC interface, so nothing can come in except return traffic to clients.

Basically, all traffic is allowed from a higher interface to a lower interface by default, so NAS-Main should be allowed out.

You can configure interface ACLs or global ACLs, which apply to all interfaces, and interface ACLs take precedence.

By the looks of it, the global_access ACL was created for the server access that you mentioned was working.

What you should have done was to create the ACL and apply it to the TWTC interface inbound, allowing just that port.

But you created a global ACL and applied it inbound, only allowing that port to your server.

But a global ACL applies inbound to all interfaces, including the NAS-Main interface, so you effectively blocked all traffic.

When you rebooted the device, any new connections were then blocked.

By taking it off, traffic is now allowed by default from the NAS-Main interface to the TWTC interface.

So don't worry about any access from outside, because, like I say, you would need an ACL on the TWTC interface applied inbound for traffic to be initiated from outside.

If you want access back to your server, then just create a new ACL copying the global_access ACL, but probably with a better name, e.g.

TWTC_access_in

and apply it to your TWTC interface:

"access-group TWTC_access_in in interface TWTC"

Make sure you only allow the ports you need, so basically a copy of the global_access ACL.

Does all that make sense?

Any queries or clarifications, please ask.

Jon
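The following is an added example configuration, not from any post in this thread, that applies the advice above to the port forward the thread started with: remove the global ACL, add an object NAT that maps TCP/46611 on the TWTC interface address to 10.10.3.7 TCP/9000, and filter inbound on the TWTC interface only. The object name SRV-PORT9000, the ACL name TWTC_access_in (suggested above), and the 203.0.113.5 test client are assumptions; 216.x.x.39 is the poster's redacted outside address and must be replaced with the real one before the packet-tracer line is run. Syntax is ASA 8.3 and later, where an ACL matches on the real (inside) address and port rather than the translated ones.

```cisco
! --- The problem: a global ACL is evaluated inbound on EVERY interface,
! --- so it also filtered NAS-Main -> TWTC traffic and blocked web browsing.
! access-list global_access extended permit tcp any host 10.10.3.7 eq 9000
! access-group global_access global
!
! Remove the global binding (already done in the thread):
no access-group global_access global
!
! --- Port forward: object NAT on the inside host (name is an assumption).
! --- Outside TCP/46611 on the TWTC interface address -> 10.10.3.7 TCP/9000.
object network SRV-PORT9000
 host 10.10.3.7
 nat (NAS-Main,TWTC) static interface service tcp 9000 46611
!
! --- Inbound policy bound to the outside interface only, not globally.
! --- On 8.3+ the ACL names the real address and real port (10.10.3.7:9000),
! --- not the mapped 46611. The explicit deny ... log makes dropped probes
! --- visible in syslog; the implicit deny at the end would be silent.
access-list TWTC_access_in remark Internet -> 10.10.3.7:9000 only
access-list TWTC_access_in extended permit tcp any object SRV-PORT9000 eq 9000
access-list TWTC_access_in extended deny ip any any log
access-group TWTC_access_in in interface TWTC
!
! --- Checks (exec/enable mode). 203.0.113.5 is a made-up outside client;
! --- replace 216.x.x.39 with the real TWTC address.
! packet-tracer input TWTC tcp 203.0.113.5 40000 216.x.x.39 46611
!   expect: NAT phase "Static translate ... to 10.10.3.7/9000", Action: allow
! show nat | include SRV-PORT9000
!   expect: untranslate_hits incremented by the packet-tracer run
! show access-list TWTC_access_in
!   expect: hitcnt on the permit line incremented
! --- Confirm inside hosts still get out now that no global ACL is applied:
! packet-tracer input NAS-Main tcp 10.10.0.2 12345 8.8.8.8 80
! --- Save only after the checks pass:
! write memory
```

The inbound ACL is the control that actually limits exposure: the NAT statement alone makes 10.10.3.7:9000 reachable only if an ACL on TWTC permits it, and the ACL above permits exactly that one destination and port. If the service should be reachable from known addresses only, tighten `any` on the permit line to those sources.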

 

That looks better.

Can you test from a client and then if it is working post back here and I'll explain what went wrong.

Jon

chris.hall6777
Level 1

Jon,

Thank you for your help on Friday; sorry not to thank you then, but I had to go deal with another problem that popped up.

Things seem to be OK. I need to work on getting some of the old rules removed and turning on a few of the ones we disabled.

Also, to finish up the port forwarder correctly.

But I wanted to say, thank you!!!!  

Chris

No problem, I figured things might be a bit hectic for you.

By all means post a new question if you need to when looking at the port forwarding.

Jon
