Port Forward HTTPS from 4434 OUTSIDE to 443 INSIDE

Tyson Joachims
Spotlight

===Goal===
Port forward inbound HTTPS requests on TCP-4434 on the outside interface and translate it to TCP-443 as it is sent to a webserver

===Issue===
When trying to reach the web server using https://[outside IP address]:4434 in Firefox, I am automatically redirected to the AnyConnect webpage to login. I get the same issue with Chrome and Internet Explorer. When trying to go to http://[outside IP address]:4434, the connection times out.

===Configuration Snip===

object network WEBSERVER
host 10.0.2.8
nat (inside,outside) static interface service tcp https 4434
!
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq https
access-group OUTSIDE-INBOUND in interface outside

===Troubleshooting===
1. I have run a packet capture on the outside interface for any TCP packets destined for 4434 and I can see the incoming packets; however, the ACL OUTSIDE-INBOUND shows no hits (normal?)
2. Packet-tracer shows packet is allowed on the outside interface
3. Running a wireshark capture on the WEBSERVER indicates it is never receiving the packet
4. I have run a packet capture on all asp-drops to see if there was something there but found no indication of that being the issue
5. No logs seem to point to any problems for anything from either IP address or TCP port 4434
6. The result of "show nat"

ciscoasa(config)# show nat
Manual NAT Policies (Section 1)
1 (any) to (outside) source static 10.0.0.0_21 10.0.0.0_21 destination static 10.0.7.0_24 10.0.7.0_24
translate_hits = 0, untranslate_hits = 163
2 (inside) to (outside) source static 10.0.0.0_24 10.0.0.0_24 destination static 10.0.8.0_24 10.0.8.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static 10.0.2.0_24 10.0.2.0_24 destination static 10.0.9.0_24 10.0.9.0_24 no-proxy-arp route-lookup
translate_hits = 14, untranslate_hits = 492
4 (outside) to (outside) source dynamic 10.0.7.0_24 interface
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEBSERVER interface service tcp https 4434
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic 10.0.0.0_21 interface
translate_hits = 43261, untranslate_hits = 592

===Request===
Can anyone point me in the right direction as to where to look? I've worked on this issue for some time and cannot for the life of me figure out why the packet is going into the OUTSIDE interface but not coming out the INSIDE interface towards the WEBSERVER.

2 Replies

balaji.bandi
Hall of Fame

For testing, change the webserver to listen on 4434 (instead of 443), change the config as below, and test whether that works.


object network WEBSERVER
host 10.0.2.8
nat (inside,outside) static interface service tcp 4434 4434


Also, check the web server logs: do you see any hits? (Is this IIS or Apache?)


On another note, make sure you try removing the WebServer IP from the NAT list, for testing.


BB


Tyson Joachims
Spotlight

@balaji.bandi I changed the port to TCP 4434 instead of 443 and tested to verify I could reach it via Firefox. I was using LibreNMS on an Ubuntu server and just changed to using a Catalyst switch since it would be easier to change ports around. Here is the simple configuration of the switch, and also a demonstration that its routing works:

C3560-CX-CORE#show run | inc http
ip http server
ip http port 4434
no ip http secure-server
C3560-CX-CORE#show run interface g1/0/1
Building configuration...

Current configuration : 109 bytes
!
interface GigabitEthernet1/0/1
 description ASA
 no switchport
 ip address 10.0.7.253 255.255.255.252
end

C3560-CX-CORE#show ip route | inc 0.0.0.0/0
S*    0.0.0.0/0 [1/0] via 10.0.7.254
C3560-CX-CORE#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/17/21 ms

Made the following changes to the ASA:

object network WEBSERVER
 host 10.0.7.253
 nat (inside,outside) static interface service tcp 4434 4434
!
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq 4434

I cleared the connections and the xlate and then proceeded to test. I am still able to see the inbound packets on the outside interface packet capture but neither the NAT or ACL counters change.

ciscoasa# show access-list OUTSIDE-INBOUND
access-list OUTSIDE-INBOUND; 5 elements; name hash: 0x4324a89a
access-list OUTSIDE-INBOUND line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0x5c97af6d
access-list OUTSIDE-INBOUND line 2 extended permit icmp any any unreachable (hitcnt=0) 0xf872c3d1
access-list OUTSIDE-INBOUND line 3 extended permit icmp any any echo-reply (hitcnt=0) 0xb534cbb8
access-list OUTSIDE-INBOUND line 4 extended permit icmp any any traceroute (hitcnt=0) 0x25c31fe4
access-list OUTSIDE-INBOUND line 5 extended permit tcp any object WEBSERVER eq 4434 (hitcnt=0) 0x42669da6
  access-list OUTSIDE-INBOUND line 5 extended permit tcp any host 10.0.7.253 eq 4434 (hitcnt=0) 0x42669da6
ciscoasa# show nat
Manual NAT Policies (Section 1)
1 (any) to (outside) source static 10.0.0.0_21 10.0.0.0_21  destination static 10.0.7.0_24 10.0.7.0_24
    translate_hits = 0, untranslate_hits = 165
2 (inside) to (outside) source static 10.0.0.0_24 10.0.0.0_24  destination static 10.0.8.0_24 10.0.8.0_24 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static 10.0.2.0_24 10.0.2.0_24  destination static 10.0.9.0_24 10.0.9.0_24 no-proxy-arp route-lookup
    translate_hits = 21, untranslate_hits = 654
4 (outside) to (outside) source dynamic 10.0.7.0_24 interface
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEBSERVER interface  service tcp 4434 4434
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic 10.0.0.0_21 interface
    translate_hits = 55567, untranslate_hits = 767
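A defender-side check, added here and not part of any post in this thread: it parses the `show nat` and `show access-list` output formats quoted above and flags static NAT rules and ACEs whose counters stay at zero, which is exactly the symptom both posters are chasing (packets seen on the outside capture, but no translate/untranslate or hitcnt movement). The sample output is constructed from the thread's own lines.

```python
import re

# Constructed sample input, shaped like the "show nat" / "show access-list" output in the thread.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (any) to (outside) source static 10.0.0.0_21 10.0.0.0_21  destination static 10.0.7.0_24 10.0.7.0_24
    translate_hits = 0, untranslate_hits = 165

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEBSERVER interface  service tcp 4434 4434
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic 10.0.0.0_21 interface
    translate_hits = 55567, untranslate_hits = 767
"""
SHOW_ACL = """\
access-list OUTSIDE-INBOUND; 5 elements; name hash: 0x4324a89a
access-list OUTSIDE-INBOUND line 5 extended permit tcp any object WEBSERVER eq 4434 (hitcnt=0) 0x42669da6
  access-list OUTSIDE-INBOUND line 5 extended permit tcp any host 10.0.7.253 eq 4434 (hitcnt=0) 0x42669da6
"""

SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
NAT_RULE_RE = re.compile(r"^(\d+)\s+\((\S+)\)\s+to\s+\((\S+)\)\s+(.*?)\s*$")
NAT_HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.*?) \(hitcnt=(\d+)\)")

def parse_show_nat(text):
    """Return one dict per NAT rule: section, index, interfaces, policy text and hit counters."""
    rules, section, pending = [], None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = int(m.group(2))
        elif m := NAT_RULE_RE.match(line):  # rule header; the indented counter line never matches
            pending = {"section": section, "index": int(m.group(1)),
                       "src_if": m.group(2), "dst_if": m.group(3), "policy": m.group(4)}
        elif (m := NAT_HITS_RE.search(line)) and pending:
            pending["translate_hits"], pending["untranslate_hits"] = int(m.group(1)), int(m.group(2))
            rules.append(pending)
            pending = None
    return rules

def parse_acl_hits(text):
    """Top-level ACEs with their hitcnt; the indented object-expanded lines are skipped."""
    return [{"acl": m.group(1), "line": int(m.group(2)), "ace": m.group(3), "hitcnt": int(m.group(4))}
            for m in map(ACE_RE.match, text.splitlines()) if m]

def idle_static_nat(rules):
    """Static NAT rules with zero hits in both directions: a published port forward traffic never reaches."""
    return [r for r in rules if "static" in r["policy"]
            and r["translate_hits"] == 0 and r["untranslate_hits"] == 0]
```

Run both parsers against the real device output after a test connection; a static rule that stays in `idle_static_nat` while the outside capture shows the SYNs means the packet is being consumed before NAT and ACL evaluation, so the next place to look is what the ASA itself is listening on for that port.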