09-25-2021 01:46 PM
===Goal===
Port forward inbound HTTPS requests on TCP-4434 on the outside interface and translate it to TCP-443 as it is sent to a webserver
===Issue===
When trying to reach the web server using https://[outside IP address]:4434 in Firefox, I am automatically redirected to the AnyConnect webpage to login. I get the same issue with Chrome and Internet Explorer. When trying to go to http://[outside IP address]:4434, the connection times out.
===Configuration Snip===
object network WEBSERVER
 host 10.0.2.8
 nat (inside,outside) static interface service tcp https 4434
!
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq https
access-group OUTSIDE-INBOUND in interface outside
===Troubleshooting===
1. I have run a packet capture on the outside interface for any TCP packets destined for 4434 and I can see the incoming packets; however, the ACL OUTSIDE-INBOUND shows no hits (normal?)
2. Packet-tracer shows packet is allowed on the outside interface
3. Running a wireshark capture on the WEBSERVER indicates it is never receiving the packet
4. I have run a packet capture on all asp-drops to see if there was something there but found no indication of that being the issue
5. No logs seem to point to any problems for anything from either IP address or TCP port 4434
6. The result of "show nat"
ciscoasa(config)# show nat
Manual NAT Policies (Section 1)
1 (any) to (outside) source static 10.0.0.0_21 10.0.0.0_21 destination static 10.0.7.0_24 10.0.7.0_24
    translate_hits = 0, untranslate_hits = 163
2 (inside) to (outside) source static 10.0.0.0_24 10.0.0.0_24 destination static 10.0.8.0_24 10.0.8.0_24 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static 10.0.2.0_24 10.0.2.0_24 destination static 10.0.9.0_24 10.0.9.0_24 no-proxy-arp route-lookup
    translate_hits = 14, untranslate_hits = 492
4 (outside) to (outside) source dynamic 10.0.7.0_24 interface
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEBSERVER interface service tcp https 4434
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic 10.0.0.0_21 interface
    translate_hits = 43261, untranslate_hits = 592
===Request===
Can anyone point me in the right direction as to where to look? I've worked on this issue for some time and cannot for the life of me figure out why the packet is going into the OUTSIDE interface but not coming out the INSIDE interface towards the WEBSERVER.
09-25-2021 05:02 PM
For testing, change the Webserver to listen on 4434 (instead of 443), change the config as below, and test whether that works:
object network WEBSERVER
 host 10.0.2.8
 nat (inside,outside) static interface service tcp 4434 4434
Also, check the web server logs: do you see any hits? (Is this IIS or Apache?)
On another note, make sure you try removing the WebServer IP from the NAT list, for testing.
09-25-2021 06:22 PM
@balaji.bandi I changed the port to TCP 4434 instead of 443 and tested to verify I could reach it via Firefox. I was using LibreNMS on an Ubuntu server and just changed to using a Catalyst switch since it would be easier to change ports around. Here is the simple configuration of the switch, also showing that its routing works:
C3560-CX-CORE#show run | inc http
ip http server
ip http port 4434
no ip http secure-server
C3560-CX-CORE#show run interface g1/0/1
Building configuration...

Current configuration : 109 bytes
!
interface GigabitEthernet1/0/1
 description ASA
 no switchport
 ip address 10.0.7.253 255.255.255.252
end
C3560-CX-CORE#show ip route | inc 0.0.0.0/0
S*    0.0.0.0/0 [1/0] via 10.0.7.254
C3560-CX-CORE#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/17/21 ms
Made the following changes to the ASA:
object network WEBSERVER
 host 10.0.7.253
 nat (inside,outside) static interface service tcp 4434 4434
!
access-list OUTSIDE-INBOUND extended permit tcp any object WEBSERVER eq 4434
I cleared the connections and the xlate and then proceeded to test. I am still able to see the inbound packets in the outside interface packet capture, but neither the NAT nor the ACL counters change.
ciscoasa# show access-list OUTSIDE-INBOUND
access-list OUTSIDE-INBOUND; 5 elements; name hash: 0x4324a89a
access-list OUTSIDE-INBOUND line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0x5c97af6d
access-list OUTSIDE-INBOUND line 2 extended permit icmp any any unreachable (hitcnt=0) 0xf872c3d1
access-list OUTSIDE-INBOUND line 3 extended permit icmp any any echo-reply (hitcnt=0) 0xb534cbb8
access-list OUTSIDE-INBOUND line 4 extended permit icmp any any traceroute (hitcnt=0) 0x25c31fe4
access-list OUTSIDE-INBOUND line 5 extended permit tcp any object WEBSERVER eq 4434 (hitcnt=0) 0x42669da6
  access-list OUTSIDE-INBOUND line 5 extended permit tcp any host 10.0.7.253 eq 4434 (hitcnt=0) 0x42669da6
ciscoasa# show nat
Manual NAT Policies (Section 1)
1 (any) to (outside) source static 10.0.0.0_21 10.0.0.0_21 destination static 10.0.7.0_24 10.0.7.0_24
    translate_hits = 0, untranslate_hits = 165
2 (inside) to (outside) source static 10.0.0.0_24 10.0.0.0_24 destination static 10.0.8.0_24 10.0.8.0_24 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static 10.0.2.0_24 10.0.2.0_24 destination static 10.0.9.0_24 10.0.9.0_24 no-proxy-arp route-lookup
    translate_hits = 21, untranslate_hits = 654
4 (outside) to (outside) source dynamic 10.0.7.0_24 interface
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEBSERVER interface service tcp 4434 4434
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic 10.0.0.0_21 interface
    translate_hits = 55567, untranslate_hits = 767
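As an added example, not part of the thread: a small Python helper that parses two "show nat" snapshots like the ones above and reports per-policy hit deltas, so that a WEBSERVER policy that never moves while the dynamic PAT rule keeps climbing can be read off directly. The sample text is constructed from the counters quoted in this thread and trimmed to three policies per snapshot.

```python
import re

# Constructed sample input: the two "show nat" snapshots quoted in the thread
# (before and after the port change), cut down to three policies each.
SHOW_NAT_BEFORE = """Manual NAT Policies (Section 1)
3 (inside) to (outside) source static 10.0.2.0_24 10.0.2.0_24 destination static 10.0.9.0_24 10.0.9.0_24 no-proxy-arp route-lookup
    translate_hits = 14, untranslate_hits = 492
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEBSERVER interface service tcp https 4434
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic 10.0.0.0_21 interface
    translate_hits = 43261, untranslate_hits = 592
"""
SHOW_NAT_AFTER = """Manual NAT Policies (Section 1)
3 (inside) to (outside) source static 10.0.2.0_24 10.0.2.0_24 destination static 10.0.9.0_24 10.0.9.0_24 no-proxy-arp route-lookup
    translate_hits = 21, untranslate_hits = 654
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static WEBSERVER interface service tcp 4434 4434
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic 10.0.0.0_21 interface
    translate_hits = 55567, untranslate_hits = 767
"""

SECTION_RE = re.compile(r"(?:Manual|Auto) NAT Policies \(Section (\d)\)")
POLICY_RE = re.compile(
    r"\d+ \((\S+)\) to \((\S+)\) (.*?)\s*"
    r"translate_hits = (\d+), untranslate_hits = (\d+)", re.DOTALL)

def parse_show_nat(text):
    """Map (section, '(src) to (dst) rule text') -> (translate_hits, untranslate_hits)."""
    policies = {}
    headers = list(SECTION_RE.finditer(text))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        for m in POLICY_RE.finditer(text, hdr.end(), end):
            src, dst, rule, t, u = m.groups()
            key = (int(hdr.group(1)), f"({src}) to ({dst}) " + " ".join(rule.split()))
            policies[key] = (int(t), int(u))
    return policies

def counter_deltas(before, after):
    """Per-policy hit deltas; None marks a policy that was added or reworded in between."""
    return {k: ((v[0] - before[k][0], v[1] - before[k][1]) if k in before else None)
            for k, v in after.items()}

def idle_policies(before, after, needle):
    """Policies mentioning `needle` whose counters were zero in both snapshots."""
    return [k for k, v in after.items()
            if needle in k[1] and v == (0, 0) and before.get(k, (0, 0)) == (0, 0)]
```

Policies whose rule text changed between snapshots (here the WEBSERVER service line) come back as None from counter_deltas, so compare them by idle_policies instead of by delta.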