10-05-2013 04:50 PM - edited 03-11-2019 07:47 PM
Hi!
I want to access an inside machine, 192.168.67.245 on TCP port 80, from the outside using my public IP: 1.1.1.1 (example).
Here is what I did:
access-list outisde_access_in permit tcp any host 192.168.67.245 eq 80
access-list outisde_access_in permit tcp any host 1.1.1.1 eq 80
object network My_inside_machine
host 192.168.67.245
nat (inside,outside) static interface service tcp 80 80
When I try to browse http://1.1.1.1 from outside (my home), I have something like:
3 | Oct 06 2013 | 00:02:50 | my_home_ip | 18159 | 1.1.1.1 | 80 | TCP access denied by ACL from my_home_ip/18159 to outside:1.1.1.1/80 |
What is wrong with my config?
ASA 5505
ASDM 7.1
ASA 9.1
10-05-2013 05:19 PM
Hi,
Well, the configuration looks otherwise good, but I have a doubt about your ACL.
The name is "outisde_access_in", though I would imagine that it should usually be "outside_access_in". Not that the ACL name matters, but I am just thinking about whether the ACL is attached to an interface at all.
I would check the output of the following command
show run access-group
This will tell what ACLs (name) are attached to which interface and in which direction.
I am wondering if the ACL is attached to the interface?
You can also use "packet-tracer" commands to test the ASA rules
packet-tracer input outside tcp
This command's output should tell if there is some problem with the ASA configuration.
- Jouni
10-05-2013 05:49 PM
Result of the command: "show run access-group"
access-group global_access global
Result of the command: "packet-tracer input outside tcp my_home_ip 12345 Public_IP 80"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in Public_IP 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Which rule is configured to deny the traffic ??!
10-05-2013 05:53 PM
Hi,
As you can see you have not attached the ACL you mention in the original post to any interface.
You have only configured an ACL named "global_access", and it applies to all interfaces on the ASA.
However, I think you should see an UN-NAT phase in the "packet-tracer" output, but that is not the case above. So I think there might be a problem with some other NAT configuration.
I would need to see the output of
show run nat
- Jouni
10-05-2013 05:57 PM
Result of the command: "show run nat"
nat (any,any) source static NETWORK_OBJ_172.19.16.0_20 NETWORK_OBJ_172.19.16.0_20
nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.16.0_20 NETWORK_OBJ_172.19.16.0_20 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.67.248_29 NETWORK_OBJ_192.168.67.248_29 no-proxy-arp route-lookup
!
object network My_inside_machine
nat (inside,outside) static interface service tcp www www
10-05-2013 06:01 PM
Hi,
This NAT rule is overriding the Static PAT you have configured for the port TCP/80:
nat (inside,outside) source dynamic any interface
You will have to remove it and add it in another format:
no nat (inside,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
You will also have to make the ACL rule to allow the traffic since, as I mentioned above, you have a different ACL attached on the device compared to the one you mentioned in the original post.
- Jouni
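The two points in the replies above (Section 1 manual NAT is evaluated before the object NAT, so the dynamic PAT shadows the static PAT until it is moved to after-auto; and only an ACL bound with access-group is consulted, matched against the real address on ASA 8.3+) can be checked in a small model. The following is an added example written for this thread, not Cisco code and not the poster's configuration; the way a dynamic rule ends the lookup is a simplification of ASA behaviour, and the three scenarios are constructed from the addresses in the thread.

```python
"""Simplified model of Cisco ASA NAT ordering and ACL binding (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

OUTSIDE_IP = "1.1.1.1"  # example outside interface IP from the thread


@dataclass
class NatRule:
    section: int                # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual after-auto
    kind: str                   # "static" or "dynamic"
    real_ip: str                # "any" or a host address
    mapped_ip: str              # "interface" or a host address
    port: Optional[int] = None  # service port for static PAT; None = all ports


@dataclass
class AclEntry:
    proto: str                  # only "tcp" is modelled; source is implicitly "any"
    dst_ip: str
    dst_port: int


@dataclass
class Firewall:
    nat_rules: List[NatRule]
    acls: Dict[str, List[AclEntry]]
    access_groups: Dict[str, str]   # "outside:in" or "global" -> ACL name


def unnat_inbound(rules: List[NatRule], dst_ip: str, dst_port: int) -> Optional[str]:
    """Walk NAT sections 1, 2, 3 in order and return the real address for an
    inbound connection to dst_ip:dst_port, or None when no UN-NAT happens.
    Simplification: the first rule whose mapped address matches ends the lookup;
    a static rule un-translates, while a dynamic PAT rule matches the address but
    cannot accept an unsolicited inbound connection, so it shadows later sections."""
    for section in (1, 2, 3):
        for rule in (r for r in rules if r.section == section):
            mapped = OUTSIDE_IP if rule.mapped_ip == "interface" else rule.mapped_ip
            if mapped != dst_ip:
                continue
            if rule.port is not None and rule.port != dst_port:
                continue
            return rule.real_ip if rule.kind == "static" else None
    return None


def evaluate_inbound(fw: Firewall, dst_ip: str, dst_port: int) -> str:
    """Mimic the relevant packet-tracer phases for a packet arriving on outside:
    UN-NAT first, then the inbound ACL on the outside interface (falling back to
    the global ACL), matched against the real address as on ASA 8.3+."""
    real = unnat_inbound(fw.nat_rules, dst_ip, dst_port)
    target = real if real is not None else dst_ip
    suffix = "" if real is not None else " (no UN-NAT)"
    acl_name = fw.access_groups.get("outside:in") or fw.access_groups.get("global")
    if acl_name is None:
        return "drop: no ACL applied, implicit deny" + suffix
    for entry in fw.acls.get(acl_name, []):
        if entry.proto == "tcp" and entry.dst_ip == target and entry.dst_port == dst_port:
            return f"allow -> {target}:{dst_port}" + suffix
    return f"drop: implicit deny in {acl_name}" + suffix


STATIC_PAT = NatRule(2, "static", "192.168.67.245", "interface", 80)  # the object NAT from the thread

# Constructed scenario 1: the configuration as posted. The dynamic PAT sits in
# Section 1 and the poster's ACL is defined but never bound with access-group.
AS_POSTED = Firewall(
    nat_rules=[NatRule(1, "dynamic", "any", "interface"), STATIC_PAT],
    acls={
        "outisde_access_in": [AclEntry("tcp", "192.168.67.245", 80), AclEntry("tcp", "1.1.1.1", 80)],
        "global_access": [],
    },
    access_groups={"global": "global_access"},
)

# Constructed scenario 2: the dynamic PAT moved to after-auto (Section 3) and a
# permit for the real address added to the ACL that is actually applied.
AFTER_FIX = Firewall(
    nat_rules=[STATIC_PAT, NatRule(3, "dynamic", "any", "interface")],
    acls={"global_access": [AclEntry("tcp", "192.168.67.245", 80)]},
    access_groups={"global": "global_access"},
)

# Constructed scenario 3: NAT fixed, but the ACL permits only the mapped (public) IP.
MAPPED_IP_ONLY = Firewall(
    nat_rules=AFTER_FIX.nat_rules,
    acls={"global_access": [AclEntry("tcp", "1.1.1.1", 80)]},
    access_groups={"global": "global_access"},
)

if __name__ == "__main__":
    for name, fw in (("as posted", AS_POSTED), ("after fix", AFTER_FIX), ("mapped-IP ACL", MAPPED_IP_ONLY)):
        print(f"{name:14s}: {evaluate_inbound(fw, OUTSIDE_IP, 80)}")
```

The first scenario reproduces the trace in the thread (no UN-NAT phase, then an implicit-deny drop in global_access); the second shows both fixes together; the third shows that an entry written for the public address, like the second line of the original ACL, never matches once the real address is used for ACL evaluation.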
10-05-2013 06:17 PM
Everything seems to be okay.
Thank you very much JouniForss.