10-13-2015 03:31 AM - edited 03-11-2019 11:44 PM
Hi All.
Just having a problem with port forwarding on an ASA5512 v9.1. The configuration is the same as used for port forwarding, but it doesn't work.
I need to forward port 443 from the outside interface to a local device. The local device IP is 192.168.1.90 and an SSL VPN server is configured on it. The local IP of the ASA (inside interface) is 192.168.2.1; it is connected to the core switch, IP 192.168.2.2. The core switch has a local subnet 192.168.1.0/24.
When I log in locally at https://192.168.1.90, the SSL VPN login page opens.
Debugging doesn't show any traffic coming from outside to that. Packet tracer on ASA shows NAT problem, configuration below:
object network PBX
host 192.168.1.90
nat (inside,outside) source dynamic any interface
object network PBX
nat (inside,outside) static interface service tcp https https
Appreciate any help. Thanks
10-13-2015 04:12 AM
Hi,
The NAT statement:
object network PBX
nat (inside,outside) static interface service tcp https https
will translate traffic arriving on the outside interface with the ASA's public IP as destination on port 443 to 192.168.1.90/443.
In your update you mentioned that you tried running packet-tracer and observed some issues with NAT. What is the error that you see in the packet-tracer output?
You can try converting the object NAT to a static manual NAT and put it on top so that you can ensure there is no other overlapping NAT rule present:
nat (inside,outside) 1 source static PBX interface service https https
Also ensure you have an ACL to permit the traffic after un-translation, i.e. tcp/443 traffic destined for 192.168.1.90/443.
Share your findings.
Thanks,
R.Seth
10-13-2015 05:05 AM
Hi Rishabh.
The ACLs I've got:
access-list outside_access_in remark SSL VPN to PBX
access-list outside_access_in extended permit tcp any object PBX eq https
access-list inside_access_in_1 remark SSL VPN to PBX
access-list inside_access_in_1 extended permit tcp object PBX any eq https
And packet-tracer:
# packet-tracer input outside tcp 8.8.8.8 https 192.168.1.90 https det
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object PBX eq https
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9fa028a0, priority=13, domain=permit, deny=false
hits=0, user_data=0x7fff9b9db1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.1.90, mask=255.255.255.255, port=443, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9edeec20, priority=0, domain=nat-per-session, deny=false
hits=5721791, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f869830, priority=0, domain=inspect-ip-options, deny=true
hits=6478779, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa0564210, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=398057, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff9fae34c0, priority=6, domain=nat-reverse, deny=false
hits=2652, user_data=0x7fff9fadc150, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Does it look like I need to move my NAT rule to the top?
Regards,
10-13-2015 05:34 AM
Hi,
In packet-tracer you are trying the real IP for the internal device.
Try the packet tracer with the destination as your ASA's public IP and not the internal IP.
Let us know if it helps.
Thanks,
R.Seth
10-13-2015 05:53 AM
Hi.
But I need to reach the local IP from outside using the ASA public IP.
I tried this:
# packet-tracer input outside tcp 8.8.8.8 https <ASA WAN IP> https det
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in <ASA WAN IP> 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9edeec20, priority=0, domain=nat-per-session, deny=false
hits=5810133, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f863570, priority=0, domain=permit, deny=true
hits=685701, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Any ideas about that ACL?
Thanks
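Worked example, added here and not part of the thread: a small Python parser for packet-tracer output of the kind pasted above. It reports the phase that dropped the flow and flags a trace that never reaches an UN-NAT phase, which is the symptom of a static NAT rule that was not evaluated. The sample trace is a constructed, shortened copy of the trace above, with a documentation address in place of the ASA WAN IP.

```python
"""Parse ASA packet-tracer output and name the phase that dropped the flow.
Added example, not from the thread. SAMPLE_TRACE is a constructed, shortened
copy of the thread's second trace (public IP as destination, no UN-NAT phase)."""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 203.0.113.10 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Return (phases, summary): one dict per phase plus the final Action/Drop-reason block."""
    body, *tail = re.split(r"^Result:[ \t]*$", text, maxsplit=1, flags=re.M)  # bare "Result:" opens the summary
    summary = {k.strip().lower(): v.strip() for k, v in
               (ln.split(":", 1) for ln in "".join(tail).splitlines() if ":" in ln)}
    parts = re.split(r"^Phase:[ \t]*(\d+)[ \t]*$", body, flags=re.M)
    phases = []
    for num, chunk in zip(parts[1::2], parts[2::2]):       # (phase number, text up to the next Phase)
        fields = dict(re.findall(r"^(Type|Subtype|Result):[ \t]*(.*)$", chunk, flags=re.M))
        cfg = re.search(r"^Config:\n(.*?)^Additional Information:", chunk, flags=re.M | re.S)
        phases.append({"phase": int(num), "type": fields.get("Type", ""),
                       "subtype": fields.get("Subtype", ""), "result": fields.get("Result", ""),
                       "config": [ln.strip() for ln in (cfg.group(1) if cfg else "").splitlines() if ln.strip()]})
    return phases, summary


def diagnose(text):
    """Describe the first DROP phase; flag a trace with no UN-NAT phase (NAT rule never matched)."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop is None:
        return "allowed (action: %s)" % summary.get("action", "?")
    label = drop["type"] + ("/" + drop["subtype"] if drop["subtype"] else "")
    msg = "dropped in phase %d (%s) matching: %s; reason: %s" % (
        drop["phase"], label, " | ".join(drop["config"]) or "<none>", summary.get("drop-reason", "?"))
    if not any(p["type"] == "UN-NAT" for p in phases):
        msg += " [no UN-NAT phase: destination never untranslated, check NAT rule order]"
    return msg
```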
10-13-2015 06:35 AM
Hi,
The packet-tracer command is correct; it looks like the NAT rule is not getting evaluated. Can you try creating a NAT rule for the specific host and service on top, as mentioned before, and check if it helps?
packet-tracer input outside tcp 8.8.8.8 https <ASA WAN IP> https det
Share your findings,
Thanks,
R.Seth
10-13-2015 08:49 AM
Hi,
The web page is still not opening from outside.
I made those changes:
nat (inside,outside) 1 source static PBX interface service HTTPS HTTPS
#packet-tracer input outside tcp 8.8.8.8 https <ASA WAN IP> https
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static PBX interface service HTTPS HTTPS
Additional Information:
NAT divert to egress interface inside
Untranslate <ASA WAN IP>/443 to 192.168.1.90/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object PBX eq https
access-list outside_access_in remark CUE_WEB_access
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9fa028a0, priority=13, domain=permit, deny=false
hits=6, user_data=0x7fff9b9db1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.1.90, mask=255.255.255.255, port=443, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static PBX interface service HTTPS HTTPS
Additional Information:
Static translate 8.8.8.8/443 to 8.8.8.8/443
Forward Flow based lookup yields rule:
in id=0x7fff9e5fbca0, priority=6, domain=nat, deny=false
hits=0, user_data=0x7fffa10d5bd0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=0
dst ip/id=<ASA WAN IP>, mask=255.255.255.255, port=443, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9edeec20, priority=0, domain=nat-per-session, deny=false
hits=6034939, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f869830, priority=0, domain=inspect-ip-options, deny=true
hits=6747444, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa0564210, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=407079, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static PBX interface service HTTPS HTTPS
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff9f235900, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7fffa123ce30, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=0
dst ip/id=192.168.1.90, mask=255.255.255.255, port=443, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa0517050, priority=0, domain=user-statistics, deny=false
hits=3977057, user_data=0x7fffa0a1c3b0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9edeec20, priority=0, domain=nat-per-session, deny=false
hits=6034941, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9fa458c0, priority=0, domain=inspect-ip-options, deny=true
hits=5915584, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff9e5eb380, priority=0, domain=user-statistics, deny=false
hits=4724199, user_data=0x7fffa0a1c3b0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6904215, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Looks like everything is ALLOW, so where is the problem?
Thanks
10-13-2015 08:56 AM
Hi,
NAT and ACLs seem to be fine. I think there is some issue with the VPN config; I see that the packet-tracer shows ipsec-tunnel. It could be that the traffic, after getting permitted, is entering the tunnel. Can you check that this traffic is not sent over the VPN?
Hint: check the ACL used in crypto-map. :)
Thanks,
R.Seth
10-14-2015 03:32 AM
Hi.
Couldn't see anything obvious. There are three L2L IPsec and two VPN client configurations, and all are pointing to different subnets, like local 192.168.1.0/24 to remote 192.168.200.0/24, and the crypto ACL has that config, so it looks OK. I don't see how traffic pointing to 192.168.1.90 would go to a tunnel. How can I check that?
Thanks
10-14-2015 04:00 AM
Hi,
You can try checking the real traffic by applying captures on the ingress and egress interfaces for the specific source and destination IP.
capture capo interface outside match tcp any host <public-IP> eq 443
capture capi interface inside match tcp any host 192.168.1.90 eq 443
View captures:
show cap capi
show cap capo
Remove captures:
no cap capi
no cap capo
This way you can check if the traffic hitting the firewall is getting properly translated and leaving the ASA towards inside host.
Share your findings.
Thanks,
R.Seth
10-15-2015 04:15 AM
Hi Rishabh.
I've tried your recommendation, see results below:
# sh cap capi
0 packet captured
0 packet shown
# sh cap capo
37 packets captured
32: 11:55:33.674769 <Remote_WAN_ip>.16889 > <ASA_WAN_ip>.443: S 1979714501:1979714501(0) win 5840 <mss 1442,sackOK,timestamp 157663 0,nop,wscale 1>
33: 11:56:13.104242 <Remote_WAN_ip>.16892 > <ASA_WAN_ip>.443: S 2030584064:2030584064(0) win 5840 <mss 1442,sackOK,timestamp 161605 0,nop,wscale 1>
34: 11:56:16.096659 <Remote_WAN_ip>.16892 > <ASA_WAN_ip>.443: S 2030584064:2030584064(0) win 5840 <mss 1442,sackOK,timestamp 161905 0,nop,wscale 1>
35: 11:56:34.098566 <Remote_WAN_ip>.16892 > <ASA_WAN_ip>.443: S 2030584064:2030584064(0) win 5840 <mss 1442,sackOK,timestamp 163705 0,nop,wscale 1>
36: 11:56:54.376857 <Remote_WAN_ip>.16898 > <ASA_WAN_ip>.443: S 2058663125:2058663125(0) win 5840 <mss 1442,sackOK,timestamp 165732 0,nop,wscale 1>
37: 11:56:57.373424 <Remote_WAN_ip>.16898 > <ASA_WAN_ip>.443: S 2058663125:2058663125(0) win 5840 <mss 1442,sackOK,timestamp 166032 0,nop,wscale 1>
Then checking NAT hits:
# sh nat det
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static PBX interface service HTTPS HTTPS
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.1.90/32, Translated: <ASA WAN IP>/30
Service - Origin: tcp source eq https destination eq https , Translated: tcp source eq https destination eq https
I don't see statistics for translating <ASA WAN IP> to 192.168.1.90.
Should it be translating (outside, inside)?
Regards,
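Added example (not from the thread): Python that correlates the outside-interface capture with the 'show nat detail' counters shown above, to separate "rule never matched" (SYNs arrive, untranslate_hits stays 0) from "rule matched but the flow was dropped afterwards". The capture lines and NAT output are constructed, with documentation addresses standing in for the <Remote_WAN_ip> and <ASA_WAN_ip> placeholders.

```python
"""Correlate an outside-interface 'show cap' with 'show nat detail' hit counters.
Added example, not from the thread. The capture and NAT text are constructed;
documentation addresses stand in for the thread's <Remote_WAN_ip>/<ASA_WAN_ip>."""
import re
from collections import defaultdict

CAPTURE_OUTSIDE = """\
4 packets captured
32: 11:55:33.674769 198.51.100.7.16889 > 203.0.113.10.443: S 1979714501:1979714501(0) win 5840 <mss 1442,sackOK>
33: 11:56:13.104242 198.51.100.7.16892 > 203.0.113.10.443: S 2030584064:2030584064(0) win 5840 <mss 1442,sackOK>
34: 11:56:16.096659 198.51.100.7.16892 > 203.0.113.10.443: S 2030584064:2030584064(0) win 5840 <mss 1442,sackOK>
35: 11:56:34.098566 198.51.100.7.16892 > 203.0.113.10.443: S 2030584064:2030584064(0) win 5840 <mss 1442,sackOK>
"""

SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static PBX interface service HTTPS HTTPS
    translate_hits = 0, untranslate_hits = 0
"""

# "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> ..." as printed by 'show capture'
PKT = re.compile(r"^\d+:\s+\S+\s+(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+)")


def handshakes(capture_text, server_ip, server_port=443):
    """Per client (ip, port): how many SYNs went to the server and whether a SYN-ACK came back."""
    conns = defaultdict(lambda: {"syn": 0, "synack": False})
    for ln in capture_text.splitlines():
        m = PKT.match(ln)
        if not m or m["flags"] != "S":
            continue
        if " ack " not in ln and m["dst"] == server_ip and int(m["dport"]) == server_port:
            conns[(m["src"], int(m["sport"]))]["syn"] += 1          # client SYN
        elif " ack " in ln and m["src"] == server_ip and int(m["sport"]) == server_port:
            conns[(m["dst"], int(m["dport"]))]["synack"] = True     # server SYN-ACK
    return dict(conns)


def nat_hits(show_nat_text):
    """translate/untranslate counters of the first policy in 'show nat detail' (None if absent)."""
    m = re.search(r"translate_hits = (\d+), untranslate_hits = (\d+)", show_nat_text)
    return {"translate": int(m.group(1)), "untranslate": int(m.group(2))} if m else None


def verdict(capture_text, show_nat_text, server_ip):
    """Unanswered SYNs plus zero untranslate hits means the static rule never matched."""
    conns = handshakes(capture_text, server_ip)
    unanswered = [k for k, c in conns.items() if c["syn"] and not c["synack"]]
    hits = nat_hits(show_nat_text)
    if unanswered and hits and hits["untranslate"] == 0:
        return "nat-not-matching"   # SYNs arrive, nothing reaches inside, rule untouched: recheck the objects
    if unanswered:
        return "dropped-after-nat"  # rule matched but no reply: ACL, ASP drops or the host itself
    return "handshake-ok"
```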
10-15-2015 04:34 AM
Hi,
Based on your packet-tracer output the configuration looks correct, but the captures show that the traffic is hitting the firewall's outside interface and not making it to the inside interface.
To check what is happening to the traffic you can try couple of things:
1. Check syslogs / ASDM logs for this traffic and see what the ASA is doing with it.
2. Apply ASP drop captures to check if ASA is dropping the traffic due to some security reason/protocol anomaly.
The ASP capture captures everything the ASA would drop, so the buffer might get full before capturing the intended traffic. So you should try this more than once to collect correct data:
configure: cap asp type asp-drop all
view: show cap asp. Try to filter this for the appropriate traffic, check if you see any drops here, and check the reason for the drop.
remove: no cap asp
Share your findings.
Thanks,
R.Seth
10-20-2015 12:50 AM
Hi Rishabh.
I haven't tried your suggestion, as I think we're going too far away, so I started checking the configuration as I thought there was a problem with the NAT configuration. When I was creating the static NAT forwarding using your command, it was asking for an object service which I didn't have, so I created it in ASDM as:
object service HTTPS
service tcp source eq https destination eq https
description HTTPS SSL VPN access
This object service didn't work correctly; once I removed "destination eq https", the phones started working using SSL VPN.
Now, I've got another question.
I want to use a different port, for example port 444. I changed it in the PBX and the object service, and SSL VPN works if you use a web browser, as you can specify port 444 there, but the phones don't work as they always use port 443 to connect.
I tried manipulating the object service but nothing works. So I need to create some kind of rule like this:
Incoming ASA port 443 --> Forwarding to PBX port 444
Outgoing PBX port 444 --> ASA outgoing port 443
Regards,
10-21-2015 02:46 AM
Hi,
You can create a static NAT for the same
Sample config:
object service 444
service tcp source eq 444
object service 443
service tcp source eq https
object network PBX_real
host 10.1.1.1
object network PBX_public
host 100.1.1.1
nat (inside,outside) source static PBX_real PBX_public service 444 443
Hope it helps!!!
Thanks,
R.Seth
Mark the answer as correct if it helps in resolving your query!!!
10-23-2015 02:50 PM
Thanks for the suggestion. I'll try that at some stage.