Servers on outside interface on ASA 8.3

Martin Kling
Level 1

Hello

I want to publish servers on the outside interface of an ASA 5510 with 8.3(2). It does not work for me! I can put them on their own IP but not on the interface. The logs say "Denied by ACL" but no ACLs are incremented and show nat does not show any hits.

Working code (lab-code) with servers not on the interface IP:

/////////////////////////////////////////////////////////////////////////////////////////////////

interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.3.99 255.255.255.0
no shut

interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.10.1.254 255.255.255.0
no shut
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 1.1.1.92 255.255.255.192
no shut
!

object network mySSL
host 10.10.1.1
nat (dmz,outside) static 1.1.1.93 service tcp 443 443

object network myWeb
host 10.10.1.1
nat (dmz,outside) static 1.1.1.93 service tcp 80 80

access-list outside-access extended permit tcp any object mySSL eq 443 log
access-list outside-access extended permit tcp any object myWeb eq 80 log
access-group outside-access in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.126 1


object-group network my-inside-net
network 192.168.3.0 255.255.255.0
nat (inside,outside) source dynamic my-inside-net interface

/////////////////////////////////////////////////////////////////////////////////////////////////

When I want to put the servers on the outside interface the only differences are:

object network mySSL
host 10.10.1.1
nat (dmz,outside) static interface service tcp 443 443

object network myWeb
host 10.10.1.1
nat (dmz,outside) static interface service tcp 80 80

/////////////////////////////////////////////////////////////////////////////////////////////////

Can somebody please explain what I have missed!!!

Regards,  //Kling

CCIE #36669 (Security)
Cisco Fire Jumper

8 Replies

Maykol Rojas
Cisco Employee

Hello,

Seems like an overlapping translation. To confirm that, would you please send us the output from packet tracer? What we need to do is to play with the translations that you have. If you like, please try to put the dynamic nat as after auto, to rule out any problems with overlapping.

The packet tracer would be like

packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.x 80

Paste the output, I'll help you out.

Cheers

Mike

Thank you!

I will test it as soon as I get access to the lab.

Regards, Kling

CCIE #36669 (Security)
Cisco Fire Jumper

Hello

Packet-tracer of server on the outside interface

ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025 1.1.1.92 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.92        255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-----------------------------------------------------------------------------------

Packet-tracer of server on a separate IP

ciscoasa(config)# packet-tracer input outside tcp 4.2.2.2 1025 1.1.1.93 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network myWeb
nat (dmz,outside) static 1.1.1.93 service tcp www www
Additional Information:
NAT divert to egress interface dmz
Untranslate 1.1.1.93/80 to 10.10.1.1/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-access in interface outside
access-list outside-access extended permit tcp any object myWeb eq www log
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network myWeb
nat (dmz,outside) static 1.1.1.93 service tcp www www
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 0, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)#

Can someone see why it becomes this way?

Thank you in advance //Kling

CCIE #36669 (Security)
Cisco Fire Jumper

Hi,

Are you using the dynamic PAT for regular internet access to the outside IP as after auto as suggested? Would you please send the output of show run nat?

Cheers

Mike

Hello

ciscoasa(config)# sh run nat
nat (inside,outside) source dynamic my-inside-net interface
!
object network mySSL
nat (dmz,outside) static interface service tcp https https
object network myWeb
nat (dmz,outside) static interface service tcp www www

Regards, //kling

CCIE #36669 (Security)
Cisco Fire Jumper

Hi,

This is the one that I wanted you to put as after auto:

nat (inside,outside) source dynamic my-inside-net interface

Please do the following

no nat (inside,outside) source dynamic my-inside-net interface
nat (inside,outside) after source dynamic my-inside-net interface

Let me know how it goes.

Thanks.

Mike
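The ordering Mike's fix relies on, as an added example that is not part of the thread: a small Python model of how ASA 8.3 walks its NAT table when un-translating an inbound packet (Section 1 manual NAT, Section 2 object/auto NAT, Section 3 manual NAT placed after-auto; first match wins), applied to the thread's own rules and addresses. The `Rule`, `untranslate` and `rules_for` names are my own, and the model deliberately reduces the ASA to first-match ordering, nothing more.

```python
# Simplified model (added example, not ASA code) of ASA 8.3 NAT rule ordering
# for an inbound connection arriving on "outside": Section 1 manual NAT is
# checked first, then Section 2 object (auto) NAT, then Section 3 after-auto.
from dataclasses import dataclass
from typing import Optional

IFACE_OUTSIDE = "1.1.1.92"   # outside interface IP from the thread's config

@dataclass
class Rule:
    section: int                 # 1 = manual, 2 = auto (object), 3 = after-auto
    ifaces: tuple                # (real_ifc, mapped_ifc)
    mapped_ip: str               # "interface" resolves to IFACE_OUTSIDE
    mapped_port: Optional[int]   # None for dynamic PAT (owns every port)
    real_ip: Optional[str]       # None for dynamic PAT (no fixed real host)
    real_port: Optional[int]
    static: bool

def resolve(ip: str) -> str:
    return IFACE_OUTSIDE if ip == "interface" else ip

def matches_mapped(rule: Rule, dst_ip: str, dst_port: int) -> bool:
    if resolve(rule.mapped_ip) != dst_ip:
        return False
    return rule.mapped_port is None or rule.mapped_port == dst_port

def untranslate(rules, dst_ip: str, dst_port: int):
    """First matching rule decides: ('allow', real_ip, real_port, egress) or ('drop', why)."""
    for rule in sorted(rules, key=lambda r: r.section):   # stable: keeps config order
        if not matches_mapped(rule, dst_ip, dst_port):
            continue
        if rule.static:
            return ("allow", rule.real_ip, rule.real_port, rule.ifaces[0])
        # A dynamic PAT rule owns the mapped address. With no existing xlate, an
        # inbound connection to it is to-the-box (identity) traffic and falls to
        # the implicit deny, which is what the first packet-tracer shows.
        return ("drop", "acl-drop: matched dynamic PAT in section %d" % rule.section)
    return ("drop", "no NAT rule for %s:%d" % (dst_ip, dst_port))

def rules_for(dynamic_pat_section: int):
    """The thread's three rules; only the dynamic PAT's section is varied."""
    return [
        Rule(dynamic_pat_section, ("inside", "outside"), "interface", None, None, None, False),
        Rule(2, ("dmz", "outside"), "interface", 443, "10.10.1.1", 443, True),
        Rule(2, ("dmz", "outside"), "interface", 80, "10.10.1.1", 80, True),
    ]

broken = untranslate(rules_for(1), IFACE_OUTSIDE, 80)   # original config: PAT wins, drop
fixed = untranslate(rules_for(3), IFACE_OUTSIDE, 80)    # after-auto: static rule wins
```

With the PAT in Section 3, ports 80 and 443 reach 10.10.1.1 via dmz while any other port on the interface IP still falls to the PAT rule and is dropped, which is the behaviour you want.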

Works Great!!!

Thank you

Regards //Kling

CCIE #36669 (Security)
Cisco Fire Jumper

Hi,

No problem.

Cheers

Mike