01-06-2011 03:41 PM - edited 03-11-2019 12:31 PM
I am new to 8.3 and any help is much appreciated!
I need to allow access from any IP on the internet to a server on the inside but my firewall is denying access due to an access-list issue (I believe). I need users on the internet to use the IP address that is applied to my outside interface, specify TCP port 24499 and NAT them through to a server on the inside. When I configured the outside ACL and a corresponding NAT rule the connection is being blocked due to the ACL. I am testing from the internet and using the capture feature to view the connection. I am also using the "packet-tracer" and the firewall tells me that the connection fails due to an ACL issue. Here is my config, captures and packet-tracer.
Thanks in advance!
++++++++++
CONFIG
access-list OUTSIDE extended permit tcp any host 10.10.10.6 eq 24499
access-group OUTSIDE in interface OUTSIDE
object network SYNC_SERVER
host 10.10.10.6
object network SYNC_SERVER
nat (INSIDE,OUTSIDE) static interface service tcp 24499 24499
++++++++++++
PACKET_TRACER
ASA# packet-tracer input OUTSIDE tcp 65.33.3.3 4444 98.26.6.21 24499
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 98.26.6.21 255.255.255.255 identity
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
+++++++++++++
CAPTURE
ASA# sh access-list pcap
access-list pcap; 1 elements; name hash: 0x39c806fe
access-list pcap line 1 extended permit tcp any any eq 24499 (hitcnt=7) 0x3795d772
ASA# sh capture
capture tony type raw-data access-list tony interface OUTSIDE [Capturing - 122 bytes]
ASA# sh capture pcap
7 packets captured
1: 18:30:32.556978 802.1Q vlan#1 P0 63.23.2.99.32389 > 98.26.6.21.24499: S 3527242145:3527242145(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
2: 18:30:35.561097 802.1Q vlan#1 P0 63.23.2.99.32389 > 98.26.6.21.24499: S 3527242145:3527242145(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
3: 18:30:41.554750 802.1Q vlan#1 P0 63.23.2.99.32389 > 98.26.6.21.24499: S 3527242145:3527242145(0) win 16384 <mss 1260,nop,nop,nop,nop>
4: 18:31:00.722679 802.1Q vlan#1 P0 63.23.2.99.3303 > 98.26.6.21.24499: S 3106203956:3106203956(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
5: 18:31:03.716881 802.1Q vlan#1 P0 63.43.2.99.3303 > 98.26.6.21.24499: S 3106203956:3106203956(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
6: 18:31:09.791661 802.1Q vlan#1 P0 63.23.2.99.3303 > 98.26.6.21.24499: S 3106203956:3106203956(0) win 16384 <mss 1260,nop,nop,nop,nop>
+++++++++++++
After running the test I am not seeing any hit counts on my outside ACL.
ASA# sh access-list OUTSIDE
access-list OUTSIDE; 1 elements; name hash: 0x97f9426
access-list OUTSIDE line 1 extended permit tcp any host 10.10.10.6 eq 24499 log informational interval 300 (hitcnt=0) 0xc73bec9a
01-06-2011 04:59 PM
Can you check a few things:
1> There isn't any access list applied to the inside interface.
2> The server is listening on port 24499 internally.
Manish
01-06-2011 05:45 PM
No access-list on the inside interface and I was able to verify that the server is listening on port TCP 24499.
Thanks so much for taking a look. Any other ideas?
01-06-2011 05:56 PM
Can you run the packet tracer again with a random IP rather than using the 63.x.x.x IP?
I am running a packet tracer right now and the outside ACL is checked after the NAT process.
Please post the output using some other public IP address, just to see the difference. Also clear xlate before doing that.
Manish
01-06-2011 06:09 PM
Manish,
Thanks so much for all the help! Here is the info you requested.
++++++++++
ASA# clear xlate
INFO: 29 xlates deleted
ASA#
ASA# packet-tracer input OUTSIDE tcp 54.33.22.3 4444 98.26.6.21 24499
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 98.26.6.21 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-06-2011 06:33 PM
Try this in global config mode:
nat (inside,outside) after-auto source dynamic any interface
Manish
01-06-2011 06:41 PM
Okay, here is what I got.
ASA(config)# clear xlate
INFO: 12 xlates deleted
ASA(config)# packet-tracer input OUTSIDE tcp 54.33.22.3 4444 98.26.6.21 24499
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 98.26.6.21 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list OUTSIDE; 1 elements; name hash: 0x97f9426
access-list OUTSIDE line 1 extended permit tcp any host 10.10.10.6 eq 24499 log informational interval 300 (hitcnt=0) 0xc73bec9a
+++++++
ASA(config)# sh run nat
nat (OUTSIDE,OUTSIDE) source dynamic obj-10.10.11.0 interface
nat (INSIDE,any) source static any any destination static obj-10.10.11.0 obj-10.10.11.0
nat (INSIDE,any) source static obj-10.10.11.0 obj-10.10.11.0
!
object network obj-10.10.11.0
nat (OUTSIDE,OUTSIDE) dynamic interface
object network obj-10.10.10.0
nat (INSIDE,OUTSIDE) dynamic interface
object network SYNC_SERVER
nat (INSIDE,OUTSIDE) static interface service tcp 24499 24499
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
ASA(config)# show nat
Manual NAT Policies (Section 1)
1 (OUTSIDE) to (OUTSIDE) source dynamic obj-10.10.11.0 interface
translate_hits = 0, untranslate_hits = 0
2 (INSIDE) to (any) source static any any destination static obj-10.10.11.0 obj-10.10.11.0
translate_hits = 0, untranslate_hits = 0
3 (INSIDE) to (any) source static obj-10.10.11.0 obj-10.10.11.0
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source static SYNC_SERVER interface service tcp 24499 24499
translate_hits = 0, untranslate_hits = 0
2 (INSIDE) to (OUTSIDE) source dynamic obj-10.10.10.0 interface
translate_hits = 987, untranslate_hits = 95
3 (OUTSIDE) to (OUTSIDE) source dynamic obj-10.10.11.0 interface
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (INSIDE) to (OUTSIDE) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
01-06-2011 07:07 PM
What version of 8.3 are you running? You should check the Bugkit now, as the config seems pretty much perfect.
Manish
01-06-2011 07:39 PM
What is the purpose of this line?
nat (OUTSIDE,OUTSIDE) source dynamic obj-10.10.11.0 interface
Could you pls. remove this and let us know?
The packet-tracer output clearly says that you are trying to talk to the outside interface on that tcp port 24499 and the firewall itself is simply not listening on that port at all.
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 98.26.6.21 255.255.255.255 identity
-KS
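An added audit script (written for this page, not from the thread or from Cisco) that parses the `show nat` output posted above into the ASA 8.3 evaluation order (Section 1, then 2, then 3) and flags a static port forward to the interface address that sits behind an earlier rule which also maps to `interface` on the same interface, the pattern KS spotted. The shadowing heuristic is my assumption drawn from this thread's diagnosis, and `SHOW_NAT` is a constructed, trimmed copy of the posted output.

```python
import re

# Constructed sample: trimmed copy of the "show nat" output posted in the thread.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (OUTSIDE) to (OUTSIDE) source dynamic obj-10.10.11.0 interface
translate_hits = 0, untranslate_hits = 0
2 (INSIDE) to (any) source static any any destination static obj-10.10.11.0 obj-10.10.11.0
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source static SYNC_SERVER interface service tcp 24499 24499
translate_hits = 0, untranslate_hits = 0
2 (INSIDE) to (OUTSIDE) source dynamic obj-10.10.10.0 interface
translate_hits = 987, untranslate_hits = 95
Manual NAT Policies (Section 3)
1 (INSIDE) to (OUTSIDE) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
"""

SECTION_RE = re.compile(r"\(Section (\d)\)")
RULE_RE = re.compile(r"^\s*(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)(.*)$")

def parse_show_nat(text):
    """Return NAT policies in the order the ASA evaluates them: Section 1, 2, then 3."""
    rules, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            section = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m and section:
            num, src_if, dst_if, kind, real, mapped, rest = m.groups()
            rules.append({"section": section, "num": int(num), "src_if": src_if,
                          "dst_if": dst_if, "kind": kind, "real": real, "mapped": mapped,
                          "port_forward": "service tcp" in rest or "service udp" in rest})
    return sorted(rules, key=lambda r: (r["section"], r["num"]))

def shadowed_port_forwards(rules):
    """Pair each static port forward mapped to 'interface' with every earlier rule that
    also uses 'interface' as its mapped address on the same outside interface.
    Heuristic taken from this thread's fix (assumption, not a documented ASA rule)."""
    findings = []
    for i, r in enumerate(rules):
        if not (r["kind"] == "static" and r["mapped"] == "interface" and r["port_forward"]):
            continue
        for earlier in rules[:i]:
            if earlier["mapped"] == "interface" and earlier["dst_if"] == r["dst_if"]:
                findings.append((earlier, r))
    return findings
```

On the posted output this reports the Section 1 `(OUTSIDE) to (OUTSIDE) ... interface` rule ahead of the SYNC_SERVER port forward, which is the line the accepted answer asked to remove.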
01-06-2011 08:12 PM
That was it!
Thank you all for the help, I really appreciate it.
01-06-2011 08:20 PM
Glad to hear and thanks for rating and marking it solved. Now the packet-tracer output should NOT show you identity. It will show you the nat rule.
-KS
01-06-2011 10:02 PM
Good catch, Ms. Sankar.
Manish