
Simple 8.3 firewall rules issue

anowell (Level 1)

I am new to 8.3 and any help is much appreciated!

I need to allow access from any IP on the internet to a server on the inside but my firewall is denying access due to an access-list issue (I believe).  I need users on the internet to use the IP address that is applied to my outside interface, specify TCP port 24499 and NAT them through to a server on the inside.  When I configured the outside ACL and a corresponding NAT rule the connection is being blocked due to the ACL.  I am testing from the internet and using the capture feature to view the connection.  I am also using the "packet-tracer" and the firewall tells me that the connection fails due to an ACL issue.  Here is my config, captures and packet-tracer.

Thanks in advance!

++++++++++

CONFIG

access-list OUTSIDE extended permit tcp any host 10.10.10.6 eq 24499

access-group OUTSIDE in interface OUTSIDE

object network SYNC_SERVER
  host 10.10.10.6

object network SYNC_SERVER
  nat (INSIDE,OUTSIDE) static interface service tcp 24499 24499

++++++++++++

PACKET_TRACER

ASA# packet-tracer input OUTSIDE tcp 65.33.3.3 4444 98.26.6.21 24499

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   98.26.6.21    255.255.255.255 identity
              
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

+++++++++++++

CAPTURE

ASA# sh access-list pcap
access-list pcap; 1 elements; name hash: 0x39c806fe
access-list pcap line 1 extended permit tcp any any eq 24499 (hitcnt=7) 0x3795d772

ASA# sh capture
capture tony type raw-data access-list tony interface OUTSIDE [Capturing - 122 bytes]

ASA# sh capture pcap

7 packets captured

   1: 18:30:32.556978 802.1Q vlan#1 P0 63.23.2.99.32389 > 98.26.6.21.24499: S 3527242145:3527242145(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
   2: 18:30:35.561097 802.1Q vlan#1 P0 63.23.2.99.32389 > 98.26.6.21.24499: S 3527242145:3527242145(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
   3: 18:30:41.554750 802.1Q vlan#1 P0 63.23.2.99.32389 > 98.26.6.21.24499: S 3527242145:3527242145(0) win 16384 <mss 1260,nop,nop,nop,nop>
   4: 18:31:00.722679 802.1Q vlan#1 P0 63.23.2.99.3303 > 98.26.6.21.24499: S 3106203956:3106203956(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
   5: 18:31:03.716881 802.1Q vlan#1 P0 63.43.2.99.3303 > 98.26.6.21.24499: S 3106203956:3106203956(0) win 16384 <mss 1260,nop,wscale 0,nop,nop,nop,nop>
   6: 18:31:09.791661 802.1Q vlan#1 P0 63.23.2.99.3303 > 98.26.6.21.24499: S 3106203956:3106203956(0) win 16384 <mss 1260,nop,nop,nop,nop>

+++++++++++++

After running the test I am not seeing any hit counts on my outside ACL.

ASA# sh access-list OUTSIDE
access-list OUTSIDE; 1 elements; name hash: 0x97f9426
access-list OUTSIDE line 1 extended permit tcp any host 10.10.10.6 eq 24499 log informational interval 300 (hitcnt=0) 0xc73bec9a


11 Replies

manish arora (Level 6)

Can you check a few things:

1> There isn't any access list applied to the inside interface.

2> The server is listening on port 24499 internally.

Manish

No access-list on the inside interface and I was able to verify that the server is listening on port TCP 24499.

Thanks so much for taking a look.  Any other ideas?

Can you run the packet tracer again with a random IP rather than using a 63.x.x.x IP?

I am running a packet tracer right now and the outside ACL is checked after the NAT process.

Please post the output using some other public IP address, just to see the difference. Also clear xlate before doing that.

Manish

Manish,

Thanks so much for all the help!  Here is the info you requested.

++++++++++

ASA# clear xlate
INFO: 29 xlates deleted
ASA#
ASA# packet-tracer input OUTSIDE tcp 54.33.22.3 4444 98.26.6.21 24499

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   98.26.6.21    255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

anowell

Try this in global config mode:

nat (inside,outside) after-auto source dynamic any interface

Manish

Okay, here is what I got.

ASA(config)# clear xlate
INFO: 12 xlates deleted

ASA(config)# packet-tracer input OUTSIDE tcp 54.33.22.3 4444  98.26.6.21 24499

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   98.26.6.21    255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE; 1 elements; name hash: 0x97f9426
access-list OUTSIDE line 1 extended permit tcp any host 10.10.10.6 eq 24499 log informational interval 300 (hitcnt=0) 0xc73bec9a

+++++++

ASA(config)# sh run nat
nat (OUTSIDE,OUTSIDE) source dynamic obj-10.10.11.0 interface
nat (INSIDE,any) source static any any destination static obj-10.10.11.0 obj-10.10.11.0
nat (INSIDE,any) source static obj-10.10.11.0 obj-10.10.11.0
!
object network obj-10.10.11.0
  nat (OUTSIDE,OUTSIDE) dynamic interface
object network obj-10.10.10.0
  nat (INSIDE,OUTSIDE) dynamic interface
object network SYNC_SERVER
  nat (INSIDE,OUTSIDE) static interface service tcp 24499 24499
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

ASA(config)# show nat
Manual NAT Policies (Section 1)
1 (OUTSIDE) to (OUTSIDE) source dynamic obj-10.10.11.0 interface
    translate_hits = 0, untranslate_hits = 0
2 (INSIDE) to (any) source static any any destination static obj-10.10.11.0 obj-10.10.11.0
    translate_hits = 0, untranslate_hits = 0
3 (INSIDE) to (any) source static obj-10.10.11.0 obj-10.10.11.0
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source static SYNC_SERVER interface service tcp 24499 24499
    translate_hits = 0, untranslate_hits = 0
2 (INSIDE) to (OUTSIDE) source dynamic obj-10.10.10.0 interface
    translate_hits = 987, untranslate_hits = 95
3 (OUTSIDE) to (OUTSIDE) source dynamic obj-10.10.11.0 interface
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (INSIDE) to (OUTSIDE) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0

What version of 8.3 are you running? You should check the Bugkit now, as the config seems pretty much perfect.

Manish

Accepted Solution

What is the purpose of this line?

nat (OUTSIDE,OUTSIDE) source dynamic obj-10.10.11.0 interface

Could you please remove this and let us know?

The packet-tracer output clearly says that you are trying to talk to the outside interface on that tcp port 24499 and the firewall itself is simply not listening on that port at all.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   98.26.6.21    255.255.255.255 identity

-KS
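
All three packet-tracer runs in this thread share one signature that is worth recognising on sight: ROUTE-LOOKUP resolves the destination to identity (the ASA itself), no UN-NAT phase appears before the ACCESS-LIST phase, and the drop lands on the implicit rule rather than on the OUTSIDE ACL, whose hit count stays at 0. In 8.3 the interface ACL is written against the real address (10.10.10.6), so if the static PAT never un-translates the flow the ACL cannot match it, and "acl-drop" is a symptom rather than the cause. The script below is an added example, not code from the thread, the poster or Cisco: it parses packet-tracer text into phases and flags that signature. FAILING_TRACE is built from the output posted above; HEALTHY_TRACE is a constructed illustration of what a matched static PAT phase looks like (the phase type name UN-NAT is how ASA packet-tracer labels un-translation in general, it does not appear in this thread), and the "to-the-box" heuristic is my reading of the thread, not an ASA-defined check.

```python
import re

# Constructed from the packet-tracer run posted in this thread (same phases, same fields).
FAILING_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   98.26.6.21    255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed illustration of a matched static PAT; NOT output from the poster's ASA.
HEALTHY_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) static interface service tcp 24499 24499
Additional Information:
Untranslate 98.26.6.21/24499 to 10.10.10.6/24499

Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list OUTSIDE extended permit tcp any host 10.10.10.6 eq 24499

Result:
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KEY_RE = re.compile(r"^([A-Za-z -]+):\s*(.*)$")


def parse_phases(text: str) -> list[dict[str, str]]:
    """One dict per 'Phase: N' block; lines without a 'Key:' prefix (e.g. 'Implicit
    Rule', the route line) are folded into the field that precedes them."""
    phases, current, last_key = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := PHASE_RE.match(line):
            current, last_key = {"Phase": m.group(1)}, None
            phases.append(current)
        elif line == "Result:":  # a bare 'Result:' opens the final summary block
            current = None
        elif current is None:
            continue
        elif m := KEY_RE.match(line):
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key:
            current[last_key] = (current[last_key] + " " + line).strip()
    return phases


def parse_summary(text: str) -> dict[str, str]:
    """Fields of the final 'Result:' block (Action, Drop-reason, interfaces)."""
    lines = [raw.strip() for raw in text.splitlines()]
    if "Result:" not in lines:
        return {}
    tail = lines[lines.index("Result:") + 1:]
    return {k.strip(): v.strip() for k, v in (s.split(":", 1) for s in tail if ":" in s)}


def diagnose(text: str) -> dict[str, object]:
    """Flag the signature every run in this thread shows: ROUTE-LOOKUP resolves the
    destination to 'identity', no UN-NAT phase ran, and the flow hit an implicit deny."""
    phases, summary = parse_phases(text), parse_summary(text)
    types = [p.get("Type", "") for p in phases]
    identity_route = any(p.get("Type") == "ROUTE-LOOKUP"
                         and p.get("Additional Information", "").endswith("identity")
                         for p in phases)
    implicit_deny = any(p.get("Type") == "ACCESS-LIST" and p.get("Result") == "DROP"
                        and p.get("Config") == "Implicit Rule" for p in phases)
    to_the_box = identity_route and "UN-NAT" not in types and implicit_deny
    hint = ""
    if to_the_box:
        hint = ("destination resolved to the ASA itself and no UN-NAT phase ran: the static PAT never "
                "matched, so the interface ACL (written against the real address) never saw the flow; "
                "check 'show nat' for a rule ahead of the static PAT that claims this traffic")
    return {"phase_types": types, "action": summary.get("Action"),
            "drop_reason": summary.get("Drop-reason"), "to_the_box": to_the_box, "hint": hint}
```

Paste the output of `packet-tracer input OUTSIDE tcp <src> <sport> <outside-ip> 24499` into `diagnose()`. If `to_the_box` comes back True, the OUTSIDE ACL is not where to look even though the drop reason reads acl-drop; `show nat` is, which is exactly where the answer above found the stray (OUTSIDE,OUTSIDE) rule. A healthy run shows an UN-NAT phase first and the interface ACL, not the implicit rule, in the ACCESS-LIST phase.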

That was it!

Thank you all for the help, I really appreciate it.

Glad to hear and thanks for rating and marking it solved. Now the packet-tracer output should NOT show you identity. It will show you the nat rule.

-KS

Good Catch Ms. Sankar

Manish
