07-26-2016 09:12 AM - edited 03-12-2019 01:03 AM
Hi,
We have one ASA 5505, version 9.1(5), and we need to open TCP port 55055 on the firewall and redirect it to TCP port 80 on the QNAP Viostor, IP 192.168.11.254.
I have added one object network in this way:
object network Viostor
host 192.168.11.54
description QNAP_Viostor
NAT rule:
nat (inside,outside) static interface service tcp 80 55055
Firewall rule:
access-list outside_access_in line 8 remark Viostor
access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055
When I try to connect with the Android app Vmobile I see this notification in the ASA log:
TCP request discarded from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055
The ASA does not have UDP server that services the UDP request
I don't understand why UDP instead of TCP.
Please help me!
Thanks
08-01-2016 08:24 AM
Hello my friend,
packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed
and paste the complete results here. Also let me know the ASA software version you are running.
Regards!
08-01-2016 08:43 AM
Hi,
Thank you for the answer!
The ASA version is 9.1(5), ASDM 7.1(6).
The host is 192.168.11.254, not 192.168.11.54 (sorry, my mistake).
This is the output:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9dfc8, priority=1, domain=permit, deny=false
hits=166471376, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in MY_EXTERNAL_IP 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=6388618, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9ec08, priority=0, domain=permit, deny=true
hits=109852, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Why does the ASA say "flow is denied by configured rule" in phase 4?
Thanks!
08-01-2016 09:09 AM
In this version, the NAT should be hit before the ACL, and I am not seeing it being hit.
Please share with me the show run nat and show run access-group outputs.
08-01-2016 11:58 PM
ASA# show run nat
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.31.254.128_25 NETWORK_OBJ_172.31.254.128_25 no-proxy-arp route-lookup
nat (inside,outside) source static Inside Inside destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 no-proxy-arp
nat (inside,outside) source dynamic inside-networkNEW interface
nat (inside,outsidebackup) source static inside-networkNEW inside-networkNEW destination static remote-networkNEW remote-networkNEW
nat (inside,outsideBackup) source dynamic inside-networkNEW interface
nat (inside,outsideBackup) source static any any destination static NETWORK_OBJ_172.31.254.128_25 NETWORK_OBJ_172.31.254.128_25 no-proxy-arp route-lookup
!
object network Inside
nat (inside,outside) dynamic interface
object network drytek
nat (inside,outsideBackup) static 172.31.254.253
object network Rete_HD
nat (inside,outside) dynamic interface
object network RETE_172.16.0.0
nat (inside,outside) dynamic interface
object network Guest_Client
nat (GUEST,outside) dynamic interface
object network Viostor
nat (inside,outside) static interface service tcp www 55055
ASA# show run access-group
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outsidebackup_access_in in interface outsideBackup
access-group GUEST_access_in in interface GUEST
08-02-2016 01:19 AM
Hi;
Your issue is that the ACL is dropping your packet; this is also verified via packet tracer.
You need to modify the ACL and allow the outside users to hit on your public IP on port 55055.
access-list outside_access_in line 9 extended permit tcp any host <EXTERNAL_IP> eq 55055
As a packet flows through an ASA firewall, it always checks the ACL first, then goes to the NAT statement.
Thanks & Best regards;
08-02-2016 01:54 AM
Nope..
Same issue..
08-02-2016 01:54 AM
Hi;
Either modify the existing line 9 or insert a new line that allows users to access your external_ip on port 55055.
Thanks & Best regards;
08-02-2016 01:58 AM
Nope..
Same issue..
08-02-2016 10:38 AM
Ahmed, thanks for your replies... however you are missing an important thing (the ASA software version). Packet tracer is showing that the NAT is not being hit, and on this software version the ACL does not use the external IP or mapped IP, but the real IP instead.
s.be00001, please do the following:
object service 55055
service tcp source eq 55055
object service www
service tcp source www
!
nat (inside,outside) 1 source static Viostor interface service www 55055
!
access-list outside_access_in line 9 extended permit tcp any object Viostor eq www
Run the packet-tracer again and send us the results:
packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed
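An added example, not part of this thread: a small Python parser for packet-tracer output of the kind pasted here. It reports which phase dropped the packet and whether an UN-NAT phase ran before the ACCESS-LIST phase, which is the ordering this answer relies on (on 8.3+ the ACL is evaluated on the real, untranslated address). The sample traces are constructed, condensed from the two outputs on this page.

```python
import re

def parse_packet_tracer(text):
    """Split ASA packet-tracer output into phases plus the final verdict."""
    phases, cur = [], None
    verdict = {"action": None, "reason": None}
    for raw in text.splitlines():
        line = raw.strip()
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Phase":                     # "Phase: 4" opens a new phase
            cur = {"number": int(val), "type": "", "result": "", "info": []}
            phases.append(cur)
        elif key == "Result" and not val:      # bare "Result:" opens the summary block
            cur = None
        elif key == "Action":
            verdict["action"] = val
        elif key == "Drop-reason":
            verdict["reason"] = val
        elif cur is None or not line:
            continue
        elif key in ("Type", "Result"):
            cur[key.lower()] = val
        else:                                  # Config / Additional Information lines
            cur["info"].append(line)
    return phases, verdict

def diagnose(text):
    """Tie an ACL verdict to whether UN-NAT ran first (ASA 8.3+ ACLs match real IPs)."""
    phases, verdict = parse_packet_tracer(text)
    real_dst = None                            # set once an UN-NAT phase is seen
    for p in phases:
        if p["type"] == "UN-NAT":
            m = re.search(r"Untranslate \S+ to (\S+)", " ".join(p["info"]))
            real_dst = m.group(1) if m else "?"
        if p["type"] == "ACCESS-LIST" and p["result"] == "DROP":
            hint = ("NAT rule not hit before the ACL: ACL saw the mapped, not the real, address"
                    if real_dst is None else "ACL denies real destination " + real_dst)
            return {**verdict, "drop_phase": p["number"], "real_dst": real_dst, "hint": hint}
    return {**verdict, "drop_phase": None, "real_dst": real_dst, "hint": None}

# Constructed samples, condensed from the two traces pasted in this thread.
DROP_TRACE = ("Phase: 1\nType: ACCESS-LIST\nResult: ALLOW\nPhase: 4\nType: ACCESS-LIST\n"
              "Result: DROP\nResult:\nAction: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule\n")
ALLOW_TRACE = ("Phase: 2\nType: UN-NAT\nResult: ALLOW\nUntranslate MY_EXTERNAL_IP/55055 to "
               "192.168.11.54/80\nPhase: 3\nType: ACCESS-LIST\nResult: ALLOW\nResult:\nAction: allow\n")
if __name__ == "__main__":
    for trace in (DROP_TRACE, ALLOW_TRACE):
        print(diagnose(trace))
```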
08-04-2016 01:07 AM
ASA# packet-tracer input outside tcp 8.8.8.8 1025 MY_EXTERNAL_IP 55055 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9dfc8, priority=1, domain=permit, deny=false
hits=239250585, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
NAT divert to egress interface inside
Untranslate MY_EXTERNAL_IP/55055 to 192.168.11.54/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_2
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object gre
service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_2
network-object 192.168.0.0 255.255.0.0
network-object object Rete_HD
network-object object RETE_172.16.0.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbfa2790, priority=13, domain=permit, deny=false
hits=0, user_data=0xc9e5c4a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
Static translate 8.8.8.8/1025 to 8.8.8.8/1025
Forward Flow based lookup yields rule:
in id=0xcd7918c0, priority=6, domain=nat, deny=false
hits=0, user_data=0xcd792200, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=MY_EXTERNAL_IP, mask=255.255.255.255, port=55055, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=9393297, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbea3c10, priority=0, domain=inspect-ip-options, deny=true
hits=11281329, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd8aeda8, priority=70, domain=inspect-http, deny=false
hits=1408694, user_data=0xcd8ad6a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc87ca40, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=136477, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcd782960, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xcd792148, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.11.54, mask=255.255.255.255, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcef66280, priority=0, domain=user-statistics, deny=false
hits=11182223, user_data=0xcddb8bb8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=9393299, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcbe7a1f0, priority=0, domain=inspect-ip-options, deny=true
hits=11190843, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcef66cd8, priority=0, domain=user-statistics, deny=false
hits=11258692, user_data=0xcddb8bb8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11587603, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
08-04-2016 08:31 AM
Great! So now the results are different and traffic is allowed. Could you please confirm this with real traffic?
Finally, if you think this issue has been solved, please mark useful answers.
Thanks! :)
08-05-2016 07:01 AM
Thanks but still not working.
Same issue: The ASA does not have UDP server that services the UDP request
Very sad...
08-05-2016 08:18 AM
Hi,
Now there is a little bit of confusion. On one side you are asking about traffic to be allowed from an external IP to TCP port 55055, and that traffic is allowed (packet tracer output); on the other side your traffic is denied because there is no UDP server to service the UDP request.
Can you ask your application team and get more detail information about your application behavior?
Thanks & Best regards
08-05-2016 08:53 AM
I agree with Ahmed: is this UDP or TCP traffic? It is not the same. Packet-tracer was used to test TCP traffic, not UDP.
Now, if you are not sure of this...
1. capture outside interface outside match tcp any host [Outside interface IP] eq 55055 match udp any host [Outside interface IP] eq 55055
2. Read the captures and copy the output to paste the results here.
show capture outside