07-26-2016 09:12 AM - edited 03-12-2019 01:03 AM
Hi,
We have one ASA 5505 version 9.1(5) and we need to open TCP port 55055 on the firewall and redirect it to TCP port 80 on the QNAP Viostor at IP 192.168.11.254.
I have added one object network in this way:
object network Viostor
host 192.168.11.54
description QNAP_Viostor
nat rule:
nat (inside,outside) static interface service tcp 80 55055
Firewall rule:
access-list outside_access_in line 8 remark Viostor
access-list outside_access_in line 9 extended permit tcp any object Viostor eq 55055
When I try to connect with the Android app Vmobile I see this notification in the ASA log:
TCP request discarded from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055
The ASA does not have UDP server that services the UDP request
I don't understand why UDP instead of TCP.
Please help me!
Thanks
08-01-2016 08:24 AM
Hello my friend,
packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed
And paste the complete results here, also let me know the ASA software version you are running.
Regards!
08-01-2016 08:43 AM
Hi,
Thank you for the answer!
The ASA version is 9.1(5), ASDM 7.1(6).
The host is 192.168.11.254, not 192.168.11.54 (sorry my mistake).
This is the output:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9dfc8, priority=1, domain=permit, deny=false
hits=166471376, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in MY_EXTERNAL_IP 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=6388618, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9ec08, priority=0, domain=permit, deny=true
hits=109852, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Why does the ASA say "flow is denied by configured rule" in phase 4?
Thanks!
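To make a trace like the one above easier to read, here is a small Python parser that splits packet-tracer output into phases and reports the first DROP phase, the drop reason, and whether an UN-NAT phase ran before the interface ACL. This is an added example for this thread, not code from the thread or from Cisco; the embedded sample is a trimmed copy of the output posted above, and the hints it prints are heuristics based on the phase order seen in this thread.

```python
"""Parse Cisco ASA packet-tracer output and report where a flow was dropped.

Added illustration for this thread, not code from the thread or from Cisco.
The sample below is a trimmed copy of the packet-tracer output posted above.
"""
import re

SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9dfc8, priority=1, domain=permit, deny=false
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9ec08, priority=0, domain=permit, deny=true
Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and a summary dict."""
    phases, summary = [], {"action": None, "drop_reason": None}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":                      # start of the final summary block
            current, section = None, None
            continue
        m = re.match(r"^Action:\s*(\w+)$", line)
        if m:
            summary["action"] = m.group(1).lower()
            continue
        m = re.match(r"^Drop-reason:\s*(.+)$", line)
        if m:
            summary["drop_reason"] = m.group(1)
            continue
        if current is None:
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                current[key.lower()] = line[len(key) + 1:].strip()
                section = None
                break
        else:
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section:
                current[section].append(line)
    return phases, summary


def diagnose(text):
    """Summarise the trace: which phase dropped the flow and whether un-NAT ran."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    un_nat = next((p for p in phases if p["type"] == "UN-NAT"), None)
    report = {
        "action": summary["action"],
        "drop_reason": summary["drop_reason"],
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "un_nat_seen": un_nat is not None,
        "hints": [],
    }
    if drop and drop["type"] == "ACCESS-LIST" and "Implicit Rule" in drop["config"]:
        report["hints"].append("no explicit ACL entry matched; the implicit deny dropped the flow")
    if drop and drop["type"] == "ACCESS-LIST" and un_nat is None:
        report["hints"].append("no UN-NAT phase before the ACL: the static NAT was not matched, "
                               "so the ACL was evaluated against the untranslated destination")
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

Paste the full `packet-tracer ... detailed` output into `SAMPLE` (or read it from a file) to get the same report for your own trace; the absence of an UN-NAT phase is the thing to look for when a static port forward is not taking effect.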
08-01-2016 09:09 AM
In this version, the NAT should be hit before the ACL, and I am not seeing it being hit.
Please share with me the show run nat and show run access-group outputs.
08-01-2016 11:58 PM
ASA# show run nat
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.31.254.128_25 NETWORK_OBJ_172.31.254.128_25 no-proxy-arp route-lookup
nat (inside,outside) source static Inside Inside destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 no-proxy-arp
nat (inside,outside) source dynamic inside-networkNEW interface
nat (inside,outsidebackup) source static inside-networkNEW inside-networkNEW destination static remote-networkNEW remote-networkNEW
nat (inside,outsideBackup) source dynamic inside-networkNEW interface
nat (inside,outsideBackup) source static any any destination static NETWORK_OBJ_172.31.254.128_25 NETWORK_OBJ_172.31.254.128_25 no-proxy-arp route-lookup
!
object network Inside
nat (inside,outside) dynamic interface
object network drytek
nat (inside,outsideBackup) static 172.31.254.253
object network Rete_HD
nat (inside,outside) dynamic interface
object network RETE_172.16.0.0
nat (inside,outside) dynamic interface
object network Guest_Client
nat (GUEST,outside) dynamic interface
object network Viostor
nat (inside,outside) static interface service tcp www 55055
ASA# show run access-group
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outsidebackup_access_in in interface outsideBackup
access-group GUEST_access_in in interface GUEST
08-02-2016 01:19 AM
Hi;
Your issue is that the ACL is dropping your packet; this is also verified via packet tracer.
You need to modify the ACL and allow outside users to hit your public IP on port 55055:
access-list outside_access_in line 9 extended permit tcp any host <EXTERNAL_IP> eq 55055
As a packet flows through an ASA firewall, it always checks the ACL first and then goes to the NAT statement.
Thanks & Best regards;
08-02-2016 01:54 AM
Nope..
Same issue..
08-02-2016 01:54 AM
Hi;
Either modify the existing line 9 or insert a new line that allows users to access your external_ip on port 55055.
Thanks & Best regards;
08-02-2016 01:58 AM
Nope..
Same issue..
08-02-2016 10:38 AM
Ahmed, thanks for your replies... however you are missing an important thing (the ASA software version). Packet tracer is showing that NAT is not being hit; and on this software version the ACL does not use the external IP or mapped IP, but the real IP instead.
s.be00001, please do the following:
object service 55055
service tcp source eq 55055
object service www
service tcp source www
!
nat (inside,outside) 1 source static Viostor interface service www 55055
!
access-list outside_access_in line 9 extended permit tcp any object Viostor eq www
Run the packet-tracer again and send us the results:
packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed
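The point made in this reply, that on ASA 8.3 and later the interface ACL is evaluated after un-NAT against the real (inside) address and port, can be checked with a small Python model of the two processing orders. This is an added example, not code from the thread or from Cisco. It assumes a constructed outside address (203.0.113.10 stands in for MY_EXTERNAL_IP), models only exact host/port matching, and ignores NAT sections and rule ordering, so it says nothing about why the original object NAT was not matched in the first trace.

```python
"""Toy model of inbound processing on ASA 8.3+ versus pre-8.3, used to show why the
thread's original ACL never matched. Added illustration, not Cisco code; it models only
exact host/port matching and ignores NAT sections, rule order and dynamic rules."""
from dataclasses import dataclass

# Constructed placeholder for the outside interface address (MY_EXTERNAL_IP in the thread).
OUTSIDE_IP = "203.0.113.10"
VIOSTOR_IP = "192.168.11.54"   # real address of the Viostor object, as shown in the trace


@dataclass(frozen=True)
class StaticNat:
    """nat (inside,outside) ... static <real> <mapped> service tcp <real_port> <mapped_port>"""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclEntry:
    """access-list ... extended <action> <proto> any host <dst_ip> eq <dst_port>"""
    proto: str
    dst_ip: str
    dst_port: int
    action: str = "permit"


def un_nat(pkt, nats):
    """UN-NAT phase: rewrite the destination if a static rule matches the mapped address."""
    for rule in nats:
        if (pkt["proto"], pkt["dst_ip"], pkt["dst_port"]) == (rule.proto, rule.mapped_ip, rule.mapped_port):
            return {**pkt, "dst_ip": rule.real_ip, "dst_port": rule.real_port}, rule
    return pkt, None


def acl_lookup(pkt, acl):
    """First-match ACL evaluation with the implicit deny at the end."""
    for entry in acl:
        if (entry.proto, entry.dst_ip, entry.dst_port) == (pkt["proto"], pkt["dst_ip"], pkt["dst_port"]):
            return entry.action
    return "deny"


def inbound_decision(pkt, nats, acl, acl_sees_real_addr=True):
    """acl_sees_real_addr=True models 8.3+ (un-NAT first, ACL checks the real IP/port);
    False models pre-8.3, where the ACL checked the mapped (public) address."""
    translated, rule = un_nat(pkt, nats)
    acl_view = translated if acl_sees_real_addr else pkt
    return {"nat_hit": rule is not None, "acl": acl_lookup(acl_view, acl),
            "forwarded_to": (translated["dst_ip"], translated["dst_port"])}


NATS = [StaticNat(VIOSTOR_IP, 80, OUTSIDE_IP, 55055)]
PACKET = {"proto": "tcp", "src_ip": "8.8.8.8", "src_port": 1025,
          "dst_ip": OUTSIDE_IP, "dst_port": 55055}           # same probe as the packet-tracer

ACL_ORIGINAL = [AclEntry("tcp", VIOSTOR_IP, 55055)]   # permit tcp any object Viostor eq 55055
ACL_MAPPED = [AclEntry("tcp", OUTSIDE_IP, 55055)]     # permit tcp any host <EXTERNAL_IP> eq 55055
ACL_FIXED = [AclEntry("tcp", VIOSTOR_IP, 80)]         # permit tcp any object Viostor eq www


def compare():
    """Evaluate each candidate ACL under both rule orders; returns {name: {version: decision}}."""
    return {name: {"8.3+": inbound_decision(PACKET, NATS, acl, True)["acl"],
                   "pre-8.3": inbound_decision(PACKET, NATS, acl, False)["acl"]}
            for name, acl in (("original", ACL_ORIGINAL), ("mapped", ACL_MAPPED), ("fixed", ACL_FIXED))}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:9s} {result}")
```

Only the `fixed` entry (real host, real port 80) permits the flow under the 8.3+ order, while the `mapped` entry (public IP, port 55055) would only have worked on pre-8.3 code; the `original` entry matches under neither order because it mixes the real host with the mapped port.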
08-04-2016 01:07 AM
ASA# packet-tracer input outside tcp 8.8.8.8 1025 MY_EXTERNAL_IP 55055 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9dfc8, priority=1, domain=permit, deny=false
hits=239250585, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
NAT divert to egress interface inside
Untranslate MY_EXTERNAL_IP/55055 to 192.168.11.54/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_2
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object gre
service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_2
network-object 192.168.0.0 255.255.0.0
network-object object Rete_HD
network-object object RETE_172.16.0.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbfa2790, priority=13, domain=permit, deny=false
hits=0, user_data=0xc9e5c4a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
Static translate 8.8.8.8/1025 to 8.8.8.8/1025
Forward Flow based lookup yields rule:
in id=0xcd7918c0, priority=6, domain=nat, deny=false
hits=0, user_data=0xcd792200, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=MY_EXTERNAL_IP, mask=255.255.255.255, port=55055, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=9393297, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbea3c10, priority=0, domain=inspect-ip-options, deny=true
hits=11281329, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd8aeda8, priority=70, domain=inspect-http, deny=false
hits=1408694, user_data=0xcd8ad6a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc87ca40, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=136477, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcd782960, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xcd792148, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.11.54, mask=255.255.255.255, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcef66280, priority=0, domain=user-statistics, deny=false
hits=11182223, user_data=0xcddb8bb8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=9393299, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcbe7a1f0, priority=0, domain=inspect-ip-options, deny=true
hits=11190843, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcef66cd8, priority=0, domain=user-statistics, deny=false
hits=11258692, user_data=0xcddb8bb8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11587603, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
08-04-2016 08:31 AM
Great! So now the results are different and the traffic is allowed. Could you please confirm this with real traffic?
Finally, if you think this issue has been solved, please mark useful answers.
Thanks! :)
08-05-2016 07:01 AM
Thanks but still not working.
Same issue: The ASA does not have UDP server that services the UDP request
Very sad...
08-05-2016 08:18 AM
Hi,
Now there is a little bit of confusion. On one side you are asking about allowing traffic from external IPs to TCP port 55055, which is allowed (packet tracer output), and on the other side your traffic is denied because there is no UDP server to service the UDP request.
Can you ask your application team and get more detail information about your application behavior?
Thanks & Best regards
08-05-2016 08:53 AM
I agree with Ahmed: is this UDP or TCP traffic? That is not the same. Packet-tracer was used to test TCP traffic, not UDP.
Now, if you are not sure of this...
capture outside interface outside match tcp any host [Outside interface IP] eq 55055 match udp any host [Outside interface IP] eq 55055
2. Read the captures and copy the output to paste the results here.
show capture outside