2020 Views, 0 Helpful, 13 Replies

CLI Access rule to access WEB SERVER through ASA

Anh Ngo
Level 1

Hello Experts,

I have an issue with an access rule. I tried to find some documents and studied for a few days, but I don't know why this simple thing I'm doing does not work.

The topology is very simple.

Internet--------(out)ASA(int)---------Switch------- 2 WEB Server

I did NAT for 2 servers, whose respective IP addresses are 10.11.11.1/27 and 10.11.11.2/27, to 124.1.1.1/24 and 124.1.1.2/24.

With ASA, my access rule is

access-list 102 extended permit ip any any

access-group 102 interface outside

And it works. From outside I can ping and access to WEB servers.

But when I change the access list to

access-list 103 extended permit tcp any host 124.1.1.1 eq https

access-list 103 extended permit tcp any host 124.1.1.2 eq https

access-group 103 interface outside

I cannot access either server. Both web servers run HTTPS.

Please kindly help me find where the problem is.

Thank you so much!

13 Replies

You have to use the real IPs (10.11.11.1 and 10.11.11.2) in your outside ACL.
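To illustrate the point in this reply, here is a small Python model (an added example, not code from the thread or from Cisco) of the inbound evaluation order the ASA has used since software 8.3: the destination is un-translated (UN-NAT) before the inbound ACL on the outside interface is evaluated, so an outside ACL written against the mapped 124.1.1.x addresses never matches and the implicit deny applies. The NAT objects and ACL lines are taken from the question; the client packet, the `legacy` flag modelling the pre-8.3 order, and all function and class names are assumptions of this example.

```python
"""Model of the ASA inbound evaluation order (added example, not from the thread).

Since ASA 8.3 the firewall un-translates the destination (UN-NAT) before it
evaluates the inbound ACL on the outside interface, so that ACL must name the
real inside IP. The ``legacy`` flag models the pre-8.3 order for contrast.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticNat:
    real: str    # the "host" inside the object network
    mapped: str  # the address in "nat (inside,outside) static <mapped>"


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str                     # "any", a host address or a CIDR
    dst: str
    dport: Optional[int] = None  # None means any destination port


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def un_nat(pkt: Packet, nats: List[StaticNat]) -> Packet:
    """Rewrite the destination from the mapped to the real address, if one matches."""
    for n in nats:
        if n.mapped == pkt.dst:
            return Packet(pkt.proto, pkt.src, pkt.sport, n.real, pkt.dport)
    return pkt


def evaluate_inbound(pkt: Packet, nats: List[StaticNat], acl: List[Ace],
                     legacy: bool = False) -> Tuple[str, List[str]]:
    """Return (action, phases) for a packet arriving on the outside interface."""
    phases = []
    if not legacy:                       # 8.3+: UN-NAT runs before the ACL
        pkt = un_nat(pkt, nats)
        phases.append(f"UN-NAT: destination now {pkt.dst}")
    for ace in acl:
        if ace_matches(ace, pkt):
            phases.append(f"ACCESS-LIST: matched {ace.action} {ace.proto} {ace.src} {ace.dst}")
            return ace.action, phases
    phases.append("ACCESS-LIST: implicit deny")
    return "deny", phases


# NAT objects and ACL lines as given in the question
NATS = [StaticNat("10.11.11.1", "124.1.1.1"), StaticNat("10.11.11.2", "124.1.1.2")]
ACL_MAPPED = [Ace("permit", "tcp", "any", "124.1.1.1", 443),
              Ace("permit", "tcp", "any", "124.1.1.2", 443)]
ACL_REAL = [Ace("permit", "tcp", "any", "10.11.11.1", 443),
            Ace("permit", "tcp", "any", "10.11.11.2", 443)]
# Constructed client packet: HTTPS from an arbitrary Internet host to server 1
HTTPS_TO_SERVER1 = Packet("tcp", "1.2.3.4", 1234, "124.1.1.1", 443)


if __name__ == "__main__":
    for name, acl in (("mapped IPs", ACL_MAPPED), ("real IPs", ACL_REAL)):
        action, phases = evaluate_inbound(HTTPS_TO_SERVER1, NATS, acl)
        print(f"ACL with {name}: {action} via {phases}")
```

Running it shows the ACL with 124.1.1.x hosts ending in the implicit deny while the ACL with 10.11.11.x hosts permits the same packet; with `legacy=True` the mapped-address ACL permits, which is exactly the behaviour that changed in 8.3.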

Thanks for your quick response, Karsten Iwen.

You are a great support!

I tried to apply

access-list 103 extended permit tcp any host 10.11.11.1 eq https

access-list 103 extended permit tcp any host 10.11.11.2 eq https

access-group 103 in interface outside

But the issue is still the same.

I even tried

access-list 103 extended permit tcp any any eq https

Do you have any idea?

Thanks.

Hello,

what do your static NAT objects look like? Make sure they look like this:

object network Server1
host 10.11.11.1
nat (inside,outside) static 124.1.1.1


object network Server2
host 10.11.11.2
nat (inside,outside) static 124.1.1.2

What is the result of the following packet-tracer:

packet-tracer input outside tcp 1.2.3.4 1234 124.1.1.1 443

Here it is, Expert.

Sorry, I'm using 124.1.1.2 instead of 124.1.1.1. Thank you.

#packet-tracer input outside tcp 1.2.3.4 1234 124.1.1.2

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network myWebserver2
 nat (inside,outside) static 124.1.1.2
Additional Information:
NAT divert to egress interface inside
Untranslate 124.1.1.2/443 to 10.11.11.2/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:       
access-group 103 in interface outside
access-list 103 extended permit tcp any host 10.11.11.2 eq https
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network myWebserver2
 nat (inside,outside) static 124.1.1.2
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1024818, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow


This is my network object

object network myWebServ
 host 10.11.11.1
object network myWebserver2
 host 10.11.11.2


object network myWebServ
nat (inside,outside) static 124.1.1.1
object network myWebserver2
nat (inside,outside) static 124.1.1.2
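A small parser for packet-tracer output like the one in this post, added here as an example (it is not part of the thread and not a Cisco tool): it splits the output into phases, reports the first phase whose Result is DROP, extracts the mapped-to-real translation from the UN-NAT phase and checks whether the inbound access-list phase references the real address. The first sample is an abridged copy of the output quoted above; the second, two-phase DROP sample is constructed to show what the failing case (mapped IP in the ACL) would look like. Function names are assumptions of this example.

```python
"""Parser for ASA packet-tracer output (added example, not from the thread)."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
UNTRANSLATE_RE = re.compile(r"Untranslate\s+(\S+)/(\d+)\s+to\s+(\S+)/(\d+)")


def parse_packet_tracer(text):
    """Return (phases, final): one dict per phase plus the trailing Result block."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"number": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":           # summary block: bare "Result:" without a value
            cur, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif cur is None:
            continue                      # text before the first phase
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is None:             # header lines: Type / Subtype / Result
            key, _, value = line.partition(":")
            if key.strip().lower() in ("type", "subtype", "result"):
                cur[key.strip().lower()] = value.strip()
        else:
            cur[section].append(line)     # a Config or Additional Information line
    return phases, final


def first_drop(phases):
    """The first phase whose Result is DROP, or None if every phase allowed."""
    return next((p for p in phases if p["result"].upper() == "DROP"), None)


def un_nat_translation(phases):
    """(mapped, real) destination from the UN-NAT phase, or None if there was none."""
    for p in phases:
        if p["type"] == "UN-NAT":
            for line in p["info"]:
                m = UNTRANSLATE_RE.search(line)
                if m:
                    return m.group(1), m.group(3)
    return None


def acl_references_real_ip(phases):
    """Does the configured inbound access-list phase name the real (un-NATed) IP?"""
    t = un_nat_translation(phases)
    if t is None:
        return None
    for p in phases:
        cfg = " ".join(p["config"])
        if p["type"] == "ACCESS-LIST" and "access-list" in cfg:
            return t[1] in cfg
    return None


# Abridged copy of the packet-tracer output quoted in the post above
TRACE_SAMPLE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network myWebserver2
 nat (inside,outside) static 124.1.1.2
Additional Information:
NAT divert to egress interface inside
Untranslate 124.1.1.2/443 to 10.11.11.2/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 103 in interface outside
access-list 103 extended permit tcp any host 10.11.11.2 eq https
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# Constructed sample: the ACL names the mapped address, so the ACL phase drops
DROP_SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network myWebserver2
 nat (inside,outside) static 124.1.1.2
Additional Information:
Untranslate 124.1.1.2/443 to 10.11.11.2/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group 103 in interface outside
access-list 103 extended permit tcp any host 124.1.1.2 eq https
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Feeding real output from `packet-tracer` (or `show` output saved to a file) into `parse_packet_tracer` gives the same structure, so `first_drop` and `acl_references_real_ip` can be used as a quick sanity check before reading all nine phases by hand.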

Well, the ASA would correctly un-translate the IP and allow that packet. It really should work.

Enable logging and observe if and how a connection is built when a client accesses the server. Also do a "show conn address 10.11.11.2" the moment the client accesses the server.

:( Sadly, I have also tried so many ways. If you need any information, please ask me; I will show you, so we can find where the issue is.

This is the result of the show conn command

# show conn address 10.11.11.2
12 in use, 12889 most used

UDP outside  210.245.100.39:123 inside  10.11.11.2:58505, idle 0:00:32, bytes 48, flags -
UDP outside  210.245.100.39:123 inside  10.11.11.2:53785, idle 0:01:37, bytes 96, flags -
UDP outside  118.102.5.136:123 inside  10.11.11.2:55026, idle 0:00:57, bytes 96, flags -
UDP outside  113.161.84.122:123 inside  10.11.11.2:40757, idle 0:01:05, bytes 96, flags -
TCP inside  10.11.11.2:40878 inside  10.11.10.1:22, idle 0:35:51, bytes 68078, flags UIOB
TCP inside  10.11.11.2:22 inside  10.11.10.3:59336, idle 0:21:19, bytes 6914, flags UIO
TCP outside  113.20.114.177:65243 inside  10.11.11.2:22, idle 0:35:50, bytes 85665, flags UIOB


Thank you Karsten so much.

At least the last line shows that there is a connection to that server. What did you configure to allow that SSH? Probably you need the same for your Web-server. Is that device really reachable through HTTPS?

Dear Karsten,

What did you configure to allow that SSH? Yes, Sir. With the access rule "permit any any" I can reach the servers with HTTPS and can use PuTTY to SSH to the server. Everything goes wrong when the client asks to permit only 80, 8080 and HTTPS.

Probably you need the same for your Web-server. Is that device really reachable through HTTPS?
Yes, we need it to run as an HTTPS server, so it's quite hard for me.

Thank you Karsten!

Hello,

your access list needs to reference the real internal IP addresses of the web servers:

access-list 103 extended permit tcp any host 10.11.11.1 eq https
access-list 103 extended permit tcp any host 10.11.11.2 eq https
access-group 103 in interface outside

Dear Geogre,

yes, I'm sure I did that, and I think I did the NAT right, because when I change the access rule to

access-list 103 extended permit ip any any

Then everything is OK.

Dear Geogre,

Karsten also suggested that solution, but it did not work.

I even tried

access-list 103 extended permit tcp any any eq https