Firewall rule ASA 5506

mmzzaq
Level 1

I need a host on the production vlan with a service running on port 60443 to be reachable from the outside by an external internet host. I've created the appropriate ACL and NAT rules but the traffic doesn't go through. A packet tracer simulation says:

pic.png

Seems like the implicit rule is blocking? Which is weird to me because I've created this ACL rule on the outside interface:

pic2.PNG

Real time log says:

pic3.png

I really don't understand why since I have the rule in place on the outside interface which should allow the traffic.


This is the rule I've created, shown through the CLI (I've censored the IPs):

access-list outside_access_in line 1 extended permit tcp host EXTERNALHOST eq 60443 host HOSTINPRODVLAN (hitcnt=0) 0x133987a2 

Now when I change the "Destination Service" from protocol TCP and port 60443 (which my local host is running) to IP (all traffic), the rule works and traffic flows but I need it to be limited to port 60443.


What am I doing wrong? I haven't created an ACL rule on the production interface, is that the problem?


Note:

- The ExternalHost and its IP are defined correctly as a network object.

- The HostInProductionVLAN is defined correctly as a network object.

- The HostInProductionVLAN and its service are locally reachable.


8 Replies

Hello,


It is kind of hard to tell from the output you have posted what is actually configured. Can you post the running config of the ASA?

Yes, it's a bit messy, I understand. I need to censor the confidential parts first if I post a running config. Would you be so kind as to take a look at this first (IPs censored):

access-list outside_access_in line 1 extended permit tcp host EXTERNALHOST eq 60443 host HOSTINPRODVLAN (hitcnt=0) 0x133987a2 

It's the output of a show access-list command from the command line. It should allow traffic from the EXTERNALHOST to HOSTINPRODVLAN on port 60443. Or have I done it wrong and specified 60443 as the source port on the EXTERNALHOST? (It should be the destination port on HOSTINPRODVLAN.)

Hello,


I think the access list should look like this:


access-list outside_access_in line 1 extended permit tcp host EXTERNALHOST host HOSTINPRODVLAN eq 60443
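
To make the difference between the two ACEs concrete, here is an added example (not from the thread or from Cisco) that parses the "host A [eq P] host B [eq P]" form of an ASA extended ACE and checks which 5-tuple it selects. The sample lines are the ones quoted in this thread; the client source port 51234 is a constructed, arbitrary ephemeral port:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Only the permit/deny tcp|udp "host A [eq P] host B [eq P]" form is modelled here
# (an assumption of this example); the trailing "(hitcnt=...) 0x..." from
# "show access-list" is deliberately not anchored, so it is ignored.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+"
    r"host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\d+))?\s+"
    r"host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\d+))?"
)

@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: str
    sport: Optional[int]   # "eq" written after the SOURCE host constrains the source port
    dst: str
    dport: Optional[int]   # "eq" written after the DESTINATION host constrains the dest port

def parse_ace(line: str) -> Ace:
    """Parse one ACE line; raise on syntax outside the modelled subset."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    g = m.groupdict()
    return Ace(g["name"], g["action"], g["proto"], g["src"],
               int(g["sport"]) if g["sport"] else None,
               g["dst"], int(g["dport"]) if g["dport"] else None)

def matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """True if the flow (proto, src:sport -> dst:dport) is selected by this ACE."""
    return (ace.proto == proto and ace.src == src and ace.dst == dst
            and (ace.sport is None or ace.sport == sport)
            and (ace.dport is None or ace.dport == dport))

def explain(ace: Ace) -> str:
    """Human-readable summary that makes the port position explicit."""
    sp = "any" if ace.sport is None else str(ace.sport)
    dp = "any" if ace.dport is None else str(ace.dport)
    return f"{ace.action} {ace.proto} {ace.src} sport={sp} -> {ace.dst} dport={dp}"

# The ACE as ASDM wrote it (hitcnt=0 in the thread) and the corrected CLI version.
BROKEN = "access-list outside_access_in line 1 extended permit tcp host EXTERNALHOST eq 60443 host HOSTINPRODVLAN (hitcnt=0) 0x133987a2"
FIXED = "access-list outside_access_in line 1 extended permit tcp host EXTERNALHOST host HOSTINPRODVLAN eq 60443"

if __name__ == "__main__":
    for line in (BROKEN, FIXED):
        ace = parse_ace(line)
        hit = matches(ace, "tcp", "EXTERNALHOST", 51234, "HOSTINPRODVLAN", 60443)
        print(f"{explain(ace)}  matches client flow: {hit}")
```

Because a real client picks a random ephemeral source port, the first ACE only ever matches a connection whose source port happens to be 60443, which is why its hit count stayed at zero while the "IP (all traffic)" variant worked.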

Wow, I actually think I found a bug in either ASDM or the ASA's firmware, because ASDM had put the port number in that wrong place when entering that rule through ASDM. I used this now through the CLI:

access-list outside_access_in line 1 extended permit tcp host EXTERNALHOST host HOSTINPRODVLAN eq 60443

and it finally works! The astonishing thing is, when I edit the last entered CLI rule in ASDM and look into the details, it looks exactly the same as the earlier rule I entered through ASDM; only now, under the hood, the port number is in the correct place. I can't believe this. I've been banging my head against the wall the whole day thinking I was doing something wrong.


I probably should've done a show access-list from the CLI earlier, and I probably should've done everything from the CLI, but it's kind of hard when it's not your daily job and you rarely work on an ASA.


Either way, thanks!

Hello

Could try:

object-network HOSTINPRODVLAN
 host x.x.x.x
 nat (inside,outside) static interface service tcp 60443 60443
access-list outside_access_in extended permit tcp host EXTERNALHOST host HOSTINPRODVLAN eq 60443


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, I've solved it already just now, but I'm just dropping by to say thanks for your reply and effort.

How did you solve it?

See my messages above: by changing the port in the mentioned rule to the correct spot. I actually think ASDM bugged there.
