01-18-2019 03:06 AM - edited 09-03-2019 01:10 AM
Dear community,
I know this question was asked a couple of times already, but nevertheless I couldn't manage to get it running.
I have the following setup
INTERNET <=> ASA5508-X <=> Internal-Web-Server
We just have one public IP, which is assigned to the outside interface of the ASA5508-X. Our internal web server is listening on port 5555.
The intention is to access the internal web server via the internet.
In this regard I did the following config:
object network network_dmz
subnet 192.168.5.0 255.255.255.0
object network reverse_proxy
host 192.168.5.2
object network vpn
host 192.168.1.103
nat (outside,dmz) source static any any destination static reverse_proxy reverse_proxy service upload_in upload_in no-proxy-arp
Manual NAT Policies (Section 1)
3 (dmz) to (outside) source static network_dmz network_dmz destination static vpn vpn no-proxy-arp
translate_hits = 39, untranslate_hits = 39
Source - Origin: 192.168.5.0/24, Translated: 192.168.5.0/24
Destination - Origin: 192.168.1.103/32, Translated: 192.168.1.103/32
Auto NAT Policies (Section 2)
2 (dmz) to (outside) source dynamic network_dmz interface
translate_hits = 16, untranslate_hits = 0
Source - Origin: 192.168.5.0/24, Translated: [IP]/32
Manual NAT Policies (Section 1)
1 (outside) to (dmz) source static any any destination static reverse_proxy reverse_proxy service upload_in upload_in no-proxy-arp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 192.168.5.2/32, Translated: 192.168.5.2/32
Service - Origin: tcp source eq 9555 , Translated: tcp source eq 9555
8 (outside) to (outside) source dynamic vpn interface
translate_hits = 2585, untranslate_hits = 34
Source - Origin: 192.168.1.103/32, Translated: [IP]/32
Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic network_backbone interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.1.0/24, Translated: [IP]/32
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside-inbound; 6 elements; name hash: 0x493b324d
[...]
access-list outside-inbound line 6 extended permit tcp any object reverse_proxy eq www (hitcnt=1) 0x9c24c3b7
access-list outside-inbound line 6 extended permit tcp any host 192.168.5.2 eq www (hitcnt=1) 0x9c24c3b7
Any idea how to get that running?
Greetings,
niLuxx
01-18-2019 05:13 AM
Sorry, I overlooked the packet-tracer comment:
Here is the output (hopefully that makes sense).
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.5.2 9555
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.5.2 using egress ifc dmz
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-18-2019 05:17 AM - edited 01-18-2019 05:17 AM
Sorry, I also had to adjust the ACE for real port:
access-list outside-inbound line 6 extended permit tcp any object reverse_proxy eq 9555 (hitcnt=0) 0x84bb306f
access-list outside-inbound line 6 extended permit tcp any host 192.168.5.2 eq 9555 (hitcnt=0) 0x84bb306f
Here is the packet tracer output:
Just for info: I'm connected to the system via VPN (maybe that influences the packet tracer).
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.5.2 9555
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.5.2 using egress ifc dmz
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-inbound in interface outside
access-list outside-inbound extended permit tcp any object reverse_proxy eq 9555
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network network_dmz
nat (dmz,outside) dynamic interface
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-18-2019 05:29 AM - edited 01-18-2019 05:47 AM
Here is your problem:
object network network_dmz
nat (dmz,outside) dynamic interface
This needs to be below your more specific NAT rule.
EDIT: For example, you could remove that NAT entry for the network_dmz object and create the NAT rule globally, defined as "after-auto":
nat (DMZ,OUTSIDE) after-auto source dynamic network_dmz interface
ASA(config)# show nat
Auto NAT Policies (Section 2)
1 (DMZ) to (OUTSIDE) source static reverse_proxy interface service tcp 9555 10555
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (DMZ) to (OUTSIDE) source dynamic network_dmz interface
translate_hits = 0, untranslate_hits = 0
Manual NAT (Section 3) rules will be processed after the more specific Auto NAT rule for your reverse_proxy.
HTH
01-20-2019 09:21 PM
Here is your problem:-
object network network_dmz
nat (dmz,outside) dynamic interface
This needs to be below your more specific NAT rule.
Hi,
This is already below the more specific NAT rule. Furthermore, I disabled all other DMZ NAT rules, but still no success. In the ASA log (ASDM, first page) I cannot even see a message when I try to access the ASA on this specific port. If I use port 443 (VPN), it shows a message. That's the reason why I assume that something else has to be the cause. Maybe there is a rule on the ASA side that prohibits every connection except VPN and SIP calls (Fritzbox)?! No idea...
Best regards,
niLuxx
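Editor's note, added after the thread (this is not Cisco code and not the poster's configuration): the rpf-check drop in the second packet-tracer output can be reasoned about with a small model of how the ASA selects a NAT rule for a new connection and then verifies that the return flow maps back through the same rule. Two details from the posted `show nat` output drive the model. First, the service object upload_in is displayed as "tcp source eq 9555"; in twice NAT the source port of a service object belongs to the rule's source endpoint (here: any host on outside), so the traced packet with source port 12345 does not match the manual rule, which is consistent with its translate_hits = 0. Second, with no rule matching the inbound packet, the return flow from 192.168.5.2 towards the internet hits the dynamic auto NAT rule for network_dmz, which is exactly the rule the rpf-check phase names. The model runs three scenarios: the rules as posted, the same rules with the 9555 port attached to the destination endpoint instead, and the port-forward design from the reply (static auto NAT of reverse_proxy to the outside address, tcp 9555 to 10555, with the dynamic rule moved to after-auto), traced against the outside address and mapped port. Assumptions are marked in the code: the redacted public address [IP] is stood in by 203.0.113.10, section 2 is ordered static-before-dynamic only, and routing is a three-entry table.

```python
# Added example (editor's own, not Cisco code and not the poster's config): a toy
# model of ASA NAT rule selection and of the rpf-check phase. Assumptions: the
# redacted outside address [IP] is stood in by 203.0.113.10; section 2 is sorted
# static-before-dynamic only (the real ASA has more tie-breakers); three routes.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

OUTSIDE_IP = "203.0.113.10"  # placeholder for the redacted [IP]
RP = "192.168.5.2"           # object network reverse_proxy
ROUTES = {"192.168.5.0/24": "dmz", "192.168.1.0/24": "outside", "0.0.0.0/0": "outside"}


def in_net(addr: str, net: str) -> bool:
    if net == "interface":
        net = OUTSIDE_IP
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def host_of(net: str, fallback: str) -> str:
    """Address a field is rewritten to; 'any' means leave it untouched."""
    if net == "any":
        return fallback
    return OUTSIDE_IP if net == "interface" else net.split("/")[0]


def egress(dst: str) -> str:
    best = max((n for n in ROUTES if in_net(dst, n)), key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]


@dataclass(frozen=True)
class Pkt:
    ifc: str   # interface the packet arrives on (after translation: leaves by)
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """nat (real_ifc,mapped_ifc) source real_src->mapped_src destination real_dst->mapped_dst.
    A service object's source port belongs to the source endpoint and its destination
    port to the destination endpoint, whichever packet field that is per direction."""
    name: str
    section: int                 # 1 manual, 2 auto (object) NAT, 3 manual after-auto
    real_ifc: str
    mapped_ifc: str
    real_src: str
    mapped_src: str              # "interface" = the outside address
    real_dst: str = "any"
    mapped_dst: str = "any"
    src_port: Optional[int] = None         # real port on the source endpoint
    mapped_src_port: Optional[int] = None  # mapped port (static PAT), else unchanged
    dst_port: Optional[int] = None         # port on the destination endpoint
    dynamic: bool = False

    def forward(self, p: Pkt) -> Optional[Pkt]:
        """Real -> mapped: packet arrives on the real interface."""
        if p.ifc != self.real_ifc or not in_net(p.src, self.real_src) or not in_net(p.dst, self.real_dst):
            return None
        if self.src_port not in (None, p.sport) or self.dst_port not in (None, p.dport):
            return None
        return Pkt(self.mapped_ifc, host_of(self.mapped_src, p.src), self.mapped_src_port or p.sport,
                   host_of(self.mapped_dst, p.dst), p.dport)

    def reverse(self, p: Pkt) -> Optional[Pkt]:
        """Mapped -> real (untranslate): packet arrives on the mapped interface.
        Dynamic PAT has no untranslation for a new connection, so it never matches here."""
        if self.dynamic or p.ifc != self.mapped_ifc:
            return None
        if not in_net(p.dst, self.mapped_src) or not in_net(p.src, self.mapped_dst):
            return None
        if (self.mapped_src_port or self.src_port) not in (None, p.dport) or self.dst_port not in (None, p.sport):
            return None
        return Pkt(self.real_ifc, host_of(self.real_dst, p.src), p.sport,
                   host_of(self.real_src, p.dst), self.src_port or p.dport)


def lookup(rules, p: Pkt) -> Tuple[Optional[Rule], Pkt]:
    """Section 1 in order, then section 2 (static before dynamic), then section 3;
    the first rule whose real or mapped side matches wins. No match: routed unchanged."""
    for r in sorted(rules, key=lambda r: (r.section, r.section == 2 and r.dynamic)):
        t = r.forward(p) or r.reverse(p)
        if t:
            return r, t
    return None, Pkt(egress(p.dst), p.src, p.sport, p.dst, p.dport)


def rpf_check(rules, p: Pkt):
    """Translate the new connection, then look up the return flow as it would arrive on
    the egress interface; it must map back through the very same rule (or none)."""
    rule, t = lookup(rules, p)
    back_rule, _ = lookup(rules, Pkt(t.ifc, t.dst, t.dport, t.src, t.sport))
    name = lambda r: r.name if r else "none"
    return back_rule is rule, name(rule), name(back_rule), t


# The rules from the thread's `show nat`, in configuration order.
ORIGINAL = [
    Rule("manual-1 (outside,dmz) any->reverse_proxy svc upload_in", 1, "outside", "dmz",
         "any", "any", RP, RP, src_port=9555),                     # shown as 'tcp source eq 9555'
    Rule("manual-3 (dmz,outside) network_dmz->vpn identity", 1, "dmz", "outside",
         "192.168.5.0/24", "192.168.5.0/24", "192.168.1.103", "192.168.1.103"),
    Rule("manual-8 (outside,outside) vpn dynamic interface", 1, "outside", "outside",
         "192.168.1.103", "interface", dynamic=True),
    Rule("auto-1 (outside,outside) network_backbone dynamic interface", 2, "outside", "outside",
         "192.168.1.0/24", "interface", dynamic=True),
    Rule("auto-2 (dmz,outside) network_dmz dynamic interface", 2, "dmz", "outside",
         "192.168.5.0/24", "interface", dynamic=True),
]
# Same rules, but 9555 attached to the destination endpoint (reverse_proxy).
FIXED = [Rule("manual-1 (outside,dmz) any->reverse_proxy svc tcp destination eq 9555", 1, "outside", "dmz",
              "any", "any", RP, RP, dst_port=9555)] + ORIGINAL[1:]
# The reply's design: static auto NAT port-forward, dynamic rule moved to after-auto.
PORT_FORWARD = ORIGINAL[:4] + [
    Rule("auto static reverse_proxy interface tcp 9555 10555", 2, "dmz", "outside", RP, "interface",
         src_port=9555, mapped_src_port=10555),
    Rule("after-auto (dmz,outside) network_dmz dynamic interface", 3, "dmz", "outside",
         "192.168.5.0/24", "interface", dynamic=True),
]
TRACE = Pkt("outside", "8.8.8.8", 12345, RP, 9555)              # the poster's packet-tracer input
TRACE_PF = Pkt("outside", "8.8.8.8", 12345, OUTSIDE_IP, 10555)  # trace for the port-forward design

if __name__ == "__main__":
    for label, rules, pkt in [("as posted", ORIGINAL, TRACE), ("port on destination endpoint", FIXED, TRACE),
                              ("port-forward to outside:10555", PORT_FORWARD, TRACE_PF)]:
        ok, fwd, back, t = rpf_check(rules, pkt)
        print(f"{label}: forward rule={fwd}; return flow rule={back}; rpf {'ALLOW' if ok else 'DROP'}; {t}")
```

Running it, the first scenario reproduces the posted trace: no rule claims the inbound packet, the return flow is claimed by the dynamic rule for network_dmz, and the rpf-check fails. In the other two the same rule is selected in both directions. The model deliberately ignores ACLs, existing xlates and the finer section 2 tie-breakers, so treat it as an aid for reading `show nat` and packet-tracer output, not as a substitute for them.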