cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2513
Views
0
Helpful
19
Replies

NAT and internal WebServer

niLuxx
Level 1
Level 1

Dear community,

 

I know this question was asked a couple of times already, but nevertheless I couldn't manage it to get it running.

I have the following setup

 

INTERNET <=> ASA5508-X <=> Internal-Web-Server

 

We just have one public ip, that is assigned to outside-interface of the ASA5508-X. Our internal WebServer is listening on port 5555. 

The intention is to access the internal-web-server via internet.

In this regards I did the following config:

 

object network network_dmz
subnet 192.168.5.0 255.255.255.0

 

object network reverse_proxy
host 192.168.5.2

 

object network vpn
host 192.168.1.103

 

nat (outside,dmz) source static any any destination static reverse_proxy reverse_proxy service upload_in upload_in no-proxy-arp

 

 

Manual NAT Policies (Section 1)
3 (dmz) to (outside) source static network_dmz network_dmz destination static vpn vpn no-proxy-arp
translate_hits = 39, untranslate_hits = 39
Source - Origin: 192.168.5.0/24, Translated: 192.168.5.0/24
Destination - Origin: 192.168.1.103/32, Translated: 192.168.1.103/32

Auto NAT Policies (Section 2)
2 (dmz) to (outside) source dynamic network_dmz interface
translate_hits = 16, untranslate_hits = 0
Source - Origin: 192.168.5.0/24, Translated: [IP]/32

 

 

Manual NAT Policies (Section 1)
1 (outside) to (dmz) source static any any destination static reverse_proxy reverse_proxy service upload_in upload_in no-proxy-arp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 192.168.5.2/32, Translated: 192.168.5.2/32
Service - Origin: tcp source eq 9555 , Translated: tcp source eq 9555
8 (outside) to (outside) source dynamic vpn interface
translate_hits = 2585, untranslate_hits = 34
Source - Origin: 192.168.1.103/32, Translated: [IP]/32

Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic network_backbone interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.1.0/24, Translated: [IP]/32

 

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside-inbound; 6 elements; name hash: 0x493b324d

[...]
access-list outside-inbound line 6 extended permit tcp any object reverse_proxy eq www (hitcnt=1) 0x9c24c3b7
access-list outside-inbound line 6 extended permit tcp any host 192.168.5.2 eq www (hitcnt=1) 0x9c24c3b7

 

Any idea to get that running.

 

Greetings,

niLuxx

19 Replies 19

Hi,
I assume from the outside the user connects on port 80, but the dmz server is actually running tcp/5555? In the ACL you need to reference the real port not the mapped port. Example below (nat is configured under the object, not globally):-

object network reverse_proxy
host 192.168.5.2
nat (dmz,outside) static interface service tcp 5555 80

access-list outside-inbound extended permit tcp any object reverse_proxy eq 5555

HTH

I do not clearly understand that. Aren't there 4 ports in game at all?

 

Machines: Client <=> ASA <=> DMZ-Server

Ports: Random-Port (Client) <=> 5555(ASA-Listening-Port - public) <=> Random-Port (ASA-Internal-Port) <=> Port 80 (DMZ-Server-Listensing-Port)

 

That means, it would be the way around. Outside the ASA is listening on 5555, and the DMZ is listening on 80. The protocol is http.

Is that possible?

 

object network reverse_proxy
host 192.168.5.2
nat (dmz,outside) static interface service tcp 80 5555

access-list outside-inbound extended permit tcp any object reverse_proxy eq 80

 

You said "Our internal WebServer is listening on port 5555" so I assumed that is the real port that the server is listening on? If you meant that the client will connect to the server on port 5555, which nat translates to port 80 of the dmz server, yes you just need to reflect that in the nat and acl configuration.

nat (dmz,outside) static interface service tcp <realport> <mappedport>
access-list outside-inbound extended permit tcp any object reverse_proxy eq <realport>

I tried that out, but unfortunately it is still not working.

show nat doesn't even show any hit for this NAT rule.

 

Does it have an influence if the same ip is used for:

- public ip outside interface (PPPOE)

- for SIP-Clients behind the ASA (but they only have UDP rules)

- for VPN access

 

Greetings,

niLuxx

No, I don't see why.

You may have a rogue nat rule that is above the new nat rule, check that out.
Also please run packet tracer and upload the output.

E.g:-
packet-tracer input [src_interface] protocol src_addr src_port dest_addr dest_port [detailed]

maybe, i can post the NAT rules:

 

Just one comment. The port 80, was an example. I use 9555 and 10555 instead

 

Manual NAT Policies (Section 1)
1 (jump) to (outside) source static network_jump network_jump destination static vpn vpn no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
2 (dmz) to (outside) source static network_dmz network_dmz destination static vpn vpn no-proxy-arp
translate_hits = 85, untranslate_hits = 85
3 (internal) to (outside) source static network_internal network_internal destination static vpn vpn no-proxy-arp route-lookup
translate_hits = 3114, untranslate_hits = 3121
4 (fritzbox) to (outside) source static fritzbox_host interface service udp_in udp_out
translate_hits = 54, untranslate_hits = 14
5 (fritzbox) to (outside) source static fritzbox interface service 5060 5060
translate_hits = 64, untranslate_hits = 5
6 (fritzbox) to (outside) source static network_fritzbox network_fritzbox destination static vpn vpn no-proxy-arp route-lookup
translate_hits = 5, untranslate_hits = 5
7 (outside) to (outside) source dynamic vpn interface
translate_hits = 4279, untranslate_hits = 49

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static reverse_proxy interface service tcp 9555 10555
translate_hits = 0, untranslate_hits = 0
2 (outside) to (outside) source dynamic network_backbone interface
translate_hits = 0, untranslate_hits = 0
3 (dmz) to (outside) source dynamic network_dmz interface
translate_hits = 39, untranslate_hits = 0
4 (jump) to (outside) source dynamic network_jump interface
translate_hits = 0, untranslate_hits = 0
5 (fritzbox) to (outside) source dynamic network_fritzbox interface
translate_hits = 846, untranslate_hits = 2
6 (internal) to (outside) source dynamic network_internal interface
translate_hits = 5323, untranslate_hits = 29

 

object network network_backbone
nat (outside,outside) dynamic interface
object network network_internal
nat (internal,outside) dynamic interface
object network network_fritzbox
nat (fritzbox,outside) dynamic interface
object network network_jump
nat (jump,outside) dynamic interface
object network network_dmz
nat (dmz,outside) dynamic interface
object network reverse_proxy
nat (dmz,outside) static interface service tcp 9555 10555
access-group outside-inbound in interface outside
access-group acl_ip_jump in interface jump

Hello,

 

a simple static NAT translation should work just as RIJ stated. Post the full configuration of your ASA, as well as a schematic drawing of your topology. I see a Fritzbox in the partial config you posted, how does that fit in ? Is the ASA the actual Internet facing edge device, or is the Fritzbox in front of it ?

Hi Georg,

 

Thanks for reply. No, the fritzbox is in IP-Client mode and is just handling the SIP phones.

The architecture is quite simple:

 

INTERNET <=> VDSL Modem <=> ASA <=> DMZ-Server

 

The other internal networks are connected to a Layer-3-Switch, but that shouldn't have any influence to this topic

 

Hello,

 

what is the VDSL modem doing ? Is it in bridge mode ? What type/brand ?

So 10555 is the mapped port that the client uses to connect to the application? And 9555 is the actual real port in use by the webserver?

Nothing has hit that nat rule:-
1 (dmz) to (outside) source static reverse_proxy interface service tcp 9555 10555
translate_hits = 0, untranslate_hits = 0

What did you configure for the ACL?

Let me say it this way:

 

I want to use 9555 to access the DMZ-Server from outside (that means the ASA should listen on this port, or better, should forward it).

The port 10555 is the real port, our DMZ-Server is listening on.

Here the ACL:

 


access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside-inbound; 6 elements; name hash: 0x493b324d
access-list outside-inbound line 1 extended permit icmp any host 192.168.7.6 (hitcnt=0) 0x03b01238
access-list outside-inbound line 2 extended permit tcp any host 192.168.7.6 eq sip (hitcnt=0) 0x02831a14
access-list outside-inbound line 3 extended permit udp any host 192.168.7.6 range 7078 7109 (hitcnt=14) 0x37c5b168
access-list outside-inbound line 4 extended permit udp any host 192.168.7.6 range 6078 6097 (hitcnt=0) 0xc8bac4cb
access-list outside-inbound line 5 extended permit udp any host 192.168.7.6 eq sip (hitcnt=6) 0x6c334ecd
access-list outside-inbound line 6 extended permit tcp any object reverse_proxy eq 10555 (hitcnt=0) 0x84bb306f
access-list outside-inbound line 6 extended permit tcp any host 192.168.5.2 eq 10555 (hitcnt=0) 0x84bb306f
access-list AnyConnect_Client_Local_Print; 8 elements; name hash: 0xe76ce9d1
access-list AnyConnect_Client_Local_Print line 1 extended deny ip any4 any4 (hitcnt=0) 0x1431053a
access-list AnyConnect_Client_Local_Print line 2 extended permit tcp any4 any4 eq lpd (hitcnt=0) 0xf431783b
access-list AnyConnect_Client_Local_Print line 3 remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print line 4 extended permit tcp any4 any4 eq 631 (hitcnt=0) 0x0a055e45
access-list AnyConnect_Client_Local_Print line 5 remark Windows' printing port
access-list AnyConnect_Client_Local_Print line 6 extended permit tcp any4 any4 eq 9100 (hitcnt=0) 0x077d9659
access-list AnyConnect_Client_Local_Print line 7 remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print line 8 extended permit udp any4 host 224.0.0.251 eq 5353 (hitcnt=0) 0xaad2a11b
access-list AnyConnect_Client_Local_Print line 9 remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print line 10 extended permit udp any4 host 224.0.0.252 eq 5355 (hitcnt=0) 0xbf7a7137
access-list AnyConnect_Client_Local_Print line 11 remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print line 12 extended permit tcp any4 any4 eq 137 (hitcnt=0) 0xe657df61
access-list AnyConnect_Client_Local_Print line 13 extended permit udp any4 any4 eq netbios-ns (hitcnt=0) 0x3094a846
access-list acl_ip_jump; 2 elements; name hash: 0x8d358ded
access-list acl_ip_jump line 1 extended permit ip object jumphost object network_internal (hitcnt=0) 0x3679810e
access-list acl_ip_jump line 1 extended permit ip host 192.168.6.2 10.0.0.0 255.255.0.0 (hitcnt=0) 0x3679810e
access-list acl_ip_jump line 2 extended permit ip object jumphost host 192.168.5.2 (hitcnt=0) 0xab0642d4
access-list acl_ip_jump line 2 extended permit ip host 192.168.6.2 host 192.168.5.2 (hitcnt=0) 0xab0642d4

Ok, if 10555 is the real port and 9555 is the mapped port, then you need to modify your nat rule.

You have this:-
object network reverse_proxy
nat (dmz,outside) static interface service tcp 9555 10555

...but the syntax should be this:-
nat (dmz,outside) static interface service tcp <realport> <mappedport>

Therefore:-
nat (dmz,outside) static interface service tcp 10555 9555

HTH