NAT and internal WebServer

niLuxx
Level 1

Dear community,

I know this question was asked a couple of times already, but nevertheless I couldn't manage to get it running.

I have the following setup:
INTERNET <=> ASA5508-X <=> Internal-Web-Server

We just have one public IP, which is assigned to the outside interface of the ASA5508-X. Our internal web server is listening on port 5555.

The intention is to access the internal web server via the internet.

In this regard I did the following config:

object network network_dmz
subnet 192.168.5.0 255.255.255.0

object network reverse_proxy
host 192.168.5.2

object network vpn
host 192.168.1.103

nat (outside,dmz) source static any any destination static reverse_proxy reverse_proxy service upload_in upload_in no-proxy-arp

Manual NAT Policies (Section 1)
3 (dmz) to (outside) source static network_dmz network_dmz destination static vpn vpn no-proxy-arp
translate_hits = 39, untranslate_hits = 39
Source - Origin: 192.168.5.0/24, Translated: 192.168.5.0/24
Destination - Origin: 192.168.1.103/32, Translated: 192.168.1.103/32

Auto NAT Policies (Section 2)
2 (dmz) to (outside) source dynamic network_dmz interface
translate_hits = 16, untranslate_hits = 0
Source - Origin: 192.168.5.0/24, Translated: [IP]/32

Manual NAT Policies (Section 1)
1 (outside) to (dmz) source static any any destination static reverse_proxy reverse_proxy service upload_in upload_in no-proxy-arp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 192.168.5.2/32, Translated: 192.168.5.2/32
Service - Origin: tcp source eq 9555 , Translated: tcp source eq 9555
8 (outside) to (outside) source dynamic vpn interface
translate_hits = 2585, untranslate_hits = 34
Source - Origin: 192.168.1.103/32, Translated: [IP]/32

Auto NAT Policies (Section 2)
1 (outside) to (outside) source dynamic network_backbone interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.1.0/24, Translated: [IP]/32

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside-inbound; 6 elements; name hash: 0x493b324d

[...]
access-list outside-inbound line 6 extended permit tcp any object reverse_proxy eq www (hitcnt=1) 0x9c24c3b7
access-list outside-inbound line 6 extended permit tcp any host 192.168.5.2 eq www (hitcnt=1) 0x9c24c3b7

Any idea how to get that running?

Greetings,

niLuxx

Sorry, I overlooked the packet-tracer comment:

Here is the output (hopefully that makes sense).

ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.5.2 9555

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.5.2 using egress ifc dmz

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Sorry, I also had to adjust the ACE for the real port:

access-list outside-inbound line 6 extended permit tcp any object reverse_proxy eq 9555 (hitcnt=0) 0x84bb306f
access-list outside-inbound line 6 extended permit tcp any host 192.168.5.2 eq 9555 (hitcnt=0) 0x84bb306f

Here is the packet tracer output:

Just for info: I'm connected to the system via VPN (maybe that influences the packet tracer).

ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.5.2 9555

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.5.2 using egress ifc dmz

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-inbound in interface outside
access-list outside-inbound extended permit tcp any object reverse_proxy eq 9555
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network network_dmz
nat (dmz,outside) dynamic interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is your problem:

object network network_dmz
nat (dmz,outside) dynamic interface

This needs to be below your more specific NAT rule.

EDIT: For example, you could remove that NAT entry for the network_dmz object and create the NAT rule globally, defining it as "after-auto".

nat (DMZ,OUTSIDE) after-auto source dynamic network_dmz interface

ASA(config)# show nat

Auto NAT Policies (Section 2)
1 (DMZ) to (OUTSIDE) source static reverse_proxy interface  service tcp 9555 10555
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (DMZ) to (OUTSIDE) source dynamic network_dmz interface
    translate_hits = 0, untranslate_hits = 0

Manual NAT (Section 3) rules will be processed after the more specific Auto NAT rule for your reverse_proxy.

HTH
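To make the ordering argument in this reply concrete, here is a small added model (not configuration or code from the thread or from Cisco) of how the three ASA NAT sections are searched first-match and why the rpf-check in packet-tracer fails when a broad dynamic PAT rule sits ahead of the specific static port-forward. The assumptions are labelled in the code: Section 1, then Section 2 (static before dynamic), then Section 3; the rpf-check passes only when the server's reply flow selects the same rule that untranslated the inbound flow. Real ASA ordering has further tie-breakers (prefix length, object name) that this simplified model leaves out, and the rule values (reverse_proxy 192.168.5.2, tcp 9555 mapped to 10555, network_dmz 192.168.5.0/24) are taken from the `show nat` output above.

```python
"""Simplified model of Cisco ASA NAT section ordering and the rpf-check.

Added illustration; not ASA code. Modelled assumptions:
  * rules are evaluated first-match in the order Section 1 (manual),
    Section 2 (auto, static before dynamic), Section 3 (manual after-auto);
  * the rpf-check passes when the reverse flow (real host replying toward the
    outside) is translated by the same rule that untranslated the forward flow.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                 # 1 = manual, 2 = auto, 3 = manual after-auto
    real_ifc: str                # interface where the real (untranslated) host lives
    mapped_ifc: str              # interface whose address is used for translation
    real_net: str                # host/32 or subnet on the real side
    kind: str                    # "static" (port forward) or "dynamic" (interface PAT)
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


def ordered(rules: List[NatRule]) -> List[NatRule]:
    # Section order first; inside a section, static rules precede dynamic ones
    # (simplification of the ASA's auto-NAT tie-breakers).
    return sorted(rules, key=lambda r: (r.section, 0 if r.kind == "static" else 1))


def match_outbound(rules: List[NatRule], ifc: str, src_ip: str, src_port: int) -> Optional[NatRule]:
    """First rule that translates a flow leaving the real interface `ifc`."""
    for r in ordered(rules):
        if r.real_ifc != ifc or ip_address(src_ip) not in ip_network(r.real_net, strict=False):
            continue
        if r.kind == "static" and r.real_port is not None and r.real_port != src_port:
            continue
        return r
    return None


def match_inbound(rules: List[NatRule], ifc: str, dst_port: int) -> Optional[NatRule]:
    """First rule able to untranslate a connection arriving on mapped interface `ifc`
    for the interface's own address. Only static port forwards qualify; dynamic
    PAT never accepts new inbound connections."""
    for r in ordered(rules):
        if r.mapped_ifc != ifc or r.kind != "static":
            continue
        if r.mapped_port is not None and r.mapped_port != dst_port:
            continue
        return r
    return None


def trace_inbound(rules: List[NatRule], dst_port: int) -> Tuple[str, str, Optional[NatRule]]:
    """Mimic packet-tracer for outside -> <interface IP>:dst_port.
    Returns (action, reason, rule): the rule used for untranslation on allow,
    or the conflicting rule that won the reverse lookup on an rpf-check drop."""
    fwd = match_inbound(rules, "outside", dst_port)
    if fwd is None:
        return ("drop", "no-nat-match", None)
    real_host = str(ip_network(fwd.real_net, strict=False).network_address)
    # rpf-check: the server's reply (real host:real port -> outside) must hit the same rule.
    rev = match_outbound(rules, fwd.real_ifc, real_host, fwd.real_port)
    if rev != fwd:
        return ("drop", "rpf-check", rev)
    return ("allow", "ok", fwd)


# Rules reconstructed from the thread's `show nat` output (values from the page).
PORT_FWD = NatRule("reverse_proxy", 2, "dmz", "outside", "192.168.5.2/32", "static", 9555, 10555)
PAT_BEFORE = NatRule("network_dmz", 1, "dmz", "outside", "192.168.5.0/24", "dynamic")
PAT_AFTER = NatRule("network_dmz", 3, "dmz", "outside", "192.168.5.0/24", "dynamic")

BROKEN = [PAT_BEFORE, PORT_FWD]   # broad PAT ahead of the specific static rule
FIXED = [PORT_FWD, PAT_AFTER]     # broad PAT as after-auto (Section 3)

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        action, reason, rule = trace_inbound(table, 10555)
        print(f"{label}: inbound tcp/10555 -> {action} ({reason}) rule={rule.name if rule else None}")
    # Ordinary DMZ hosts still PAT out through the after-auto rule.
    print("fixed: outbound from 192.168.5.10 ->", match_outbound(FIXED, "dmz", "192.168.5.10", 40000).name)
```

In the "broken" table the reverse lookup for 192.168.5.2:9555 is answered by the /24 dynamic PAT in Section 1, so the forward and reverse rules disagree and the flow is dropped with the rpf-check reason seen in the packet-tracer output; moving the PAT to after-auto lets the Section 2 static rule win the reverse lookup, while other DMZ hosts still translate through the PAT.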

Here is your problem:-
object network network_dmz
nat (dmz,outside) dynamic interface
This needs to be below your more specific nat rule

Hi,

this is already below the more specific NAT rule. Furthermore, I disabled all other DMZ NAT rules, but still no success. In the ASA log (ASDM, first page), I cannot even see a message when I try to access the ASA on this specific port. If I'm using port 443 (VPN), it does show a message. That's the reason why I assume that something else has to be the cause. Maybe there is a rule on the ASA side that prohibits every connection except VPN and SIP calls (Fritzbox)?! No idea...

Best regards,

niLuxx

Hi,
Then please share the running configuration of the device.

Regards,
Deepak Kumar