Can you run "packet-tracer

mritter9139 · ‎03-04-2015

Idea

We are trying to set up a simple Port-Forwarding rule on our Cisco ASA 5512. Our goal is to forward requests on port 445 that arrive on our external IP xxx.xxx.129.237 to our internal IP xx.xx.77.237.

We have tried a lot and used Coogle and cisco Forums for troubleshooting. Unfortunately, we could not get a solution that works. I have tried both methods to create the rule (CLI/ASDM).

CLI Perspective

The provided values in this file should give you an overview on our current configuration.

ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface GigabitEthernet0/0
nameif internal
security-level 90
ip address xx.xx.77.1 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
security-level 50
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
security-level 25
no ip address
!
interface GigabitEthernet0/3
description External Interface
nameif external
security-level 0
ip address xxx.xxx.129.237 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET_INSIDE_NETWORK
subnet xx.xx.77.0 255.255.255.0
description Internet Access from Internal Network
object network NET_VPN
subnet xx.xx.82.0 255.255.255.0
object network HOST_VROUTER
host xx.xx.77.99
object network NET_VIRTUAL_10
subnet xx.xx.10.0 255.255.255.0
description openNebulaNetwork10
object network NET_VIRTUAL_20
subnet xx.xx.20.0 255.255.255.0
description openNebulaNetwork20
object network NET_VIRTUAL_30
subnet xx.xx.30.0 255.255.255.0
description virtualLAN_30
object network NET_VIRTUAL_40
subnet xx.xx.40.0 255.255.255.0
description virtualLAN_40
object network NET_VIRTUAL_50
subnet xx.xx.50.0 255.255.255.0
description virtualLAN_50
object network HOST_DEBIAN_ACCESS_SRV
host xx.xx.77.237
description Debian Access Server
object network HOST_ASA_IP_INTERNAL
host xx.xx.77.1
description Internal IP Address of ASA
object network HOST_LOGSERVER
host xx.xx.10.14
description Alienvault Logserver (SIEM)
object service SSH_Nat_to_445
service tcp destination eq 445
description SSHEXT
object network HOST_EXTERNAL_IP
host xx.xx.129.237
description IP Address of the external interface
object service SSH_Ext
service tcp destination eq ssh
object network STATIC-PAT
host xx.xx.77.237
description DEBIAN ACCESS
object-group network NET-VPNPOOL
object-group network DM_INLINE_NETWORK_1
network-object object NET_INSIDE_NETWORK
network-object object NET_VIRTUAL_10
network-object object NET_VIRTUAL_20
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp

access-list external_access_in extended permit icmp any any
access-list external_access_in extended permit tcp any object HOST_DEBIAN_ACCESS_SRV eq 445
access-list external_access_in extended permit ip any object HOST_DEBIAN_ACCESS_SRV
access-list internal_access_in extended permit ip any any

pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host internal xx.xx.10.14 format emblem
logging permit-hostdown
mtu internal 1500
mtu external 1500

ip local pool VPN_POOL_SUBNET xx.xx.82.100-xx.xx.82.200 mask xx.xx.82.0
icmp unreachable rate-limit 1 burst-size 1

icmp deny any external

nat (external,external) source dynamic NET_VPN interface description Internet for VPN

nat (internal,external) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NET_VPN NET_VPN no-proxy-arp route-lookup
!

object network NET_INSIDE_NETWORK
nat (internal,external) dynamic interface

object network HOST_DEBIAN_ACCESS_SRV
nat (internal,external) static interface service tcp ssh 445

access-group internal_access_in in interface internal
access-group outside_access_in in interface external

route external 0.0.0.0 0.0.0.0 87.193.129.233 2
route internal xx.xx.10.0 255.255.255.0 xx.xx.77.99 1
route internal xx.xx.20.0 255.255.255.0 xx.xx.77.99 1
route internal xx.xx.30.0 255.255.255.0 xx.xx.77.99 1
route internal xx.xx.40.0 255.255.255.0 xx.xx.77.99 1
route internal xx.xx.50.0 255.255.255.0 xx.xx.77.99 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http xx.xx.77.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5
ssh xx.xx.77.0 255.255.255.0 internal
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns xxxx.xxx.129.10 xxxx.xxx.130.10
!
dhcpd address xx.xx.77.100-xx.xx.77.200 internal
dhcpd enable internal
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1 aes256-sha1
webvpn
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 1
anyconnect profiles client disk0:/client.xml
anyconnect enable
group-policy LaborVPNGroup internal
group-policy LaborVPNGroup attributes
dns-server value xxxxx.xxxx.129.10 xxxx.xxxx.130.10
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
default-domain none
webvpn
anyconnect profiles value client type user
always-on-vpn profile-setting

Perspective CISCO ASDM GUI

Screenshot 1.1 shows the access rules (background) and the NAT Objects settings for our Access Server.

1.1

In Screenshot 1.2 you can see the error we get.

1.2

Jon Marshall · ‎03-04-2015

Can you run "packet-tracer input outside tcp 8.8.8.8 12345 x.x.129.237 445"

and post the results.

Also can you post the out of "sh nat" from the ASA.

Jon

mritter9139 · ‎03-04-2015

Thank you already for your help i found an error.

In the config i posted in my previous post.

Error was

access-group outside_access_in in interface external

corrected to

access-group external_access_in in interface external

However, even with this being corrected I still get the following output on your advised commands.

ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (external) to (external) source dynamic NET_VPN interface   description Internet for VPN
    translate_hits = 346145, untranslate_hits = 6985
2 (internal) to (external) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1   destination static NET_VPN NET_VPN no-proxy-arp route-lookup
    translate_hits = 198, untranslate_hits = 5359115

Auto NAT Policies (Section 2)
1 (internal) to (external) source static HOST_DEBIAN_ACCESS_SRV interface   service tcp ssh 445
    translate_hits = 0, untranslate_hits = 0
2 (any) to (external) source dynamic HOST_VROUTER interface
    translate_hits = 1756, untranslate_hits = 1
3 (internal) to (external) source dynamic NET_VIRTUAL_10 interface
    translate_hits = 616810, untranslate_hits = 8155
4 (internal) to (external) source dynamic NET_VIRTUAL_20 interface
    translate_hits = 0, untranslate_hits = 0
5 (internal) to (external) source dynamic NET_VIRTUAL_30 interface
    translate_hits = 0, untranslate_hits = 0
6 (internal) to (external) source dynamic NET_VIRTUAL_40 interface
    translate_hits = 0, untranslate_hits = 0
7 (internal) to (external) source dynamic NET_VIRTUAL_50 interface
    translate_hits = 0, untranslate_hits = 0
8 (internal) to (external) source dynamic NET_INSIDE_NETWORK interface
    translate_hits = 273078, untranslate_hits = 71123

ciscoasa(config)# packet-tracer input external tcp 8.8.8.8 12345 xx.xx.129.23$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   xx.xx.129.237  255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: external
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Jon Marshall · ‎03-04-2015

The packet-tracer output suggests that it is not finding a NAT rule.

Both your dynamic NAT and static PAT translations are in section 2 from the "sh nat" output and according to that output the static PAT is used first so it should work as far as I can see.

What you can try doing is moving your general dynamic NAT for the internal users to section 3 which would mean your static PAT would definitely take precedence.

Like I say you shouldn't have to do this but it's the only thing I can think of at the moment.

So you would remove this -

object network NET_INSIDE_NETWORK
nat (internal,external) dynamic interface

and replace it with this -

nat (inside,external) after-auto source dynamic NET_INSIDE_NETWORK interface

Jon

mritter9139 · ‎03-04-2015

.

Port Forwarding external request accessing port 445 to internal ip with port 22