11-26-2013 11:28 PM - edited 02-21-2020 07:21 PM
Hello,
I've got a bit of a problem with my ASA config.
The ASA is configured to allow AnyConnect, with local users.
But after I added the following NAT statement and ACL on outside, I can't connect with AnyConnect.
nat (DMZ,OUTSIDE) source static HOST_DMZ-NAS-FTP interface
access-list OUTSIDE_access_in extended permit tcp any object HOST_DMZ-NAS-FTP eq ftp
How do I get that to work again?
11-26-2013 11:58 PM
Hi,
You have done Static NAT for some Internal device to your actual ASA "OUTSIDE" interface IP address.
All traffic destined to your ASA External interface will be forwarded to the Internal host.
Please remove the NAT configuration
no nat (DMZ,OUTSIDE) source static HOST_DMZ-NAS-FTP interface
Instead configure Static PAT (Port Forward) if you are going to use the interface IP address of "OUTSIDE" as the public IP address.
object network HOST_DMZ-NAS-FTP
host
nat (DMZ,OUTSIDE) static interface service tcp 21 21
And you can keep the ACL the same as above.
If this doesn't help then clarify the need you have for the NAT above.
Hope this helps
- Jouni
11-27-2013 12:33 AM
Hi JouniFross,
It didn't help, other than that now the VPN is working, but now there isn't any FTP access.
Just to clarify what I need to get working:
VPN (AnyConnect) so my travelling users can connect when they have a need for it.
FTP access (DMZ) so the server department can share files with partners and VPN users before they connect to the VPN.
We have 2 DNS entries:
VPN.xxxxxx.xxx pointing to our public IP
NAS.xxxxxx.xxx pointing to our public IP, port 21
11-27-2013 12:36 AM
Hi,
Whether the suggested NAT configuration works depends on the rest of your NAT configurations.
Please either share your NAT configurations or share with us a "packet-tracer" output:
packet-tracer input OUTSIDE tcp 1.1.1.1 12345
This will give us some clue about the problem
I would have to guess that the problem is still another NAT rule that is overriding the Static PAT (Port Forward) I suggested
- Jouni
11-27-2013 12:46 AM
Sadly I'm not allowed to share the full config, or part of it.
Did the packet-tracer command:
Result of the command: "packet-tracer input OUTSIDE tcp 1.1.1.1 12345
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
11-27-2013 12:51 AM
Hi,
You have an overriding NAT configuration.
We should see a UN-NAT Phase in the very start before any kind of ACCESS-LIST Phase.
You probably have a Dynamic PAT configuration for the DMZ in Section 1 Manual NAT that is causing the problems.
Since you can't share the configuration I can't really do anything else than try to give an alternative configuration that should make it work, but it's not the ideal setup since your Dynamic PAT rule should not be at such a high priority anyway. That is, if I am correct in my above guess about the problem.
Remove the Auto NAT / Network Object NAT I suggested
object network HOST_DMZ-NAS-FTP
no nat (DMZ,OUTSIDE) static interface service tcp 21 21
Notice that we leave the "host" statement under the "object" still. We only remove the "nat" command.
You then need to add these:
object service FTP
service tcp source eq 21
nat (DMZ,OUTSIDE) 1 source static HOST_DMZ-NAS-FTP interface service FTP FTP
Then try again.
- Jouni
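Jouni's diagnosis above rests on one ordering check: a new inbound connection to a NATed service should show an UN-NAT phase before any ACCESS-LIST phase, because the ACL is written against the real object address and can only match once the destination has been untranslated. The following Python script is added here as an example; it is not part of the thread and not Cisco tooling. It parses packet-tracer output into phases and applies that check. The two traces it runs on are constructed: the first copies the shape of the output posted above, the second shows the healthy shape with made-up addresses (203.0.113.10 for the OUTSIDE interface, 192.0.2.21 for the DMZ host), neither captured from the poster's ASA.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the thread's failing trace: no UN-NAT phase,
# so the ACL written against the real object never matches and the implicit deny fires.
FAILING_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
output-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample of the healthy shape: UN-NAT runs first and rewrites the
# destination to the DMZ host, then the FTP ACL matches. Addresses are made up.
HEALTHY_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,OUTSIDE) 1 source static HOST_DMZ-NAS-FTP interface service FTP FTP
Additional Information:
NAT divert to egress interface DMZ
Untranslate 203.0.113.10/21 to 192.0.2.21/21

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_access_in in interface OUTSIDE
access-list OUTSIDE_access_in extended permit tcp any object HOST_DMZ-NAS-FTP eq ftp
Additional Information:

Result:
input-interface: OUTSIDE
output-interface: DMZ
Action: allow
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"


@dataclass
class Trace:
    phases: List[Phase]
    action: str                 # final "Action:" (allow / drop)
    drop_reason: Optional[str]  # final "Drop-reason:" if any


def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()


def parse_packet_tracer(text: str) -> Trace:
    """Split packet-tracer output into its numbered phases and the final result block."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    in_config = False
    action, drop_reason = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            in_config = False
        elif line == "Result:":            # bare header starts the summary block
            current, in_config = None, False
        elif current is None:              # summary block
            if line.startswith("Action:"):
                action = _value(line)
            elif line.startswith("Drop-reason:"):
                drop_reason = _value(line)
        elif line.startswith("Type:"):
            current.type = _value(line)
        elif line.startswith("Subtype:"):
            current.subtype = _value(line)
        elif line.startswith("Result:"):
            current.result = _value(line)
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config:
            current.config.append(line)
    return Trace(phases, action, drop_reason)


def diagnose(trace: Trace) -> List[str]:
    """Apply the thread's check: UN-NAT must precede ACCESS-LIST for inbound traffic
    to a NATed service; also name the phase that produced any drop."""
    types = [p.type for p in trace.phases]
    findings = []
    if "ACCESS-LIST" in types and ("UN-NAT" not in types or types.index("UN-NAT") > types.index("ACCESS-LIST")):
        findings.append("no UN-NAT phase before ACCESS-LIST: destination was not untranslated, "
                        "so an ACL written against the real object cannot match; check NAT rule order")
    if trace.action == "drop":
        culprit = next((p for p in trace.phases if p.result == "DROP"), None)
        where = f"{culprit.type} [{'; '.join(culprit.config) or 'no config'}]" if culprit else "unknown phase"
        findings.append(f"dropped in {where}: {trace.drop_reason}")
    return findings
```

Run `diagnose(parse_packet_tracer(FAILING_TRACE))` to get the two findings for the posted output (missing UN-NAT, then the implicit-rule drop); the healthy trace returns an empty list. The parser only keys on the fixed labels the ASA prints (Phase, Type, Subtype, Result, Config, Additional Information, Action, Drop-reason), so extra informational lines are ignored rather than misparsed.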
11-27-2013 01:04 AM
It seems that it works now.
Thanks so much for the help.
11-27-2013 01:08 AM
Hi,
Glad to hear it works
So the most probable cause is that you have a Dynamic PAT configuration configured at such a high priority that it overrides the original Auto NAT / Network Object NAT we tried.
You might see a configuration like this currently in your NAT configurations:
nat (DMZ,OUTSIDE) source dynamic any interface
Which would then be the reason for the problem above.
The solution in that case would have been to change it to
nat (DMZ,OUTSIDE) after-auto source dynamic any interface
This would move the Dynamic PAT configuration to the very end of the NAT configurations. Naturally, without looking at the rest of the configurations I don't know if there is anything that would be affected by this change, so you should probably leave the configuration as it is.
Just thought I'd mention this.
- Jouni
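To make the ordering argument in this reply concrete, here is a small Python model added as an example; it is neither the ASA's implementation nor code from the thread. It orders rules the way Cisco documents the NAT rule table (section 1 manual NAT by line, section 2 object NAT with static before dynamic, section 3 after-auto manual NAT), applies first match to a new inbound connection, and treats a matching dynamic PAT rule as leaving the destination untranslated so that later static rules are shadowed. That last point is Jouni's diagnosis as modelled here, not a verified ASA internal. The addresses 203.0.113.10 and 192.0.2.21 are constructed; the thread never gives the real public IP or the host behind HOST_DMZ-NAS-FTP. It replays all four configurations the thread goes through: the original all-ports static, the object static PAT behind a section-1 dynamic PAT, the manual static PAT at line 1, and the after-auto variant suggested in this reply.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses; the thread does not disclose the real ones.
OUTSIDE_IF_IP = "203.0.113.10"   # hypothetical public IP of the OUTSIDE interface
FTP_HOST = "192.0.2.21"          # hypothetical DMZ address behind HOST_DMZ-NAS-FTP


@dataclass(frozen=True)
class NatRule:
    section: int            # 1 = manual NAT, 2 = auto/object NAT, 3 = manual NAT after-auto
    line: int               # configured order inside a manual section (ignored in section 2)
    kind: str               # "static" or "dynamic"
    real_host: str          # real address ("any" for the dynamic PAT rule)
    mapped: str             # mapped address; "interface" = the OUTSIDE interface IP
    port: Optional[int]     # mapped TCP port for static PAT, None = all ports
    text: str               # the CLI line being modelled


def table_order(rules: List[NatRule]) -> List[NatRule]:
    """Order rules the way the ASA consults its NAT table: section 1 by line,
    then section 2 with static before dynamic (lowest real address first),
    then section 3 by line."""
    def key(r: NatRule) -> Tuple[int, int, str, str]:
        if r.section == 2:
            return (2, 0 if r.kind == "static" else 1, r.real_host, r.text)
        return (r.section, r.line, "", "")
    return sorted(rules, key=key)


def untranslate_inbound(rules: List[NatRule], dst_ip: str, dst_port: int) -> Tuple[Optional[NatRule], Optional[str]]:
    """First rule whose mapped side covers the new inbound connection wins.
    A static rule yields its real host. A dynamic PAT rule has no reverse entry
    for unsolicited inbound traffic, so in this model it matches but leaves the
    destination untranslated (the 'overriding NAT' symptom from the thread)."""
    for r in table_order(rules):
        mapped_ip = OUTSIDE_IF_IP if r.mapped == "interface" else r.mapped
        if mapped_ip != dst_ip or (r.port is not None and r.port != dst_port):
            continue
        return (r, r.real_host) if r.kind == "static" else (r, None)
    return None, None


def anyconnect_reachable(rules: List[NatRule]) -> bool:
    """AnyConnect terminates on the ASA itself: TCP/443 to the interface IP must stay untranslated."""
    return untranslate_inbound(rules, OUTSIDE_IF_IP, 443)[1] is None


def ftp_forwarded(rules: List[NatRule]) -> bool:
    """The FTP ACL is written against the real object, so TCP/21 must be
    untranslated to the DMZ host before the ACCESS-LIST phase."""
    return untranslate_inbound(rules, OUTSIDE_IF_IP, 21)[1] == FTP_HOST


# The rules that appear in the thread, plus the dynamic PAT Jouni suspects exists.
# "nat ... 1 source static" inserts at line 1, so the existing dynamic PAT becomes line 2.
ALL_PORTS_STATIC = NatRule(1, 1, "static", FTP_HOST, "interface", None,
                           "nat (DMZ,OUTSIDE) source static HOST_DMZ-NAS-FTP interface")
DYNAMIC_PAT = NatRule(1, 2, "dynamic", "any", "interface", None,
                      "nat (DMZ,OUTSIDE) source dynamic any interface")
OBJECT_STATIC_PAT = NatRule(2, 0, "static", FTP_HOST, "interface", 21,
                            "object network HOST_DMZ-NAS-FTP / nat (DMZ,OUTSIDE) static interface service tcp 21 21")
MANUAL_STATIC_PAT = NatRule(1, 1, "static", FTP_HOST, "interface", 21,
                            "nat (DMZ,OUTSIDE) 1 source static HOST_DMZ-NAS-FTP interface service FTP FTP")
DYNAMIC_PAT_AFTER_AUTO = NatRule(3, 1, "dynamic", "any", "interface", None,
                                 "nat (DMZ,OUTSIDE) after-auto source dynamic any interface")


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """(AnyConnect reachable, FTP forwarded) for each configuration in the thread."""
    scenarios = {
        "original all-ports static to interface": [ALL_PORTS_STATIC],
        "object static PAT behind section-1 dynamic PAT": [DYNAMIC_PAT, OBJECT_STATIC_PAT],
        "manual static PAT at line 1": [MANUAL_STATIC_PAT, DYNAMIC_PAT],
        "object static PAT with dynamic PAT moved after-auto": [OBJECT_STATIC_PAT, DYNAMIC_PAT_AFTER_AUTO],
    }
    return {name: (anyconnect_reachable(rules), ftp_forwarded(rules))
            for name, rules in scenarios.items()}


if __name__ == "__main__":
    for name, (vpn, ftp) in run_scenarios().items():
        print(f"{name}: AnyConnect={'ok' if vpn else 'broken'} FTP={'ok' if ftp else 'broken'}")
```

The four results line up with the thread: the all-ports static breaks AnyConnect while FTP works; the object static PAT behind a section-1 dynamic PAT restores AnyConnect but loses FTP; and both the line-1 manual static PAT and the after-auto move give both services. The model deliberately ignores source-side matching and port ranges, which is enough for a single interface address and one forwarded port but not a substitute for packet-tracer on the real box.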