access from outside

cbuschini
Level 1

Hello All,

I am new here and in the ASA world.

I have a small issue with allowing access to my webserver from the Internet.

Internet -------- Router COLT ---------- ASA ---------- MyLan

I have created an access-list :

access-list acl-out extended permit tcp any object WebServer eq www

I have created a NAT rule :

nat (LANColt,DMZCarax) source static any any destination static WebServer WebServer

The website is reachable when I plug in between the Router Colt and the ASA, but not when I try from the Internet ...

Do you have any idea ???

Thanks

Cedric


sganpat
Level 1

Do you have Internet access from the inside? Is the IP address that you're translating to publicly routable? Is the translated IP address the same as the outside network of the ASA?

Also, this belongs in the Security --> Firewalling section. You should move it.

Sachin

Hi Sachin,

Yes I do have Internet access from the inside.

Yes the ip address is publicly routable.

Here is a quick description :

62.23.x.x ------ Router Colt [192.168.1.1] ---- [192.168.1.3] ASA [192.168.10.2] ------- [192.168.10.4] Webserver 

Hi,

The provided information is not all we need.

Since your router actually holds the public IP address (and not the ASA), your options to create a NAT configuration for the Web server would either be

  • Configure Static PAT (Port Forward) on the router that points to the ASA IP address 192.168.1.3 and the needed ports and then configure Static PAT (Port Forward) on the ASA from the IP address 192.168.1.3 to the actual IP address of the server for the needed ports and make sure the ACL on the ASA allows the traffic

OR

  • Make sure there is NO NAT between the ASA's "inside" and "outside" interfaces and configure the Static PAT for the actual server IP 192.168.10.x directly on the Router, and make sure the ACL on the ASA allows the traffic.

So first we need to know if the router will see the actual 192.168.10.0/xx network (NONAT on ASA) or will it just see the ASA outside IP address 192.168.1.3

The correct configuration format for Static PAT on ASA is for example

object network STATIC-PAT
 host 192.168.10.x
 nat (inside,outside) static interface service tcp 80 80

This would forward the port TCP/80 if connections are coming to the "interface" IP address of "outside" with that destination port.

- Jouni

Hi Jouni,

Thanks for your reply.

The router only sees the ASA on 192.168.1.3, and there is a NAT to this IP

(ip nat inside source static 192.168.1.3 62.23.xx.xx)

There is a NAT between the ASA's inside and outside interfaces.

I have tried to create the static PAT on the ASA. But I still cannot reach the web server from the Internet.

Is the access-list I wrote fine ?

cedric

Hi,

Either post the configuration or post the output of this "packet-tracer" command

packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.3 80

Or use the destination port "443" if that is the one you are using

- Jouni

Hello Jouni,

Sorry for the time taken to reply.

Here is the output of the packet tracer :

ciscoasa# packet-tracer input LANColt tcp 8.8.8.8 12345 192.168.1.3 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.3     255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: LANColt
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Packets are dropped by an ACL.

Here is "sh access-list" :

ciscoasa# sh access-list

access-list cached ACL log flows: total 397, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list LANColt_access_in; 4 elements; name hash: 0xa28dded0

access-list LANColt_access_in line 1 extended permit icmp any any object-group obj-i-all log informational interval 300 (hitcnt=0) 0x1507d1f7

  access-list LANColt_access_in line 1 extended permit icmp any any echo log informational interval 300 (hitcnt=0) 0x188a9836

  access-list LANColt_access_in line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=0) 0xada2a22a

  access-list LANColt_access_in line 1 extended permit icmp any any time-exceeded log informational interval 300 (hitcnt=19) 0xaf99f695

access-list LANColt_access_in line 2 extended permit tcp any any eq www (hitcnt=0) 0x25780758

access-list DMZCarax_access_in; 3 elements; name hash: 0xef6085d

access-list DMZCarax_access_in line 1 extended permit ip any any log debugging interval 300 (hitcnt=20007537) 0x563bb185

access-list DMZCarax_access_in line 2 extended permit icmp any any log informational interval 300 (hitcnt=0) 0x3ddebcbf

access-list DMZCarax_access_in line 3 extended permit udp host 192.168.2.2 any (hitcnt=0) 0xa1c4ec7c

access-list CARAX; 2 elements; name hash: 0xf5e4518b

access-list CARAX line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xc362eb9d

access-list CARAX line 2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xdc4e01b7

access-list LANEurex_access_in; 3 elements; name hash: 0x77b8262a

access-list LANEurex_access_in line 1 extended permit ip object obj-h-Eurex object-group gobj-n-Global-Carax 0x741dc2a6

  access-list LANEurex_access_in line 1 extended permit ip host 193.29.93.173 192.168.20.0 255.255.255.0 (hitcnt=0) 0xbf558d64

  access-list LANEurex_access_in line 1 extended permit ip host 193.29.93.173 192.168.10.0 255.255.255.0 (hitcnt=0) 0xe6964c68

access-list LANEurex_access_in line 2 extended permit ip any any inactive (hitcnt=0) (inactive) 0xe0241ced

access-list LANAbn_access_in; 5 elements; name hash: 0xfc8d5221

access-list LANAbn_access_in line 1 extended permit ip object-group gobj-h-ABN object-group gobj-n-Global-Carax inactive (inactive) 0xe7ef84f4

  access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.102 192.168.20.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0x13f4adc8

  access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.102 192.168.10.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xd1e47353

  access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.103 192.168.20.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xc6f7ec02

  access-list LANAbn_access_in line 1 extended permit ip host 192.168.69.103 192.168.10.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0x0e46a02e

access-list LANAbn_access_in line 2 extended permit ip any any (hitcnt=2) 0x0fdd7231

access-list LANBloom_access_in; 1 elements; name hash: 0xcc39ac70

access-list LANBloom_access_in line 1 extended permit ip any any (hitcnt=7872) 0xc86a3df1

access-list acl-out; 6 elements; name hash: 0x12815e8f

access-list acl-out line 1 extended permit icmp any any object-group obj-i-all (hitcnt=0) 0xc838e767

  access-list acl-out line 1 extended permit icmp any any echo (hitcnt=0) 0x9ab79491

  access-list acl-out line 1 extended permit icmp any any echo-reply (hitcnt=0) 0xa2377349

  access-list acl-out line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xcb4b3851

access-list acl-out line 2 extended permit gre any host 192.168.10.221 (hitcnt=0) 0xdeafcf2f

access-list acl-out line 3 extended permit tcp any host 192.168.10.221 eq pptp (hitcnt=0) 0xdb7d38da

Thanks in advance.

Hi,

You should use your external interface as the input interface of this test, not your LAN interface, which you are using now. The hosts on the Internet won't be using that as the input interface.

- Jouni

Or,

If this was the interface connected to the router then you either are missing a NAT configuration or you have an overriding NAT configuration in your current configuration which is most likely a Dynamic PAT configuration.

- Jouni

LANColt is the interface facing the router Colt. It is the 192.168.1.3 interface.

ciscoasa# sh nat

Manual NAT Policies (Section 1)

1 (DMZCarax) to (LANColt) source dynamic OBJ_GENERIC_ALL interface

    translate_hits = 18933401, untranslate_hits = 1516833

2 (DMZCarax) to (LANBloom) source static obj-LANCarax obj-LANCarax   destination static obj-LANBloom obj-LANBloom

    translate_hits = 0, untranslate_hits = 15244

3 (DMZCarax) to (LANEurex) source static obj-LANCarax obj-LANCarax   destination static obj-LANEurex obj-LANEurex

    translate_hits = 0, untranslate_hits = 0

4 (DMZCarax) to (LANAbn) source static obj-LANCarax obj-LANCarax   destination static obj-LANAbn obj-LANAbn

    translate_hits = 0, untranslate_hits = 21955

5 (DMZCarax) to (LANMonaco) source static obj-LANCarax obj-LANCarax   destination static obj-LANMonaco obj-LANMonaco

    translate_hits = 0, untranslate_hits = 0

6 (LANMonaco) to (DMZCarax) source static obj-LANMonaco obj-LANMonaco   destination static obj-LANCarax obj-LANCarax

    translate_hits = 0, untranslate_hits = 138065

7 (LANMonaco) to (LANBloom) source static obj-LANMonaco obj-LANMonaco   destination static obj-LANBloom obj-LANBloom

    translate_hits = 0, untranslate_hits = 23

8 (LANMonaco) to (LANAbn) source static obj-LANMonaco obj-LANMonaco   destination static obj-LANAbn obj-LANAbn

    translate_hits = 0, untranslate_hits = 0

9 (LANBloom) to (DMZCarax) source static obj-LANBloom obj-LANBloom   destination static obj-LANCarax obj-LANCarax

    translate_hits = 0, untranslate_hits = 89964

10 (LANBloom) to (LANMonaco) source static obj-LANBloom obj-LANBloom   destination static obj-LANMonaco obj-LANMonaco

    translate_hits = 0, untranslate_hits = 0

11 (LANEurex) to (DMZCarax) source static obj-LANEurex obj-LANEurex   destination static obj-LANCarax obj-LANCarax

    translate_hits = 0, untranslate_hits = 96

12 (LANEurex) to (LANMonaco) source static obj-LANEurex obj-LANEurex   destination static obj-LANMonaco obj-LANMonaco

    translate_hits = 0, untranslate_hits = 0

13 (LANAbn) to (DMZCarax) source static obj-LANAbn obj-LANAbn   destination static obj-LANCarax obj-LANCarax

    translate_hits = 0, untranslate_hits = 49854

14 (LANAbn) to (LANMonaco) source static obj-LANAbn obj-LANAbn   destination static obj-LANMonaco obj-LANMonaco

    translate_hits = 0, untranslate_hits = 0

15 (DMZCarax) to (DMZCarax) source static any any   destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup

    translate_hits = 0, untranslate_hits = 0

16 (LANColt) to (DMZCarax) source static any any   destination static WebServer.Int WebServer.Int inactive

    translate_hits = 0, untranslate_hits = 0

17 (DMZCarax) to (LANColt) source static any any   destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup

    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (DMZCarax) to (LANColt) source static STATIC-PAT interface   service tcp www www

    translate_hits = 0, untranslate_hits = 0

Hi,

Can you rather post the output of

show run nat

- Jouni

Sure

Here it is :

ciscoasa# show run nat

nat (DMZCarax,LANColt) source dynamic OBJ_GENERIC_ALL interface

nat (DMZCarax,LANBloom) source static obj-LANCarax obj-LANCarax destination static obj-LANBloom obj-LANBloom

nat (DMZCarax,LANEurex) source static obj-LANCarax obj-LANCarax destination static obj-LANEurex obj-LANEurex

nat (DMZCarax,LANAbn) source static obj-LANCarax obj-LANCarax destination static obj-LANAbn obj-LANAbn

nat (DMZCarax,LANMonaco) source static obj-LANCarax obj-LANCarax destination static obj-LANMonaco obj-LANMonaco

nat (LANMonaco,DMZCarax) source static obj-LANMonaco obj-LANMonaco destination static obj-LANCarax obj-LANCarax

nat (LANMonaco,LANBloom) source static obj-LANMonaco obj-LANMonaco destination static obj-LANBloom obj-LANBloom

nat (LANMonaco,LANAbn) source static obj-LANMonaco obj-LANMonaco destination static obj-LANAbn obj-LANAbn

nat (LANBloom,DMZCarax) source static obj-LANBloom obj-LANBloom destination static obj-LANCarax obj-LANCarax

nat (LANBloom,LANMonaco) source static obj-LANBloom obj-LANBloom destination static obj-LANMonaco obj-LANMonaco

nat (LANEurex,DMZCarax) source static obj-LANEurex obj-LANEurex destination static obj-LANCarax obj-LANCarax

nat (LANEurex,LANMonaco) source static obj-LANEurex obj-LANEurex destination static obj-LANMonaco obj-LANMonaco

nat (LANAbn,DMZCarax) source static obj-LANAbn obj-LANAbn destination static obj-LANCarax obj-LANCarax

nat (LANAbn,LANMonaco) source static obj-LANAbn obj-LANAbn destination static obj-LANMonaco obj-LANMonaco

nat (DMZCarax,DMZCarax) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup

nat (LANColt,DMZCarax) source static any any destination static WebServer.Int WebServer.Int inactive

nat (DMZCarax,LANColt) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup

!

object network STATIC-PAT

nat (DMZCarax,LANColt) static interface service tcp www www

Hi,

This is the problem:

no nat (DMZCarax,LANColt) source dynamic OBJ_GENERIC_ALL interface

You would have to remove this command, which would essentially cause a small outage to all users that use the Dynamic PAT.

Then you would enter it with

nat (DMZCarax,LANColt) after-auto source dynamic OBJ_GENERIC_ALL interface

And then the new Static PAT (Port Forward) would work.

- Jouni
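As an added illustration (not code from the thread, from Cisco, or from either poster), here is a small Python model of why a Dynamic PAT in NAT Section 1 shadows the object (Auto NAT, Section 2) Static PAT for a new inbound connection until it is moved after-auto into Section 3, followed by the ingress ACL check that the packet then has to pass. It is a simplification of the ASA's NAT lookup; the addresses are the thread's (interface 192.168.1.3 on LANColt, server 192.168.10.4 behind DMZCarax), the ACL tuples are constructed, and the rule that ACLs on ASA 8.3+ are written against the real (untranslated) address is assumed standard behaviour.

```python
# Added example: simplified model of ASA NAT section ordering (1: manual,
# 2: object/auto, 3: manual after-auto) plus the ingress ACL check, using
# the addresses from this thread. Not the ASA's real implementation.
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    section: int                # 1 = manual, 2 = object (auto), 3 = manual after-auto
    real_ifc: str
    mapped_ifc: str
    kind: str                   # "dynamic" (PAT, outbound only) or "static"
    mapped_ip: str
    real_ip: str = ""
    port: Optional[int] = None  # static PAT port; None = whole address

def thread_nat_table(after_auto: bool) -> list:
    """The two rules that matter in the thread. With after_auto=False the
    Dynamic PAT sits in Section 1, exactly as in the poster's first config."""
    dyn = NatRule(3 if after_auto else 1, "DMZCarax", "LANColt", "dynamic", "192.168.1.3")
    pat = NatRule(2, "DMZCarax", "LANColt", "static", "192.168.1.3", "192.168.10.4", 80)
    return sorted([dyn, pat], key=lambda r: r.section)

def untranslate(rules, in_ifc, dst_ip, dst_port):
    """First matching rule wins, Section 1 before 2 before 3. A dynamic rule
    that owns the mapped IP matches but cannot create a new inbound
    translation, so the lookup ends with no UN-NAT (the symptom in the first
    packet-tracer: egress 'NP Identity Ifc', i.e. traffic to the ASA itself)."""
    for r in rules:
        if r.mapped_ifc != in_ifc or r.mapped_ip != dst_ip:
            continue
        if r.kind == "dynamic":
            return None
        if r.port is None or r.port == dst_port:
            return r.real_ip, r.real_ifc
    return None

def inbound_result(rules, acl, in_ifc, dst_ip, dst_port):
    """Mimic the packet-tracer verdict: UN-NAT first, then the ingress ACL,
    which on ASA 8.3+ must name the real (untranslated) server address."""
    hit = untranslate(rules, in_ifc, dst_ip, dst_port)
    if hit is None:
        return "no-untranslate"
    real_ip, _ = hit
    for proto, dst, port in acl:        # constructed ACL entries: (proto, real dst, port)
        if proto == "tcp" and dst in ("any", real_ip) and port == dst_port:
            return "allow"
    return "acl-drop"                   # implicit deny at the end of every ACL
```

Run `inbound_result(thread_nat_table(True), [("tcp", "192.168.10.4", 80)], "LANColt", "192.168.1.3", 80)` to see the flow allowed only once both the after-auto move and a real-address permit are in place.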

Thanks Jouni,

I will do this this evening because users are already here browsing the web.

Hi,

I have done what you recommend but it is still not working:

ciscoasa(config)# sh run nat

nat (DMZCarax,LANBloom) source static obj-LANCarax obj-LANCarax destination static obj-LANBloom obj-LANBloom

nat (DMZCarax,LANEurex) source static obj-LANCarax obj-LANCarax destination static obj-LANEurex obj-LANEurex

nat (DMZCarax,LANAbn) source static obj-LANCarax obj-LANCarax destination static obj-LANAbn obj-LANAbn

nat (DMZCarax,LANMonaco) source static obj-LANCarax obj-LANCarax destination static obj-LANMonaco obj-LANMonaco

nat (LANMonaco,DMZCarax) source static obj-LANMonaco obj-LANMonaco destination static obj-LANCarax obj-LANCarax

nat (LANMonaco,LANBloom) source static obj-LANMonaco obj-LANMonaco destination static obj-LANBloom obj-LANBloom

nat (LANMonaco,LANAbn) source static obj-LANMonaco obj-LANMonaco destination static obj-LANAbn obj-LANAbn

nat (LANBloom,DMZCarax) source static obj-LANBloom obj-LANBloom destination static obj-LANCarax obj-LANCarax

nat (LANBloom,LANMonaco) source static obj-LANBloom obj-LANBloom destination static obj-LANMonaco obj-LANMonaco

nat (LANEurex,DMZCarax) source static obj-LANEurex obj-LANEurex destination static obj-LANCarax obj-LANCarax

nat (LANEurex,LANMonaco) source static obj-LANEurex obj-LANEurex destination static obj-LANMonaco obj-LANMonaco

nat (LANAbn,DMZCarax) source static obj-LANAbn obj-LANAbn destination static obj-LANCarax obj-LANCarax

nat (LANAbn,LANMonaco) source static obj-LANAbn obj-LANAbn destination static obj-LANMonaco obj-LANMonaco

nat (DMZCarax,DMZCarax) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup

nat (LANColt,DMZCarax) source static any any destination static WebServer.Int WebServer.Int inactive

nat (DMZCarax,LANColt) source static any any destination static NETWORK_OBJ_10.10.10.0_29 NETWORK_OBJ_10.10.10.0_29 no-proxy-arp route-lookup

!

object network STATIC-PAT

nat (DMZCarax,LANColt) static interface service tcp www www

!

nat (DMZCarax,LANColt) after-auto source dynamic OBJ_GENERIC_ALL interface

ciscoasa(config)# packet-tracer input LANColt tcp 8.8.8.8 12354 192.168.1.3 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network STATIC-PAT
nat (DMZCarax,LANColt) static interface service tcp www www
Additional Information:
NAT divert to egress interface DMZCarax
Untranslate 192.168.1.3/80 to 192.168.10.4/80

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: LANColt
input-status: up
input-line-status: up
output-interface: DMZCarax
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)#

Thanks

- Ceders
