ASA 8.4 Pat RPF-Check and HTTP Server

dan.letkeman (Level 4)

Hello,

I am moving all of my nat/pat from my 2800 series to my ASA.  I have a few things working including multiple outside ip addresses and dynamic nat, as well as outside access for a few servers.

My two problems are as follows:

1).

For the life of me I cannot get PAT working when I want to access an internal web server using a different port on the outside interface.

For example I have added this:

object network test.obj
 host 192.168.184.11
 nat (inside,outside) static outside-ip-100.1.1.1 8080 www

This adds the NAT statements into the network object NAT list and it all makes sense. Then I add the ACL:

access-list outside_access_in extended permit tcp any object test.obj eq http-81

I see no hits on the acl when I try from an outside device, and the packet-tracer keeps telling me I have a nat problem with the reverse path forwarding check.

xlate shows this:

5520-fw# show xlate | i 100.1.1.1
TCP PAT from inside:192.168.184.11 80-80 to outside:100.1.1.1 81-81
NAT from inside:192.168.184.11 to outside:100.1.1.1

I have no idea why; I have followed many examples and I still get nothing. I also get no access to the internet on the computer running the web server unless I add another dynamic NAT statement pointing at a different network object with the same host IP to the same outside IP address, e.g.:

object network test.obj-dynamic
 host 192.168.184.11
 nat (inside,outside) dynamic outside-ip-100.1.1.1

Still, after that I get no connection from the outside to the web server.

2). Second problem.

I had moved our main web server over to the ASA and access from the outside worked for a few minutes, I think, as I had hits on the ACL. Then it stopped working and the logs showed a huge list of teardowns, and it looked like they were all DNS requests. I am assuming this is a problem with the virtual hosts on the web server and the DNS inspection that the ASA is doing. So I added the dns command at the end of the nat command and it did not solve my problem. So I am thinking the first problem with the RPF-check is related to this problem.

I have a couple of other web servers going through the ASA with no problems, but they are not running on Apache and using virtual hosts; they are single stand-alone web servers.

Any idea what I am doing wrong?

Thanks,

Dan.


19 Replies

dan.letkeman (Level 4)

I think there is some kind of bug in the ASA. I set up a test web server (192.168.75.208), and I added two network objects:

object network dan-laptop-pat
 nat (inside,outside) static interface service tcp www www
object network dan-laptop
 nat (any,outside) dynamic interface

So the device can get out onto the internet because of the second statement and I can access it remotely because of the first statement.  So everything works fine.....

But when I use packet-tracer and I run a test it says it doesn't work!  Yet it actually works....

Proof from the log file that it works:

6|Feb 12 2012|08:59:11|302014|68.171.231.80|43273|192.168.75.208|80|Teardown TCP connection 28185054 for outside:68.171.231.80/43273 to inside:192.168.75.208/80 duration 0:00:01 bytes 5904 TCP FINs

6|Feb 12 2012|08:59:09|302013|68.171.231.80|43273|192.168.75.208|80|Built inbound TCP connection 28185054 for outside:68.171.231.80/43273 (68.171.231.80/43273) to inside:192.168.75.208/80 (217.77.77.77/80)

Any ideas on what is happening?

Dan.

Hello Dan,

Yeap, you are doing the packet tracer to the private ip address, you should do it to the public ip address of the server.

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you for the reply, I have been pulling my hair out on this one....

If I use the public ip as you stated it all looks like it works fine in the packet tracer but in reality it does not work. 

For example:

object network dan-laptop
 host 192.168.75.208
object network dan-laptop-pat
 host 192.168.75.208

This WORKS:

object network laptop-pat
 nat (inside,outside) static interface service tcp www www
!
nat (inside,outside) after-auto source static laptop internet-75
access-list outside_access_in extended permit object http any object dan-laptop-pat

This DOES NOT WORK:

object network laptop-pat
 nat (inside,outside) static interface service tcp www 81
!
nat (inside,outside) after-auto source static laptop internet-75
access-list outside_access_in extended permit object http-81 any object dan-laptop-pat

Am I doing the wrong kind of nat to make this work?

Thanks

Dan.

Found out it was a problem with the web server not accepting the request like that.  I tried a different web server and now the port translation works.

Hello Dan,

That is correct. As I told you before, the configuration is okay.

Please mark the question as answered, so future users can learn from this.

Regards,

Julio

Julio Carvajal

Sorry, I spoke too soon; this is not solved and still not working. I cannot PAT anything on my ASA using 8.4. Looks like this may be a bug because no scenario works.

Hello Dan,

So you are saying your internal users cannot get PATed to the outside interface?

Please provide sh run nat, then we will start working on captures if I do not see something strange.

Regards,

Julio

Julio Carvajal

My issue is with outside access in, not inside access out; that seems to be fine.

For example if I do this:

object network web03
 host 10.5.0.13
object network web03-p81
 host 10.5.0.13
object service http-proxy
 service tcp destination eq 8080
object network internet.77
 host 77.77.77.77
object network web03-p81
 nat (inside,outside) static internet.77 service tcp www 8080
!
nat (inside,outside) after-auto source static web03 internet.77
access-list outside_access_in extended permit object http-proxy any object web03-p81

When trying to access the web server using http://77.77.77.77:8080  the log shows that the device is trying to access it using port 80???



18:31:1510602368.121.131.812034710.5.0.1380Deny tcp src outside:68.121.131.81/20347 dst inside:10.5.0.13/80 by access-group "outside_access_in" [0x0, 0x0]

If I add an access list that allows port 80 it all works, yet I am typing :8080 in the web address...

object service http-proxy
 no service tcp destination eq 8080
 service tcp source eq 8080

Then give it a try!!!

Julio Carvajal

Still no go. It is still hitting the box using port 80 instead of 8080 according to the logs:

4|Feb 13 2012|19:04:43|106023|68.121.131.80|63464|10.5.0.13|80|Deny tcp src outside:68.121.131.80/63464 dst inside:10.5.0.13/80 by access-group "outside_access_in" [0x0, 0x0]

I also tried from a different external system and still same problem. 

Hello Dan,

Okay so basically this is what you need: access the ASA using port 8080 And then be redirected to the internal host on port 80 right?

object network web03-p81
 host 10.5.0.13
object service http-proxy
 service tcp source eq 8080
object service http
 service tcp source eq 80
object network internet.77
 host 77.77.77.77

Outside ip is 77.77.77.77 and internal box is 10.5.0.13 right?

So let's do it like this:

nat (inside,outside) source static web03-p81 internet.77 service http http-proxy
access-list outside_access_in permit tcp any host 10.5.0.13 eq 80
access-group outside_access_in in interface outside

Regards,

Julio

Julio Carvajal

Ok, so this works, sort of... I can access the site using http://77.77.77.77:8080 now, but I can still access the site using http://77.77.77.77/, and I don't want to be able to do that.

Hello Dan,

So remove all you configured before related to that and leave what I sent you; that is the only one that should work from an outside user!

Julio Carvajal

Yes, everything was removed and I entered in what you sent, but I still can access it on port 80 and 8080 from the outside.

Dan.
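The Deny logs in this thread (destination shown as 10.5.0.13/80 although the client typed :8080) and the final observation that port 80 stays reachable both follow from the ASA 8.3+ order of operations: an inbound packet is un-NATed first, and the inbound ACL is then matched against the real (untranslated) address and port. The following Python model is an added example, not code from the thread or from Cisco; it replays the thread's own addresses and rules through that order, and the rule and ACL representations are assumptions for illustration.

```python
# Added example (not from the thread or Cisco): a minimal model of how an
# ASA 8.3+ handles an inbound outside->inside TCP packet. The packet is
# un-NATed first, and the inbound ACL is then checked against the REAL
# (untranslated) address and port. Addresses and ports are the thread's.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class NatRule:
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None    # None: address-only 1:1 static
    mapped_port: Optional[int] = None

def untranslate(rules: List[NatRule], dst_ip: str, dst_port: int):
    """Return (real_ip, real_port) for an inbound packet, or None if no rule matches."""
    for r in rules:                       # first matching rule wins
        if r.mapped_ip != dst_ip:
            continue
        if r.mapped_port is None:         # address-only static: port unchanged
            return r.real_ip, dst_port
        if r.mapped_port == dst_port:     # service translation (www <-> 8080)
            return r.real_ip, r.real_port
    return None

def acl_permits(acl: List[Tuple[str, int]], real_ip: str, real_port: int) -> bool:
    """ACL entries are (real_ip, real_port): on 8.3+ the ACL names real addresses."""
    return any(ip == real_ip and port == real_port for ip, port in acl)

def inbound(rules, acl, dst_ip, dst_port) -> str:
    """Verdict for one packet addressed to the outside IP/port."""
    real = untranslate(rules, dst_ip, dst_port)
    if real is None:
        return "dropped: no NAT match"
    verdict = "permit" if acl_permits(acl, *real) else "deny"
    return f"{verdict} {real[0]}/{real[1]}"

# Rules from the thread: the port-redirect rule and the 1:1 after-auto static.
PORT_RULE = NatRule("10.5.0.13", "77.77.77.77", real_port=80, mapped_port=8080)
ONE_TO_ONE = NatRule("10.5.0.13", "77.77.77.77")
ACL_8080 = [("10.5.0.13", 8080)]   # Dan's ACL: written against the mapped port
ACL_80 = [("10.5.0.13", 80)]       # Julio's ACL: written against the real port

if __name__ == "__main__":
    print(inbound([PORT_RULE], ACL_8080, "77.77.77.77", 8080))  # deny 10.5.0.13/80, as logged
    print(inbound([PORT_RULE], ACL_80, "77.77.77.77", 8080))    # permit 10.5.0.13/80
    print(inbound([PORT_RULE], ACL_80, "77.77.77.77", 80))      # dropped: no NAT match
    print(inbound([PORT_RULE, ONE_TO_ONE], ACL_80, "77.77.77.77", 80))  # permit 10.5.0.13/80
```

The last call shows why a leftover address-only static for the same host re-exposes port 80 even though the redirect rule only maps 8080, so the first thing to verify in that situation is `show nat` for any remaining rule that maps the same real host.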
