
New Member

ASA 8.4 Pat RPF-Check and HTTP Server

Hello,

I am moving all of my NAT/PAT from my 2800 series to my ASA. I have a few things working, including multiple outside IP addresses and dynamic NAT, as well as outside access for a few servers.

My two problems are as follows:

1).

For the life of me I cannot get PAT working when I want to access an internal web server using a different port on the outside interface.

For example I have added this:

object network test.obj

host 192.168.184.11

nat (inside,outside) static outside-ip-100.1.1.1 service tcp www 8080

This adds the NAT statements into the network object NAT list and it all makes sense. Then I add the ACL:

access-list outside_access_in extended permit tcp any object test.obj eq http-81

I see no hits on the ACL when I try from an outside device, and packet-tracer keeps telling me I have a NAT problem with the reverse path forwarding check.

xlate shows this:

5520-fw# show xlate | i 100.1.1.1

TCP PAT from inside:192.168.184.11 80-80 to outside:100.1.1.1 81-81

NAT from inside:192.168.184.11 to outside:100.1.1.1

I have no idea why; I have followed many examples and I still get nothing. I also get no access to the internet from the computer running the web server unless I add another dynamic NAT statement pointing a different network object with the same host IP to the same outside IP address, e.g.:

object network test.obj-dynamic

host 192.168.184.11

nat (inside,outside) dynamic outside-ip-100.1.1.1

Still, after that I get no connection from the outside to the web server.

2).

Second problem.

I had moved our main web server over to the ASA and access from the outside worked for a few minutes, I think, as I had hits on the ACL. Then it stopped working and the logs showed a huge list of teardowns, and it looked like they were all DNS requests. I am assuming this is a problem with the virtual hosts on the web server and the DNS inspection that the ASA is doing. So I added the dns command at the end of the nat command and it did not solve my problem. So I am thinking the first problem with the RPF-check is related to this problem.

I have a couple of other web servers going through the ASA with no problems, but they are not running on Apache and using virtual hosts; they are single standalone web servers.

Any idea what I am doing wrong?

Thanks,

Dan.

19 REPLIES
New Member

ASA 8.4 Pat RPF-Check and HTTP Server

I think there is some kind of bug in the ASA. I set up a test web server (192.168.75.208), and I added two network objects:

object network dan-laptop-pat

nat (inside,outside) static interface service tcp www www

object network dan-laptop

nat (any,outside) dynamic interface

So the device can get out onto the internet because of the second statement, and I can access it remotely because of the first statement. So everything works fine...

But when I use packet-tracer and run a test, it says it doesn't work! Yet it actually works...

Proof from the log file that it works:

6|Feb 12 2012|08:59:11|302014|68.171.231.80|43273|192.168.75.208|80|Teardown TCP connection 28185054 for outside:68.171.231.80/43273 to inside:192.168.75.208/80 duration 0:00:01 bytes 5904 TCP FINs

6|Feb 12 2012|08:59:09|302013|68.171.231.80|43273|192.168.75.208|80|Built inbound TCP connection 28185054 for outside:68.171.231.80/43273 (68.171.231.80/43273) to inside:192.168.75.208/80 (217.77.77.77/80)

Any ideas on what is happening?

Dan.

ASA 8.4 Pat RPF-Check and HTTP Server

Hello Dan,

Yep, you are doing the packet tracer to the private IP address; you should do it to the public IP address of the server.

Do rate helpful posts

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

ASA 8.4 Pat RPF-Check and HTTP Server

Thank you for the reply, I have been pulling my hair out on this one...

If I use the public IP as you stated, it all looks like it works fine in the packet tracer, but in reality it does not work.

For example:

object network dan-laptop

host 192.168.75.208

object network dan-laptop-pat

host 192.168.75.208

This WORKS:

object network laptop-pat

nat (inside,outside) static interface service tcp www www

!

nat (inside,outside) after-auto source static laptop internet-75

access-list outside_access_in extended permit object http any object dan-laptop-pat

This DOES NOT WORK:

object network laptop-pat

nat (inside,outside) static interface service tcp www 81

!

nat (inside,outside) after-auto source static laptop internet-75

access-list outside_access_in extended permit object http-81 any object dan-laptop-pat

Am I doing the wrong kind of NAT to make this work?

Thanks

Dan.

New Member

ASA 8.4 Pat RPF-Check and HTTP Server

Found out it was a problem with the web server not accepting the request like that. I tried a different web server and now the port translation works.

ASA 8.4 Pat RPF-Check and HTTP Server

Hello Dan,

That is correct. As I told you before, the configuration is okay.

Please mark the question as answered, so future users can learn from this.

Regards,

Julio

New Member

ASA 8.4 Pat RPF-Check and HTTP Server

Sorry, I spoke too soon; this is not solved and still not working. I cannot PAT anything on my ASA using 8.4. Looks like this may be a bug because no scenario works.

ASA 8.4 Pat RPF-Check and HTTP Server

Hello Dan,

So you are saying your internal users cannot get PATed to the outside interface?

Please provide sh run nat; then we will start working on captures if I do not see something strange.

Regards,

Julio

New Member

ASA 8.4 Pat RPF-Check and HTTP Server

My issue is with outside access in, not inside access out; that seems to be fine.

For example if I do this:

object network web03

host 10.5.0.13

object network web03-p81

host 10.5.0.13

object service http-proxy

service tcp destination eq 8080

object network internet.77

host 77.77.77.77

object network web03-p81

nat (inside,outside) static internet.77 service tcp www 8080

!

nat (inside,outside) after-auto source static web03 internet.77

access-list outside_access_in extended permit object http-proxy any object web03-p81

When trying to access the web server using http://77.77.77.77:8080, the log shows that the device is trying to access it using port 80???



18:31:15|106023|68.121.131.81|20347|10.5.0.13|80|Deny tcp src outside:68.121.131.81/20347 dst inside:10.5.0.13/80 by access-group "outside_access_in" [0x0, 0x0]

If I add an access list that allows port 80 it all works, yet I am typing :8080 in the web address...

ASA 8.4 Pat RPF-Check and HTTP Server

object service http-proxy

no service tcp destination eq 8080

service tcp source eq 8080

Then give it a try!!!

New Member

ASA 8.4 Pat RPF-Check and HTTP Server

Still no go. It is still hitting the box using port 80 instead of 8080, according to the logs:

4|Feb 13 2012|19:04:43|106023|68.121.131.80|63464|10.5.0.13|80|Deny tcp src outside:68.121.131.80/63464 dst inside:10.5.0.13/80 by access-group "outside_access_in" [0x0, 0x0]

I also tried from a different external system and still have the same problem.

ASA 8.4 Pat RPF-Check and HTTP Server (Accepted Solution)

Hello Dan,

Okay, so basically this is what you need: access the ASA using port 8080 and then be redirected to the internal host on port 80, right?

object network web03-p81

host 10.5.0.13

object service http-proxy

service tcp source eq 8080

object service http

service tcp source eq 80

object network internet.77

host 77.77.77.77

Outside IP is 77.77.77.77 and the internal box is 10.5.0.13, right?

So let's do it like this:

nat (inside,outside) source static web03-p81 internet.77 service http http-proxy

access-list outside_access_in permit tcp any host 10.5.0.13 eq 80

access-group outside_access_in in interface outside

Regards,

Julio

New Member

ASA 8.4 Pat RPF-Check and HTTP Server

Ok, so this works, sort of... I can access the site using http://77.77.77.77:8080 now, but I can still access the site using http://77.77.77.77/, and I don't want to be able to do that.

ASA 8.4 Pat RPF-Check and HTTP Server

Hello Dan,

So remove everything you configured before related to that and leave what I sent you; that is the only one that should work from an outside user!

New Member

ASA 8.4 Pat RPF-Check and HTTP Server

Yes, everything was removed and I entered what you sent, but I still can access it on ports 80 and 8080 from the outside.

Dan.

New Member

ASA 8.4 Pat RPF-Check and HTTP Server

Oh wait, I forgot to remove one other thing. That is the other NAT statement that allowed the server to get out to the internet.

Without that the server could not get out.

ASA 8.4 Pat RPF-Check and HTTP Server

Please post the entire config, to see why that is happening!

New Member

ASA 8.4 Pat RPF-Check and HTTP Server

So the config you sent me works perfectly, but my server cannot get out onto the internet. I think I need another NAT statement, but when I add another NAT statement I can access the server using port 80 from the outside, so I must be doing something wrong.

ASA Version 8.4(3)

!

hostname gvsd-asa-5520-fw

names

dns-guard

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 10.10.10.10 255.255.255.252

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address 77.77.77.70 255.255.255.192

!

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 172.16.0.102

name-server 172.16.0.101

domain-name domain.com

object network 10.20.10.1

host 10.20.10.1

description Astaro Web Filter  

object network 172.16.0.0

range 172.16.0.0 172.16.254.254

description Data Network  

object network 192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network 10.10.10.1

host 10.10.10.1

description gw-2821-01  

object network 10.10.10.9

host 10.10.10.9

description gw-2821-02  

object network NETWORK_OBJ_10.250.0.0_28

subnet 10.250.0.0 255.255.255.240

description VPN Test

object network 172.16.187.0

subnet 172.16.187.0 255.255.255.0

description GVC Wifi  

object network 10.7.0.0

subnet 10.7.0.0 255.255.0.0

description Guest Network  

object network 10.10.10.46

host 10.10.10.46

description astarogw  

object network 10.11.0.0

subnet 10.11.0.0 255.255.0.0

description GVSD I.T Network

object network 10.11.200.0

subnet 10.11.200.0 255.255.255.0

description DO I.T Network

object network merlin-67.75

host 77.77.77.75

description Merlin-67.75

object network helpdesk.domain.com

host 10.5.0.125

description Helpdesk Server for HTTP site

object network merlin-67.123

host 77.77.77.123

object network 10.5.0.0

subnet 10.5.0.0 255.255.255.0

description GVSD Server Network

object network intermapper.domain.com

host 10.5.0.150

description intermapper.domain.com

object network merlin-67.120

host 77.77.77.120

object network merlin-67.105

host 77.77.77.105

object network merlin-67.106

host 77.77.77.106

object network merlin-67.116

host 77.77.77.116

object network merlin-67.117

host 77.77.77.117

object network merlin-67.118

host 77.77.77.118

object network merlin-67.121

host 77.77.77.121

object network merlin-67.122

host 77.77.77.122

object network merlin-67.95

host 77.77.77.95

object network merlin-67.99

host 77.77.77.99

object network merlin-67.68

host 77.77.77.68

object network merlin-67.69

host 77.77.77.69

object network merlin-67.70

host 77.77.77.70

object network merlin-67.71

host 77.77.77.71

object network 172.16.187.22

host 172.16.187.22

description GVC Test Host

object network library.domain.com

host 10.5.0.85

description Library Server

object network netstorage.domain.com

host 10.5.0.35

description Netstorage server

object network sm.domain.com

host 10.5.0.87

description Sucess Maker Server

object network vibe.domain.com

host 10.5.0.27

description Vibe Server

object network mobilesync.domain.com

host 10.5.0.32

description Mobilesync Server

object network powerschool.domain.com

host 10.5.0.181

description PowerSchool Application Server

object service powerschool-5071

service tcp source eq 5071 destination eq 5071

object service powerschool-7880

service tcp source eq 7880 destination eq 7880

object service powerschool-7980

service tcp source eq 7980 destination eq 7980

object network astaro-mail

host 10.30.10.2

object service http-81

service tcp destination eq 81

object service http-82

service tcp destination eq 82

object service http-83

service tcp destination eq 83

object service http-84

service tcp destination eq 84

object service http-85

service tcp destination eq 85

object network merlin-67.77

host 77.77.77.77

object network dan-laptop

host 192.168.75.208

object service http-proxy

service tcp source eq 8080

object service http-proxy-2

service tcp destination eq 8080

object network web03-p8080

host 10.5.0.13

object service http-8080

service tcp source eq 8080

object service www

service tcp source eq www

object-group service ff-system udp

description ff system management

port-object eq 1091

object-group service http-81-1 tcp

port-object eq 81

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit object http-81 any object dan-laptop

access-list outside_access_in remark helpdesk webiste

access-list outside_access_in extended permit tcp any object helpdesk.domain.com eq www

access-list outside_access_in extended permit tcp any object library.domain.com eq www

access-list outside_access_in extended permit tcp any object netstorage.domain.com eq https

access-list outside_access_in extended permit tcp any object sm.domain.com eq www

access-list outside_access_in extended permit tcp any object sm.domain.com eq https inactive

access-list outside_access_in extended permit tcp any object mobilesync.domain.com eq https

access-list outside_access_in extended permit tcp any object powerschool.domain.com eq www

access-list outside_access_in extended permit tcp any object powerschool.domain.com eq https

access-list outside_access_in extended permit object powerschool-5071 any object powerschool.domain.com

access-list outside_access_in extended permit object powerschool-7880 any object powerschool.domain.com

access-list outside_access_in extended permit object powerschool-7980 any object powerschool.domain.com

access-list outside_access_in extended permit tcp any object astaro-mail eq smtp inactive

access-list outside_access_in extended permit tcp any object vibe.domain.com eq https

access-list outside_access_in extended permit tcp any object intermapper.domain.com eq www

access-list outside_access_in extended permit tcp any host 10.5.0.13 eq www

access-list inside_access_in extended deny ip object 172.16.187.22 any inactive

access-list inside_access_in remark blsd - web accesss

access-list inside_access_in extended permit tcp object 10.7.0.0 any eq 88

access-list inside_access_in extended deny udp object 10.7.0.0 range 1 65535 any range 1 65535

access-list inside_access_in extended deny tcp object 10.7.0.0 range 1 65535 any range 1 65535

access-list inside_access_in extended permit ip any any

access-list inside_access_out extended permit ip any any

access-list outside_access_out extended permit ip any any

access-list netflow-hosts extended permit ip any any

access-list http-s extended permit tcp any any eq www inactive

pager lines 24

logging enable

logging asdm informational

flow-export destination inside 10.11.200.104 2055

flow-export destination inside 10.11.200.193 2055

flow-export template timeout-rate 1

flow-export delay flow-create 30

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool VPN-L2TP-IPSEC-POOL 10.250.0.4-10.250.0.14 mask 255.255.255.224

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static web03-p8080 merlin-67.77 service www http-8080

!

object network 172.16.0.0

nat (inside,outside) dynamic interface

object network 10.10.10.1

nat (inside,outside) dynamic interface

object network 10.10.10.9

nat (inside,outside) dynamic interface

object network 10.7.0.0

nat (inside,outside) dynamic interface

object network 10.10.10.46

nat (inside,outside) dynamic interface

object network 10.11.0.0

nat (inside,outside) dynamic interface

object network helpdesk.domain.com

nat (any,any) static merlin-67.123

object network intermapper.domain.com

nat (any,any) static merlin-67.120

object network library.domain.com

nat (any,any) static merlin-67.121

object network netstorage.domain.com

nat (any,any) static merlin-67.122

object network sm.domain.com

nat (any,any) static merlin-67.116

object network vibe.domain.com

nat (any,any) static merlin-67.117

object network mobilesync.domain.com

nat (any,any) static merlin-67.118

object network powerschool.domain.com

nat (any,any) static merlin-67.106

object network astaro-mail

nat (any,any) static merlin-67.106

!

nat (inside,outside) after-auto source static dan-laptop merlin-67.75

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

!

router eigrp 100

no auto-summary

eigrp stub receive-only

network 10.10.10.8 255.255.255.252

passive-interface outside

!

route outside 0.0.0.0 0.0.0.0 77.77.77.65 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

snmp-server host inside 10.5.0.150 community public version 2c udp-port 161

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

!

class-map type regex match-any http

match regex youtube

class-map type inspect http match-any http_inspect_regex

match request uri regex class http

class-map http-s

match access-list http-s

class-map type regex match-any URLBlockList

description Match Traffic for Inspection

match regex Torrent-Info_Hash

class-map type inspect http match-all asdm_medium_security_methods

match not request method head

match not request method post

match not request method get

class-map inspection_default

match default-inspection-traffic

class-map netflow-traffic

match access-list netflow-hosts

class-map type regex match-any class-limit

match regex dropbox

class-map type inspect http match-all BlockURLsClass

match request uri regex class URLBlockList

!

!

policy-map type inspect http URL

parameters

match request uri regex dropbox

  reset

policy-map global_policy

class http-s

  inspect http URL

class inspection_default

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

  inspect dns

class netflow-traffic

  flow-export event-type all destination 10.11.200.104

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map test_pol

!

service-policy global_policy global

smtp-server 10.5.0.20

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

New Member

ASA 8.4 Pat RPF-Check and HTTP Server

I think I have it figured out now. I guess I deleted too many things. I added the NAT statement back for the original object and now I can get out to the internet again, and I can only access the server using port 8080.

object network web03.domain.com

nat (inside,outside) dynamic internet.77

Without this the server could not get out onto the internet.

Thank you very much for your time, this has helped me very much.

Dan.
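How the pieces of this thread fit together, as an added example written for this page (not code from the thread, from Cisco, or from the ASA): a small Python model of the 8.3+ inbound order, in which NAT un-translation happens first and the inbound ACL is then checked against the real address and real port. The rule and ACL names, the client address and the verdict strings are constructed; the addresses and ports are the ones Dan and Julio use above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model (not ASA code) of the 8.3+ inbound pipeline discussed in
# this thread: un-translate first, then check the ACL against REAL IP and port.

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class NatRule:
    real_ip: str
    mapped_ip: str
    static: bool                      # static = bidirectional, dynamic = outbound only
    real_port: Optional[int] = None   # both ports None = 1:1 for every port
    mapped_port: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    dst_ip: str    # on 8.3+ the ACL names the real (inside) IP ...
    dst_port: int  # ... and the real port, not the port the client typed

def untranslate(flow: Flow, rules: List[NatRule]) -> Optional[Flow]:
    """First static rule whose mapped side matches wins; rules are in ASA section order."""
    for r in rules:
        if not r.static or r.mapped_ip != flow.dst_ip:
            continue  # dynamic rules never build an inbound xlate
        if r.mapped_port is None:
            return Flow(flow.src_ip, r.real_ip, flow.dst_port)  # 1:1, every port leaks through
        if r.mapped_port == flow.dst_port:
            return Flow(flow.src_ip, r.real_ip, r.real_port)  # port-forward 8080 -> 80
    return None

def inbound_decision(flow: Flow, rules: List[NatRule], acl: List[Ace]) -> str:
    if any(r.real_ip == flow.dst_ip for r in rules):
        # Packet aimed straight at an inside address that a NAT rule says must appear
        # translated: what packet-tracer reports when run against the private IP.
        return "DROP nat-rpf-check"
    real = untranslate(flow, rules)
    if real is None:
        return "DROP no-xlate"  # mapped address, but no static rule covers this port
    for ace in acl:
        if ace.dst_ip == real.dst_ip and ace.dst_port == real.dst_port:
            return f"PERMIT -> {real.dst_ip}:{real.dst_port}"
    # The 106023 lines above: the deny names dst .13/80 because the ACL saw the real port.
    return f"DENY by access-group (real {real.dst_ip}:{real.dst_port})"

# Rules from the thread, in the order the ASA keeps them (twice NAT before after-auto).
PAT_8080 = NatRule("10.5.0.13", "77.77.77.77", True, 80, 8080)  # ... service www http-8080
STATIC_1TO1 = NatRule("10.5.0.13", "77.77.77.77", True)         # after-auto source static web03 internet.77
DYNAMIC_OUT = NatRule("10.5.0.13", "77.77.77.77", False)        # nat (inside,outside) dynamic internet.77
ACL_MAPPED_PORT = [Ace("10.5.0.13", 8080)]  # permit object http-proxy (destination eq 8080)
ACL_REAL_PORT = [Ace("10.5.0.13", 80)]      # permit tcp any host 10.5.0.13 eq 80

def scenarios() -> dict:
    client = "68.121.131.81"  # constructed outside client, as in the thread's log lines
    to_8080 = Flow(client, "77.77.77.77", 8080)
    to_80 = Flow(client, "77.77.77.77", 80)
    return {
        "acl_written_for_mapped_port": inbound_decision(to_8080, [PAT_8080, STATIC_1TO1], ACL_MAPPED_PORT),
        "acl_written_for_real_port": inbound_decision(to_8080, [PAT_8080, STATIC_1TO1], ACL_REAL_PORT),
        "port_80_leaks_via_static_1to1": inbound_decision(to_80, [PAT_8080, STATIC_1TO1], ACL_REAL_PORT),
        "port_80_closed_with_dynamic": inbound_decision(to_80, [PAT_8080, DYNAMIC_OUT], ACL_REAL_PORT),
        "tracer_against_private_ip": inbound_decision(Flow(client, "10.5.0.13", 80), [PAT_8080, DYNAMIC_OUT], ACL_REAL_PORT),
    }
```

The third and fourth scenarios are the fix Dan arrives at: the after-auto 1:1 static makes every port of 77.77.77.77 reach the server, while a dynamic rule gives the server its outbound access without opening an inbound path.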

ASA 8.4 Pat RPF-Check and HTTP Server

I think I have it figured out now

Sure, glad I could help.
