Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 9.1(4) access-list and nat issue

Hello,

I have a very weird issue.  Here what I am trying to accomplish:

-  inside server:  192.168.1.84

-  outside server:  94.95.96.97

-  port 2222 is open on the inside server

94.95.96.97:2222 should go to 192.168.1.84:2222 and is allowed from ANY host on the internet

94.95.96.97:22 should go to 192.168.1.84:2222 and is ONLY  allowed from 11.11.11.11

here are my rules

object network OUTSIDE_IP

host 94.95.96.97

object network ACCESS_ON_22

host 192.168.1.84

nat (inside,outside) static OUTSIDE_IP service tcp 2222 22

object network ACCESS_ON_2222

host 192.168.1.84

nat (inside,outside) static OUTSIDE_IP service tcp 2222 2222

access-list outside_access_in extended permit tcp any object ACCESS_ON_2222 eq 2222

access-list outside_access_in extended permit tcp host 11.11.11.11 object ACCESS_ON_22 eq 2222

And here is the issue:

The host restriction access-list (11.11.11.11) only works when I remove the first access list.  Otherwise, any external host can access 94.95.96.97:22 and get to 192.168.1.84:2222.  I also notice that by leaving only the second access-list rule host 11.11.11.11 can get to port 2222 and 22!  Again, i need ANY host to be able to access 192.168.1.84:2222 and only 11.11.11.11 to access 192.168.1.84:22.  Can you point to what I am doing wrong or is it a bug with ASA 9.1(5)?

PS.  this is my first ever post so excuse me if I am not being very clear or not formatting things properly

3 REPLIES
New Member

ASA 9.1(4) access-list and nat issue

Hi Alex,

This not a bug in the code. The issue here is that the real port in both cases is the same i.e, 2222. On ASA versions 8.3 and above the access-list uses the real ports and IP addresses to allow traffic to an internal host.

Having configured both NAT statements the ASA on the outside interface is already actively listening for port 22 and 2222 connections on the public IP address of 94.95.96.97. Now, when traffic from 11.11.11.11 comes in on port either ports the NAT rule is passed and the first access list entry makes sure that all traffic to the internal server is permitted irrespective of what ACL is configured below it.

If you run "show access-list outside_access_in", you will see no hit counts on the second rule. This is because the traffic from 11.11.11.11 also qualifies to hit the first rule and since it appears first, the second rule becomes redundant.

I'll check to see if we can blackhole the traffic from 11.11.11.11 on port 2222 specifically so that this traffic gets denied.

So the conclusion is that what you see in this case is expected behavior based on the code that you are running.

-Swaraj

New Member

ASA 9.1(4) access-list and nat issue

Thank you for a very quick reply, Swaraj!

This is what I suspected.  Although, I was hoping that object network name in the access-list would make the difference. 

> I'll check to see if we can blackhole the traffic from 11.11.11.11 on port 2222 specifically so that this traffic gets denied.

I think this is the opposite of what I am trying to accomplish.  I want 11.11.11.11 to be the ONLY host to have access on port 22.  All other hosts including 11.11.11.11 should be able to access port 2222. 

Alex

New Member

Re: ASA 9.1(4) access-list and nat issue

I am still unable to get around this issue.  I am back to thinking that this is a bug and unexpected behaviour.  Logically, ANY traffic coming on outside port 22 should only trigger the following object network and access list:

object network ACCESS_ON_22

host 192.168.1.84

nat (inside,outside) static OUTSIDE_IP service tcp 2222 22

access-list outside_access_in extended permit tcp host 11.11.11.11 object ACCESS_ON_22 eq 2222

I am just not sure how can traffic coming in outside port 22 trigger a nat and access list rule that strictly refers to outside port 2222.  It makes very little sense or I simply don't understand the logic behind it.  At any rate, how would one propely deal with a situation like mine.  I am sure I'm not the only one out there!

477
Views
0
Helpful
3
Replies