ASA5510_Ver 8.3 cannot forward ports

khanhlaan
Level 1

ASA is 5510, ver 8.3(1), I can't forward ports (www, ftp) from outside to DMZ.

My configuration:

outside:  IP Public (X.X.X.X)
DMZ:  10.10.10.0/24

access-list outside-in extended permit tcp any interface outside eq www
access-group outside-in in interface outside

nat (DMZ,outside) source dynamic DMZ interface

object network WEB
  host 10.10.10.5
  nat (DMZ,outside) static interface service tcp www www


asa#sh xlate type static
TCP PAT from DMZ:10.10.10.5 80-80 to outside:X.X.X.X 80-80

asa#sh nat
  (DMZ) to (outside) source static WEB interface service tcp www www
    translate_hits = 0, untranslate_hits = 0

asa#sh access-list
access-list outside-in line 2 extended permit tcp any interface outside eq www (hitcnt=0) 0xacb645cb

******************************************************************

Syslog: ASA-3-710003: TCP access denied by ACL from Y.Y.Y.Y/64141 to outside:X.X.X.X/80

******************************************************************
ASA# packet-tracer input outside tcp X.X.X.X 80 10.10.10.5 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0     255.255.255.0   DMZ

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xa88943e0, priority=500, domain=permit, deny=true
        hits=11, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=X.X.X.X, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

*************************************************

In the access-list, I've changed the destination to the real IP (10.10.10.5) or to the public IP; the result was the same.

I don't know what mistake is in my configuration. Could anyone help me?

Thank you very much for your help.


8 Replies

The destination address in the ACL has to be the real IP of the server. And upgrade the ASA to something newer. 8.3(1) was probably the worst version ever on the ASA.

Dear Karsten Iwen,

Yes, I've replaced it with the real IP in the ACL, but everything is still the same as before.

I think port forwarding is a normal feature on every firewall; should I upgrade the ASA to a newer version?

Show your actual config (at least NAT/ACL). And yes, you should upgrade.

Dear Karsten Iwen

ASA's ACL/NAT:

ASA Version 8.3(1)

interface Ethernet0/0
 description WAN1
 duplex full
 nameif outside
 security-level 0
 pppoe client vpdn group WAN1
 ip address pppoe
!

interface Ethernet0/2.5
 description DMZ
 vlan 5
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!

access-list outside-in extended permit tcp any host 10.10.10.5 eq www
access-list outside-in extended permit tcp any host 10.10.10.5 eq ftp

access-group outside-in in interface outside

object network DMZ_NET
 subnet 10.10.10.0 255.255.255.0

nat (DMZ,outside) source dynamic DMZ_NET interface

object network WEB
  host 10.10.10.5
  nat (DMZ,outside) static interface service tcp www www
object network FTP
  host 10.10.10.5
  nat (DMZ,outside) static interface service tcp ftp ftp
*************************************************
I've checked NAT (show nat detail, show xlate, ...); the translation is OK. DMZ to the Internet is OK, and the Internet can ping the outside interface.
Show access-list:
  access-list outside-in line 2 extended permit tcp any host 10.10.10.5 eq www (hitcnt=0) 0xacb645cb
  access-list outside-in line 3 extended permit tcp any host 10.10.10.5 eq ftp (hitcnt=0) 0xea857100

Packet-tracer: Web & FTP were dropped at ACCESS-LIST (phase 2 or 3) with the Implicit Rule.
Does the Implicit Rule have anything to do with NAT?

Port forwarding is a basic function of the ASA; should I upgrade?
Thanks for your reply.

Your object NAT is fine, but the following rule is wrong:

nat (DMZ,outside) source dynamic DMZ_NET interface

That one needs to go to the end of the NAT-List:

no nat (DMZ,outside) source dynamic DMZ_NET interface
nat (DMZ,outside) after-auto source dynamic DMZ_NET interface
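The two points made in this thread (the ACL must reference the real IP, and a dynamic manual NAT rule placed in section 1 is matched before the object NAT in section 2) can be illustrated with a small model of the ASA 8.3 rule ordering. The code below is an added example, not Cisco code or anything posted in the thread; it models only the documented section order (manual NAT section 1, auto NAT section 2, manual after-auto section 3), first-match semantics, and the fact that the interface ACL is evaluated against the real (untranslated) destination. 203.0.113.10 is a constructed stand-in for the outside address X.X.X.X.

```python
"""Simplified model of ASA 8.3+ inbound NAT lookup and post-NAT ACL evaluation.

Added illustration, not Cisco code. Model assumptions are marked below.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IP = "203.0.113.10"   # constructed stand-in for the outside interface IP (X.X.X.X)
WEB_HOST = "10.10.10.5"       # real address of the DMZ web server from the thread


@dataclass(frozen=True)
class NatRule:
    section: int              # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    kind: str                 # "static" or "dynamic"
    real: str                 # real host or network the rule translates
    mapped: str               # mapped address ("interface" PAT maps to the outside IP)
    port: Optional[int] = None  # service port for static PAT ("service tcp www www" -> 80)

    def matches_inbound(self, dst_ip: str, dst_port: int) -> bool:
        # Inbound packets are matched against the mapped side of the rule.
        return dst_ip == self.mapped and (self.port is None or self.port == dst_port)


@dataclass(frozen=True)
class AclEntry:
    dst_host: str             # destination host as written in the ACE
    dst_port: int


def untranslate(rules: List[NatRule], dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the real destination for an inbound packet, or None if no usable rule hits first.

    Model assumption: rules are walked in section order and the first match wins.
    A dynamic PAT rule that matches in the inbound direction cannot build a reverse
    translation for a new connection, so the destination stays untranslated (None)
    instead of falling through to a later static rule.
    """
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.matches_inbound(dst_ip, dst_port):
            return rule.real if rule.kind == "static" else None
    return None


def trace(rules: List[NatRule], acl: List[AclEntry], dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Mimic the NAT + ACCESS-LIST phases of packet-tracer for an inbound TCP packet."""
    real_dst = untranslate(rules, dst_ip, dst_port)
    if real_dst is None:
        return "DROP", "no static NAT rule hit first; destination left as the mapped address"
    # The interface ACL is evaluated against the real (post-untranslate) destination.
    for ace in acl:
        if ace.dst_host == real_dst and ace.dst_port == dst_port:
            return "ALLOW", f"ACE permit tcp any host {real_dst} eq {dst_port}"
    return "DROP", "implicit deny: no ACE matches the real destination"


def broken_config() -> List[NatRule]:
    """Dynamic PAT in manual section 1, as in the original post."""
    return [
        NatRule(1, "dynamic", "10.10.10.0/24", OUTSIDE_IP),
        NatRule(2, "static", WEB_HOST, OUTSIDE_IP, 80),
    ]


def fixed_config() -> List[NatRule]:
    """Same rules after 'nat (DMZ,outside) after-auto ...' moves the PAT to section 3."""
    return [
        NatRule(3, "dynamic", "10.10.10.0/24", OUTSIDE_IP),
        NatRule(2, "static", WEB_HOST, OUTSIDE_IP, 80),
    ]


ACL_REAL_IP = [AclEntry(WEB_HOST, 80)]       # 8.3 style: real IP as destination
ACL_MAPPED_IP = [AclEntry(OUTSIDE_IP, 80)]   # pre-8.3 style: mapped IP as destination


if __name__ == "__main__":
    for label, rules, acl in [
        ("dynamic PAT in section 1, ACL on real IP", broken_config(), ACL_REAL_IP),
        ("after-auto PAT, ACL on real IP", fixed_config(), ACL_REAL_IP),
        ("after-auto PAT, ACL on mapped IP", fixed_config(), ACL_MAPPED_IP),
    ]:
        print(f"{label}: {trace(rules, acl, OUTSIDE_IP, 80)}")
```

Only the combination of the static rule winning the inbound lookup and an ACE written against the real host yields ALLOW; either mistake alone produces the implicit-deny drop seen in the thread's packet-tracer output.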


Dear Karsten Iwen

I've configured: nat (DMZ,outside) after-auto source dynamic DMZ_NET interface

The result was still the same.

Did you remove the old rule? Please show your complete NAT config.

Sorry Karsten Iwen, I haven't been at work lately.

Yes, I removed the old rule. show nat detail:

Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic LAN_NET interface
    translate_hits = 1214968, untranslate_hits = 115784
   Source - Origin: 192.168.100.0/24, Translated: X.X.X.X/32

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static FTP interface service tcp ftp ftp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.5/32, Translated: X.X.X.X/32
    Service - Protocol: tcp Real: ftp Mapped: ftp
2 (DMZ) to (outside) source static WEB interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.5/32, Translated: X.X.X.X/32
    Service - Protocol: tcp Real: www Mapped: www

Manual NAT Policies (Section 3)
1 (DMZ) to (outside) source dynamic DMZ_NET interface
    translate_hits = 2103, untranslate_hits = 8
    Source - Origin: 10.10.10.0/24, Translated: X.X.X.X/32

I've read the syslog and realized that something is wrong:
WEB: ASA-3-710003: TCP access denied by ACL from 123.17.96.224/64141 to outside:X.X.X.X/80
FTP:  ASA-2-106016: Deny IP spoof from (X.X.X.X) to 10.10.10.5 on interface outside

For WEB the packet was dropped at outside, but for FTP the packet was dropped behind outside, although they were configured with the same ACL/NAT rules.
Do you know which ASA functions can affect NAT/ACL?
Thanks for your help.
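The two syslog messages quoted in this post carry the most useful diagnostic information in the thread, and the way to read them generalises to any ASA port-forward problem: %ASA-3-710003 is logged when a connection is treated as destined to the ASA's own interface address (to-the-box traffic), which means the destination was not untranslated to a real host before the ACL check, while %ASA-2-106016 is logged when a packet fails the anti-spoof check, here because its source address is the firewall's own outside address. The parser below is an added example, not part of the thread; the log lines are constructed in the shape of the quoted messages, with 203.0.113.10 standing in for X.X.X.X and 198.51.100.7 for the remote client.

```python
"""Parse ASA deny messages relevant to a failing inbound port-forward and explain them.

Added example; regexes follow the message shapes quoted in the thread. Sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# %ASA-3-710003: <proto> access denied by ACL from <src>/<sport> to <ifc>:<dst>/<dport>
TO_BOX_DENY = re.compile(
    r"%?ASA-(?P<sev>\d)-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# %ASA-2-106016: Deny IP spoof from (<src>) to <dst> on interface <ifc>
SPOOF_DENY = re.compile(
    r"%?ASA-(?P<sev>\d)-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to "
    r"(?P<dst>[\d.]+) on interface (?P<ifc>\w+)"
)

# Constructed sample log; the third line is an unrelated message the parser should ignore.
SAMPLE_LOG = [
    "Jan  1 10:00:01 asa %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/64141 to outside:203.0.113.10/80",
    "Jan  1 10:00:02 asa %ASA-2-106016: Deny IP spoof from (203.0.113.10) to 10.10.10.5 on interface outside",
    "Jan  1 10:00:03 asa %ASA-6-302013: Built inbound TCP connection 42 for outside:198.51.100.7/4000 (198.51.100.7/4000) to DMZ:10.10.10.5/80 (203.0.113.10/80)",
]


@dataclass(frozen=True)
class AsaEvent:
    msg_id: str
    severity: int
    src: str
    dst: str
    ifc: str
    dport: Optional[int]      # only 710003 carries a destination port


def parse_line(line: str) -> Optional[AsaEvent]:
    """Return an AsaEvent for the two deny messages of interest, None for anything else."""
    m = TO_BOX_DENY.search(line)
    if m:
        return AsaEvent("710003", int(m["sev"]), m["src"], m["dst"], m["ifc"], int(m["dport"]))
    m = SPOOF_DENY.search(line)
    if m:
        return AsaEvent("106016", int(m["sev"]), m["src"], m["dst"], m["ifc"], None)
    return None


def explain(ev: AsaEvent, interface_ips: Set[str]) -> str:
    """Turn a parsed deny into a plain-language finding a firewall admin can act on."""
    if ev.msg_id == "710003" and ev.dst in interface_ips:
        return (f"{ev.ifc}:{ev.dst}/{ev.dport} from {ev.src}: treated as to-the-box traffic; "
                "NAT did not untranslate the mapped address to a real host before the ACL check")
    if ev.msg_id == "106016" and ev.src in interface_ips:
        return (f"packet to {ev.dst} on {ev.ifc} sourced from {ev.src}: source is the firewall's "
                "own interface address, so the anti-spoof check drops it (check the test source)")
    return f"{ev.msg_id} on {ev.ifc}: {ev.src} -> {ev.dst} denied"


def analyze(lines: List[str], interface_ips: Set[str]) -> List[str]:
    """Parse every line and return one finding per recognised deny message."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev is not None]
    return [explain(ev, interface_ips) for ev in events]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, {"203.0.113.10", "10.10.10.1"}):
        print(finding)
```

Feeding the real syslog stream (or `show logging` output) into `analyze()` with the set of interface addresses separates the two failure modes the poster saw: a 710003 against the outside address says the NAT untranslate never happened, while a 106016 whose source is an interface address says the test packet itself was malformed rather than the NAT or ACL being wrong.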
