11968 Views · 0 Helpful · 15 Replies

Cannot port forward 80 443 (ASA 5510 V8)

Boian Soloviov
Level 1

Hi,

an internal (inside) server has to be accessible from outside. Following the descriptions here

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html

a static nat with PAT for tcp 80+443 as well as appropriate ACLs were created.

Not working.

Checked with packet trace both incoming and outgoing directions:

Without a problem. (ACL allowed, the right NAT translations)

Changed ASDM to port 8080 (was never allowed on outside anyways)

Changed webvpn to port 4433 (was never activated anyways):

Still not working.

Checked the server's firewall as well: the scopes are for "any" Internally accessible on both ports.

Disabled the server's firewall.

No avail.

What could I be missing?

Thanks in advance!

1 Accepted Solution

Hi Boian,

Ok, you have a few problems - but all with the same root issue.

When you overload on an Interface IP, you need to leverage the keyword "interface" in both the static and ACL statements.

For example, if you want to allow users to connect to the outside interface on TCP/80 and have that PATed to an internal web server on port 80, you must use the syntax:

   static (inside,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255

Additionally, when you permit the traffic inbound to the outside interface, you need to leverage the 'interface' keyword:

   access-list OUTSIDE_IN extended permit tcp any interface outside eq www

Sincerely,


David.

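As an added example (not from the thread, and not Cisco's own tooling), a small Python audit that flags the two forms David calls out: a static whose mapped address is the outside interface's literal IP instead of the `interface` keyword, and an inbound ACL entry written as `host <interface-ip>` instead of `interface outside`. The config it reads is constructed in the style of the thread's `sh run`, with a placeholder public address and the assumed object names `PROBLEM_SERVER` and `outside-interface`.

```python
"""Audit an ASA 8.x config for interface-PAT rules that reference the outside
interface's address literally rather than via the 'interface' keyword."""
import re

# Constructed sample modelled on the thread's config; 203.0.113.10 is a placeholder public IP.
SAMPLE_CONFIG = """\
name 192.168.0.2 PROBLEM_SERVER
name 203.0.113.10 outside-interface description public IP address
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address outside-interface 255.255.255.248
static (inside,outside) outside-interface PROBLEM_SERVER netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host outside-interface eq www
access-list OUTSIDE_IN extended permit tcp any host outside-interface eq https
access-list OUTSIDE_IN extended permit tcp any interface outside eq 8443
access-group OUTSIDE_IN in interface outside
"""

STATIC_FIX = "static (inside,outside) tcp interface <port> <real-ip> <port> netmask 255.255.255.255"


def name_map(cfg):
    """Map ASA 'name' aliases to the addresses they stand for."""
    return {alias: addr for addr, alias in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}


def resolve(token, aliases):
    """Turn an alias into its address; literal addresses pass through unchanged."""
    return aliases.get(token, token)


def interface_ip(cfg, aliases, nameif="outside"):
    """Return the address configured on the interface whose nameif is `nameif`, or None."""
    current = None
    for line in cfg.splitlines():
        toks = line.split()
        if toks[:1] == ["nameif"]:
            current = toks[1]
        elif toks[:2] == ["ip", "address"] and current == nameif:
            return resolve(toks[2], aliases)
    return None


def audit(cfg):
    """Return (kind, offending_line, suggested_fix) for every rule that names the
    outside interface's IP where the ASA needs the 'interface' keyword."""
    aliases = name_map(cfg)
    out_ip = interface_ip(cfg, aliases)
    findings = []
    for line in cfg.splitlines():
        toks = line.split()
        if toks[:1] == ["static"] and len(toks) > 3:
            # With a protocol the mapped address is the 4th token, otherwise the 3rd.
            mapped = toks[3] if toks[2] in ("tcp", "udp") else toks[2]
            if mapped != "interface" and resolve(mapped, aliases) == out_ip:
                findings.append(("static", line, STATIC_FIX))
        elif toks[:1] == ["access-list"]:
            m = re.search(r"\bhost (\S+)", line)
            if m and resolve(m.group(1), aliases) == out_ip:
                findings.append(("access-list", line, re.sub(r"\bhost \S+", "interface outside", line)))
    return findings


if __name__ == "__main__":
    for kind, bad, fix in audit(SAMPLE_CONFIG):
        print(f"[{kind}] {bad}\n    -> {fix}")
```

Run against a real `show running-config`, the script reports only the static and ACL lines that need rewriting; the `interface outside eq 8443` line in the sample passes because it already uses the keyword.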

15 Replies

Jouni Forss
VIP Alumni

Hi,

Could we see the configurations, the "packet-tracer" command used and the output of that/those commands.

- Jouni

Hi and thanks for the fast reply.

The packet-tracer wasn't having any problems as I configured the nat as "static (inside,outside)" pointing to an additional public IP address. Since there were more services (such as SMTP) connected to outside servers, the company told me to nat over the primary public IP that is assigned to the outside interface. The result is even worse, since now the ACL implicit deny is stopping me. I added an explicit deny with log just to get to the description, but still don't get it.

OK I swapped the external IP for X.X.X.X, truncated sensitive info with [trunc] and send here the console output and the config.

ASA# packet-tracer input outside tcp 8.8.8.8 1056 X.X.X.X 443 detailed

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,outside) outside-interface PROBLEM_SERVER netmask 255.255.255.255 norandomseq

nat-control

  match ip inside host PROBLEM_SERVER outside any

    static translation to outside-interface

    translate_hits = 2166, untranslate_hits = 1361

Additional Information:

NAT divert to egress interface inside

Untranslate outside-interface/0 to PROBLEM_SERVER/0 using netmask 255.255.255.255

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   outside-interface 255.255.255.255 identity

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd5120ed0, priority=0, domain=permit, deny=true

        hits=3335, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ASA# sh access-list | i 0xd5120ed0

ASA# sh access-list OUTSIDE_IN

access-list OUTSIDE_IN; 4 elements

access-list OUTSIDE_IN line 1 remark allow echo requests

access-list OUTSIDE_IN line 2 extended permit icmp any host outside-interface echo log informational interval 300 (hitcnt=0) 0x3d8de1bc

access-list OUTSIDE_IN line 3 remark allow web to internal server

access-list OUTSIDE_IN line 4 extended permit tcp any host outside-interface eq www (hitcnt=0) 0x3fce57d6

access-list OUTSIDE_IN line 5 remark allow https to internal server

access-list OUTSIDE_IN line 6 extended permit tcp any host outside-interface eq https (hitcnt=0) 0xf5acf247

access-list OUTSIDE_IN line 7 remark default deny with log

access-list OUTSIDE_IN line 8 extended deny ip any any log informational interval 300 (hitcnt=2) 0x2dc51227

ASA#

########################

ASA# sh run

: Saved

:

ASA Version 8.0(2)

!

hostname ASA

domain-name [trunc]

enable password [trunc] encrypted

names

name 192.168.34.0 farm-lan

[trunc]

name 172.16.1.254 asa-mgmgt-interface description Management Interface

name [X.X.X.X] outside-interface description public IP address

name 10.0.1.0 testo-lan

name 192.168.0.0 inside-lan

name 10.0.0.0 labs-lan

name 192.168.52.0 guest-lan

name 172.16.1.0 admin-lan

name 10.0.1.254 ASA-testo-GW

name 10.0.1.10 testo-base

[trunc]

name 192.168.0.2 PROBLEM_SERVER

[trunc]

name 10.0.0.254 ASA-labs-GW

!

interface Ethernet0/0

description network for guests

nameif guest

security-level 50

ip address 192.168.52.254 255.255.255.0

!

interface Ethernet0/1

description internal VLAN trunk

no nameif

no security-level

no ip address

!

interface Ethernet0/1.3

description labs-lan

vlan 3

nameif labs

security-level 100

ip address ASA-labs-GW 255.255.255.0

!

interface Ethernet0/1.4

description testo-lan

vlan 4

nameif testo

security-level 100

ip address ASA-testo-GW 255.255.255.0

!

interface Ethernet0/1.7

description inside-lan

vlan 7

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

!

interface Ethernet0/2

description WAN

nameif outside

security-level 0

ip address outside-interface 255.255.255.248

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address asa-mgmgt-interface 255.255.255.0

management-only

!

passwd [trunc] encrypted

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring

dns server-group DefaultDNS

domain-name [trunc]

same-security-traffic permit inter-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

port-object eq www

port-object eq https

port-object eq 993

port-object eq imap4

port-object eq 5223

port-object eq 587

object-group network ASA-LAN-interface

description inside interface from router

network-object host 192.168.0.254

object-group network Private-IP-Range

description RFC 1918

network-object labs-lan 255.0.0.0

network-object 172.16.0.0 255.240.0.0

network-object inside-lan 255.255.0.0

object-group network admin-stations

[trunc]

object-group network Servers

network-object host PROBLEM_SERVER

object-group service imapssl tcp

description encrypted imap

port-object eq 993

object-group service authsmtp tcp

description iCloud authenticated SMTP

port-object eq 587

object-group service iclouddav tcp

description iCloud DAV sync for calender etc

port-object eq 5223

access-list INSIDE_OUT remark permits ip access to ASA LAN interface

access-list INSIDE_OUT extended permit ip inside-lan 255.255.255.0 object-group ASA-LAN-interface log disable

access-list INSIDE_OUT remark permit snmp access from LAN to ASA

access-list INSIDE_OUT extended permit udp inside-lan 255.255.255.0 object-group ASA-LAN-interface eq snmp log disable

access-list INSIDE_OUT remark permits ping access to ASA LAN interface

access-list INSIDE_OUT extended permit icmp inside-lan 255.255.255.0 object-group ASA-LAN-interface echo log disable

access-list INSIDE_OUT remark allow network testing for all

access-list INSIDE_OUT extended permit icmp inside-lan 255.255.255.0 any log disable

access-list INSIDE_OUT remark testing workstations

access-list INSIDE_OUT extended permit ip object-group admin-stations any log disable

access-list INSIDE_OUT remark DNS lookup

access-list INSIDE_OUT extended permit object-group TCPUDP object-group Servers any eq domain log disable

access-list INSIDE_OUT remark time sync with outside world

access-list INSIDE_OUT extended permit udp host PROBLEM_SERVER any eq ntp log disable

access-list INSIDE_OUT remark allow PROBLEM_SERVER SMTP outside

access-list INSIDE_OUT extended permit tcp host PROBLEM_SERVER any eq smtp log disable

access-list INSIDE_OUT remark allow PROBLEM_SERVER any traffic testing

access-list INSIDE_OUT extended permit tcp host PROBLEM_SERVER any

access-list INSIDE_OUT remark permits web access

access-list INSIDE_OUT extended permit tcp inside-lan 255.255.255.0 any object-group DM_INLINE_TCP_1 log disable

access-list INSIDE_OUT remark default deny with log

access-list INSIDE_OUT extended deny ip any any log

[trunc]

access-list OUTSIDE_IN remark allow echo requests

access-list OUTSIDE_IN extended permit icmp any host outside-interface echo log

access-list OUTSIDE_IN remark allow web to internal server

access-list OUTSIDE_IN extended permit tcp any host outside-interface eq www

access-list OUTSIDE_IN remark allow https to internal server

access-list OUTSIDE_IN extended permit tcp any host outside-interface eq https

access-list OUTSIDE_IN remark default deny with log

access-list OUTSIDE_IN extended deny ip any any log informational interval 300

pager lines 24

logging enable

logging timestamp

logging trap warnings

logging asdm informational

logging host inside [trunc]

logging debug-trace

mtu guest 1500

mtu labs 1500

mtu testo 1500

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool VPN_IP_Pool 192.168.0.210-192.168.0.220 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

global (outside) 2 [trunc] netmask 255.0.0.0

nat (guest) 2 guest-lan 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 inside-lan 255.255.255.0

static (labs,inside) labs-lan labs-lan netmask 255.255.255.0 norandomseq

static (testo,inside) testo-lan testo-lan netmask 255.255.255.0 norandomseq

static (inside,outside) outside-interface PROBLEM_SERVER netmask 255.255.255.255 norandomseq

static (inside,testo) inside-lan inside-lan netmask 255.255.255.0 norandomseq

static (inside,labs) inside-lan inside-lan netmask 255.255.255.0 norandomseq

[trunc]

access-group INSIDE_OUT in interface inside

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 [trunc] 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable 8080

http admin-lan 255.255.255.0 management

http inside-lan 255.255.255.0 inside

snmp-server host inside excalibur community public

snmp-server location Germany

snmp-server contact admin@febit.de

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

[trunc]

no crypto isakmp nat-traversal

telnet admin-lan 255.255.255.0 management

telnet timeout 5

ssh inside-lan 255.255.255.0 inside

ssh admin-lan 255.255.255.0 management

ssh timeout 15

ssh version 2

console timeout 0

management-access management

dhcpd address 192.168.52.10-192.168.52.30 guest

dhcpd dns [trunc] interface guest

dhcpd lease 14400 interface guest

dhcpd enable guest

!

threat-detection basic-threat

threat-detection statistics

!

class-map internal_routing_map

description disables SYN randomization for internal routes

match access-list internal_routing_acl

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 4096

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect rsh

  inspect sip

  inspect netbios

  inspect icmp

  inspect http

policy-map internal_routing_policy

class internal_routing_map

  set connection random-sequence-number disable

!

service-policy global_policy global

service-policy internal_routing_policy interface inside

webvpn

port 4433

dtls port 4433

[trunc]

: end

ASA# 


Hello David, thank you very much for the prompt reaction!!!

I still cannot make this thing work, even with your advice. Somehow I cannot get a single hitcount on the WWW and HTTPS rules; every time I (or other external PCs) try to connect they land on line 8 of the ACL. VERY WEIRD!

I tried with browser and tried even telnet IP... 80 / 433 respectively. No way to get through!

ASA# sh run | i static

static (inside,outside) tcp interface www PROBLEM_SERVER www netmask 255.255.255.255  norandomseq

static (inside,outside) tcp interface https PROBLEM_SERVER https netmask 255.255.255.255  norandomseq

static (labs,inside) labs-lan labs-lan netmask 255.255.255.0 norandomseq

static (testo,inside) testo-lan testo-lan netmask 255.255.255.0 norandomseq

static (inside,testo) inside-lan inside-lan netmask 255.255.255.0 norandomseq

static (inside,labs) inside-lan inside-lan netmask 255.255.255.0 norandomseq

ASA#

ASA# sh access-list OUTSIDE_IN

access-list OUTSIDE_IN; 4 elements

access-list OUTSIDE_IN line 1 remark allow echo requests

access-list OUTSIDE_IN line 2 extended permit icmp any interface outside echo log informational interval 300 (hitcnt=0) 0xe2af2171

access-list OUTSIDE_IN line 3 remark allow web to internal server

access-list OUTSIDE_IN line 4 extended permit tcp any interface outside eq www log informational interval 300 (hitcnt=0) 0x7c40f258

access-list OUTSIDE_IN line 5 remark allow https to internal server

access-list OUTSIDE_IN line 6 extended permit tcp any interface outside eq https log informational interval 300 (hitcnt=0) 0x503e0f80

access-list OUTSIDE_IN line 7 remark default deny with log

access-list OUTSIDE_IN line 8 extended deny ip any any log informational interval 300 (hitcnt=876) 0x2dc51227

ASA# sh xlate

287 in use, 949 most used

PAT Global outside-interface(80) Local PROBLEM_SERVER(80)

PAT Global outside-interface(443) Local PROBLEM_SERVER(443)

[etc....]

Can you capture the syslogs (at level 6) when you attempt to access the web server from the outside?  That should help clear things up.

You can also try running packet-tracer sourced from the outside client, destined to the outside interface IP on tcp/80 to see what it shows.

Sincerely,

David.

Hello David, the syslog obviously records "TCP access denied by ACL". But I still cannot see what is wrong with mine...

Hi Boian,

Please note that I CAN SOLVE YOUR PROBLEM, but only if you supply the information I request.

If the syslog includes the text, "TCP access denied by ACL", then I must assume that this is syslog 710003, in which case you are not hitting the interface ACL, but instead an implicit ACL which is applied to traffic destined "to-us" for services the ASA hosts.

But, this shouldn't be happening, as a static PAT statement will override locally hosted services.

Can you check the output of "show nat"?

Sincerely,

David.

Hi David, sorry, my output was shortened: you are correct:

%ASA-3-710003: TCP access denied by ACL from ZZZZ/65344 to inside:XXXX/443

Yes, this was implicit ACL: look at the dump above that I provided:

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd5120ed0, priority=0, domain=permit, deny=true

        hits=3335, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

As you can imagine this ID=0xd5120ed0 does not belong to my configured ACLs

Contd. relevant excerpt of sh nat:

NAT policies on Interface inside:

  match tcp inside host PROBLEM_SERVER eq 80 outside any

    static translation to outside-interface/80

    translate_hits = 0, untranslate_hits = 0

  match tcp inside host PROBLEM_SERVER eq 443 outside any

    static translation to outside-interface/443

    translate_hits = 0, untranslate_hits = 6

  match ip inside inside-lan 255.255.255.0 inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip inside inside-lan 255.255.255.0 outside any

    dynamic translation to pool 1 (outside-interface [Interface PAT])

    translate_hits = 49192, untranslate_hits = 2850

Sorry for the bad language, David, already tired.

The packet-tracer (see above) is not correct. Believe it or not, I called an external partner and he could actually connect to the server. What is this? I was trying to test from the internal LAN behind the inside interface and I could not do that, I could not even ping the public IP, that's why I thought the packet tracer was "judging" correct!

Why?

Hi Boian,

You will never be able to connect to the NATed/PATed (ie: Public IP) from the Inside network of the ASA.  This is just how the ASA is designed.  If your client is located off the internal interface, then you need to connect to the Real IP of the server.  If you want to test your configuration, you must test from a device located on the Outside interface.

For the syslogs, if an interface ACL was blocking the packet (even the implicit deny at the bottom), you would see syslog messages 106023 or 106100.  Syslog 710003 has a different meaning/purpose.  It is specific to access attempts to services hosted by the ASA - which essentially tells me your NAT rule is not working.

Sincerely,

David.

Hmm, but what other services can be hosted on ports 80 & 443? OK, I have to go now, so thanks a lot and I will update & give feedback tomorrow!

Hi Boian,

Can you confirm that the server is accessible externally?  Since you said a partner was able to access it?

Note: You cannot access the server by its NATed/PATed IP from the inside.

Sincerely,

David.

Hi David,

yes, I can confirm that with the "interface" settings the server is accessible now. I marked your first answer as correct.

Thanks a million!
