11-06-2013 10:38 AM - edited 03-11-2019 08:01 PM
I am trying to set up NAT/PAT for access to a webserver behind the ASA. (Running 8.4)
I have a single Static IP on the outside interface (70.102.23.xxx) and I have a webserver with an IP of 192.168.0.1 and I need to make sure all http requests are sent to it.
I can do this in an IOS router pretty well, but in the ASA I seem to get turned around pretty easily. I would like to do it via CLI but will accept help with doing it via ASDM as well.
I already have created an access list to allow the traffic to the webserver.
access-list outside_access_in extended permit udp any any eq www
access-list outside_access_in extended permit tcp any any eq www
Thanks in advance.
Jeffrey
11-06-2013 10:53 AM
Hi,
The configuration is probably something like this
object network WEB-SERVER
host 192.168.0.1
nat (inside,outside) static interface service tcp 80 80
access-list outside_access_in permit tcp any object WEB-SERVER eq 80
For the exact form we would need to see the current firewall configuration.
If this doesn't get it to work then you should provide us with the output of the command
packet-tracer input outside tcp 1.1.1.1 12345
- Jouni
11-07-2013 07:40 AM
Here is what I got if this helps. (I will test out what you gave me soon)
*I feel there may be some stuff in there that is not needed, as all they really need is access to the webserver from the outside world, and shell access over port 39124.*
Feel free to tell me if you see something that is not needed (I was trying out ASDM and it may have put a BUNCH of crap in there that is superfluous).
object network Server
host 192.168.0.1
description Created during name migration
object network LOCAL_LAN
subnet 192.168.0.0 255.255.255.0
object network SSLVPN_NETWORK
subnet 192.168.100.0 255.255.255.0
object network WEBSERVER
host 192.168.0.1
object network 70.102.23.162
host 70.102.23.162
object service http
service tcp source eq www destination eq www
object-group service HTTP
service-object tcp source eq www
object-group service SSH
description Remote server access
service-object tcp destination eq 39124
access-list inside_access_in remark Webserver
access-list inside_access_in extended permit udp any any eq www
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in remark Webserver
access-list outside_access_in extended permit udp any object Server eq www
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in remark Remote Server access
access-list outside_access_in extended permit tcp any object Server eq 39124
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK
nat (inside,outside) source static SSLVPN_NETWORK SSLVPN_NETWORK destination static LOCAL_LAN LOCAL_LAN
!
object network LOCAL_LAN
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
11-07-2013 07:50 AM
Hi,
Seems to me that you have a basic Dynamic PAT for Internet access and NAT0 / NAT Exempt for VPN Client traffic.
Adding the Static PAT I suggested should forward the port you need. You seem to have allowed the needed traffic already
access-list outside_access_in remark Webserver
access-list outside_access_in extended permit udp any object Server eq www
access-list outside_access_in remark Remote Server access
access-list outside_access_in extended permit tcp any object Server eq 39124
Naturally you will need the Static PAT for the TCP/39124 also
object network WEB-SERVER-TCP39214
host 192.168.0.1
nat (inside,outside) static interface service tcp 39124 39124
I don't think you need the following configuration
no nat (inside,outside) source static SSLVPN_NETWORK SSLVPN_NETWORK destination static LOCAL_LAN LOCAL_LAN
- Jouni
11-07-2013 08:06 AM
So this is what I currently have in the config.
object network LOCAL_LAN
subnet 192.168.0.0 255.255.255.0
object network SSLVPN_NETWORK
subnet 192.168.100.0 255.255.255.0
object network 70.102.23.162
host 70.102.23.162
object service http
service tcp source eq www destination eq www
object network WEB-SERVER
host 192.168.0.1
object network WEB-SERVER-TCP39214
host 192.168.0.1
object-group service HTTP
service-object tcp source eq www
object-group service SSH
description Remote server access
service-object tcp destination eq 39124
access-list inside_access_in remark Webserver
access-list inside_access_in extended permit udp any any eq www
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in remark Webserver
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any object WEB-SERVER eq www
access-list outside_access_in remark WEB-SERVER
access-list outside_access_in extended permit udp any object WEB-SERVER eq www
access-list outside_access_in remark WEB-SERVER access
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124
access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK
nat (inside,outside) source static SSLVPN_NETWORK SSLVPN_NETWORK destination static LOCAL_LAN LOCAL_LAN
!
object network LOCAL_LAN
nat (inside,outside) dynamic interface
object network WEB-SERVER
nat (inside,outside) static interface service tcp www www
object network WEB-SERVER-TCP39214
nat (inside,outside) static interface service tcp 39124 39124
access-group outside_access_in in interface outside
You're saying I don't need the "no nat (inside,outside) source static SSLVPN_NETWORK SSLVPN_NETWORK destination static LOCAL_LAN LOCAL_LAN" statement?
I thought I needed to add it for both directions. Is this not true?
(I also cleaned up the network objects as you can see and got rid of the "Server" one and am just using the "WEB_SERVER" one. Is this ok? Also both packet-tracer tests passed with port 80 and 39124.)
CMNW# packet-tracer input outside tcp 1.1.1.1 12345 50.186.40.128 39124
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WEB-SERVER-TCP39214
nat (inside,outside) static interface service tcp 39124 39124
Additional Information:
NAT divert to egress interface inside
Untranslate 50.186.40.128/39124 to Server/39124
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network WEB-SERVER-TCP39214
nat (inside,outside) static interface service tcp 39124 39124
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1607, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
CMNW# packet-tracer input outside tcp 1.1.1.1 12345 50.186.40.128 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WEB-SERVER
nat (inside,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 50.186.40.128/80 to Server/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any any eq www
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network WEB-SERVER
nat (inside,outside) static interface service tcp www www
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1609, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
11-07-2013 08:15 AM
Hi,
Yes, you can use the single "object" created for the ACL rules.
With regards to the "nat" configuration I suggest you remove, it is not needed. The other "nat" configuration before it already contains everything needed. That rule is bidirectional, so only one configuration is needed for it.
Your "outside_access_in" ACL should be cleaned up a bit also
access-list outside_access_in remark Webserver
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any object WEB-SERVER eq www
access-list outside_access_in remark WEB-SERVER
access-list outside_access_in extended permit udp any object WEB-SERVER eq www
access-list outside_access_in remark WEB-SERVER access
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124
Make these changes. They remove some rules (like the one permitting ALL traffic) and then insert one of the rules at the correct line in the ACL, mostly to put the ACL in better order with regards to the "remark" lines.
no access-list outside_access_in remark Webserver
no access-list outside_access_in extended permit tcp any any eq www
no access-list outside_access_in extended permit ip any any
no access-list outside_access_in extended permit tcp any object WEB-SERVER eq www
no access-list outside_access_in extended permit udp any object WEB-SERVER eq www
access-list outside_access_in line 4 extended permit tcp any object WEB-SERVER eq www
The "packet-tracer" seems fine
Hope this helps
- Jouni
11-07-2013 08:39 AM
Hi,
Let us know if you got the connections working.
They should work even without the above ACL changes but it would be good to make the above changes.
- Jouni
11-07-2013 08:58 AM
Ok, I get what you are saying now. And I was thinking of removing those ACLs as well (they were created when I did something with the ASDM).
Here is how it stands now:
name 192.168.0.1 Server description Server
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LOCAL_LAN
subnet 192.168.0.0 255.255.255.0
object network SSLVPN_NETWORK
subnet 192.168.100.0 255.255.255.0
object network 70.102.23.162
host 70.102.23.162
object service http
service tcp source eq www destination eq www
object network WEB-SERVER
host 192.168.0.1
object network WEB-SERVER-TCP39214
host 192.168.0.1
object-group service HTTP
service-object tcp source eq www
object-group service SSH
description Remote server access
service-object tcp destination eq 39124
access-list inside_access_in remark Webserver
access-list inside_access_in extended permit udp any any eq www
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark WEB-SERVER
access-list outside_access_in extended permit tcp any object WEB-SERVER eq www
access-list outside_access_in remark WEB-SERVER access
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124
access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK
!
object network LOCAL_LAN
nat (inside,outside) dynamic interface
object network WEB-SERVER
nat (inside,outside) static interface service tcp www www
object network WEB-SERVER-TCP39214
nat (inside,outside) static interface service tcp 39124 39124
access-group outside_access_in in interface outside
Look good?
11-07-2013 09:02 AM
Hi,
Yes it looks good to me.
- Jouni
11-08-2013 12:42 PM
Hi,
Answering here with regards to your PM.
The correct default route configuration format is
route outside 0.0.0.0 0.0.0.0
- Jouni
11-08-2013 12:44 PM
So the 1 at the end is not required?
11-08-2013 12:48 PM
Hi,
It's the default value for a statically configured route. It will be added there automatically, so I don't usually enter it there. It will show up in the configuration after you have inserted the command though.
Check the output of "show run route" after you have configured a static route and you should see it.
- Jouni
11-11-2013 08:19 AM
So I made the changes above, and now I am testing everything again before heading out in an hour or so, and the packet tracer is failing
CMNW(config)# packet-tracer input outside tcp 1.1.1.1 80 70.102.23.161 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 70.102.23.160 255.255.255.252 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
CMNW(config)# packet-tracer input outside tcp 1.1.1.1 12345 70.102.23.161 39124
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 70.102.23.160 255.255.255.252 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
CMNW(config)# packet-tracer input outside tcp 1.1.1.1 80 70.102.23.161 80
What changed??
Current config:
hostname CMNW
enable password RF6LqGyeeuDAGlOY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.1 Server description Server
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.102.23.162 255.255.255.252
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LOCAL_LAN
subnet 192.168.0.0 255.255.255.0
object network SSLVPN_NETWORK
subnet 192.168.100.0 255.255.255.0
object network 70.102.23.162
host 70.102.23.162
object service http
service tcp source eq www destination eq www
object network WEB-SERVER
host 192.168.0.1
object network WEB-SERVER-TCP39214
host 192.168.0.1
object-group service HTTP
service-object tcp source eq www
object-group service SSH
description Remote server access
service-object tcp destination eq 39124
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark WEB-SERVER
access-list outside_access_in extended permit tcp any object WEB-SERVER eq www
access-list outside_access_in remark WEB-SERVER access
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124
access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK
!
object network LOCAL_LAN
nat (inside,outside) dynamic interface
object network WEB-SERVER
nat (inside,outside) static interface service tcp www www
object network WEB-SERVER-TCP39214
nat (inside,outside) static interface service tcp 39124 39124
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.102.23.161 1
11-11-2013 08:22 AM
Hi,
The target IP address is wrong for the "packet-tracer" command.
Your command's IP address ends with .161 while your interface IP address ends with .162. And when you look at the NAT configurations, you are using the "interface" IP address in the Static PAT (Port Forward) configurations.
So test the "packet-tracer" with the .162 target IP address
- Jouni
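The two things Jouni checks by eye in this thread, the "permit ip any any" ACE that the 08:15 AM cleanup removes and the .161 vs .162 target mismatch in the packet-tracer command above, can be scripted against a saved running-config. The following audit is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the config posted on 11-11-2013 (only the object, ACL, NAT and outside-interface lines) and assumes the ASA 8.3+ convention that inbound ACLs reference the real (untranslated) host address.

```python
import re

# Constructed sample: the relevant lines of the 11-11-2013 config, so the checks run offline.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 70.102.23.162 255.255.255.252
object network WEB-SERVER
 host 192.168.0.1
object network WEB-SERVER-TCP39214
 host 192.168.0.1
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object WEB-SERVER eq www
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124
object network WEB-SERVER
 nat (inside,outside) static interface service tcp www www
object network WEB-SERVER-TCP39214
 nat (inside,outside) static interface service tcp 39124 39124
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

def port_num(tok):
    """Resolve an ASA port keyword or a numeric port to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse(cfg):
    """Collect object hosts, static PATs, interface addresses, ACL entries and ACL bindings."""
    hosts, pats, ifaces, acls, bindings = {}, [], {}, {}, {}
    obj = iface = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj, iface = line.split()[2], None
        elif line.startswith("interface "):
            iface, obj = line.split()[1], None
        elif line.startswith("nameif ") and iface:
            ifaces[iface] = {"name": line.split()[1]}
        elif line.startswith("ip address ") and iface in ifaces:
            ifaces[iface]["ip"] = line.split()[2]
        elif line.startswith("host ") and obj:
            hosts[obj] = line.split()[1]
        elif line.startswith("nat ") and obj:
            m = re.search(r"static interface service (\w+) (\S+) (\S+)", line)
            if m:  # (object, protocol, real port, mapped port)
                pats.append((obj, m.group(1), port_num(m.group(2)), port_num(m.group(3))))
        elif line.startswith("access-list "):
            t = line.split()
            acls.setdefault(t[1], []).append(t[2:])
        elif line.startswith("access-group "):
            t = line.split()
            bindings[t[4]] = t[1]  # interface name -> ACL applied inbound on it
    names = {v["name"]: v.get("ip") for v in ifaces.values()}
    return {"hosts": hosts, "pats": pats, "ifaces": names, "acls": acls, "bindings": bindings}

def open_rules(p, ifname="outside"):
    """ACEs on the ACL bound to ifname that permit all protocols from any source to any destination."""
    acl = p["acls"].get(p["bindings"].get(ifname, ""), [])
    return [" ".join(e) for e in acl if e[:5] == ["extended", "permit", "ip", "any", "any"]]

def pats_without_ace(p, ifname="outside"):
    """Static PATs with no specific ACE for their real host/port (a blanket permit is not counted)."""
    acl = p["acls"].get(p["bindings"].get(ifname, ""), [])
    permitted = set()
    for e in acl:  # shape: extended permit <proto> any object|host <dst> eq <port>
        if len(e) == 8 and e[1] == "permit" and e[3] == "any" and e[4] in ("object", "host") and e[6] == "eq":
            permitted.add((e[2], p["hosts"].get(e[5], e[5]), port_num(e[7])))
    return [f"{obj} {proto}/{real}" for obj, proto, real, _ in p["pats"]
            if (proto, p["hosts"].get(obj), real) not in permitted]

def check_tracer_target(p, cmd):
    """A PAT to 'interface' only matches packets sent to that interface's own address and mapped port."""
    m = re.match(r"packet-tracer input (\S+) (\w+) \S+ \S+ (\S+) (\S+)", cmd)
    if not m:
        return (False, "could not parse packet-tracer command")
    ifname, proto, dst, dport = m.groups()
    if dst != p["ifaces"].get(ifname):
        return (False, f"destination {dst} is not the {ifname} address {p['ifaces'].get(ifname)}")
    if (proto, port_num(dport)) not in {(pr, mp) for _, pr, _, mp in p["pats"]}:
        return (False, f"no static PAT maps {proto}/{dport} on the interface address")
    return (True, "ok")
```

Running the audit on the sample flags the "permit ip any any" ACE and the .161 tracer target, while the 39124 PAT passes because its ACE references a different object with the same real host.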
11-11-2013 08:30 AM
Yes thank you! I saw it and posted my reply and then saw yours.