11-06-2013 10:38 AM - edited 03-11-2019 08:01 PM
I am trying to set up NAT/PAT for access to a webserver behind the ASA. (Running 8.4)
I have a single Static IP on the outside interface (70.102.23.xxx) and I have a webserver with an IP of 192.168.0.1 and I need to make sure all http requests are sent to it.
I can do this in an IOS router pretty well, but in the ASA I seem to get turned around pretty easily. I would like to do it via CLI but will accept help with doing it via ASDM as well.
I already have created an access list to allow the traffic to the webserver.
access-list outside_access_in extended permit udp any any eq www
access-list outside_access_in extended permit tcp any any eq www
Thanks in advance.
Jeffrey
11-11-2013 12:25 PM
So I am on site and I am testing the remote access on port 80 and ssh on 39124 and it is not working for some reason.
I am not sure why. Packet tracer looks fine when I run it.
11-11-2013 12:51 PM
Hi,
Are you testing from the Internet or behind the ASA from the internal network?
Since the Static PAT (Port Forward) configurations that we did only work from the external network (behind the "outside" interface).
For you to be able to connect to the public IP address from the internal network you would have to configure some other NAT configurations.
But I am not sure from where you are trying to connect.
- Jouni
11-11-2013 01:22 PM
At the time I was connecting out via my cell phone hotspot.
I am now back at my office and still cannot connect to the server at the internal IP of 192.168.0.1 via port 39124.
Here is the config again.
name 192.168.0.1 Server description Server
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.102.23.162 255.255.255.252
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LOCAL_LAN
subnet 192.168.0.0 255.255.255.0
object network SSLVPN_NETWORK
subnet 192.168.100.0 255.255.255.0
object network 70.102.23.162
host 70.102.23.162
object service http
service tcp source eq www destination eq www
object network WEB-SERVER
host 192.168.0.1
object network WEB-SERVER-TCP39214
host 192.168.0.1
object-group service HTTP
service-object tcp source eq www
object-group service SSH
description Remote server access
service-object tcp destination eq 39124
access-list inside_access_in extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark WEB-SERVER
access-list outside_access_in extended permit tcp any object WEB-SERVER eq www
access-list outside_access_in remark WEB-SERVER access
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 39124
access-list outside_access_in extended permit udp any object WEB-SERVER-TCP39214 eq 39124
access-list outside_access_in extended permit udp any object WEB-SERVER eq 39124
access-list NAT-EXEMPT extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLVPN 192.168.100.100-192.168.100.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SSLVPN_NETWORK SSLVPN_NETWORK
!
object network LOCAL_LAN
nat (inside,outside) dynamic interface
object network WEB-SERVER
nat (inside,outside) static interface service tcp www www
object network WEB-SERVER-TCP39214
nat (inside,outside) static interface service tcp 39124 39124
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.102.23.161 1
Any help is appreciated.
11-11-2013 01:43 PM
Hi,
You could try TCP Ping from the ASA itself and see if those ports on the host reply to the ASA.
ping tcp 192.168.0.1 80
ping tcp 192.168.0.1 39124
The ASA will essentially send a TCP SYN to the host and you should see "!" if the TCP Ping is successful. Pretty much like with the normal ping command.
Have you confirmed that those ports answer from the internal network? Are the ACL rules getting hitcounts when you check with the command "show access-list" ? Notice that the "packet-tracer" command increases the hitcount each time so better to check the current hitcount and then try from the external network.
If we want complete confirmation about the situation we would need to configure a traffic capture but probably best to check the above 2 things.
Naturally if you can monitor ASA logs through ASDM for example when connecting to the server it would be easy to see if the connection is coming to the ASA and then what happens to it.
I can't see anything wrong with the ASA configuration at the moment. At least I haven't noticed anything yet.
- Jouni
11-11-2013 01:50 PM
Yes both of those pings work. Also when I was on site and connected to the local LAN I was able to telnet on both those ports.
What kind of packet capture would you like set up for the ASDM?
11-11-2013 01:51 PM
As for the counters I am not seeing them go up at all:
access-list inside_access_in; 2 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0) 0x60dc925d
access-list inside_access_in line 2 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0x3a0c50b5
access-list outside_access_in; 6 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit icmp any any echo (hitcnt=0) 0x2a287810
access-list outside_access_in line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x54b872f3
access-list outside_access_in line 3 remark WEB-SERVER
access-list outside_access_in line 4 extended permit tcp any object WEB-SERVER eq www (hitcnt=0) 0x6d0acdc0
access-list outside_access_in line 4 extended permit tcp any host 192.168.0.1 eq www (hitcnt=11) 0x6d0acdc0
access-list outside_access_in line 5 remark WEB-SERVER access
access-list outside_access_in line 6 extended permit tcp any object WEB-SERVER eq 39124 (hitcnt=0) 0x1125a6a4
access-list outside_access_in line 6 extended permit tcp any host 192.168.0.1 eq 39124 (hitcnt=25) 0x1125a6a4
access-list outside_access_in line 7 extended permit udp any object WEB-SERVER-TCP39214 eq 39124 (hitcnt=0) 0x98c99e62
access-list outside_access_in line 7 extended permit udp any host 192.168.0.1 eq 39124 (hitcnt=0) 0x98c99e62
access-list outside_access_in line 8 extended permit udp any object WEB-SERVER eq 39124 (hitcnt=0) 0x8b2db537
access-list outside_access_in line 8 extended permit udp any host 192.168.0.1 eq 39124 (hitcnt=0) 0x8b2db537
access-list NAT-EXEMPT; 1 elements; name hash: 0x147e016b
access-list NAT-EXEMPT line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0xef022860
access-list SPLIT_TUNNEL; 2 elements; name hash: 0x63aa8f22
access-list SPLIT_TUNNEL line 1 standard permit 192.168.0.0 255.255.255.0 (hitcnt=0) 0x4f11a7a4
access-list SPLIT_TUNNEL line 2 standard permit 192.168.100.0 255.255.255.0 (hitcnt=0) 0x00fb5725
11-11-2013 02:15 PM
Hi,
Are you saying that all of the hitcounts in the following output are the result of the "packet-tracer" command?
access-list outside_access_in line 4 extended permit tcp any object WEB-SERVER eq www (hitcnt=0) 0x6d0acdc0
access-list outside_access_in line 4 extended permit tcp any host 192.168.0.1 eq www (hitcnt=11) 0x6d0acdc0
access-list outside_access_in line 5 remark WEB-SERVER access
access-list outside_access_in line 6 extended permit tcp any object WEB-SERVER eq 39124 (hitcnt=0) 0x1125a6a4
access-list outside_access_in line 6 extended permit tcp any host 192.168.0.1 eq 39124 (hitcnt=25)
If that is true then it doesn't really make sense.
This would mean the Internet connection through the ASA should not work either.
How are you managing the ASA? Are you doing it now remotely or locally at the site? Does the site perhaps have another external connection through which you connect to the ASA?
If there is another external connection then it would raise a possible question regarding the routing. Then it might be that the actual server was using some other networking device as its default gateway out of the network and therefore the external connections through the ASA would naturally not work.
TCP Ping reply could be explained by the fact that the ASA is directly connected to the same network which means the server can reply directly to ASA but nothing past it if the default gateway device is something else.
But all of this is just guessing.
If you can connect to the ASA through its external interface for management purposes then there should be no reason why the NAT configurations should not work.
If you cannot connect remotely to the ASA external interface then the problem would be its external connection.
- Jouni
11-11-2013 02:19 PM
When I attempt to SSH in on port 39124 this is the only counter that goes up:
access-list outside_access_in line 6 extended permit tcp any host 192.168.0.1 eq 39124 (hitcnt=37) 0x1125a6a4
And it only goes up one at a time.
11-11-2013 02:20 PM
And I can connect to the ASA just fine remotely. I am currently in there via CLI and ASDM.
11-11-2013 02:25 PM
Hi,
If the hitcount for the ACL rules that you have created are increasing when you attempt the connection and you are managing the ASA remotely then there should be no problem with the connection between ASA and the ISP.
That leads to the next question. Would this customer have any other external connection to the Internet other than the one through the ASA? Is the LAN server's default gateway pointing to the ASA or where?
If the server replies to the TCP Ping from the ASA I would imagine that the server should also reply from the remote network if the routing is fine. ASA rules seem to be fine at least.
If it's not a default gateway or routing problem then it seems weird.
Maybe you could save the configuration and reboot the firewall if that is possible.
- Jouni
11-11-2013 02:28 PM
The site only has one WAN access point and that is the outside interface of the ASA.
Should there be a reverse ACL like:
access-list inside_access_in extended permit tcp any object WEB-SERVER eq 39124 ?
I can not reboot it right now as they are up and working.
11-11-2013 02:36 PM
Hi,
It won't require an ACL for the other direction. If the ASA has allowed the connection to form through it initially then the traffic related to that connection is allowed through the firewall as long as the connection doesn't time out or is not terminated by either side.
If you want to configure a capture on the ASA to confirm if the server is replying at all then you could try the following configuration
access-list SERVER-CAP permit ip host
access-list SERVER-CAP permit ip host 192.168.0.1 host
capture SERVER-CAP type raw-data access-list SERVER-CAP interface inside buffer 5000000 circular-buffer
Then you can use the following command to confirm if anything has hit the capture after tests from the external network
show capture
You can view the capture on the CLI with the command
show capture SERVER-CAP
You can also copy the capture to your computer with TFTP with the command
copy /pcap capture:SERVER-CAP tftp://x.x.x.x/SERVER-CAP.pcap
You can remove the capture with
no capture SERVER-CAP
This should tell us if the server sends any traffic back to a connection attempt.
- Jouni
11-11-2013 02:56 PM
Is this my public host as in from my current location?
11-11-2013 03:02 PM
Hi,
The
- Jouni
11-11-2013 03:21 PM
This is what I see:
3 packets captured
1: 08:15:33.824191 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
2: 08:15:36.532809 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
3: 08:15:42.536669 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
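The capture above shows the same client SYN (same source port and sequence number) retransmitted three times with nothing coming back from 192.168.0.1, which is exactly the "server never answers the ASA, or its reply leaves via another gateway" case Jouni describes. The following is an added example, not code from the thread: a small parser for ASA `show capture` output that groups SYNs per client flow and reports flows that never saw a SYN-ACK. The first sample is the three lines posted above; the second, with 203.0.113.5 as the client, is a constructed healthy handshake for contrast.

```python
import re
from collections import defaultdict

# First sample: the three `show capture SERVER-CAP` lines posted in the thread.
# Second sample: a constructed healthy SYN / SYN-ACK pair (not from the thread).
CAPTURE_FROM_THREAD = """\
1: 08:15:33.824191 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
2: 08:15:36.532809 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
3: 08:15:42.536669 802.1Q vlan#1 P2 69.64.226.1.59286 > 192.168.0.1.39124: S 189790974:189790974(0) win 8192
"""
CAPTURE_CONSTRUCTED_OK = """\
1: 09:00:00.000000 802.1Q vlan#1 P2 203.0.113.5.40000 > 192.168.0.1.80: S 1000:1000(0) win 8192
2: 09:00:00.000400 802.1Q vlan#1 P2 192.168.0.1.80 > 203.0.113.5.40000: S 5000:5000(0) ack 1001 win 29200
"""

# One capture line: "<n>: <time> [802.1Q vlan#N Pn] src.port > dst.port: <flags> <rest>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[A-Z.]+)\s*(?P<rest>.*)$"
)

def parse_capture(text):
    """Return one dict per parsable packet line; header lines like
    '3 packets captured' simply do not match and are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["is_syn"] = "S" in p["flags"]
            p["has_ack"] = "ack" in p["rest"].split()  # a SYN-ACK carries "ack N"
            pkts.append(p)
    return pkts

def unanswered_syns(text):
    """Map each client flow (src, sport, dst, dport) that sent SYNs but never
    got a SYN-ACK back from the server to the number of SYNs it sent."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for p in parse_capture(text):
        if p["is_syn"] and not p["has_ack"]:
            flows[(p["src"], p["sport"], p["dst"], p["dport"])]["syn"] += 1
        elif p["is_syn"] and p["has_ack"]:
            # server -> client; credit the matching client flow
            flows[(p["dst"], p["dport"], p["src"], p["sport"])]["synack"] += 1
    return {k: v["syn"] for k, v in flows.items() if v["syn"] and not v["synack"]}

if __name__ == "__main__":
    for name, cap in (("thread", CAPTURE_FROM_THREAD), ("constructed", CAPTURE_CONSTRUCTED_OK)):
        print(name, "unanswered SYN flows:", unanswered_syns(cap) or "none")
```

Run against the thread's capture it reports the 69.64.226.1:59286 flow with three unanswered SYNs, pointing at the server side (listener or return routing) rather than the ASA's NAT or ACL, which the hit counters already showed were matching.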