Issue with ASA 5510

John Huthmaker
Level 4

Hello Everyone,

I want to first say that this is my first time ever working on an ASA, so I apologize for the elementary questions.  My task today is to allow incoming HTTP and HTTPS traffic to my internal IP address.

Currently this firewall is up and working great.  There are several internal servers, and every service they are presenting to the internet is working fine.  I'm using the graphic interface.  I added my server under the "Public Servers" like all of the other objects.  I can see it created the appropriate NAT statement and access rule.  I applied my change and saved the settings to flash.

The problem I'm having is the internal server is now essentially cut off from the internet.  I obviously can't access HTTP or HTTPS from the internet, but that server can't get from the LAN to the internet either.  Every other server is working fine though.  I checked the order in which the NAT rule and access rule are being applied, and I think they're fine.

The only thing I can think of is I need to restart the ASA, but that really surprises me.  I would think that adding a statement in an ASA would just work without a reboot.

Any thoughts?  I can provide screenshots of my Access Rules, NAT rules, and Public Servers list if it helps.

Thank you in advance.  I need to get this fixed ASAP.

2 Accepted Solutions

Hello,

Just reviewed both captures...

On the captures we can see that the ASA is doing the right NAT translation; the packets are being seen on the outside interface, so the packets are not being dropped.

Please contact your ISP ASAP and let them know that you are not getting any traffic to 65.208.141.68. As soon as they start sending the traffic to you, all will be working.

Please keep me posted!

Julio

Do rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Hello John,

Sure, it was a pleasure to work on this with you.

Please mark the question as answered so future users can learn from this.

Regards,

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


20 Replies

John Huthmaker
Level 4

To add to my confusion, I just ran a ping from the ASA.  It can ping both the internal and external IP of the device I added.

If I try the same with a working server, I can ping the internal address, but not the external address.

Hello John,

I think the problem is that you have just port-forwarding enabled for that server, and that works only for inbound connections, not for outbound connections.

Please share the following:

-sh run nat

-sh run global

-sh run static

-sh run access-group

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I guess I don't know the enable password, so I can't run the above commands.  I do get what you're saying though.  From what I can see, side by side with other working services, I don't see any discrepancies.  Can I send you the screenshots for your analysis?

Hello John,

Sure, but let's try this first.

On the ASDM, go to Tools and then to Command Line Interface.

Once you are there try to get the following outputs:

-sh run nat

-sh run global

-sh run static

-sh run access-group

If that does not work please attach the screenshots.

Julio

Do rate all the helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Got it.  I can do it from the graphic interface.  The server I'm trying to get to work is 10.130.1.68 (internal) and 65.208.141.68 (external).

Result of the command: "sh run nat"

nat (outside) 3 192.168.60.0 255.255.255.0
nat (outside) 3 192.168.70.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 10 172.31.10.0 255.255.255.0
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 10 10.130.0.0 255.255.0.0
nat (inside) 10 10.0.0.0 255.0.0.0

Result of the command: "sh run global"

global (outside) 10 65.208.141.66
global (outside) 3 interface

Result of the command: "sh run static"

static (inside,dmz96) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (dmz96,outside) 65.208.141.85 192.168.96.165 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.83 192.168.96.161 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.80 192.168.96.150 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.81 192.168.96.151 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.82 192.168.96.152 netmask 255.255.255.255
static (inside,dmz96) 10.160.10.0 10.160.10.0 netmask 255.255.255.0
static (dmz96,outside) 65.208.141.84 192.168.96.84 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.87 192.168.96.87 netmask 255.255.255.255
static (inside,outside) 65.208.141.120 10.133.1.20 netmask 255.255.255.255
static (inside,outside) 65.208.141.121 10.134.1.21 netmask 255.255.255.255
static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255

Result of the command: "sh run access-group"

access-group outside in interface outside
access-group inside in interface inside
access-group DMZ96 in interface dmz96
access-group management in interface management
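An added model of how a pre-8.3 ASA picks a translation for an outbound flow, fed with the nat/global/static lines posted above (example code, not from the thread or from Cisco). It assumes the documented order of operations (static NAT before regular dynamic nat/global, the latter by most specific match); the nonat ACL and the dmz96 statics are left out because they do not affect the inside-to-outside case.

```python
import ipaddress

# Added model (not from the thread): pre-8.3 ASA NAT lookup for an outbound flow.
# Tables below are copied from the "sh run" output in the thread; the "nonat" ACL
# is not on the page, so nat 0 exemption is omitted, as are the dmz96 statics.
STATICS = [  # (real_if, mapped_if, mapped, real, mask) from "sh run static"
    ("inside", "outside", "65.208.141.120", "10.133.1.20", "255.255.255.255"),
    ("inside", "outside", "65.208.141.121", "10.134.1.21", "255.255.255.255"),
    ("inside", "outside", "65.208.141.68", "10.130.1.68", "255.255.255.255"),
]
NATS = [  # (real_if, nat_id, network, mask) from "sh run nat"
    ("inside", 10, "172.31.10.0", "255.255.255.0"),
    ("inside", 10, "10.10.0.0", "255.255.0.0"),
    ("inside", 10, "10.130.0.0", "255.255.0.0"),
    ("inside", 10, "10.0.0.0", "255.0.0.0"),
]
GLOBALS = {("outside", 10): "65.208.141.66"}  # (mapped_if, nat_id) -> PAT address


def translate(real_ip, real_if="inside", mapped_if="outside"):
    """Return (kind, mapped_address) the ASA would use for an outbound flow from real_ip."""
    host = ipaddress.ip_address(real_ip)
    # A static is bidirectional: it also claims the host's outbound connections, so the
    # host never falls through to the PAT pool and its return traffic must reach the
    # static's public address (here 65.208.141.68, which the ISP was not yet delivering).
    for rif, mif, mapped, real, mask in STATICS:
        if (rif, mif) == (real_if, mapped_if) and host in ipaddress.ip_network(f"{real}/{mask}"):
            return ("static", mapped)
    # Regular dynamic NAT: best (longest prefix) match, independent of configuration order.
    best = None
    for rif, nat_id, net, mask in NATS:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if rif == real_if and host in network and (best is None or network.prefixlen > best[1].prefixlen):
            best = (nat_id, network)
    if best is None or (mapped_if, best[0]) not in GLOBALS:
        return ("none", None)
    return ("pat", GLOBALS[(mapped_if, best[0])])
```

Running it for 10.130.1.68 returns the static address 65.208.141.68, while a neighbour such as 10.130.1.69 is PATed to 65.208.141.66, which is why only the newly added server looked cut off.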

Hello John,

The configuration seems to be fine; the only thing we are missing is the output of the ACL.

Can you provide the output of:

-show run access-list inside

-packet-tracer input inside tcp 10.130.1.68 1025 4.2.2.2 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here is what I get from those two commands:

Result of the command: "show run access-list inside"

access-list inside extended permit ip any 192.168.96.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside extended permit ip any 192.168.60.0 255.255.255.0
access-list inside extended permit ip any 192.168.70.0 255.255.255.0
access-list inside extended deny ip any object-group RFC1918
access-list inside extended permit ip any any

Result of the command: "packet-tracer input inside tcp 10.130.1.68 1025 4.2.2.2 80"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FILTER
Subtype: filter-url
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255
  match ip inside host 10.130.1.68 outside any
    static translation to 65.208.141.68
    translate_hits = 130, untranslate_hits = 0
Additional Information:
Static translate 10.130.1.68/0 to 65.208.141.68/0 using netmask 255.255.255.255

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz96) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
  match ip inside 10.0.0.0 255.0.0.0 dmz96 any
    static translation to 10.0.0.0
    translate_hits = 2706448, untranslate_hits = 17797187
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 202578141, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
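An added checker for packet-tracer output of the shape shown above (example code, not from the thread or from Cisco): it reports the first phase that is not ALLOW and extracts the NAT rule the flow matched, so the result can be compared against "sh run static". TRACE_OK is a constructed excerpt of the posted trace; TRACE_DROP is a hypothetical variant with the ACCESS-LIST phase set to DROP.

```python
# Added checker (not from the thread). TRACE_OK: constructed excerpt of the posted trace.
TRACE_OK = """Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any
Additional Information:

Phase: 9
Type: NAT
Result: ALLOW
Config:
static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255
Additional Information:

Result:
Action: allow
"""
# Hypothetical blocked variant: same trace with the ACL phase dropping the packet.
TRACE_DROP = TRACE_OK.replace("ACCESS-LIST\nResult: ALLOW", "ACCESS-LIST\nResult: DROP").replace("Action: allow", "Action: drop")

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final Action."""
    phases, action, cur, in_config = [], None, None, False
    for line in text.splitlines():
        if line.startswith("Phase: "):
            cur = {"phase": int(line[7:]), "type": "", "result": "", "config": []}
            phases.append(cur)
        elif line.strip() == "Result:":          # start of the summary block
            cur = None
        elif line.startswith("Action: "):
            action = line[8:].strip()
        elif cur and line.startswith(("Type: ", "Result: ")):
            key, val = line.split(": ", 1)
            cur[key.lower()] = val.strip()
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif cur and in_config and line.strip():
            cur["config"].append(line.strip())
    return {"phases": phases, "action": action}

def blocking_phase(trace):
    # First phase whose Result is not ALLOW; None means the ASA itself permits the flow.
    return next((p for p in trace["phases"] if p["result"] != "ALLOW"), None)

def nat_rules(trace):
    # NAT statements the flow matched, to compare against "sh run static" / "sh run nat".
    return [c for p in trace["phases"] if p["type"] == "NAT"
            for c in p["config"] if c.startswith(("static ", "nat "))]
```

On the posted trace every phase is ALLOW and the matched rule is the new static, which is what points the investigation off the ASA and towards the path from the ISP.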

Hello John,

As we could see on the last output, the configuration on the ASA is the one required.

Now, it seems like something else is blocking it.

So I want you to create a capture, and then we will be 100% sure of what is going on (I think I already know what is happening).

access-list capin permit tcp host 10.130.1.68 any eq 80
access-list capin permit tcp any eq 80 host 10.130.1.68
access-list capout permit tcp host 65.208.141.68 any eq 80
access-list capout permit tcp any eq 80 host 65.208.141.68
capture capin access-list capin interface inside
capture capout access-list capout interface outside
http 0 0 inside

Then try to access a website like Google from that inside host.

Afterwards go to a browser on one of your computers on your network and do the following:

https://x.x.x.x(inside_ip_of_asa)/capture/capin/pcap

https://x.x.x.x(inside_ip_of_asa)/capture/capout/pcap

Then you can upload the captures to this discussion and I will analyze them using Wireshark.

Regards,

Julio

Hope I was clear enough with the captures.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Forgive my ignorance.  How do I run the above capture?  I'm assuming I need to turn it on, then turn it off?  Once it's run, how do I retrieve it?

Thank you so much Julio.  You've been extremely helpful.

Never mind, I figured it out.  Although I assume I do need to turn it off.

Captures are below.

Hello John,

You do not need to turn it off.

We can erase it after we use it.

So, as you already downloaded them, you can attach them to this discussion, or if you want you can send them to me via email.

It's all up to you.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Files are attached in the above post.  I had edited it.  I'll email them to you too though.

Actually I can't find your email.  This is my first time using this forum.
