02-08-2012 02:56 PM - edited 03-11-2019 03:26 PM
Hello Everyone,
I want to first say that this is my first time ever working on an ASA, so I apologize for the elementary questions. My task today is to allow incoming HTTP and HTTPS traffic to my internal IP address.
Currently this firewall is up and working great. There are several internal servers, and every service they are presenting to the internet is working fine. I'm using the graphic interface. I added my server under "Public Servers" like all of the other objects. I can see it created the appropriate NAT statement and access rule. I applied my change and saved the settings to flash.
The problem I'm having is the internal server is now essentially cut off from the internet. I obviously can't access HTTP or HTTPS from the internet, but that server can't get from the LAN to the internet either. Every other server is working fine though. I checked the order in which the NAT rule and access rule are being applied, and I think they're fine.
The only thing I can think of is I need to restart the ASA, but that really surprises me. I would think that adding a statement in an ASA would just work without a reboot.
Any thoughts? I can provide screen shots of my Access Rules, NAT rules, and Public Servers list if it helps.
Thank you in advance. I need to get this fixed asap.
02-08-2012 05:08 PM
Hello John,
Sure, It was a pleasure to work on this with you.
Please mark the question as answered so future users can learn from this.
Regards,
Julio!!
02-08-2012 03:09 PM
To add to my confusion, I just ran a ping from the ASA. It can ping both the internal and external IP of the device I added.
If I try the same with a working server, I can ping the internal address but not the external address.
02-08-2012 03:26 PM
Hello John,
I think the problem is that you have just port-forwarding enabled for that server, and that works only for inbound connections, not for outbound connections.
Please share the following:
-sh run nat
-sh run global
-sh run static
-sh run access-group
Regards,
Julio
02-08-2012 03:31 PM
I guess I don't know the enable password, so I can't run the above commands. I do get what you're saying though. From what I can see, side by side with other working services, I don't see any discrepancies. Can I send you the screenshots for your analysis?
02-08-2012 03:34 PM
Hello John,
Sure, but let's try this first.
On the ASDM go to Tools and then to Command Line Interface.
Once you are there try to get the following outputs:
-sh run nat
-sh run global
-sh run static
-sh run access-group
If that does not work please attach the screenshots.
Julio
Do rate all the helpful posts!!
02-08-2012 03:39 PM
Got it. I can do it from the graphic interface. The server I'm trying to get to work is 10.130.1.68 (internal) and 65.208.141.68 (external).
Result of the command: "sh run nat"
nat (outside) 3 192.168.60.0 255.255.255.0
nat (outside) 3 192.168.70.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 10 172.31.10.0 255.255.255.0
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 10 10.130.0.0 255.255.0.0
nat (inside) 10 10.0.0.0 255.0.0.0
Result of the command: "sh run global"
global (outside) 10 65.208.141.66
global (outside) 3 interface
Result of the command: "sh run static"
static (inside,dmz96) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (dmz96,outside) 65.208.141.85 192.168.96.165 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.83 192.168.96.161 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.80 192.168.96.150 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.81 192.168.96.151 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.82 192.168.96.152 netmask 255.255.255.255
static (inside,dmz96) 10.160.10.0 10.160.10.0 netmask 255.255.255.0
static (dmz96,outside) 65.208.141.84 192.168.96.84 netmask 255.255.255.255
static (dmz96,outside) 65.208.141.87 192.168.96.87 netmask 255.255.255.255
static (inside,outside) 65.208.141.120 10.133.1.20 netmask 255.255.255.255
static (inside,outside) 65.208.141.121 10.134.1.21 netmask 255.255.255.255
static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255
Result of the command: "sh run access-group"
access-group outside in interface outside
access-group inside in interface inside
access-group DMZ96 in interface dmz96
access-group management in interface management
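To check by hand what is being read out of the nat/global/static output above, here is an added example (not from this thread and not Cisco code) that parses 8.2-style NAT lines and resolves which translation an inside host gets toward a given interface: a matching static first, otherwise the most specific nat statement paired with a global of the same id. The embedded config is a constructed subset of the lines posted above.

```python
import ipaddress
import re

# Constructed subset of the "sh run nat / global / static" output posted above.
ASA_CONFIG = """
nat (inside) 0 access-list nonat
nat (inside) 10 172.31.10.0 255.255.255.0
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 10 10.130.0.0 255.255.0.0
nat (inside) 10 10.0.0.0 255.0.0.0
global (outside) 10 65.208.141.66
global (outside) 3 interface
static (inside,dmz96) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 65.208.141.120 10.133.1.20 netmask 255.255.255.255
static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) ([\d.]+) ([\d.]+)$")  # skips nat 0 access-list
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)")

def parse(config):
    """Split the config into static entries, nat entries and a global lookup table."""
    statics, nats, globals_ = [], [], {}
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):   # static (real_if,mapped_if) mapped real netmask
            real_net = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            statics.append((m.group(1), m.group(2), real_net, ipaddress.ip_address(m.group(3))))
        elif m := NAT_RE.match(line):    # nat (if) id network mask
            nats.append((m.group(1), int(m.group(2)),
                         ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)))
        elif m := GLOBAL_RE.match(line): # global (if) id address|interface
            globals_[(m.group(1), int(m.group(2)))] = m.group(3)
    return statics, nats, globals_

def resolve(config, src_if, dst_if, host):
    """Return (kind, mapped_address) for traffic from host on src_if leaving via dst_if.
    Evaluation order follows ASA 8.2: static NAT before dynamic nat/global pairs."""
    host = ipaddress.ip_address(host)
    statics, nats, globals_ = parse(config)
    for real_if, mapped_if, real_net, mapped in statics:
        if (real_if, mapped_if) == (src_if, dst_if) and host in real_net:
            offset = int(host) - int(real_net.network_address)  # 1:1 across the block
            return ("static", str(mapped + offset))
    candidates = [(net, nat_id) for nat_if, nat_id, net in nats if nat_if == src_if and host in net]
    for net, nat_id in sorted(candidates, key=lambda c: c[0].prefixlen, reverse=True):
        if (g := globals_.get((dst_if, nat_id))):
            return ("dynamic-pat", g)
    return ("none", None)
```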
02-08-2012 03:47 PM
Hello John,
The configuration seems to be fine; the only thing we are missing is the output of the ACL.
Can you provide the output of:
-show run access-list inside
-packet-tracer input inside tcp 10.130.1.68 1025 4.2.2.2 80
Regards,
Julio
02-08-2012 03:54 PM
Here is what I get from those two commands:
Result of the command: "show run access-list inside"
access-list inside extended permit ip any 192.168.96.0 255.255.255.0
access-list inside extended permit icmp any any
access-list inside extended permit ip any 192.168.60.0 255.255.255.0
access-list inside extended permit ip any 192.168.70.0 255.255.255.0
access-list inside extended deny ip any object-group RFC1918
access-list inside extended permit ip any any
Result of the command: "packet-tracer input inside tcp 10.130.1.68 1025 4.2.2.2 80"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FILTER
Subtype: filter-url
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 65.208.141.68 10.130.1.68 netmask 255.255.255.255
match ip inside host 10.130.1.68 outside any
static translation to 65.208.141.68
translate_hits = 130, untranslate_hits = 0
Additional Information:
Static translate 10.130.1.68/0 to 65.208.141.68/0 using netmask 255.255.255.255
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,dmz96) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
match ip inside 10.0.0.0 255.0.0.0 dmz96 any
static translation to 10.0.0.0
translate_hits = 2706448, untranslate_hits = 17797187
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 202578141, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
02-08-2012 04:03 PM
Hello John,
As we could see on the last output, the configuration on the ASA is the one required.
Now, seems like something else is blocking it.
So I want you to create a capture and then we will be 100% sure of what is going on (I think I already know what is happening):
access-list capin permit tcp host 10.130.1.68 any eq 80
access-list capin permit tcp any eq 80 host 10.130.1.68
access-list capout permit tcp host 65.208.141.68 any eq 80
access-list capout permit tcp any eq 80 host 65.208.141.68
capture capin access-list capin interface inside
capture capout access-list capout interface outside
http 0 0 inside
Then try to access a web-site like google from that inside host.
Afterwards go to a browser on one of your computers on your network and do the following:
https://x.x.x.x(inside_ip_of_asa)/capture/capin/pcap
https://x.x.x.x(inside_ip_of_asa)/capture/capout/pcap
Then you can upload the captures to this discussion and I will analyze them using Wireshark.
Regards,
Julio
Hope I was clear enough with the captures.
02-08-2012 04:06 PM
Forgive my ignorance. How do I run the above capture? I'm assuming I need to turn it on, then turn it off? Once it's run, how do I retrieve it?
Thank you so much Julio. You've been extremely helpful.
02-08-2012 04:08 PM
02-08-2012 04:11 PM
Hello John,
You do not need to turn it off.
We can erase it after we use it.
So, as you already downloaded them, you can attach them to this discussion or, if you want, you can send them to me via email.
It's all up to you.
Regards,
Julio
02-08-2012 04:14 PM
Files are attached in the above post. I had edited it. I'll email them to you too though.
02-08-2012 04:17 PM
Actually I can't find your email. This is my first time using this forum.
02-08-2012 04:23 PM
Hello,
Just reviewed both captures...
On the captures we can see that the ASA is doing the right NAT translation; the packets are being seen on the outside interface, so the packets are not being dropped.
Please contact your ISP ASAP and let them know that you are not getting any traffic to 65.208.141.68; as soon as they start sending the traffic to you, all will be working.
Please keep me posted!
Julio
Do rate helpful posts!!