NAT/ACL issue on 5525-X

JOE HARRINGTON
Level 1

I am new to the Cisco firewall world (coming from Netscreen/Juniper) and am working on getting my 5525-X with the IPS setup and functioning.  I am just about there but unable to get FTP through the firewall to work as a test of my NAT/ACL configuration.  Any help to point me in the right direction would be greatly appreciated!

ASA Version 9.1(4)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 172.16.16.20 255.255.255.0
!
interface GigabitEthernet0/7
 nameif Outside
 security-level 0
 ip address 1.2.3.4 255.255.255.224
!
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside_LAN
 subnet 172.16.16.0 255.255.248.0
object network FTP-Server-External
 host 1.2.3.4
object network FTP-Server-Internal
 host 172.16.16.22
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp traceroute
 service-object tcp destination eq ftp
 service-object tcp destination eq www
 service-object tcp destination eq https
!
access-list Inside remark Permit users access to http(s), FTP
access-list Inside extended permit object-group DM_INLINE_SERVICE_1 any any
access-list Inside remark Block all other traffic leaving the local network
access-list Inside extended deny ip any any
access-list Outside extended permit tcp object FTP-Server-Internal object FTP-Server-External eq ftp
access-list global_access extended permit ip any any
access-list global_access remark Allow IPS management out through to the internet.
access-list global_access extended permit object-group HTTP object IPS-management any
access-list Local_Segment extended permit ip 172.16.16.0 255.255.255.0 any
nat (Inside,Outside) source dynamic Inside_LAN interface
nat (Inside,Outside) source dynamic IPS-management IPS-management interface
nat (Inside,Outside) source static IPS-management Outside-network
!
object network Inside_LAN
 subnet 172.16.16.0 255.255.255.0
object network FTP-Server-External
 nat (any,any) static FTP-Server-Internal
object network FTP-Server-Internal
 nat (Inside,Outside) static FTP-Server-External
access-group Inside in interface Inside
access-group Outside in interface Outside

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I would suggest the following changes.

Move these configurations to lower priority:

no nat (Inside,Outside) source dynamic Inside_LAN interface
no nat (Inside,Outside) source dynamic IPS-management IPS-management interface
no nat (Inside,Outside) source static IPS-management Outside-network

nat (Inside,Outside) after-auto source dynamic Inside_LAN interface
nat (Inside,Outside) after-auto source dynamic IPS-management IPS-management interface
nat (Inside,Outside) after-auto source static IPS-management Outside-network

The purpose is to avoid them causing any problems in the future and possibly with the FTP setup. Naturally, take into consideration that this might cause an outage for the time you do the changes, but I imagine this is not in use at the moment?

Your ACL for the FTP server is wrong at the moment. In the new ASA software you allow the traffic towards the real/local IP address and never the NAT IP address. Also, your source address should be "any", or some specific source network/host if the purpose is to allow access only to some external sites.

Add

access-list Outside permit tcp any object FTP-Server-Internal eq 21

Also, I don't think you need this configuration:

object network FTP-Server-External
 nat (any,any) static FTP-Server-Internal

- Jouni

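The order of operations behind Jouni's ACL point, as an added example that is not part of the thread: a minimal Python model of an inbound packet on Outside, where the static NAT is un-translated first (the UN-NAT phase of packet-tracer) and the interface ACL is then matched against the real inside address. The object names, addresses and the 8.8.8.8 test client come from the thread; the model itself is an assumption and ignores everything else the ASA does to a packet.

```python
# Added example, not from the thread: why an ACE written against the mapped
# address 1.2.3.4 never matches on ASA 8.3+, while one written against the
# real address 172.16.16.22 does. UN-NAT runs before the interface ACL.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class ACE:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: object            # ip_network
    dst: object            # ip_network, always the REAL address on ASA 8.3+
    dport: Optional[int]   # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

# Static (object) NAT from the thread: mapped 1.2.3.4 <-> real 172.16.16.22
STATIC_NAT = {"1.2.3.4": "172.16.16.22"}

def un_nat(pkt: Packet) -> Packet:
    """UN-NAT phase: rewrite the mapped destination to the real host address."""
    return Packet(pkt.proto, pkt.src, STATIC_NAT.get(pkt.dst, pkt.dst), pkt.dport)

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in ace.src
            and ip_address(pkt.dst) in ace.dst
            and ace.dport in (None, pkt.dport))

def evaluate(acl: list, pkt: Packet) -> str:
    """Inbound evaluation order: UN-NAT, then the interface ACL. First match wins;
    no match falls through to the implicit deny at the end of the ACL."""
    pkt = un_nat(pkt)
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny (implicit)"

# Original ACE from the question: source = the server, destination = mapped IP.
ORIGINAL_ACL = [ACE("permit", "tcp", ip_network("172.16.16.22/32"), ip_network("1.2.3.4/32"), 21)]
# Jouni's corrected ACE: any source, destination = the real (inside) address.
CORRECTED_ACL = [ACE("permit", "tcp", ANY, ip_network("172.16.16.22/32"), 21)]
# Constructed test packet: the external client from Jouni's packet-tracer example.
CLIENT = Packet("tcp", "8.8.8.8", "1.2.3.4", 21)
```

Calling `evaluate(ORIGINAL_ACL, CLIENT)` returns the implicit deny and `evaluate(CORRECTED_ACL, CLIENT)` returns permit; a second connection to port 80 is still denied by the corrected ACL because only port 21 is opened.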
I just changed the settings to move the config to the lower priority, deleted the previous ACL and added the "Any" and removed the object network config but still not able to traverse the firewall.  The external FTP client just gets a connection timed out.  I am able to connect from inside the network.  I am seeing that the hits on the access rule are increasing now.

Hi,

You can check the ASA configurations with the "packet-tracer" command. This command lets you simulate a specific packet coming from some interface towards a certain IP/port, and it will tell you what configurations are applied to it and whether it's dropped because of access rules or perhaps a configuration mistake.

You could for example try

packet-tracer input Outside tcp 8.8.8.8 12345 1.2.3.4 21

Then share the output with us. Remember to remove the public IP address from the output.

- Jouni

ASA5525# packet-tracer input Outside tcp 8.8.8.8 12345 1.2.3.4 21

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network FTP-Server-Internal
nat (Inside_LAN,Outside) static FTP-Server-External
Additional Information:
NAT divert to egress interface Inside_LAN
Untranslate 1.2.3.4/21 to 172.16.16.22/21

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside in interface Outside
access-list Outside extended permit tcp any object FTP-Server-Internal eq ftp
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside_LAN,Outside) after-auto source static IPS-management Outside-network
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:

Phase: 8
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
  ips inline fail-open
service-policy global_policy global
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network FTP-Server-Internal
nat (Inside_LAN,Outside) static FTP-Server-External
Additional Information:

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22886, packet dispatched to next module

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside_LAN
output-status: up
output-line-status: up
Action: allow

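A small parser for the packet-tracer output format shown above, added here as an example that is not from the thread, for triaging such output quickly: it splits the phases, keeps each phase's Config and Additional Information lines, collects the final Result block, and reports the first phase that did not ALLOW. The sample input is constructed; the UN-NAT phase is copied from the output above, and the DROP phase and its drop-reason wording are assumptions.

```python
# Added example, not from the thread: parse ASA packet-tracer output into phases
# plus the final Result block and report the first phase that did not ALLOW.
# SAMPLE is constructed: UN-NAT phase copied from the thread, DROP phase made up.
def parse_packet_tracer(text):
    """Return (phases, summary): phases are dicts (number/type/subtype/result/config/info)."""
    phases, summary, cur, sect = [], {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Phase:"):
            cur = {"number": int(line[6:]), "config": [], "info": []}
            phases.append(cur)
            sect = None
        elif line == "Result:":              # bare "Result:" opens the summary block
            cur, sect = None, "summary"
        elif sect == "summary":
            if ":" in line:
                key, _, val = line.partition(":")
                summary[key.strip()] = val.strip()
        elif cur is None or not line:
            continue
        elif line in ("Config:", "Additional Information:"):
            sect = "config" if line == "Config:" else "info"
        elif sect in ("config", "info"):      # free-form lines under those headers
            cur[sect].append(line)
        else:                                # Type:, Subtype:, Result: ALLOW/DROP
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
    return phases, summary

def first_drop(phases):
    """First phase whose Result is not ALLOW, or None if every phase allowed the packet."""
    return next((p for p in phases if p.get("result", "").upper() != "ALLOW"), None)
SAMPLE = """Phase: 2
Type: UN-NAT
Result: ALLOW
Config:
object network FTP-Server-Internal
nat (Inside_LAN,Outside) static FTP-Server-External
Additional Information:
Untranslate 1.2.3.4/21 to 172.16.16.22/21

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

On the real output posted above, `first_drop` returns None because every phase is ALLOW, which is exactly the "goes through just fine" verdict Jouni gives below.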
Hi,

Seems that the test goes through just fine.

It matches the correct NAT rule, and it's allowed and forwarded to the correct internal host.

I would suggest enabling some other service on the same internal device and allowing traffic to its TCP port, then attempting that connection to see if the problem is perhaps on the actual service on the internal host (FTP), in case this other service works from the external network.

I wouldn't be surprised if it was some local software firewall issue either.

- Jouni

Thanks.  I spun up a web server and all looks good.  There was something in the FTP server configuration that wasn't happy with the NAT.  Looks like we are in business.  Thanks so much.

Hi,

Great to hear it's working now.

- Jouni
