02-17-2014 08:10 AM - edited 03-11-2019 08:46 PM
I am new to the Cisco firewall world (coming from Netscreen/Juniper) and am working on getting my 5525-X with the IPS setup and functioning. I am just about there but unable to get FTP through the firewall to work as a test of my NAT/ACL configuration. Any help to point me in the right direction would be greatly appreciated!
ASA Version 9.1(4)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 172.16.16.20 255.255.255.0
!
interface GigabitEthernet0/7
nameif Outside
security-level 0
ip address 1.2.3.4 255.255.255.224
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside_LAN
subnet 172.16.16.0 255.255.248.0
object network FTP-Server-External
host 1.2.3.4
object network FTP-Server-Internal
host 172.16.16.22
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp traceroute
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
!
access-list Inside remark Permit users access to http(s), FTP
access-list Inside extended permit object-group DM_INLINE_SERVICE_1 any any
access-list Inside remark Block all other traffic leaving the local network
access-list Inside extended deny ip any any
access-list Outside extended permit tcp object FTP-Server-Internal object FTP-Server-External eq ftp
access-list global_access extended permit ip any any
access-list global_access remark Allow IPS management out through to the internet.
access-list global_access extended permit object-group HTTP object IPS-management any
access-list Local_Segment extended permit ip 172.16.16.0 255.255.255.0 any
nat (Inside,Outside) source dynamic Inside_LAN interface
nat (Inside,Outside) source dynamic IPS-management IPS-management interface
nat (Inside,Outside) source static IPS-management Outside-network
!
object network Inside_LAN
subnet 172.16.16.0 255.255.255.0
object network FTP-Server-External
nat (any,any) static FTP-Server-Internal
object network FTP-Server-Internal
nat (Inside,Outside) static FTP-Server-External
access-group Inside in interface Inside
access-group Outside in interface Outside
02-17-2014 08:19 AM
Hi,
I would suggest the following changes
Move these configurations to lower priority
no nat (Inside,Outside) source dynamic Inside_LAN interface
no nat (Inside,Outside) source dynamic IPS-management IPS-management interface
no nat (Inside,Outside) source static IPS-management Outside-network
nat (Inside,Outside) after-auto source dynamic Inside_LAN interface
nat (Inside,Outside) after-auto source dynamic IPS-management IPS-management interface
nat (Inside,Outside) after-auto source static IPS-management Outside-network
The purpose is to avoid them causing any problems in the future and possibly with the FTP setup. Naturally take into consideration that this might cause outage for the time you do the changes but I imagine this is not in use at the moment?
Your ACL for the FTP server is wrong at the moment. In the new ASA software you allow the traffic towards the real/local IP address and never the NAT IP address. Also your source address should be "any" or some specific source network/host if the purpose is to allow access only to some external sites.
Add
access-list Outside permit tcp any object FTP-Server-Internal eq 21
Also I don't think you need this configuration
object network FTP-Server-External
nat (any,any) static FTP-Server-Internal
- Jouni
02-17-2014 08:54 AM
I just changed the settings to move the config to the lower priority, deleted the previous ACL and added the "Any" and removed the object network config but still not able to traverse the firewall. The external FTP client just gets a connection timed out. I am able to connect from inside the network. I am seeing that the hits on the access rule is increasing now.
02-17-2014 09:06 AM
Hi,
You can check the ASA configurations with the "packet-tracer" command. This command lets you simulate a specific packet coming from some interface towards a certain IP/port and it will tell you what configurations are applied to it and whether it's dropped because of access rules or perhaps a configuration mistake.
You could for example try
packet-tracer input Outside tcp 8.8.8.8 12345
Then share the output with us. Remember to remove the public IP address from the output
- Jouni
02-17-2014 09:42 AM
ASA5525# packet-tracer input Outside tcp 8.8.8.8 12345 1.2.3.4 21
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network FTP-Server-Internal
nat (Inside_LAN,Outside) static FTP-Server-External
Additional Information:
NAT divert to egress interface Inside_LAN
Untranslate 1.2.3.4/21 to 172.16.16.22/21
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside in interface Outside
access-list Outside extended permit tcp any object FTP-Server-Internal eq ftp
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside_LAN,Outside) after-auto source static IPS-management Outside-network
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Phase: 8
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
ips inline fail-open
service-policy global_policy global
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network FTP-Server-Internal
nat (Inside_LAN,Outside) static FTP-Server-External
Additional Information:
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22886, packet dispatched to next module
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside_LAN
output-status: up
output-line-status: up
Action: allow
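As an added illustration of Jouni's packet-tracer advice (example code added here, not from the thread or from Cisco), a small Python parser for this output format that reports the first DROP phase and the real destination shown by the UN-NAT phase. The embedded transcript is constructed and abbreviated; unlike the run above, its Outside ACL is written against the NAT object rather than the real host, which is the mistake Jouni describes.

```python
import re
# Constructed, abbreviated transcript in the layout of the thread's packet-tracer output (ACL hits the NAT object).
SAMPLE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
object network FTP-Server-Internal
nat (Inside,Outside) static FTP-Server-External
Additional Information:
Untranslate 1.2.3.4/21 to 172.16.16.22/21
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Outside in interface Outside
access-list Outside extended permit tcp any object FTP-Server-External eq ftp
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def _lines(s):
    return [l.strip() for l in s.splitlines() if l.strip()]

def parse_packet_tracer(text):
    """Split a transcript into one dict per phase plus the trailing summary dict."""
    parts = re.split(r"^Phase:[ \t]*(\d+)[ \t]*$", text, flags=re.M)
    phases, summary = [], {}
    for num, body in zip(parts[1::2], parts[2::2]):
        body, *tail = re.split(r"^Result:[ \t]*$", body, maxsplit=1, flags=re.M)
        head, _, rest = body.partition("Config:")
        config, _, info = rest.partition("Additional Information:")
        p = {k.lower(): v for k, v in re.findall(r"^(\w+):[ \t]*(.*?)[ \t]*$", head, flags=re.M)}
        p.update(phase=int(num), config=_lines(config), info=_lines(info))
        phases.append(p)
        if tail:  # a bare "Result:" line opens the final summary block
            summary = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in _lines(tail[0]))}
    return phases, summary

def first_drop(phases):
    """First phase whose Result is DROP, or None when every phase allowed the packet."""
    return next((p for p in phases if p.get("result") == "DROP"), None)

def untranslated_dest(phases):
    """Real destination after UN-NAT, i.e. the address the Outside ACL must reference."""
    info = " ".join(l for p in phases if p.get("type") == "UN-NAT" for l in p["info"])
    m = re.search(r"Untranslate \S+ to (\S+)", info)
    return m[1] if m else None
```

Run it over a pasted transcript after redacting the public address, and compare the reported real destination with the object the ACL permits.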
02-17-2014 09:48 AM
Hi,
Seems that the test goes through just fine.
Matches correct NAT rule and it's allowed and forwarded to the correct internal host.
I would suggest enabling some other service on the same internal device and allowing traffic to its used TCP port and attempt that connection to see if the problem is perhaps on the actual service on the internal host (FTP) in case this other service works from external network.
I wouldn't be surprised if it was some local software firewall issue either.
- Jouni
02-17-2014 10:57 AM
Thanks. I spun up a web server and all looks good. There was something in the FTP server configuration that wasn't happy with the NAT. Looks like we are in business. Thanks so much.
02-17-2014 11:02 AM
Hi,
Great to hear it's working now
- Jouni