06-10-2014 06:45 AM - edited 03-11-2019 09:18 PM
Hi,
Referring to the topic, we have an ASA5505 (Unlimited-Base License) which has been working fine for more than a year now. For the WAN, we have a static IP configured on the ASA with a default route pointing to the ISP router. For the LAN portion, we have servers which are published to the Internet.
For this, we've configured static NAT with port forwarding to the server. Policies are also in place, allowing any source from the Internet to access the server.
Network setup:
ISP Router <> ASA5505 WAN <> ASA5505 LAN <> Server
1.1.1.1        1.1.1.2        10.10.10.1      10.10.10.10
## NATed 1.1.1.2 port 2048 to 10.10.10.10 port 2048
## On WAN incoming policy, allowed 'any' source to 'Server NATed' destination with service '2048'
During initial setup/testing, it was working fine, or so the user claimed, but if I'm not mistaken we did perform simple testing and the server was reachable via that port. However, just today we got a complaint from the user that the server is not reachable now. Checked the configuration; nothing was changed. Performed a test from our end: can't reach the server, and no hit counts on the policy.
Then, we added an implicit permit rule for the WAN incoming policy and when we tested again, the server was still not reachable. But this time, there's a hit count on that implicit permit rule. Hence, I thought of getting some advice on how to go about this issue, or whether anyone has faced such an issue before?
Thank you.
=====================================================================================
## Configuration ##
object network my-DB
 nat (inside,public) static interface service tcp 2048 2048
object network my-DB-FTP
 nat (inside,public) static interface service tcp ftp ftp
object network my-DB-8080
 nat (inside,public) static interface service tcp 8080 8080
access-list public_access_in extended permit tcp any object my-DB object-group TCP_2048
access-list public_access_in extended permit tcp any object my-DB-8080 object-group TCP_8080
access-list public_access_in extended permit tcp any object my-DB-FTP eq ftp
access-list public_access_in extended permit tcp any any
access-group inside_access_in in interface inside
access-group public_access_in in interface public
=====================================================================================
-----
Regards,
Danny
06-11-2014 07:34 AM
First thing: when we enable access from outside to inside, we permit the actual IP of the server, not the NATed IP; not sure how it was working in the past. Second thing: since you have an ASA 5505 you can use the packet-tracer tool of the ASA to check where the traffic is being blocked. Also try to check with a reverse NAT configuration on the firewall (nat (public,inside) NATed-IP Actual-IP).
06-11-2014 06:25 PM
06-12-2014 01:24 AM
I mean private IP of server.
06-12-2014 03:18 AM
Yes, I'm using the private IP object, with NAT... And it's working at another site.
06-17-2014 06:36 PM
Anyone got any ideas?
06-18-2014 12:27 AM
Can you share the object-group network configuration?
06-18-2014 12:30 AM
Here you go.
object network my-inside-net
 subnet 10.252.22.0 255.255.255.0
object network my-DB
 host 10.252.22.10
object network my-CCTV
 host 10.252.22.20
object network my-CCTV-3100
 host 10.252.22.20
object network my-DB-FTP
 host 10.252.22.10
object-group service TCP_2048 tcp
 port-object eq 2048
object-group service TCP_3100 tcp
 port-object eq 3100
object-group service DM_INLINE_TCP_1 tcp
 group-object TCP_3100
 port-object eq www
06-18-2014 12:47 AM
Could you do a packet tracer on the ASA:
packet-tracer input outside tcp 4.2.2.2 1234 1.1.1.2 2048 detail
Also this one for comparison:
packet-tracer input outside tcp 4.2.2.2 2048 1.1.1.2 2048 detail
--
Please remember to select a correct answer and rate helpful posts
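An added Python model (not from the thread or from Cisco) of the order the ASA 8.3+ applies to the posted config, which is the point the first reply makes and what the packet-tracer commands above would show: the static NAT is untranslated first, and the 'public' ACL is then evaluated against the server's real inside address. Object names and ports come from the posted configuration; 1.1.1.2 as the public interface address is assumed from the diagram, and MAPPED_IP_ACL is a constructed counter-example written against the mapped address.

```python
# Simplified model of how an ASA (8.3+) handles an inbound connection with the
# thread's config: the static NAT is untranslated FIRST, then the interface ACL
# is evaluated against the server's REAL (inside) address.
OUTSIDE_IP = "1.1.1.2"  # 'public' interface address, assumed from the diagram

# object network <name> / host <ip>  (from the posted config)
OBJECTS = {"my-DB": "10.252.22.10", "my-DB-FTP": "10.252.22.10", "my-CCTV": "10.252.22.20"}

# nat (inside,public) static interface service tcp <real-port> <mapped-port>,
# keyed by the port on the interface -> (real object, real port)
STATIC_NAT = {2048: ("my-DB", 2048), 21: ("my-DB-FTP", 21)}

# access-list public_access_in ... as (destination, tcp port); None means "any"
ACL_PUBLIC_IN = [("my-DB", 2048), ("my-DB-FTP", 21), (None, None)]
# Constructed counter-example: same ACL written against the mapped address (wrong on 8.3+)
MAPPED_IP_ACL = [("1.1.1.2", 2048), (None, None)]

def untranslate(dst_ip, dst_port):
    """Reverse the static PAT for a packet arriving on 'public'."""
    if dst_ip == OUTSIDE_IP and dst_port in STATIC_NAT:
        obj, real_port = STATIC_NAT[dst_port]
        return OBJECTS[obj], real_port, obj
    return dst_ip, dst_port, None  # no NAT rule: address stays as received

def acl_lookup(acl, real_ip, real_port):
    """Return the 1-based index of the first matching ACE, or None (implicit deny)."""
    for idx, (dst, port) in enumerate(acl, 1):
        ip_ok = dst is None or OBJECTS.get(dst, dst) == real_ip  # object name or literal IP
        port_ok = port is None or port == real_port
        if ip_ok and port_ok:
            return idx
    return None

def trace(dst_ip, dst_port, acl=ACL_PUBLIC_IN):
    """Mimic 'packet-tracer input public tcp <src> <sport> dst_ip dst_port'."""
    real_ip, real_port, nat_obj = untranslate(dst_ip, dst_port)
    if real_ip == OUTSIDE_IP:
        # Nothing untranslated it, so the packet is addressed to the ASA itself
        # and never reaches the through-the-box ACL.
        return {"nat": None, "ace": None, "action": "drop"}
    ace = acl_lookup(acl, real_ip, real_port)
    return {"nat": nat_obj, "ace": ace, "action": "allow" if ace else "drop"}

if __name__ == "__main__":
    print(trace("1.1.1.2", 2048))                      # hits ACE 1 via my-DB
    print(trace("1.1.1.2", 1234))                      # no NAT -> drop
    print(trace("1.1.1.2", 2048, acl=MAPPED_IP_ACL))   # only the any/any ACE 2 hits
```

The last call reproduces the symptom of an ACE written against the NATed address: the specific rule never gets a hit and only a trailing permit any/any does.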
06-18-2014 01:11 AM
Marius,
I can't log in to the ASA now; maybe the end users have bypassed it. Anyway, I did try the packet tracer via ASDM and it showed the packet dropped due to implicit deny.
06-18-2014 01:16 AM
For which packet tracer did the packet drop? Did you use the public IP of the server or the private IP?
Was it denied at an ACL rule, a NAT rule, etc.?
If possible, take a screenshot of the ASDM packet tracer.
--
Please remember to select a correct answer and rate helpful posts