08-21-2013 08:29 AM - edited 03-11-2019 07:29 PM
Hi all,
Please help, as this one server is not able to surf the internet (port 80) although it is able to establish a site-to-site VPN with the other office. It seems that all the config is right, but I might have missed something... I post the config below (I deleted most of the object and VPN config).
: Saved
:
ASA Version 8.0(4)
!
hostname asalot10
enable password aY encrypted
passwd 2K encrypted
names
name 172.17.100.22 NAVNew
name 172.27.17.215 NECUser
name 172.47.1.10 NarayaServer
name 62.x.x.172 NarayaTelco1
name 62.x.x.178 NarayaTelco2
name 172.57.1.10 IPVSSvr description IPVSSvr
name 122.152.181.147 Japan01
name 122.152.181.0 Japan02
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 60.x.x.50 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.27.17.100 255.255.0.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
management-only
!
regex domainlist1 "\.youtube\.com"
regex domainlist2 "\.facebook\.com"
ftp mode passive
clock timezone SGT 8
access-list inside_access_in extended deny ip any Japan02 255.255.255.0
access-list inside_access_in extended deny tcp object-group PermitInternet any object-group torrent1
access-list inside_access_in extended permit ip object-group PermitInternet any
access-list inside_access_in extended permit ip host NarayaServer any
access-list inside_access_in extended permit ip host IPVSSvr any
access-list inside_access_in extended permit ip host NAVNew any
access-list inside_access_in extended permit ip host 172.17.100.30 any
access-list outside_access_in extended permit object-group NECareService object-group NECare any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host NarayaServer
access-list outside_1_cryptomap extended permit ip host NarayaServer object-group Nry_Png
access-list outside_1_cryptomap extended permit ip host NAVNew host 192.168.1.2
access-list outsidein extended permit tcp any host 60.x.x.50 eq https
access-list outsidein extended permit tcp object-group DM_INLINE_NETWORK_2 host 60.x.x.50 eq 8080
access-list outsidein extended permit ip object-group DM_INLINE_NETWORK_3 host IPVSSvr
access-list outsidein extended permit object-group rdp any host 60.x.x.50
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_mpc extended permit tcp any any eq www
access-list inside_nat0_outbound extended permit ip host NarayaServer any
access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248
pager lines 24
logging enable
logging list a1 level debugging
logging asdm informational
logging host inside NAVNew
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool lot10ippool 172.27.17.240-172.27.17.245 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 NAVNew 3389 netmask 255.255.255.255
access-group outsidein in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 60.x.x.49 1
route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
route inside NAVNew 255.255.255.255 172.27.17.100 1
route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
route inside NarayaServer 255.255.255.255 172.27.17.100 1
route inside 172.47.1.11 255.255.255.255 172.27.17.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http NAVNew 255.255.255.255 inside
http 172.17.100.30 255.255.255.255 inside
08-21-2013 08:42 AM
Hi,
What is the IP address of the server that isn't able to access the Internet? You didn't mention the IP address.
If everything else works at the moment, then it would seem that either the server has its network settings configured incorrectly or an ACL is blocking the connections on the firewall.
- Jouni
08-21-2013 08:44 AM
Oops..
The server is NarayaServer, 172.47.1.10.
The server itself has a site-to-site VPN established, but locally it can't do HTTP.
08-21-2013 08:48 AM
Hi,
I guess we could try using the "packet-tracer" command to show what configuration the server matches on the ASA.
packet-tracer input inside tcp 172.47.1.10 12345 8.8.8.8 80
Do you mean that the ASA has an L2L VPN established which the server 172.47.1.10 uses?
- Jouni
08-21-2013 08:54 AM
Hi,
Yup, correct, the server (172.47.1.10) has an L2L VPN established.
Below is the result of packet-tracer:
----
asalot10# packet-tracer input inside tcp 172.47.1.10 12345 8.8.8.8 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip host NarayaServer any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: inspect-http
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside host NarayaServer outside any
NAT exempt
translate_hits = 13760, untranslate_hits = 240
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255
match tcp inside host NarayaServer eq 8080 outside any
static translation to 60.54.140.50/8080
translate_hits = 0, untranslate_hits = 68
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 10 (60.54.140.50 [Interface PAT])
translate_hits = 1965839, untranslate_hits = 571759
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2074376, packet dispatched to next module
Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 60.54.140.49 using egress ifc outside
adjacency Active
next-hop mac address 0004.ed1d.f265 hits 939
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
08-21-2013 09:02 AM
Ah,
I was a bit blind.
The reason the server can't access the Internet is this NAT0 ACL line:
access-list inside_nat0_outbound extended permit ip host NarayaServer any
You should remove this line and specify the exact destination network behind the VPN in the ACL.
Since you have the destination set to "any", this means that even traffic to the Internet will go through the firewall WITHOUT NAT. This naturally means the connection fails.
Since I can't see your exact L2L VPN configuration I can only guess, so here is my guess at what you probably need.
You seem to have some Crypto Map related ACL
access-list outside_1_cryptomap extended permit ip host NarayaServer object-group Nry_Png
access-list outside_1_cryptomap extended permit ip host NAVNew host 192.168.1.2
According to the above, the ONLY destination networks/hosts that NAT0 should apply to for this local server are the networks/hosts configured under "object-group Nry_Png".
So you might need the following change to the NAT0 ACL:
access-list inside_nat0_outbound extended permit NarayaServer object-group Nry_Png
no access-list inside_nat0_outbound extended permit ip host NarayaServer any
Hope this helps
- Jouni
08-21-2013 09:20 AM
Hi,
Since you have only a single L2L VPN and VPN Client configuration, it would seem to me you could make the following changes, as I suggested:
access-list inside_nat0_outbound extended permit NarayaServer object-group Nry_Png
no access-list inside_nat0_outbound extended permit ip host NarayaServer any
After this the server should be able to access Internet.
- Jouni
08-21-2013 09:36 AM
Hi JouniForss,
Seems like the command couldn't be entered..? Please advise.
access-list inside_nat0_outbound extended permit NarayaServer object-group Nry_Png
08-21-2013 09:38 AM
Hi,
Sorry, one word was missing from there.
So the whole configuration:
access-list inside_nat0_outbound extended permit ip NarayaServer object-group Nry_Png
no access-list inside_nat0_outbound extended permit ip host NarayaServer any
Marked the previously missing part with RED.
- Jouni
08-21-2013 09:45 AM
Thanks, but after object group NarayaServer there is an error? It asks for a netmask.. I should put 255.255.255.255, right?
asalot10(config)# $bound extended permit ip NarayaServer ?
configure mode commands/options:
A.B.C.D Netmask for source IP address
asalot10(config)# $bound extended permit ip NarayaServer
08-21-2013 09:48 AM
Doh, still errors, sorry about that
access-list inside_nat0_outbound extended permit ip host NarayaServer object-group Nry_Png
no access-list inside_nat0_outbound extended permit ip host NarayaServer any
Was missing the "host" part this time.
- Jouni
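Jouni's diagnosis above (a NAT-exempt ACE with destination "any" also exempts Internet-bound traffic from interface PAT) and his final corrected ACL lines can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python model of how the ASA evaluates the nat 0 ACL top-down, run against the "before" and "after" ACLs from this thread. The contents of object-group Nry_Png are never shown on the page, so the 10.99.0.0/24 network used for it is a constructed placeholder; the function names are the example's own.

```python
import ipaddress

# Constructed lookup tables. NarayaServer is the name from the thread's config;
# object-group Nry_Png is never expanded on the page, so 10.99.0.0/24 is a
# placeholder for the remote VPN network, not the real one.
NAMES = {"NarayaServer": "172.47.1.10"}
OBJECT_GROUPS = {"Nry_Png": [ipaddress.ip_network("10.99.0.0/24")]}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one address spec (any | host X | object-group G | NET MASK)
    from the front of tokens; return ([networks], remaining_tokens)."""
    if not tokens:
        raise ValueError("missing address specification")
    kw = tokens[0]
    if kw == "any":
        return [ANY], tokens[1:]
    if kw == "host":
        addr = NAMES.get(tokens[1], tokens[1])
        return [ipaddress.ip_network(addr + "/32")], tokens[2:]
    if kw == "object-group":
        return list(OBJECT_GROUPS[tokens[1]]), tokens[2:]
    # Bare "NETWORK MASK" form, as in the VPN-pool line of the config.
    # A name without "host" lands here, which is why the ASA prompted for
    # a netmask in the thread.
    if len(tokens) < 2:
        raise ValueError("network form needs a netmask")
    addr = NAMES.get(kw, kw)
    return [ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False)], tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into
    (acl_name, [src networks], [dst networks])."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"not an 'extended permit ip' ACE: {line}")
    srcs, rest = _parse_addr(t[5:])
    dsts, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest!r} in: {line}")
    return t[1], srcs, dsts


def is_valid_ace(line):
    """True if the line parses; the two intermediate suggestions in the
    thread (missing 'ip', then missing 'host') both fail here."""
    try:
        parse_ace(line)
        return True
    except (ValueError, KeyError, IndexError):
        return False


def nat_exempt_match(acl_lines, src_ip, dst_ip):
    """Top-down evaluation like the ASA's NAT-EXEMPT phase: return the first
    ACE that would send src->dst out of the outside interface untranslated,
    or None if the flow falls through to the nat/global PAT rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        _, srcs, dsts = parse_ace(line)
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return line
    return None


def overly_broad(acl_lines):
    """ACEs whose destination is 'any': they also exempt Internet-bound
    flows from PAT, so replies can never come back to the private source."""
    return [line for line in acl_lines if ANY in parse_ace(line)[2]]


# The nat 0 ACL as posted, and as corrected in Jouni's final answer.
BEFORE = [
    "access-list inside_nat0_outbound extended permit ip host NarayaServer any",
    "access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248",
]
AFTER = [
    "access-list inside_nat0_outbound extended permit ip host NarayaServer object-group Nry_Png",
    "access-list inside_nat0_outbound extended permit ip any 172.27.17.240 255.255.255.248",
]

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        print(label, "Internet  :", nat_exempt_match(acl, "172.47.1.10", "8.8.8.8"))
        print(label, "VPN site  :", nat_exempt_match(acl, "172.47.1.10", "10.99.0.7"))
        print(label, "too broad :", overly_broad(acl))
```

With the original ACL, the flow 172.47.1.10 -> 8.8.8.8 matches the first ACE and leaves untranslated, which is what the packet-tracer NAT-EXEMPT phase above reported; with the corrected ACL it matches nothing and falls through to the interface PAT rule, while traffic to the VPN network and to the VPN-client pool still stays exempt. The `overly_broad` check is a quick audit for the same mistake on other nat 0 ACLs.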
08-21-2013 10:00 AM
Thanks a lot. Your help is much appreciated. All works.