Solved

Cisco ASA5505 Not able to NAT ports appear to be closed

Posted on 2011-03-20
816 Views
Last Modified: 2012-05-11
I am trying to NAT port 80 from my outside interface (Internet WAN) to my inside interface (local IP address 192.168.1.0).

For whatever reason, when I go to grc.com and perform a port scan, port 80 shows as stealth, whereas it would show open if it was working.

What I do see as open, and I don't understand why, are the following ports:

22 - SSH
443 - HTTPS

Is this normal? Should they be closed? Is my current config wrong???

I have created a network object as Webserver

asa5505(config)# object network Webserver
asa5505(config-network-object)# host 192.168.1.1
asa5505(config-network-object)# nat (inside,outside) static interface service tcp www www

Exit back to the root and add the access list
access-list outside_in permit tcp any interface outside eq 81

This all appears to work fine but I am not able to get access to the webpage that should work on the server behind the firewall.

I have looked at the real time log viewer to see what's happening, filtered the results by the IP address I am coming in on, and see: TCP access denied by ACL from xxx.xxx.xxx.xxx /1094 to outside: xxx.xxx.xxx.xxx /80

I am at a bit of a loss as to what to do next.

Any help would be greatly appreciated.

I will upload my running config so you will see what I am working with

Question by:Robert_Rayworth

23 Comments
 
LVL 24

Expert Comment

by:Ken Boone
ID: 35175917
So basically you have NAT'd the outside interface IP address on the ASA to your server for port 80 traffic.  The problem is that your access-list, which should be applied to the outside interface, is allowing port 81, not 80.  So that is why you are getting the ACL blocked message.

In addition, you are scanning and seeing ports 22 and 443, which are SSH and HTTPS, so I am assuming you have SSH and HTTPS turned on for management purposes and that is why you are seeing that.
0
 

Author Comment

by:Robert_Rayworth
ID: 35175959
I also noticed the port 81 typo, which really is port 80. I did try port 81 just in case that port had a problem, but I also got the same result.

This is the current config



: Saved
:
ASA Version 8.3(1)
!
hostname ASA-5505
domain-name test.com
enable password VOwq8/1m32vK4uiI encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 mac-address 0024.813b.b0eb
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.168.4.100
 name-server 194.168.8.100
 domain-name test.com
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network internal_lan
 subnet 192.168.1.0 255.255.255.0
object network Webserver
 host 192.168.1.101
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp any interface outside eq 80
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network internal_lan
 nat (inside,outside) dynamic interface
object network Webserver
 nat (inside,outside) static interface service tcp www www
access-group inside_access_in in interface inside
access-group outside_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd dns 194.168.4.100 interface inside
dhcpd wins 194.168.8.100 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
username user1 password xxxxxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:08bc2e9bf10e3acec8c47c0305575c20
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 35175980
Your ACL is messing you up:

access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp any interface outside eq 80

It is order specific, top-down.  So the traffic is matching the 2nd line, which is deny ip any any, and is getting blocked.  Remove the deny ip any any statement and you should be good.  

There is actually an implicit deny ip any any line at the end of each ACL so you don't need to add it in this case.  Just remove it and you should be good.
0
 

Author Comment

by:Robert_Rayworth
ID: 35175992
You're a star, that makes total sense. I will try it in a few minutes and let you know.
I have spent so long trying to see the wood for the trees I could see what was staring me in the face :-)
0
 

Author Comment

by:Robert_Rayworth
ID: 35176055
I have removed that rule or so I think and still no joy

config below

: Saved
:
ASA Version 8.3(1)
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 mac-address 0024.813b.b0eb
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.168.4.100
 name-server 194.168.8.100
 domain-name test.com
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network internal_lan
 subnet 192.168.1.0 255.255.255.0
object network AXIS
 host 192.168.1.101
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any interface outside eq 81
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network internal_lan
 nat (inside,outside) dynamic interface
object network AXIS
 nat (inside,outside) static interface service tcp 81 81
access-group inside_access_in in interface inside
access-group outside_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd dns 194.168.4.100 interface inside
dhcpd wins 194.168.8.100 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
username user1 password xxxxxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:54dd7650a496eeeff594036e3fc6e4fb
: end
asdm image disk0:/asdm-631.bin
no asdm history enable

0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 35176134
You still have the typo on port 81.

...
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any interface outside eq 81

change it to 80
0
 

Author Comment

by:Robert_Rayworth
ID: 35176161
I understand that but I have the webserver using port 81 at the moment not using port 80 but I could change it if you like??

As it currently doesn't work
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 35176187
Oh OK, didn't realize that.  Let me look at it some more... 81 is fine.
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 35176193
So just to confirm .. from a device on the inside you can hit the webserver on port 81 with no problem right now?  Is that correct?
0
 

Author Comment

by:Robert_Rayworth
ID: 35176204
Yes, that's correct, I get the internal web page how it should look on port 81.
I only changed from port 80 to 81 after trying several hours and thought maybe the issue was with that port.
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 35176235
What do you see in the logs now when you try to hit it from the outside?  You should not be getting a deny due to ACL message any more.

BTW .. I hate the changes they put into 8.3 with nat!
0
 

Author Comment

by:Robert_Rayworth
ID: 35176255
I am getting the ASDM syslog message:
TCP access denied by ACL

I agree 8.3 sucks at NAT I never had this kind of problem
0
 

Author Comment

by:Robert_Rayworth
ID: 35176265
3      Mar 20 2011      10:54:50      710003      212.183.128.xxx      2191      86.26.54.xx      80      TCP access denied by ACL from 212.183.128.xx/2191 to outside:86.26.54.xx/80
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 35176295
Dude, save your config and reboot the box.  That is showing the outside device coming in on port 80, which means your ACL has to show port 80 as well as the object command that shows access to service 80.  Just double check all of that.  Then reboot the box.
0
 

Author Comment

by:Robert_Rayworth
ID: 35176351
Checked and rebooted, still getting the same problem.
So does the config look ok?
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 35176398
Post the config as it is now and let me look at it.
0
 

Author Comment

by:Robert_Rayworth
ID: 35176426
I  have changed the webserver to port 80 and this is working internally not port 81 if need be I could change it back

: Saved
:
ASA Version 8.3(1)
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 mac-address 0024.813b.b0eb
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 194.168.4.100
 name-server 194.168.8.100
 domain-name test.com
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network internal_lan
 subnet 192.168.1.0 255.255.255.0
object network AXIS
 host 192.168.1.101
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any object AXIS eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network internal_lan
 nat (inside,outside) dynamic interface
object network AXIS
 nat (inside,outside) static interface service tcp www www
access-group inside_access_in in interface inside
access-group outside_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd dns 194.168.4.100 interface inside
dhcpd wins 194.168.8.100 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
username user1 password xxxxxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1b4b27097dd85f5432645d637fe19b02
: end
asdm image disk0:/asdm-631.bin
no asdm history enable

0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 35176521
The config looks good.  For grins get rid of this line:

access-group global_access global

I never use a global ACL.  

Is the log still showing deny by ACL?  I'm not seeing it.
0
 

Author Comment

by:Robert_Rayworth
ID: 35176597
Ok I have removed the access-group global_access global line

Just checking the log for the deny ACL
0
 

Author Comment

by:Robert_Rayworth
ID: 35176680
I can't find the screen where you filter your firewall results. I think I am losing the plot.
0
 

Author Comment

by:Robert_Rayworth
ID: 35176740
Nope, still the same, still getting 3      Mar 20 2011      12:58:39      710003      212.183.128.45      45028      86.26.54.99      80      TCP access denied by ACL from 212.183.128.45/45028 to outside:86.26.54.99/80
0
 
LVL 1

Expert Comment

by:question01
ID: 35177151
It is because the object AXIS is an internal address.

The outside access list needs to permit traffic to the external pre-NAT address, which is the interface in this instance.

access-list outside_in extended permit tcp any (outside interface ip) eq www
0
 
LVL 24

Accepted Solution

by:Ken Boone (earned 500 total points)
ID: 35177658
question01, that would be true if using 8.2 code and prior, but all of that has changed with 8.3.  


      "When using NAT or PAT, mapped addresses and ports are no longer required in an access list for several features. You should now always use the real, untranslated addresses and ports for these features. Using the real address and port means that if the NAT configuration changes, you do not need to change the access lists"

Taken from
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp40036

0
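Both of the points Ken makes in this thread can be seen in a small model: an ACL is matched top-down with first match winning and an implicit deny at the end (his comment on the `deny ip any any` line), and from 8.3 on the outside ACL is checked against the real, untranslated destination rather than the mapped one (the accepted answer). The Python below is an added example, not ASA code and not anything posted in the thread; it simplifies the ASA's packet flow to just "undo static NAT, then evaluate the ACL". The outside interface address 203.0.113.10 and the client 198.51.100.7 are constructed stand-ins for the masked addresses in the posts, 192.168.1.101 is the web server from the posted config, and the ICMP type on the echo-reply line is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OUTSIDE_IP = "203.0.113.10"   # constructed: stands in for the masked outside interface IP
WEBSERVER = "192.168.1.101"   # object network AXIS / Webserver in the posted config
CLIENT = "198.51.100.7"       # constructed: an Internet client


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any", or a host / CIDR
    dst: str
    dport: Optional[int] = None   # None: any destination port


def _net(spec: str):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in _net(ace.src) or ip_address(pkt.dst) not in _net(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate_acl(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Line None means the implicit 'deny ip any any'."""
    for line_no, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, line_no
    return "deny", None


@dataclass(frozen=True)
class StaticPat:
    """nat (inside,outside) static interface service tcp <real-port> <mapped-port>"""
    real_ip: str
    mapped_ip: str
    proto: str
    real_port: int
    mapped_port: int


def untranslate(rules: List[StaticPat], pkt: Packet) -> Packet:
    """Rewrite an inbound packet's destination from the mapped to the real address."""
    for r in rules:
        if (pkt.proto, pkt.dst, pkt.dport) == (r.proto, r.mapped_ip, r.mapped_port):
            return Packet(pkt.proto, pkt.src, r.real_ip, r.real_port)
    return pkt


def inbound_verdict(version: Tuple[int, int], acl, nat_rules, pkt):
    """8.2 and earlier: the outside ACL sees the mapped (pre-NAT) destination.
    8.3 and later: NAT is undone first, so the ACL sees the real destination."""
    if version >= (8, 3):
        pkt = untranslate(nat_rules, pkt)
    return evaluate_acl(acl, pkt)


# The static PAT from the posted config: server tcp/80 mapped to the interface, tcp/80.
NAT = [StaticPat(WEBSERVER, OUTSIDE_IP, "tcp", 80, 80)]

# outside_in as first posted, in the order it appeared.
ACL_AS_POSTED = [
    Ace("permit", "icmp", "any", "any"),          # permit icmp any any echo-reply
    Ace("deny", "ip", "any", "any"),              # the explicit deny Ken flagged
    Ace("permit", "tcp", "any", OUTSIDE_IP, 80),  # permit tcp any interface outside eq 80
]
# Mapped-address form: correct on 8.2, and what question01 suggested.
ACL_MAPPED = [Ace("permit", "icmp", "any", "any"), Ace("permit", "tcp", "any", OUTSIDE_IP, 80)]
# Real-address form: "permit tcp any object AXIS eq www", the 8.3 way.
ACL_REAL = [Ace("permit", "icmp", "any", "any"), Ace("permit", "tcp", "any", WEBSERVER, 80)]

WEB_REQUEST = Packet("tcp", CLIENT, OUTSIDE_IP, 80)   # what the Internet sees the ASA as


def run_scenarios():
    return {
        "posted_order_83": inbound_verdict((8, 3), ACL_AS_POSTED, NAT, WEB_REQUEST),
        "mapped_acl_82": inbound_verdict((8, 2), ACL_MAPPED, NAT, WEB_REQUEST),
        "mapped_acl_83": inbound_verdict((8, 3), ACL_MAPPED, NAT, WEB_REQUEST),
        "real_acl_83": inbound_verdict((8, 3), ACL_REAL, NAT, WEB_REQUEST),
    }


if __name__ == "__main__":
    for name, (action, line) in run_scenarios().items():
        print(f"{name:16s} -> {action} ({'line %d' % line if line else 'implicit deny'})")
```

Running it shows the thread's progression: with the explicit `deny ip any any` in second place the request is dropped at line 2 regardless of what follows; the mapped-address ACE permits on 8.2 but falls through to the implicit deny on 8.3 because the ACL is evaluated after un-NAT; and the `object AXIS eq www` form permits on 8.3.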
