Web Application Server

dissai
Level 1

Dear Community,

I'm asking for your guidance. I have come across a challenge on Cisco ASA version 9.8. I need to allow a web server to be accessed from outside (Public), i.e. from the DMZ zone to the Outside zone, per the configuration template below. NAT is translating, but the access-list gets no hits, with the result that I can ping the translated IP from outside but I am not able to open the application (the page does not load). Kindly assist; the configuration and the packet-tracer output from the outside and DMZ legs are shared below.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 200.100.1.2 255.255.255.248
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 80
ip address 172.16.10.253 255.255.255.0
!

!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN
subnet 192.168.50.0 255.255.255.0
object network ASDM
host 155.12.32.90
object network vpn_subnet
subnet 10.6.7.0 255.255.255.0
object network dmz_subnet
subnet 172.16.10.0 255.255.255.0
object network webserver-external-ip
host 200.100.1.2
object network web_server
host 172.16.10.50
object network MONITOR_SRV
host 192.168.50.114
object network SWITCH_HOST
host 192.168.50.2
object network OUTSIDE_INTERFACE
host 200.100.1.2
object network Water_Gateway_NAT
host 200.100.1.70
object network Water_Gateway
host 172.16.10.70
object-group network OBJ-SITE-ASA
network-object host 172.16.10.50

object-group network DMZ_SERVERS
network-object host 172.16.10.51
object-group network DMZ-Network
network-object 172.16.10.0 255.255.255.0
object-group network Outside-Network
network-object 200.100.1.0 255.255.255.0
object-group network NETWORK_Devices
network-object host 192.168.50.1
network-object host 192.168.50.2
network-object host 192.168.50.114
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list management_access_in extended permit ip any any
access-list management_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any4 object Water_Gateway object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in extended permit tcp any interface outside eq 32007
access-list outside_access_in extended permit tcp any host 41.188.165.190 eq https
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit tcp any object Water_Gateway eq www
access-list outside_access_in extended permit tcp any object Water_Gateway eq https
access-list dmz_access_in extended permit tcp object Water_Gateway any eq https
access-list dmz_access_in extended permit tcp object Water_Gateway any eq www
access-list dmz_access_in extended deny ip any object LAN_network
access-list dmz_access_in extended permit ip any any
access-list ACL_MACOS standard permit host 192.168.50.114
access-list ACL_MACOS standard permit host 192.168.50.2
access-list ACL_MACOS standard permit host 192.168.50.1
access-list ACL_MACOS standard permit 172.16.10.0 255.255.255.0
access-list dmz_access_out extended permit icmp any any
access-list inside_access_in extended permit ip host 200.100.1.1 10.6.7.0 255.255.255.0

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu MGMT 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7202.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE,outside) source dynamic LAN_network interface
nat (outside,any) source static ASDM ASDM destination static interface any
nat (outside,DMZ) source static vpn_subnet vpn_subnet destination static dmz_subnet dmz_subnet
nat (INSIDE,outside) source static NETWORK_Devices NETWORK_Devices destination static vpn_subnet vpn_subnet
nat (DMZ,outside) source static dmz_subnet dmz_subnet destination static LAN_network LAN_network
!
object network LAN_network
nat (INSIDE,outside) dynamic interface
object network dmz_subnet
nat (DMZ,outside) dynamic interface
object network web_server
nat (DMZ,outside) static 200.100.1.51
object network Water_Gateway
nat (DMZ,outside) static Water_Gateway_NAT
access-group outside_access_in in interface outside
access-group dmz_access_in in interface DMZ
access-group dmz_access_out out interface DMZ
access-group management_access_in in interface MGMT
route MGMT 0.0.0.0 0.0.0.0 172.16.5.2 1
route outside 0.0.0.0 0.0.0.0 200.100.1.1 1
route outside 10.6.7.0 255.255.255.0 200.100.1.1 1
route outside 200.100.1.51 255.255.255.255 200.100.1.1 1


crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint REMOTE_VPN
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ikev2 enable outside
telnet timeout 5


!
webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-macos-4.10.04065-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.10.04065-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-linux64-4.10.08029-webdeploy-k9.pkg 3
anyconnect profiles profile_macos disk0:/anyconnect_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy ASA-TO-FTD internal
group-policy ASA-TO-FTD attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-client
group-policy REMOTE_L2L_VPN internal
group-policy REMOTE_L2L_VPN attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_MACOS
default-domain value LAN.co.tz
webvpn
anyconnect profiles value profile_macos type user
dynamic-access-policy-record DfltAccessPolicy


tunnel-group REMOTE_VPN type remote-access
tunnel-group REMOTE_VPN general-attributes
address-pool VPN_POOL_MACOS
default-group-policy REMOTE_L2L_VPN
tunnel-group REMOTE_VPN webvpn-attributes
group-alias LAN_ONENET enable
tunnel-group LAN_DEVOPS type remote-access
tunnel-group LAN_DEVOPS webvpn-attributes
group-alias LAN_DEVOPS enable
!
——————————————————————————————————————————————

 

# packet-tracer input outside tcp 5.5.5.5 1234 200.100.1.70 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,outside) source static Water_Gateway Water_Gateway_NAT
Additional Information:
NAT divert to egress interface DMZ
Untranslate 200.100.1.70/80 to 172.16.10.70/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Water_Gateway eq www
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,outside) source static Water_Gateway Water_Gateway_NAT
Additional Information:
Static translate 5.5.5.5/1234 to 5.5.5.5/1234

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

———————————————————————————————————————————————————————————

# packet-tracer input DMZ tcp 5.5.5.5 1234 200.100.1.70 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 200.100.1.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface DMZ
access-list dmz_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3476841, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

#

35 Replies

Did @MHM Cisco World's comment really help you? Please select the actual comment that assisted you so that others who are having similar issues can easily find the solution that helped you, and not just a request for your current configuration.

--
Please remember to select a correct answer and rate helpful posts

Then you need the following access-list entry

access-list dmz_access_in extended permit ip 172.16.10.0 255.255.255.0 192.168.50.0 255.255.255.0

access-group dmz_access_in in interface DMZ

--
Please remember to select a correct answer and rate helpful posts

Hello Marius,

No hits on the access list, as per below.
access-list dmz_access_in line 3 extended permit ip 172.16.10.0 255.255.255.0 192.168.50.0 255.255.255.0 (hitcnt=3) 0x6918cac1

You have 3 hits there... How are you testing? Just ping? Or something else also?

Do you have inspect icmp configured under the default policy-map? (show run policy-map)

Also, do a packet-tracer to verify whether traffic is allowed through the firewall.

packet-tracer input interface DMZ tcp 172.16.10.5 443 192.168.50.10 443

--
Please remember to select a correct answer and rate helpful posts

I think my issue is that the ACL prefers the outside instead of the inside interface, DMZ.



packet-tracer input DMZ tcp 172.16.10.70 443 192.168.50.11$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,outside) source static dmz_subnet dmz_subnet destination static INSIDE_network INSIDE_network
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.50.114/443 to 192.168.50.114/443

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_access_in in interface DMZ
access-list dmz_access_in extended permit ip object Water_Gateway object INSIDE_network
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ, outside) source static dmz_subnet dmz_subnet destination static INSIDE_network INSIDE_network
Additional Information:
Static translate 172.16.10.70/443 to 172.16.10.70/443

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,outside) source static dmz_subnet dmz_subnet destination static INSIDE_network INSIDE_network
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4891534, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

(config)# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!

No, your ACL will never change the destination of a packet...however your NAT statement will.  It looks like you have an incorrect NAT statement.

nat (DMZ, outside) source static dmz_subnet dmz_subnet destination static INSIDE_network INSIDE_network

the INSIDE_network object is not included in your running config that you posted so I am not sure what subnets are included here.  But you will either need to exclude the INSIDE network (192.168.50.0/24) from this NAT statement, or if the INSIDE_network only contains that subnet, remove or disable that NAT statement.

Once this is done, test again with connectivity and packet-tracer

--
Please remember to select a correct answer and rate helpful posts
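To make the two traces in this thread concrete, here is a small Python model, added to this thread and not code from Cisco or from any poster, of the order packet-tracer applies on ASA 8.3 and later: un-NAT / NAT divert first, then the ingress ACL evaluated against the real (untranslated) destination, then any ACL applied with `access-group ... out` on the egress interface, and a route lookup only when no NAT rule already picked the egress interface. It ignores connection state, inspection and the VPN phases. The objects, NAT rules and ACEs are taken from the posted config; INSIDE_network is not in the posted config, so it is assumed here to be 192.168.50.0/24. Run as written it reproduces both traces: the outside-to-DMZ HTTP flow passes outside_access_in but ends in an implicit deny because dmz_access_out, which is applied outbound on DMZ, permits only ICMP (the model attributes the phase-8 drop to that ACL, which also fits ping working while the page does not load), and the DMZ-to-192.168.50.114 flow is diverted to outside by the twice-NAT rule, going to INSIDE only once that rule is removed, as the last reply suggests.

```python
"""Toy model of the ASA 8.3+ packet path as packet-tracer reports it:
un-NAT / NAT divert -> ingress ACL on real IPs -> egress ACL (if applied
with 'access-group ... out') -> route lookup when NAT chose no egress.
Constructed from the objects in the thread's posted config; not ASA code."""
import ipaddress

N = ipaddress.ip_network
OBJECTS = {
    "any": N("0.0.0.0/0"),
    "Water_Gateway": N("172.16.10.70/32"),
    "Water_Gateway_NAT": N("200.100.1.70/32"),
    "dmz_subnet": N("172.16.10.0/24"),
    # INSIDE_network is absent from the posted config; assumed to be the INSIDE LAN.
    "INSIDE_network": N("192.168.50.0/24"),
}

# Manual (twice) NAT, section 1, first match wins:
# (real_ifc, mapped_ifc, real_src, mapped_src, real_dst, mapped_dst)
TWICE_NAT = [("DMZ", "outside", "dmz_subnet", "dmz_subnet",
              "INSIDE_network", "INSIDE_network")]
# Object NAT, section 2: (real_ifc, mapped_ifc, real_obj, mapped_obj)
OBJECT_NAT = [("DMZ", "outside", "Water_Gateway", "Water_Gateway_NAT")]

# Connected routes plus the default route from the posted config.
ROUTES = [(N("192.168.50.0/24"), "INSIDE"), (N("172.16.10.0/24"), "DMZ"),
          (N("200.100.1.0/29"), "outside"), (N("0.0.0.0/0"), "outside")]

# ACEs as (action, proto, src_obj, dst_obj, dst_port or None); implicit deny last.
ACLS = {
    "outside_access_in": [("permit", "tcp", "any", "Water_Gateway", 80),
                          ("permit", "tcp", "any", "Water_Gateway", 443),
                          ("permit", "icmp", "any", "any", None)],
    "dmz_access_in": [("permit", "ip", "any", "any", None)],
    "dmz_access_out": [("permit", "icmp", "any", "any", None)],
}
ACCESS_GROUPS = {("outside", "in"): "outside_access_in",
                 ("DMZ", "in"): "dmz_access_in",
                 ("DMZ", "out"): "dmz_access_out"}


def in_obj(ip, name):
    return ipaddress.ip_address(ip) in OBJECTS[name]


def nat_lookup(ingress, src, dst, twice_nat):
    """Return (egress_ifc, real_dst) chosen by NAT, or None if no rule matches."""
    for real_ifc, mapped_ifc, rsrc, msrc, rdst, mdst in twice_nat:
        if real_ifc == ingress and in_obj(src, rsrc) and in_obj(dst, rdst):
            return mapped_ifc, dst          # forward hit: divert to the mapped side
        if mapped_ifc == ingress and in_obj(src, mdst) and in_obj(dst, msrc):
            return real_ifc, dst            # reverse hit (identity NAT here)
    for real_ifc, mapped_ifc, robj, mobj in OBJECT_NAT:
        if mapped_ifc == ingress and in_obj(dst, mobj):
            # /32 object: untranslate the mapped host to its single real host
            return real_ifc, str(OBJECTS[robj].network_address)
    return None


def acl_check(acl_name, proto, src, dst, dport):
    for action, aproto, sobj, dobj, aport in ACLS[acl_name]:
        if aproto not in ("ip", proto):
            continue
        if in_obj(src, sobj) and in_obj(dst, dobj) and aport in (None, dport):
            return action
    return "deny"                           # implicit deny at the end of every ACL


def route_lookup(dst):
    matches = [r for r in ROUTES if ipaddress.ip_address(dst) in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]   # longest prefix wins


def trace(ingress, proto, src, dst, dport=None, twice_nat=TWICE_NAT):
    """Mimic packet-tracer: NAT divert, ingress ACL on the real dst, egress ACL, route."""
    hit = nat_lookup(ingress, src, dst, twice_nat)
    egress, real_dst = hit if hit else (route_lookup(dst), dst)
    result = {"egress": egress, "real_dst": real_dst, "action": "allow", "by": None}
    in_acl = ACCESS_GROUPS.get((ingress, "in"))
    if in_acl and acl_check(in_acl, proto, src, real_dst, dport) == "deny":
        return dict(result, action="drop", by=in_acl)
    out_acl = ACCESS_GROUPS.get((egress, "out"))
    if out_acl and acl_check(out_acl, proto, src, real_dst, dport) == "deny":
        return dict(result, action="drop", by=out_acl)
    return result


if __name__ == "__main__":
    # The same flows as the thread's two traces, plus the ping that does work.
    print(trace("outside", "tcp", "5.5.5.5", "200.100.1.70", 80))
    print(trace("outside", "icmp", "5.5.5.5", "200.100.1.70"))
    print(trace("DMZ", "tcp", "172.16.10.70", "192.168.50.114", 443))
    # With the twice-NAT rule removed, as the last reply suggests:
    print(trace("DMZ", "tcp", "172.16.10.70", "192.168.50.114", 443, twice_nat=[]))
```

The model evaluates ACLs on the real address on purpose: that is why outside_access_in matches `object Water_Gateway` (172.16.10.70) for a packet sent to 200.100.1.70, exactly as phase 3 of the first trace shows. The practical check it suggests is `show access-list dmz_access_out` after each test, since a drop by an outbound ACL shows up as an implicit-rule ACCESS-LIST phase rather than as a miss on the inbound ACL.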