2011 Views, 6 Helpful, 25 Replies

TLS and Static NAT with Port-translation

tham89
Level 1

Hi! I've been following CLI Book 2: Cisco Secure Firewall ASA Series Firewall CLI Configuration Guide, 9.18, specifically around Static NAT with Port Translation for Non-Standard Ports. I'm attempting to listen on *:4433 and rewrite it inside to a server listening on 443. The 443 policy that doesn't attempt to modify the port works fine to both servers; only when I try to rewrite the port does the actual application fail. I'm almost starting to feel stupid for even asking, now that I've explained it in detail, but I guess here goes nothing.

It seems like both servers are in good working order, and so do the access policy, conn logs, xlate, and traffic from TCPDump at both ends of the capture, but I guess we never bothered to ask if the application layer will even tolerate mangling of this sort. Will having the client and server disagree about the destination port ever be tolerated by HTTPS/TLS? ... Did I miss something else in this configuration?

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static inside-server-althttps interface service tcp https 4433
translate_hits = 0, untranslate_hits = 4
Source - Origin: 192.168.1.2/32, Translated: 86.75.30.9/30
Service - Protocol: tcp Real: https Mapped: 4433
2 (inside) to (outside) source static inside-server-https interface service tcp https https
translate_hits = 0, untranslate_hits = 34
Source - Origin: 192.168.1.3/32, Translated: 86.75.30.9/30
Service - Protocol: tcp Real: https Mapped: https
3 (inside) to (outside) source dynamic lan-inside interface
translate_hits = 59830, untranslate_hits = 13770
Source - Origin: 192.168.1.0/24, Translated: 86.75.30.9/30

25 Replies

tcp ping inside (without specifying a source) will originate the packet from the inside interface IP and should not involve the ACL on the ASA at all.

As to your other server, can you post a packet-tracer with the keyword "detailed" at the end?


Here's the detailed logs ... This all still looks right to me.

# packet-tracer input outside tcp 86.75.30.9 64151 55.5.12.34 4433 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 18176 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=13, domain=capture, deny=false
hits=9000, user_data=0x7f7b, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 18176 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=1, domain=permit, deny=false
hits=9000, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 14848 ns
Config:
nat (inside,outside) source static server-althttps interface service TCP4433 TCP4433
Additional Information:
NAT divert to egress interface inside
Untranslate 86.75.30.9/4433 to 192.168.1.2/4433

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6912 ns
Config:
access-group outside-access in interface outside
access-list outside-access extended permit tcp object-group ext host 192.168.1.2 eq 4433
object-group network ext
network object host 55.5.12.34
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=13, domain=permit, deny=false
hits=2, user_data=0x7f7b, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=55.5.12.34, mask=255.255.255.255, port=0, tag=any
dst ip/id=192.168.1.2, mask=255.255.255.255, port=4433, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 6912 ns
Config:
nat (inside,outside) source static server-althttps interface service TCP4433 TCP4433
Additional Information:
Static translate 55.5.12.34/64151 to 55.5.12.34/64151
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=6, domain=nat, deny=false
hits=53, user_data=0x7f7b, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=86.75.30.9, mask=255.255.255.255, port=4433, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=inside

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6912 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=0, domain=nat-per-session, deny=false
hits=9000, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6912 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=0, domain=inspect-ip-options, deny=true
hits=9000, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 27136 ns
Config:
nat (inside,outside) source static server-althttps interface service TCP4433 TCP4433
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f7b, priority=6, domain=nat-reverse, deny=false
hits=55, user_data=0x7f7b, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=192.168.1.2, mask=255.255.255.255, port=4433, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=inside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 22016 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f7b, priority=0, domain=nat-per-session, deny=false
hits=9000, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 1024 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f7b, priority=0, domain=inspect-ip-options, deny=true
hits=9000, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 52736 ns
Config:
Additional Information:
New flow created with id 200001, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 13824 ns
Config:
Additional Information:
Found next-hop 192.168.1.2 using egress ifc inside

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 2560 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 192.168.1.2 on interface inside
Adjacency :Active
MAC address 0040.dead.beef hits 8 reference 3

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Time Taken: 198144 ns
# packet-tracer input inside tcp 192.168.1.2 4433 55.5.12.34 65141 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 16384 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=13, domain=capture, deny=false
hits=9000, user_data=0x7f7b, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 16384 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=1, domain=permit, deny=false
hits=9000, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 23552 ns
Config:
Additional Information:
Found next-hop 86.75.30.10 using egress ifc outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6784 ns
Config:
access-group lan_inside in interface inside
access-list lan_inside extended permit ip object lan-inside any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=13, domain=permit, deny=false
hits=9000, user_data=0x7f7b, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 6784 ns
Config:
nat (inside,outside) source static server-althttps interface service TCP4433 TCP4433
Additional Information:
Static translate 192.168.1.2/4433 to 86.75.30.9/4433
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=6, domain=nat, deny=false
hits=0, user_data=0x7f7b, cs_id=0x0, flags=0x0, protocol=6
src ip/id=192.168.1.2, mask=255.255.255.255, port=4433, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside, output_ifc=outside

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6784 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=0, domain=nat-per-session, deny=false
hits=9000, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6784 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7b, priority=0, domain=inspect-ip-options, deny=true
hits=9000, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 30720 ns
Config:
nat (inside,outside) source static server-althttps interface service TCP4433 TCP4433
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f7bfc767c60, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7f7b, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=192.168.1.2, mask=255.255.255.255, port=4433, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside, output_ifc=outside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 43008 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f7b, priority=0, domain=nat-per-session, deny=false
hits=9000, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 1024 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f7b, priority=0, domain=inspect-ip-options, deny=true
hits=9000, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 46592 ns
Config:
Additional Information:
New flow created with id 200002, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 13824 ns
Config:
Additional Information:
Found next-hop 86.75.30.10 using egress ifc outside

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 2560 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 86.75.30.10 on interface outside
Adjacency :Active
MAC address 0020.dead.beef hits 9000 reference 46

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Time Taken: 221184 ns
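The two traces above are long, and the line that actually answers the question (whether the destination port was rewritten in the UN-NAT phase) is easy to miss. The following is an added example, not code from the thread or from Cisco: a small parser for `packet-tracer ... detailed` output that collects each phase's result, extracts the "Untranslate A/port to B/port" and "Static translate A/port to B/port" lines, and reports when the untranslated destination port is not the port the real server listens on. The sample input is constructed from the first trace posted above, trimmed to the phases the parser reads; the mapped port 4433 and real port 443 are the values the original question states as the goal.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the UN-NAT, NAT and result sections of the trace posted
# in this thread, trimmed to the lines this parser looks at.
SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static server-althttps interface service TCP4433 TCP4433
Additional Information:
NAT divert to egress interface inside
Untranslate 86.75.30.9/4433 to 192.168.1.2/4433

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static server-althttps interface service TCP4433 TCP4433
Additional Information:
Static translate 55.5.12.34/64151 to 55.5.12.34/64151

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
KV_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
ACTION_RE = re.compile(r"^Action:\s*(\w+)")
XLATE_RE = re.compile(
    r"^(Untranslate|Static translate)\s+"
    r"(?P<a_ip>[\d.]+)/(?P<a_port>\d+)\s+to\s+"
    r"(?P<b_ip>[\d.]+)/(?P<b_port>\d+)"
)


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    # (kind, from_ip, from_port, to_ip, to_port) for each translation line
    translations: list = field(default_factory=list)


@dataclass
class Trace:
    phases: list
    action: str


def parse_packet_tracer(text):
    """Split packet-tracer output into phases and pull out the NAT rewrites."""
    phases, current, section, action = [], None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Result:":          # bare "Result:" opens the final summary block
            current = None
            continue
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        m = ACTION_RE.match(line)
        if m:
            action = m.group(1).lower()
            continue
        if current is None:
            continue
        m = KV_RE.match(line)
        if m:
            setattr(current, m.group(1).lower(), m.group(2).strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config" and line:
            current.config.append(line)
        elif section == "info":
            m = XLATE_RE.match(line)
            if m:
                current.translations.append((m.group(1), m["a_ip"], int(m["a_port"]),
                                             m["b_ip"], int(m["b_port"])))
    return Trace(phases, action)


def check_port_translation(trace, mapped_port, real_port):
    """Return a list of findings; an empty list means the trace shows what was intended."""
    findings = [f"phase {p.number} ({p.type}) result {p.result}"
                for p in trace.phases if p.result.upper() != "ALLOW"]
    if trace.action != "allow":
        findings.append(f"final action is {trace.action!r}")
    untranslates = [t for p in trace.phases if p.type == "UN-NAT"
                    for t in p.translations if t[0] == "Untranslate"]
    if not untranslates:
        findings.append("no UN-NAT phase rewrote the destination: no static NAT rule matched")
    for _, _, mapped, real_ip, real in untranslates:
        if mapped == mapped_port and real != real_port:
            findings.append(f"destination /{mapped} untranslated to {real_ip}/{real}, "
                            f"expected /{real_port}: the matched rule does not rewrite the port")
    return findings


if __name__ == "__main__":
    for finding in check_port_translation(parse_packet_tracer(SAMPLE_TRACE), 4433, 443) or ["ok"]:
        print(finding)
```

Run against the posted trace the checker reports that 86.75.30.9/4433 is untranslated to 192.168.1.2/4433, which is consistent with the `service TCP4433 TCP4433` rule shown in the Config line; a rule whose real service is 443 would produce an Untranslate line ending in /443, and the same function then returns no findings.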


Did you add log to the ACL?

AHack210
Cisco Employee

So, this makes it look like the firewall is configured properly. What does a capture on the inside and outside interface yield? Does the 3-way handshake to the server complete? This feels like the problem lies elsewhere...

I thought a lot about your issue and I think I found a solution; check below.

Three pieces here:

NAT <<- I think this is solved after you change object NAT to twice NAT.

ACL <<- use log and see if any ACL drops traffic.

The last piece is tricky.

HTTP with an unknown port: the inspection uses the known port, but if an unknown port is used, does inspection pass the traffic or not? I DON'T think so. What you need is to configure a class for port 4433 and add it under policy-map global-policy with HTTP inspection.

Hope this solves your issue.

I simply disabled the global inspection policy, and it has not resolved the issue.

Add the port to the inspection class without disabling inspection.

AHack210
Cisco Employee

In another life, I spent 10 years behind the ASA CLI in a fleet of 20,000+ ASAs. I generally would lean on packet capture to tell me what is actually happening, vs. what should be happening. The packet capture should be able to tell you if NAT is OK, routing is working, etc. (in some situations, packet-tracer isn't sufficient). Examining the 3-way handshake is generally where I would always go when the firewall configuration looked correct, and then move my way up the stack from there. Often the issue is not firewall related at all and we find that issue via the packet capture.

tham89
Level 1

host firewall

Sorry, I don't get it.

The capture would be something like:

  capture cap1 interface inside match tcp any any eq 4433
  capture cap1 interface outside match tcp any any eq 4433

show capture cap1 (to verify that you have captured packets)
Then, to save as pcap for export and viewing in Wireshark:

copy /pcap capture:cap1 disk0:/cap1.pcap

Then you can SCP it from your workstation by enabling SCP on the ASA:

! Make sure scp is enabled
! conf t
ssh scopy enable

Then from your workstation (I'm on a Mac, so here is the string that works for me on macOS Ventura):

~ scp -O cisco@172.30.4.101:cap1.pcap ./cap1.pcap
cisco@172.30.4.101's password:
cap1.pcap                                                                                                 100%  511KB   4.4MB/s   00:00
Connection to 172.30.4.101 closed by remote host.
~

Hope that helps.