Set NAT and ACL but not reachable

maurizio · May 6, 2021, 8:02am

Dear Everyone
I have here any trouble. please why this setup will not work?
me goal are that WAN need to access to LAN (OpenVPN) Server.

the port that will use
UDP1143, TCP443, TCP943

i dont see my mistake and will ask frendly for possible any help please
ISP ----- (DHCP)5506(BVI DHCP inside_1->6) ------ OpenVPN Server

i have configured NAT and ACL but also with this i dont come to any conclusion.

    ASA# sh run object
    object network dns-server
     host 192.168.1.9
    object service VPN943
     service tcp source eq 943 destination eq 943
    object service VPN1194
     service udp source eq 1194 destination eq 1194
    object service HTTPS
     service udp source eq 443 destination eq 443
    object network LAN_INSIDE
     subnet 192.168.1.0 255.255.255.0
    object network OBJ_192.168.1.9
     host 192.168.1.9

access-list outside_access_in extended permit tcp any object OBJ_192.168.1.9 eq HTTPS
access-list outside_access_in extended permit tcp any object OBJ_192.168.1.9 eq 943
access-list outside_access_in extended permit udp any object OBJ_192.168.1.9 eq 1194
access-list inside_access_in extended permit ip any any

    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    ASA#

i think but iam not shure, the problem are why i will route this true BVI? yes I use this FW like a switch.

interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

dhcpd auto_config outside
dhcpd address 192.168.1.20-192.168.x.x inside

also the statement from Packettracer confuses me a bit, in the last point of analysis, I have a drop.

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fc8897f98b0, priority=11, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559130f8794d flow (NA)/NA

Have already written in the Cisco forum, but I have not reached a goal, thanks meny time for any possible help,
Mauri

lagapidis · May 10, 2021, 4:29am

Hello Maurizio

I believe that the issue here is the three objects that reference the UDP and TCP ports. In all three you are stating that both the source and the destination ports must be 943, 1194 or 443. But when a communication comes from the WAN, the source port will not match, and thus will be dropped. Your objects should match only the destination ports desired. The source port should be anything.

Try that out and let us know your results!

I hope this has been helpful!

Laz

maurizio · May 17, 2021, 5:12am

Thanks Laz
I need to give try this week, i put in the meentime other brand Firewall. But i’am realy curious to see this running with ASA.
Regards
Mauri