EVGA

Cisco ASA configuration issue.

Author
moose517
CLASSIFIED Member
  • Total Posts : 3552
  • Reward points : 0
  • Joined: 11/29/2007
  • Location : Northern Indiana
  • Status: offline
  • Ribbons : 33
Saturday, August 16, 2014 9:15 PM (permalink)
So it's kinda funny that I'm starting a thread, but man, I'm out of ideas.  For those guys who deal with Cisco, hopefully you can help me figure this out.  Been trying to set up some NAT for servers; got Minecraft working, but for some strange reason port 80 is redirecting to 443, which is totally busting it up, and I'm pretty sure it's doing it on the firewall as I haven't touched SSL on my web server itself.  I'm attaching my running config and, god, maybe one of ya can figure out what the deal is, as I'm going mad and would like to get this done so I can have public access to my web server again XD.
 
http://pastebin.com/JxFBFyP1
 
I'm thinking I might just reset it, as I was in the process of setting up VPN with someone as well and they couldn't get that working even, haha, but I can't find a stinking console cable XD
#1


    James_L
    CLASSIFIED Member
    • Total Posts : 4336
    • Reward points : 0
    • Joined: 7/29/2009
    • Status: offline
    • Ribbons : 46
    Re: Cisco ASA configuration issue. Saturday, August 16, 2014 10:25 PM (permalink)
    moose517
    So it's kinda funny that I'm starting a thread, but man, I'm out of ideas.  For those guys who deal with Cisco, hopefully you can help me figure this out.  Been trying to set up some NAT for servers; got Minecraft working, but for some strange reason port 80 is redirecting to 443, which is totally busting it up, and I'm pretty sure it's doing it on the firewall as I haven't touched SSL on my web server itself.  I'm attaching my running config and, god, maybe one of ya can figure out what the deal is, as I'm going mad and would like to get this done so I can have public access to my web server again XD.
     
    http://pastebin.com/JxFBFyP1
     
    I'm thinking I might just reset it, as I was in the process of setting up VPN with someone as well and they couldn't get that working even, haha, but I can't find a stinking console cable XD


    It looks like it must be the server doing the redirects. According to your pastebin, the following sections define the services you are NAT translating:
     

    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.19.0.0_16 NETWORK_OBJ_10.19.0.0_16 no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_10.19.136.0_24 NETWORK_OBJ_10.19.136.0_24 destination static NETWORK_OBJ_10.4.18.0_24 NETWORK_OBJ_10.4.18.0_24 no-proxy-arp
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    object network minecraft_server
     nat (inside,outside) static interface service tcp 25565 25565
    object network web_server
     nat (inside,outside) static interface service tcp www www

     
    The Minecraft server is a NAT to the port of the object inside your network (which you say is working just fine) and is connecting correctly. The web server object is looking at the port 80 redirection for a normal port 80 NAT inside. This would indicate that your firewall is passing the traffic correctly but the responding server is forcing a port 443 connection as a redirection. I would tend to take a look at your website and see if the default index page is setting up a redirection link to the server using https rather than just passing the index page accordingly.
     
    Your objects (and groups) appear to be properly defined as with ASDM.
     

    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network minecraft_server
     host 10.19.136.7
    object network web_server
     host 10.19.136.7
    object network NETWORK_OBJ_10.19.0.0_16
     subnet 10.19.0.0 255.255.0.0
    object network NETWORK_OBJ_10.19.136.0_24
     subnet 10.19.136.0 255.255.255.0
    object network NETWORK_OBJ_10.4.18.0_24
     subnet 10.4.18.0 255.255.255.0
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    access-list outside_access_in extended permit tcp any object web_server eq www
    access-list outside_access_in extended permit tcp any object minecraft_server eq 25565
    access-list outside_cryptomap extended permit ip 10.19.136.0 255.255.255.0 10.4.18.0 255.255.255.0

     
    It certainly looks like you are fine with the ASA configuration but the redirection is coming from your website itself. Even if you haven't configured SSL on the server it may be trying to force a redirection to that port. You can always add this line to your configuration for the object network web_server:
     
    nat (inside,outside) static interface service tcp 443 443
     
    And add this to your ACLs:
     
    access-list outside_access_in extended permit tcp any object web_server eq 443
     
    And see where that gets you for the website redirection.

     

    #2
    moose517
    CLASSIFIED Member
    • Total Posts : 3552
    • Reward points : 0
    • Joined: 11/29/2007
    • Location : Northern Indiana
    • Status: offline
    • Ribbons : 33
    Re: Cisco ASA configuration issue. Saturday, August 16, 2014 10:39 PM (permalink)
    Yeah, I'll just have to give that a shot. When I was using Comcrap's modem/firewall it was working just fine. I don't think it was redirecting then, so that's why I'm leaning toward the ASA, but I'll give that a shot and see.
    #3
    James_L
    CLASSIFIED Member
    • Total Posts : 4336
    • Reward points : 0
    • Joined: 7/29/2009
    • Status: offline
    • Ribbons : 46
    Re: Cisco ASA configuration issue. Saturday, August 16, 2014 10:49 PM (permalink)
    moose517
    Yeah, I'll just have to give that a shot. When I was using Comcrap's modem/firewall it was working just fine. I don't think it was redirecting then, so that's why I'm leaning toward the ASA, but I'll give that a shot and see.

    It is entirely possible the Comcast modem/firewall was also allowing UPnP ports for the inbound/outbound connections, as that is usually enabled on the more modern cable router/firewalls these days. Since the connection initiation is inspected inbound and then a static SSL-type port is generated outbound by inspect rules for the stateful firewall, that might have allowed for it. I'd still take a look internally at your website. Perhaps just connect to the system from your local machine and see if it redirects.
     
    Also you can take a look at the netflow on the ASA and trace the connections on the ASDM to see where the redirection is being seen. Just use the packet tracer command from the 'tools' option to see where the translations for your rules are being done and how they are being manipulated by them.
     
    [edit]
    It would look something like this for the tool:
     

    [/edit]
    post edited by James_L - Saturday, August 16, 2014 10:56 PM

     

    #4
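    The "connect to it from your local machine and see if it redirects" step above can be made repeatable. The following is an added example, not code from the thread: a small Python probe that sends one cleartext GET to a port and classifies what answers. Run it once from inside the LAN against the real host (10.19.136.7 in the config above) and once from outside against the public address; if the two verdicts differ, whatever sits between the two vantage points is changing the answer. It also tells a 3xx with an https:// Location (the server itself redirecting) apart from a TLS alert record (a TLS listener was reached on a port that should be plain HTTP) and from a silent close (nothing answered). The sample responses and the example.invalid hostname are constructed for the test and are not captures from anyone's server.

```python
"""Probe a port that should speak plain HTTP and say what actually answered (added example)."""
import re
import socket

# Constructed sample responses, not captures from the poster's server.
PLAIN_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 3\r\n\r\nsup"
REDIRECT_TO_HTTPS = (b"HTTP/1.1 301 Moved Permanently\r\n"
                     b"Location: https://www.example.invalid/\r\n"
                     b"Content-Length: 0\r\n\r\n")
REDIRECT_SAME_SCHEME = b"HTTP/1.1 302 Found\r\nLocation: http://www.example.invalid/home\r\n\r\n"
# A TLS listener that receives cleartext "GET / ..." answers with a TLS alert
# record: content type 0x15, version 3.3, length 2, level fatal, unexpected_message.
TLS_ALERT = bytes.fromhex("1503030002020a")

STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def classify_response(raw: bytes) -> str:
    """Map the first bytes read from the socket to a short verdict."""
    if not raw:
        return "no-data"          # peer closed or went silent without answering
    if len(raw) >= 2 and raw[0] in (0x15, 0x16) and raw[1] == 0x03:
        return "tls-on-port"      # a TLS endpoint answered a cleartext request
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        return "not-http"
    status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    location = headers.get(b"location", b"")
    if 300 <= status < 400:
        if location.lower().startswith(b"https://"):
            return "redirect-to-https"   # the HTTP server itself sent you to 443
        return "redirect-other"
    return "http-%d" % status


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send one GET to host:port and classify whatever comes back."""
    request = b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode()
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(buf) < 65536:
                try:
                    chunk = sock.recv(4096)
                except (socket.timeout, ConnectionResetError):
                    break         # keep whatever arrived before the peer went quiet
                if not chunk:
                    break
                buf += chunk
    except OSError as exc:
        return "connect-failed: %s" % exc
    return classify_response(buf)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

    Usage: `python3 probe80.py 10.19.136.7` from a LAN host, then the same against the outside address from somewhere on the internet. A browser hides the distinction this makes, because it follows the redirect and then shows you the 443 side.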
    Bruno747
    CLASSIFIED Member
    • Total Posts : 3773
    • Reward points : 0
    • Joined: 1/13/2010
    • Location: Looking on google to see what Nvidia is going to o
    • Status: offline
    • Ribbons : 5
    Re: Cisco ASA configuration issue. Saturday, August 16, 2014 11:02 PM (permalink)
    I just gave this a fast glance over before I run out the door, but I see a few things that look kinda odd to me. 
     
    I'll address those to you when I get back.
     
    First thing I would do is look at the server logs and, if you have Java set up to work with the ASA, log into ASDM and watch the live log as you try to access the web server.
     
    EDIT: Lol, by the time I posted it the guy above me suggested it. Great minds think alike.

    #5
    James_L
    CLASSIFIED Member
    • Total Posts : 4336
    • Reward points : 0
    • Joined: 7/29/2009
    • Status: offline
    • Ribbons : 46
    Re: Cisco ASA configuration issue. Saturday, August 16, 2014 11:10 PM (permalink)
    Here's a quick thought on the website redirection: Are they using the HTTPS everywhere addon for their browser and it is causing the port redirection? Was just thinking about more of the simpler things that may cause this issue outside your ASA.
     
    Just as a word of note: the ASA firewall, while having some stateful inspection aspects for inside-to-outside state tables, really is very specific as to inbound accept ACLs. That is: it doesn't allow anything inbound you don't already allow for. Anything inside from a NAT standpoint that is being inspected for dynamic PAT will be allowed back inside, but when you are looking at an outside IP address source into your network, the ACLs will default-drop anything that isn't already stated to be allowed in by an accept rule. This includes any port 80 or 443 redirections.

     

    #6
    moose517
    CLASSIFIED Member
    • Total Posts : 3552
    • Reward points : 0
    • Joined: 11/29/2007
    • Location : Northern Indiana
    • Status: offline
    • Ribbons : 33
    Re: Cisco ASA configuration issue. Sunday, August 17, 2014 0:53 PM (permalink)
    I have run packet tracer on ASDM and it shows the all-clear on port 80; that's what I don't get.  I have double-checked that the web server isn't listening on port 443 or redirecting to it either, so I just don't know XD. Heck, I ran a Node.js web server on port 80 just to be sure and it was the same story; even just shutting down the web server still resulted in a redirect to 443.
     
    EDIT: as for the HTTPS Everywhere addon deal, nope, every device I've tried fails: phones, other people XD.
    #7
    James_L
    CLASSIFIED Member
    • Total Posts : 4336
    • Reward points : 0
    • Joined: 7/29/2009
    • Status: offline
    • Ribbons : 46
    Re: Cisco ASA configuration issue. Sunday, August 17, 2014 0:56 PM (permalink)
    moose517
    I have run packet tracer on ASDM and it shows the all-clear on port 80; that's what I don't get.  I have double-checked that the web server isn't listening on port 443 or redirecting to it either, so I just don't know XD. Heck, I ran a Node.js web server on port 80 just to be sure and it was the same story; even just shutting down the web server still resulted in a redirect to 443.
     
    EDIT: as for the HTTPS Everywhere addon deal, nope, every device I've tried fails: phones, other people XD.


    PM me the address or site you are looking at and I'll take an external look see if I can figure something out.
     
    [edit]
    The only other strange thing is that you are defining the same IP address for two different objects. It's not really all that much of a problem but it would lend to confusion when trying to troubleshoot things inside the configuration.

    object network minecraft_server
     host 10.19.136.7
    object network web_server
     host 10.19.136.7

     
    Why not just define the one object and apply the ACLs to that particular address? I could understand if, like mine here at my place, it was different servers (mine are virtual CentOS servers), each of which has its particular NAT redirecting to a different address for minecraft/website, but truly, since you are only redirecting to one particular object, you can consolidate your rules by only referencing the one object and then changing the inbound/outbound rules accordingly, like so:
     
    <snip>
    object network minecraft_server
     host 10.19.136.7
    .
    .
    .
    access-list outside_access_in extended permit tcp any object minecraft_server eq www
    access-list outside_access_in extended permit tcp any object minecraft_server eq 25565
    .
    .
    .
    object network minecraft_server
     nat (inside,outside) static interface service tcp 25565 25565
     nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside

    </snip>
     
    [/edit]
    post edited by James_L - Sunday, August 17, 2014 1:06 AM

     

    #8
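    Two things in this thread can be checked mechanically rather than by eye: the pairing James_L describes in #2 (a static object NAT publishes a port on the outside interface, and an outside_access_in permit has to exist for the same object and port, or the port is either unreachable or translated but dropped), and the shared-host-object point in #8. The script below is an added example, not the poster's config or any Cisco tool. SAMPLE_CONFIG is constructed from the lines quoted above, with the extra 443 permit from #2 deliberately included without its NAT line, so the audit has something to find. It assumes an ASA running 8.3 or later, where the interface ACL is evaluated against the real (untranslated) address and port, which is why the permit is paired with the NAT's real port rather than its mapped port.

```python
"""Audit ASA 8.3+ object-NAT / inbound-ACL pairing (added example, not the poster's tool)."""
import re
from collections import defaultdict

# Constructed config excerpt, modelled on the lines quoted in this thread; the
# poster's full pastebin is not reproduced.  The 443 permit from reply #2 is
# included on purpose, without its matching NAT line.
SAMPLE_CONFIG = """\
object network minecraft_server
 host 10.19.136.7
object network web_server
 host 10.19.136.7
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit tcp any object web_server eq www
access-list outside_access_in extended permit tcp any object minecraft_server eq 25565
access-list outside_access_in extended permit tcp any object web_server eq 443
object network obj_any
 nat (inside,outside) dynamic interface
object network minecraft_server
 nat (inside,outside) static interface service tcp 25565 25565
object network web_server
 nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside
"""

# A few of the port keywords the ASA accepts in place of numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21,
              "smtp": 25, "domain": 53}

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static interface service "
                    r"(tcp|udp) (\S+) (\S+)\s*$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any "
                    r"object (\S+) eq (\S+)\s*$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)\s*$")


def port_number(tok: str) -> int:
    """Resolve an ASA port keyword or number to an integer."""
    if tok.isdigit():
        return int(tok)
    if tok.lower() in PORT_NAMES:
        return PORT_NAMES[tok.lower()]
    raise ValueError("unknown port keyword: %s" % tok)


def parse_config(text: str) -> dict:
    """Pull object hosts, static object NATs, object ACL permits and ACL bindings."""
    hosts, nats, acls, bound = {}, [], [], {}
    current = None  # the 'object network' block we are inside, if any
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m and current:
            hosts[current] = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and current:
            _inside, outside, proto, real, mapped = m.groups()
            nats.append((current, outside, proto, port_number(real), port_number(mapped)))
            continue
        m = ACL_RE.match(line)
        if m:
            name, proto, obj, port = m.groups()
            acls.append((name, proto, obj, port_number(port)))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(2)] = m.group(1)  # interface -> inbound ACL name
    return {"hosts": hosts, "nats": nats, "acls": acls, "bound": bound}


def audit(text: str) -> dict:
    """Report NATs with no ACL permit, permits with no NAT, and objects sharing a host."""
    cfg = parse_config(text)
    # Only permits in an ACL actually applied inbound on an interface count.
    permitted = set()
    for name, proto, obj, port in cfg["acls"]:
        for ifc, acl in cfg["bound"].items():
            if acl == name:
                permitted.add((ifc, proto, obj, port))
    # On ASA 8.3+ the interface ACL is evaluated against the real (untranslated)
    # port, so pair the permit with the NAT's real port, not the mapped one.
    published = {(outside, proto, obj, real)
                 for obj, outside, proto, real, _mapped in cfg["nats"]}
    by_host = defaultdict(list)
    for obj, addr in cfg["hosts"].items():
        by_host[addr].append(obj)
    return {
        "missing_acl": sorted(published - permitted),
        "permitted_without_nat": sorted(permitted - published),
        "duplicate_hosts": {a: sorted(o) for a, o in by_host.items() if len(o) > 1},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

    On the constructed excerpt it reports no NAT without a permit, one permit without a NAT (web_server tcp/443, the half of James_L's two-line suggestion that this sample leaves out), and the two objects that both point at 10.19.136.7. Feed it `show running-config` output to run it against a real box; anything it does not recognise (subnet objects, dynamic PAT, ACLs with a source other than `any`) is ignored rather than guessed at.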
    moose517
    CLASSIFIED Member
    • Total Posts : 3552
    • Reward points : 0
    • Joined: 11/29/2007
    • Location : Northern Indiana
    • Status: offline
    • Ribbons : 33
    Re: Cisco ASA configuration issue. Sunday, August 17, 2014 1:45 AM (permalink)
    Haha, I should have mentioned that as well. Right now they are both on my desktop while I try and get a new hard drive for my ESXi server, at which point everything does get its own VM.  I figured rather than split crap out later I'd just create the objects now.
    #9
    James_L
    CLASSIFIED Member
    • Total Posts : 4336
    • Reward points : 0
    • Joined: 7/29/2009
    • Status: offline
    • Ribbons : 46
    Re: Cisco ASA configuration issue. Sunday, August 17, 2014 1:52 AM (permalink)
    moose517
    Haha, I should have mentioned that as well. Right now they are both on my desktop while I try and get a new hard drive for my ESXi server, at which point everything does get its own VM.  I figured rather than split crap out later I'd just create the objects now.


    Makes sense. I'll have to place a pastebin of my PIX configuration where I have all this split up for separate VMs on my ESXi box here. Essentially I have a similar setup for website services and minecraft on different internal IP addresses. Perhaps something inside there will help you along in getting this resolved. It's rather straightforward, and generally the ASA is just packet inspecting and forwarding. If you're getting a redirect somewhere, it's usually on the backend after the packets are inspected and forwarded along. Since you've looked at the packet tracer (and I figure you also looked into getting netflow running on the console for captures) and didn't find the ASA preventing or port redirecting on its own, I would suspect something funny on the receiving end for your system itself.

     

    #10
    moose517
    CLASSIFIED Member
    • Total Posts : 3552
    • Reward points : 0
    • Joined: 11/29/2007
    • Location : Northern Indiana
    • Status: offline
    • Ribbons : 33
    Re: Cisco ASA configuration issue. Sunday, August 17, 2014 1:57 AM (permalink)
    LOL, yeah, I kick myself in the butt now because before I moved back home I had my firewall all set up with many services and it worked great, and I just wiped it clean without thinking about making a backup config juuuust in case LOL XD
    #11
    James_L
    CLASSIFIED Member
    • Total Posts : 4336
    • Reward points : 0
    • Joined: 7/29/2009
    • Status: offline
    • Ribbons : 46
    Re: Cisco ASA configuration issue. Sunday, August 17, 2014 2:01 AM (permalink)
    moose517
    LOL, yeah, I kick myself in the butt now because before I moved back home I had my firewall all set up with many services and it worked great, and I just wiped it clean without thinking about making a backup config juuuust in case LOL XD


    Oh I can't tell you how many times I've done that without thinking of at least TFTPing down a copy of the running configurations.

     

    #12
    srtie4k
    FTW Member
    • Total Posts : 1589
    • Reward points : 0
    • Joined: 11/5/2010
    • Location: New Hampster
    • Status: offline
    • Ribbons : 2
    Re: Cisco ASA configuration issue. Monday, August 18, 2014 12:10 AM (permalink)
    What are you using for a web server?

    #13
    moose517
    CLASSIFIED Member
    • Total Posts : 3552
    • Reward points : 0
    • Joined: 11/29/2007
    • Location : Northern Indiana
    • Status: offline
    • Ribbons : 33
    Re: Cisco ASA configuration issue. Monday, August 18, 2014 10:46 PM (permalink)
    I've tried my normal Apache instance, an nginx test server that is explicitly only on 80, and a Node.js server listening on port 80 doing nothing more than saying sup.  Same result every time: 80 redirects to 443 :(
    #14
    James_L
    CLASSIFIED Member
    • Total Posts : 4336
    • Reward points : 0
    • Joined: 7/29/2009
    • Status: offline
    • Ribbons : 46
    Re: Cisco ASA configuration issue. Monday, August 18, 2014 11:37 PM (permalink)
    I think I may take your config from the pastebin and emulate it on my GNS3 ASA5520 that I have here for evaluations to see what I can do about rectifying this problem. I'll try to get to that tonight or tomorrow sometime. I'll let you know what I find out moose.

     

    #15
    moose517
    CLASSIFIED Member
    • Total Posts : 3552
    • Reward points : 0
    • Joined: 11/29/2007
    • Location : Northern Indiana
    • Status: offline
    • Ribbons : 33
    Re: Cisco ASA configuration issue. Wednesday, August 20, 2014 0:46 PM (permalink)
    LOL, I would appreciate it!  I should throw it on GNS3 myself and see if it behaves the same way then.  I'm going to go to my storage place tomorrow and dig up a console cable, and I think I'm just going to do a factory reset and get the latest ASDM versions and such on it, go from there.  Might just hold off a bit and just get a new hard drive for my servers so I can get crap set up again, so that I can have DNS and such all done from it as well for proper resolving in my network.
    #16
    James_L
    CLASSIFIED Member
    • Total Posts : 4336
    • Reward points : 0
    • Joined: 7/29/2009
    • Status: offline
    • Ribbons : 46
    Re: Cisco ASA configuration issue. Wednesday, August 20, 2014 2:36 AM (permalink)
    moose517
    LOL, I would appreciate it!  I should throw it on GNS3 myself and see if it behaves the same way then.  I'm going to go to my storage place tomorrow and dig up a console cable, and I think I'm just going to do a factory reset and get the latest ASDM versions and such on it, go from there.  Might just hold off a bit and just get a new hard drive for my servers so I can get crap set up again, so that I can have DNS and such all done from it as well for proper resolving in my network.


    Sounds good. I'll be looking to get at this tomorrow sometime after my gym workout in the morning or thereabouts.

     

    #17