04-24-2007 01:57 PM - edited 03-11-2019 03:03 AM
Hi all, we have just bought two Cisco ASAs that I have set up in a failover pair. Having some issues with the access lists, however.
I have created an access-list that permits any source to access a web server on the DMZ (using NAT). However, when I browse to the "real" NATted address I am getting errors on the ASA saying that the request has been blocked by the implicit deny any statement. I totally understand that, but why, if I have created an access list that allows HTTP traffic to the Internet address of the web server, should I be getting it? I can post config if required.
Any Idea?
04-24-2007 02:29 PM
post config...
04-24-2007 02:49 PM
Probably missing the static command from your config.
Try the static command:
syntax:
static (inside, DMZ) 'inside_subnet' 'inside_subnet' netmask 'subnet_mask'
example:
static (inside, DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
04-24-2007 11:32 PM
domain-name default.domain.invalid
enable password xxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
description Live Internet Interface
nameif Live_Internet
security-level 0
ip address 195.167.187.230 255.255.255.224
!
interface Ethernet0/1
description Customer Network
nameif Customer_Net
security-level 10
ip address 172.17.4.2 255.255.252.0
!
interface Ethernet0/2
description Protected Network
nameif Protected_Net
security-level 100
ip address 192.9.224.2 255.255.255.0
!
interface Management0/0
description Live Network Interface
nameif Live_Net
security-level 100
ip address 192.9.230.2 255.255.255.0
!
passwd xxxxxxxxxx encrypted
banner exec Welcome to the ASA
banner login Welcome to the ASA
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ISAKMP udp
port-object eq isakmp
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 195.167.187.224 255.255.255.224
access-list Live_Net_access_in extended permit icmp any 192.9.230.0 255.255.255.0
access-list outside_acl extended permit tcp any host 192.9.224.4 eq www
access-list Live_Internet_access_in extended permit tcp any host 195.167.187.230 eq www
pager lines 24
no asdm history enable
arp timeout 14400
global (Protected_Net) 1 192.9.224.4
static (Live_Internet,Protected_Net) 192.9.224.4 195.167.187.230 netmask 255.255.255.255
access-group Live_Internet_access_in in interface Live_Internet
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
default-domain value cognito.co.uk
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
http server enable
http 0.0.0.0 0.0.0.0 Live_Internet
http 192.9.200.0 255.255.255.0 Live_Net
snmp-server host Live_Net 192.9.200.185 community cognito
snmp-server location Park Royal CAB1
snmp-server contact Cognito Network Operations
snmp-server community cognito
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
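The following is an added example, not the poster's configuration or their eventual fix; the poster only says the NAT function was the problem. On a pre-8.3 ASA the static syntax is `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask`, and the `static` in the posted config has both the interface pair and the address pair the wrong way round (it declares 195.167.187.230 as a real host on Live_Internet that appears as 192.9.224.4 on Protected_Net). In addition, 195.167.187.230 is the Live_Internet interface's own address, so a one-to-one static to it is not possible; a port static using the `interface` keyword is the 7.2 way to publish one port of a DMZ host on the interface address. The outside ACL must reference the public (mapped) address, which the existing `Live_Internet_access_in` line already does; `outside_acl` is not applied anywhere. The client address 203.0.113.10 in the packet-tracer line is a documentation address standing in for an Internet client and is an assumption for the example.

```text
! Added example (not from the original post): publish TCP/80 of the DMZ
! server 192.9.224.4 on the Live_Internet interface address.
! Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
no static (Live_Internet,Protected_Net) 192.9.224.4 195.167.187.230 netmask 255.255.255.255
static (Protected_Net,Live_Internet) tcp interface www 192.9.224.4 www netmask 255.255.255.255
!
! ACLs on a pre-8.3 ASA match the address as seen on the interface they are
! applied to, so the outside ACL references the public (mapped) address.
! The unused outside_acl, which references the real DMZ address, is removed.
access-list Live_Internet_access_in extended permit tcp any host 195.167.187.230 eq www
access-group Live_Internet_access_in in interface Live_Internet
clear configure access-list outside_acl
!
! Existing translations are cached; clear them after changing statics.
clear xlate
!
! Verification (packet-tracer is available from ASA 7.2): the trace should
! show the static being hit (NAT phase) and the ACL phase as ALLOW, and
! "show xlate" should list the port translation once a client connects.
! 203.0.113.10 is a documentation address assumed for an Internet client.
packet-tracer input Live_Internet tcp 203.0.113.10 40000 195.167.187.230 80
show xlate
```

If packet-tracer still reports a drop in the ACL phase after this change, the usual cause on 7.x is an ACL written against the real (DMZ) address rather than the mapped one; the `static` is applied before the inbound ACL only in the sense that the ACL is evaluated against the packet as it arrives on the outside interface, so the destination seen by the ACL is always the public address.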
04-25-2007 04:37 AM
Issue has been resolved. I had an issue with the NATting function, which I have resolved, and it is all working a treat.