ASA5505 trouble opening port 443 for remote users Groupwise WebAccess

Answered Question
Jun 7th, 2007

We have a GroupWise server running WebAccess sitting behind an ASA5505. I have opened port 25 and can send and receive emails but can't get access to WebAccess. I can internally at https://192.168.1.50/servlet/webacc and everything is running fine. But when I try it externally via https://66.64.x.x/servlet/webacc I have no luck.


Below is the relevant setup information.


interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address 66.64.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2

access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any any eq https
access-list out2in extended permit tcp any any eq 9850
access-list out2in extended permit tcp any any eq 1677
access-list out2in extended permit tcp any any eq 7205
access-list out2in extended permit udp any any eq 443
access-list out2in extended permit udp any any eq 9850
access-list out2in extended permit udp any any eq 1677
access-list out2in extended permit udp any any eq 7205

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) udp interface 443 192.168.1.50 443 netmask 255.255.255.255
static (inside,outside) udp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) udp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) udp interface 7205 192.168.1.50 7205 netmask 255.255.255.255

access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 66.64.x.x 1

Correct Answer by acomiskey about 10 years 1 month ago

It works...


https://66.64.170.18


Are you trying this from the inside or outside?

acomiskey Thu, 06/07/2007 - 07:45

It's tcp, not udp


static (inside,outside) udp interface 443 192.168.1.50 443 netmask 255.255.255.255


access-list out2in extended permit udp any any eq 443


should be...


static (inside,outside) tcp interface 443 192.168.1.50 443 netmask 255.255.255.255


access-list out2in extended permit tcp any any eq 443


Also, you can limit the destination in your ACL to the outside interface address, which is much more secure.


access-list out2in extended permit tcp any host 66.64.x.x eq 443



please rate if it helps.
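An added example, not from this thread or from Cisco: a small Python linter over the ASA 7.x `static` / `access-list` syntax used above. It flags the two problems raised in this reply (a port-forward for a TCP service such as 443 or 25 written as udp, and a permit whose destination is `any`) and also reports a static with no matching permit. The sample config is constructed from the poster's lines; the `PORT_NAMES` and `TCP_ONLY` tables are assumptions limited to the services in this thread.

```python
import re

# Constructed sample (a subset of the poster's config), including the UDP-443 mistake.
SAMPLE = """\
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit udp any any eq 443
access-list out2in extended permit tcp any host 66.64.170.18 eq 9850
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) udp interface 443 192.168.1.50 443 netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
"""

PORT_NAMES = {"smtp": 25, "https": 443, "www": 80}   # names the ASA prints (assumed subset)
TCP_ONLY = {25, 80, 443}                              # services that are TCP, never UDP, here
ADDR = r"(?:any|host \S+|\S+ \S+)"                    # ACL address forms: any | host X | net mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) \S+ \S+ netmask")
ACL_RE = re.compile(rf"^access-list (\S+) extended permit (tcp|udp) ({ADDR}) ({ADDR}) eq (\S+)")


def port(tok):
    """Map a named port ('https') or numeric token ('9850') to an integer."""
    return PORT_NAMES.get(tok) or int(tok)


def lint(config):
    """Return a list of human-readable findings for the given config text."""
    statics, acl_permits, findings = set(), set(), []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.add((m.group(3), port(m.group(4))))     # (proto, outside port)
        elif m := ACL_RE.match(line):
            name, proto, _src, dst, p = m.groups()
            acl_permits.add((proto, port(p)))
            if dst == "any":
                findings.append(f"{name}: {proto}/{port(p)} permitted to any destination; "
                                "restrict to 'host <outside-ip>'")
    for proto, p in sorted(statics):
        # The thread's bug: HTTPS forwarded as UDP with no TCP static at all.
        if proto == "udp" and p in TCP_ONLY and ("tcp", p) not in statics:
            findings.append(f"static udp/{p} but service is TCP; no tcp/{p} static exists")
        # A static is useless unless the outside ACL permits the same proto/port.
        if (proto, p) not in acl_permits:
            findings.append(f"static {proto}/{p} has no matching permit in the outside ACL")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f)
```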

thomas.estes Thu, 06/07/2007 - 08:15

Ok, I deleted the UDP record, and I changed the ACL rule. Still no luck.


I did some digging around and looked at how the last router was set up and came up with an issue.


We are on a T1 line with a static IP. I have assigned that IP to the outside interface. The ISP has a default gateway which I have routed "outside" to via:


route outside 0.0.0.0 0.0.0.0 66.64.170.y 1


But when I check the IP of the outside interface, it is not the static IP that I assigned; it is now 66.64.170.z.


I see that the old router had a routing rule, but I can't seem to emulate this as there is no default gateway.



acomiskey Thu, 06/07/2007 - 08:26

That table shows...


66.64.170.16/29 connected WAN
66.64.170.17 default gateway
192.168.1.0/24 connected LAN


What is the outside ip of the old router? I'm not sure what you mean by, "it is not the static ip that I assigned".

thomas.estes Thu, 06/07/2007 - 08:51

interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address 66.64.170.18 255.255.255.248


x.x.x.18 is the static IP that I assigned to "outside"


I then do:

route outside 0.0.0.0 0.0.0.0 66.64.170.17 1


to point to the wan gateway.


But it appears that the outside interface is being mapped to 66.64.170.16.


I am confused as I need to translate 66.64.170.18 which is our mx record and points to our internal hosted server. But I have no NAT or routes for the 66.64.170.16 address that appears to be assigned to the outside interface when all along I thought it was 66.64.170.18.


The old router did this but I am not able to duplicate it on the ASA5505, due mostly to my ignorance. Thanks for your time and patience.

acomiskey Thu, 06/07/2007 - 09:03

"But it appears that the outside interface is being mapped to 66.64.170.16."


.16 is the network address, it is not a host address. It will not be an address on your asa.


66.64.170.16/29
.16 = network address
.17
.18
.19
.20
.21
.22
.23 = broadcast address


All that route table is telling you is that the 66.64.170.16/29 network is attached to the WAN interface, NOT that .16 is the external address.

thomas.estes Thu, 06/07/2007 - 09:16

Ok.


I have to route:

route outside 0.0.0.0 0.0.0.0 66.64.170.17 1


or I have no internet access. Do I need the other route to .16 that was set up on the previous router?

acomiskey Thu, 06/07/2007 - 09:21

No, there is no need to route to .16: for one, this is not a host, and two, the .16/29 network is directly attached to the pix. You should be good to go then; .17 is your gateway, .18 is the outside of the ASA.

thomas.estes Thu, 06/07/2007 - 09:23

But I am still unable to connect. Follow steps above. How can I troubleshoot or log further?

acomiskey Thu, 06/07/2007 - 09:25

Are you sure .17 is gateway? You can get to the internet? Post your new config with changes made.

thomas.estes Thu, 06/07/2007 - 09:32

Yes, .17 is the gateway, confirmed with the ISP. I can get to the internet (posting here from behind the router).


I ran the log and I do not see any translation going from .18 to 192.168.1.50.


Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ASA5505
domain-name amcinc.us
enable password 8aPd93D5bXaT2fFZ encrypted
names
!
interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address 66.64.170.18 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name amcinc.us
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any any eq https
access-list out2in extended permit tcp any any eq 9850
access-list out2in extended permit tcp any any eq 1677
access-list out2in extended permit tcp any any eq 7205
access-list out2in extended permit udp any any eq 9850 inactive
access-list out2in extended permit udp any any eq 1677 inactive
access-list out2in extended permit udp any any eq 7205 inactive
pager lines 24
logging enable
logging asdm informational
logging from-address thomas.estes@amcinc.us
logging recipient-address thomas.estes@amcinc.us level errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) udp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) udp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) udp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 66.64.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username estest password pfaW5bAu431sHznu encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.1 community ASA5505
snmp-server location Data Room
snmp-server contact Tom Estes
snmp-server community ASA5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.114 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3a9acacb8fa6c437b6a95c271048ffde
: end


thomas.estes Thu, 06/07/2007 - 09:47

Well, how about that?!


I still can't hit it from the internal network, but when I fire up a laptop with an air card I was able to see it.


Thanks very much.


PS: We were able to hit it from the internal network before; any idea why I can't now?


acomiskey Thu, 06/07/2007 - 09:52

Yes, you cannot because the ASA does not allow it by default. You have a few options. Where does your DNS sit for inside clients? If it is outside, you can perform DNS doctoring, but this does not work when combined with port forwarding like you are doing. Second, you can create another static, enable same-security-traffic permit intra-interface and hairpin. This will allow the traffic to hit the inside interface of the ASA and be directed back inside to the server. Here is a good doc; let me know if you need assistance.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2


If you had a dmz you could do a statement like this...


static (dmz,inside) netmask 255.255.255.255

acomiskey Thu, 06/07/2007 - 10:06

You should also change the way you are writing your ACLs; using any as a destination is an unnecessary security risk.


access-list out2in extended permit tcp any host 66.64.170.18 eq https

acomiskey Thu, 06/07/2007 - 10:42

Did the hairpinning work for you?

thomas.estes Thu, 06/07/2007 - 10:45

It is not a requirement so I am not pursuing it. I appreciate the information though.
