06-22-2007 08:19 AM - edited 03-11-2019 03:34 AM
In my ASA 5510 config (posted below), I have an inside interface, two DMZs, and an outside interface. I have a web server on the 1st DMZ at local address 10.1.2.2. I want this web server to be accessible from the Internet at global address xx.xx.150.80, which is the same address as the outside interface.
The relevant lines from the config are:
static (dmz1,outside) xx.xx.150.80 10.1.2.2 netmask 255.255.255.255
access-list outside_in extended permit tcp any host xx.xx.150.80 eq www
access-group outside_in in interface outside
This doesn't work. When I try to access the web server from the Internet, I get a message in the log saying "TCP connection blocked by ACL". When I change the static statement to:
static (dmz1,outside) interface 10.1.2.2 netmask 255.255.255.255
everything works. My question is: why does this work when I use "interface" in place of the actual IP address of the outside interface in the static statement?
asdm image disk0:/asdm506.bin
no asdm history enable
: Saved
:
ASA Version 7.0(6)
!
hostname asa
domain-name example.com
enable password xxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xx.xx.150.80 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz1
security-level 50
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/3
nameif dmz2
security-level 10
ip address 10.1.3.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxxxxx.xxxxxxxxx encrypted
ftp mode passive
access-list inside_dmz1 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list dmz1_in extended permit tcp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq ssh
access-list dmz1_in extended deny ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz1_in extended permit ip any any
access-list outside_in extended permit tcp any host xx.xx.150.80 eq www
pager lines 77
logging enable
logging monitor informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz1
monitor-interface dmz2
monitor-interface management
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_dmz1
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz1) 1 10.1.2.0 255.255.255.0
static (dmz1,outside) xx.xx.150.80 10.1.2.2 netmask 255.255.255.255
access-group outside_in in interface outside
access-group dmz1_in in interface dmz1
route outside 0.0.0.0 0.0.0.0 xx.xx.150.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.1.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:xxx
: end
06-22-2007 04:27 PM
That's the way the static command works in 7.x code.
Read through the note in the command reference, syntax description (interface):
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/s.htm#wp1540284
Regards,
Guru.
06-22-2007 06:22 PM
I got the exact same problem as yours after I migrated to asa5510. I see all the NAT and access-list fine but the web server located at dmz is not accessible from outside. But I have not issued that command that you mentioned.
When you run the command this way, which public IP gets mapped to your internal IP 10.1.2.2?
static (dmz1,outside) interface 10.1.2.2 netmask 255.255.255.255
06-22-2007 11:49 PM
The outside interface IP address will get mapped to the 10.1.2.2 address in your case.
Regards,
Guru.
06-23-2007 07:48 AM
Thanks Guru.
I already have a different public IP mapped to my new web server, located at dmz. When I compare the nat and access-list with the other web servers at the same location, I don't see anything different. Why is it still not accessible from outside? Can you explain to me in a little detail how I can troubleshoot this?
Thanks in advance.
Thanks
06-23-2007 08:16 AM
The problem is that you were trying to use the IP address assigned to the interface. When using the interface IP you must use the "interface" keyword.
"INTERFACE:
Specifies the interface IP address for the global address. Use this keyword if you want to use the interface address, but the address is dynamically assigned using DHCP.
Note: You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of a PIX Firewall interface in a static PAT entry."
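As an added illustration (not posted by anyone in this thread), the three forms of the static for the original poster's scenario in ASA 7.x syntax, using that post's addresses; the third, port-restricted form is a generalization of the thread's fix and is assumed here rather than quoted from it:

```cisco
! Form 1 (original post): the outside interface's own address written as a
! literal global address. The poster reports this does not work
! ("TCP connection blocked by ACL").
static (dmz1,outside) xx.xx.150.80 10.1.2.2 netmask 255.255.255.255

! Form 2 (the fix found in the thread): the interface keyword tells the ASA
! to use the outside interface address as the global address; the whole
! address is then mapped to the DMZ host.
static (dmz1,outside) interface 10.1.2.2 netmask 255.255.255.255

! Form 3 (assumed tighter alternative, ASA 7.x static PAT syntax): only
! TCP/80 on the outside address is forwarded to 10.1.2.2; every other port
! on that address stays with the ASA itself (management, VPN, etc.).
static (dmz1,outside) tcp interface www 10.1.2.2 www netmask 255.255.255.255

! The inbound ACL is the same for forms 2 and 3 and still names the
! interface address as the destination host.
access-list outside_in extended permit tcp any host xx.xx.150.80 eq www
access-group outside_in in interface outside
```

With form 2 or 3 in place, "show xlate" should list the translation for 10.1.2.2 once a connection has been attempted.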
06-23-2007 12:58 PM
Actually, I am using the static NAT address not the one from the outside interface.
My outside interface is x.x.2.147
and the internal ip that I am using for web server is 172.16.1.6.
The following is the relevant config that I am using. But it's still not accessible from outside. Do I have to do anything special for version 7.x?
static (dmz,outside) X.X.2.125 172.16.1.6 netmask 255.255.255.255
access-list acl_allow_in permit tcp any host X.X.2.125 eq www
access-list acl_allow_in in interface outside
06-23-2007 02:54 PM
Kind of confused. Your config above shows the following for your DMZs and I didn't see any additional route, so I am figuring you have conflicting subnets. Below your DMZ shows 10.1.3.1 but your server IP is 172.16.1.6. Has something changed? Post a full scrubbed config.
interface Ethernet0/2
nameif dmz1
security-level 50
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/3
nameif dmz2
security-level 10
ip address 10.1.3.1 255.255.255.0
06-23-2007 03:42 PM
Sorry for the confusion. Maybe I should have posted my problem separately.
06-23-2007 04:34 PM
My apologies. I didn't realize you weren't the original poster.