Unable to access server located in DMZ from outside

Answered Question
Jun 23rd, 2007

I am running an ASA 5510 box with version 7.0 which was recently migrated from a PIX. This week, I created a new static address mapping from the ASDM interface for my new web server located in the DMZ. The internal IP that I am using for the web server is 172.16.1.6. If I compare the NAT and access-list config with the other servers located in the DMZ, I don't see that I missed anything. But this server is not accessible from outside.


The following is the relevant config that I am using. Please explain to me how I can troubleshoot to resolve this problem.


static (dmz,outside) X.X.2.125 172.16.1.6 netmask 255.255.255.255

access-list acl_allow_in permit tcp any host X.X.2.125 eq www

! access-group (not access-list) is the command that binds the ACL to the interface
access-group acl_allow_in in interface outside


Correct Answer by JBDanford2002 about 10 years 6 days ago

Definitely sounds like the application isn't designed correctly. Glad to see you got somewhere.

JBDanford2002 Sat, 06/23/2007 - 16:39

Well, first, are you getting any hits on the access-list?


"sh access-list acl_allow_in"


Second, I have written a basic troubleshooting tutorial on my website. Normally I don't try to pimp my website out, but in this case I will.


Troubleshooting Connections:


http://firewalls.ath.cx/viewtopic.php?t=21


Capture Command:

http://firewalls.ath.cx/viewtopic.php?t=13


Also verify the following are correct on the server: network mask and gateway. If you want to post your config (scrubbed), we can look at that also.

kcarjun2002 Sat, 06/23/2007 - 18:12

Thanks a lot for the detailed info. I double-checked the IP and subnet mask of the server. Yes, I get the hit count. It was showing 12.


Now I am doing the other stuff as mentioned on that troubleshooting site.

kcarjun2002 Sun, 06/24/2007 - 07:32

I get the message "Internet Explorer cannot display the webpage". My web server is mapped to the public IP xx.xx.2.125, and the following is the capture info on the outside interface while I try to access the web server from outside.


323: 00:51:04.387904 66.231.126.110.50591 > xx.xx.2.125.80: S 3631916199:3631916199(0) win 16384

324: 00:51:04.441780 66.231.126.110.50591 > xx.xx.2.125.80: . ack 3703879884 win 17640

325: 00:51:04.451255 66.231.126.110.50591 > xx.xx.2.125.80: P 3631916200:3631916690(490) ack 3703879884 win 17640

326: 00:51:04.520496 66.231.126.110.50591 > xx.xx.2.125.80: P 3631916690:3631917190(500) ack 3703880225 win 17299

327: 00:51:04.579010 66.231.126.110.50591 > xx.xx.2.125.80: . ack 3703880438 win 17087

328: 00:51:04.580505 66.231.126.110.50591 > xx.xx.2.125.80: F 3631917190:3631917190(0) ack 3703880438 win 17087


Does it make any sense?


JBDanford2002 Sun, 06/24/2007 - 09:03

Looks like your capture is set up for one-way traffic. Try doing the capture again, but set the capture on the DMZ interface and make the access-list look like this:


access-list cap_http permit ip any host 172.16.1.6

access-list cap_http permit ip host 172.16.1.6 any

capture cap_http access-list cap_http interface dmz buffer 8000 circular-buffer



Now try running the traffic. You should get both directions. From the capture you posted, it does look like traffic is flowing. If you get on that server, can you surf your own pages? Are you running Apache or IIS?

kcarjun2002 Sun, 06/24/2007 - 10:01

Yes, I can access it both from the inside network and from the server itself. It's running Apache. I have capture info. IP 10.100.0.76 is the SQL server located on the inside network. This web server has to communicate with the SQL server and mail server as well, which is working fine.





Attachment: 
JBDanford2002 Sun, 06/24/2007 - 10:08

OK, looks like all we got was the SQL traffic. Let's try it again and get a little more definitive on the traffic flow. Assuming you are still coming from 66.231.126.110:


no access-list cap_http

no capture cap_http

access-list cap_http permit ip host 66.231.126.110 host 172.16.1.6

access-list cap_http permit ip host 172.16.1.6 host 66.231.126.110

capture cap_http access-list cap_http interface dmz buffer 8000 circular-buffer

kcarjun2002 Sun, 06/24/2007 - 10:44

I did not see anything until I ran the traffic.


11 packets captured

1: 14:41:36.383570 66.231.126.110.50584 > 172.16.1.6.80: S 208896751:208896751(0) win 16384

2: 14:41:36.383830 172.16.1.6.80 > 66.231.126.110.50584: S 1562039132:1562039132(0) ack 208896752 win 16384

3: 14:41:36.443443 66.231.126.110.50584 > 172.16.1.6.80: . ack 1562039133 win 17640

4: 14:41:36.451911 66.231.126.110.50584 > 172.16.1.6.80: P 208896752:208897187(435) ack 1562039133 win 17640

5: 14:41:36.454688 172.16.1.6.80 > 66.231.126.110.50584: P 1562039133:1562039541(408) ack 208897187 win 65100

6: 14:41:36.523822 66.231.126.110.50584 > 172.16.1.6.80: P 208897187:208897687(500) ack 1562039541 win 17232

7: 14:41:36.531268 172.16.1.6.80 > 66.231.126.110.50584: P 1562039541:1562039753(212) ack 208897687 win 65535

8: 14:41:36.531283 172.16.1.6.80 > 66.231.126.110.50584: F 1562039753:1562039753(0) ack 208897687 win 65535

9: 14:41:36.586380 66.231.126.110.50584 > 172.16.1.6.80: . ack 1562039754 win 17020

10: 14:41:36.587890 66.231.126.110.50584 > 172.16.1.6.80: F 208897687:208897687(0) ack 1562039754 win 17020

11: 14:41:36.587967 172.16.1.6.80 > 66.231.126.110.50584: . ack 208897688 win 65534

11 packets shown


JBDanford2002 Sun, 06/24/2007 - 10:59

This shows you have successful two-way communication to the server on port 80. I would check the server out to ensure there are no problems. You said it works from internal and locally. Do you have an httpd.conf file anywhere?
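Reading the two captures above by eye is easy to get wrong, so here is a small Python script, added as an example and not part of the thread or of any Cisco tool, that parses ASA "show capture" text and reports per flow whether the capture is one-way (the client keeps acknowledging server sequence numbers that were never captured, as in the outside-interface capture), whether the handshake completed, how many payload bytes each side sent, and whether either side closed or reset the connection (the DMZ capture). The two embedded captures are the thread's own; the line-format regex, the classification rules and the "lower port is the service" fallback for captures that miss the SYN are my assumptions.

```python
import re
from dataclasses import dataclass, field

# One line of ASA "show capture <name>" output (assumed format, matches the thread's lines)
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"                        # packet index and timestamp
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+>\s+"   # source host.port (masked xx.xx hosts parse too)
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+"      # destination host.port
    r"(?P<flags>[SFRP.]+)"                      # tcpdump-style TCP flags
    r"(?:\s+\d+:\d+\((?P<length>\d+)\))?"       # seq:end(payload length)
    r"(?:\s+ack\s+(?P<ack>\d+))?"               # acknowledgement number, if any
)

@dataclass
class Direction:
    """Counters for one direction of a TCP flow."""
    packets: int = 0
    payload: int = 0      # TCP payload bytes seen in this direction
    syn: bool = False
    fin: bool = False
    rst: bool = False
    max_ack: int = 0      # highest ack number sent in this direction

@dataclass
class Flow:
    client: str           # "host.port" that sent the first SYN
    server: str
    c2s: Direction = field(default_factory=Direction)
    s2c: Direction = field(default_factory=Direction)

    def verdict(self) -> str:
        """What the capture proves about this flow."""
        if self.s2c.packets == 0:
            # The client keeps acknowledging server sequence numbers, so the server did
            # answer; the capture just never saw the return path (wrong interface or ACL).
            if self.c2s.max_ack > 0:
                return "one-way capture: server replies acknowledged but not captured"
            return "no server response"
        if self.s2c.rst:
            return "server reset the connection"
        if self.s2c.payload > 0:
            return "two-way: server sent %d bytes, client sent %d bytes" % (
                self.s2c.payload, self.c2s.payload)
        return "handshake only: no server payload"

def parse_capture(text: str) -> dict:
    # Group capture lines into Flow objects keyed by the unordered endpoint pair
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # "11 packets captured", blank lines, etc.
        src = "%s.%s" % (m.group("src"), m.group("sport"))
        dst = "%s.%s" % (m.group("dst"), m.group("dport"))
        flags = m.group("flags")
        flow = flows.get(frozenset((src, dst)))
        if flow is None:
            client, server = src, dst                     # a bare SYN names the client
            if ("S" not in flags or m.group("ack") is not None) and \
                    int(m.group("sport")) < int(m.group("dport")):
                client, server = dst, src                 # assumption: lower port is the service
            flow = flows[frozenset((src, dst))] = Flow(client=client, server=server)
        d = flow.c2s if src == flow.client else flow.s2c
        d.packets += 1
        d.payload += int(m.group("length") or 0)
        d.syn = d.syn or "S" in flags
        d.fin = d.fin or "F" in flags
        d.rst = d.rst or "R" in flags
        if m.group("ack") is not None:
            d.max_ack = max(d.max_ack, int(m.group("ack")))
    return flows

# Sample input: the two captures posted in the thread, reproduced verbatim
OUTSIDE_CAPTURE = """\
323: 00:51:04.387904 66.231.126.110.50591 > xx.xx.2.125.80: S 3631916199:3631916199(0) win 16384
324: 00:51:04.441780 66.231.126.110.50591 > xx.xx.2.125.80: . ack 3703879884 win 17640
325: 00:51:04.451255 66.231.126.110.50591 > xx.xx.2.125.80: P 3631916200:3631916690(490) ack 3703879884 win 17640
326: 00:51:04.520496 66.231.126.110.50591 > xx.xx.2.125.80: P 3631916690:3631917190(500) ack 3703880225 win 17299
327: 00:51:04.579010 66.231.126.110.50591 > xx.xx.2.125.80: . ack 3703880438 win 17087
328: 00:51:04.580505 66.231.126.110.50591 > xx.xx.2.125.80: F 3631917190:3631917190(0) ack 3703880438 win 17087
"""

DMZ_CAPTURE = """\
1: 14:41:36.383570 66.231.126.110.50584 > 172.16.1.6.80: S 208896751:208896751(0) win 16384
2: 14:41:36.383830 172.16.1.6.80 > 66.231.126.110.50584: S 1562039132:1562039132(0) ack 208896752 win 16384
3: 14:41:36.443443 66.231.126.110.50584 > 172.16.1.6.80: . ack 1562039133 win 17640
4: 14:41:36.451911 66.231.126.110.50584 > 172.16.1.6.80: P 208896752:208897187(435) ack 1562039133 win 17640
5: 14:41:36.454688 172.16.1.6.80 > 66.231.126.110.50584: P 1562039133:1562039541(408) ack 208897187 win 65100
6: 14:41:36.523822 66.231.126.110.50584 > 172.16.1.6.80: P 208897187:208897687(500) ack 1562039541 win 17232
7: 14:41:36.531268 172.16.1.6.80 > 66.231.126.110.50584: P 1562039541:1562039753(212) ack 208897687 win 65535
8: 14:41:36.531283 172.16.1.6.80 > 66.231.126.110.50584: F 1562039753:1562039753(0) ack 208897687 win 65535
9: 14:41:36.586380 66.231.126.110.50584 > 172.16.1.6.80: . ack 1562039754 win 17020
10: 14:41:36.587890 66.231.126.110.50584 > 172.16.1.6.80: F 208897687:208897687(0) ack 1562039754 win 17020
11: 14:41:36.587967 172.16.1.6.80 > 66.231.126.110.50584: . ack 208897688 win 65534
"""

if __name__ == "__main__":
    for name, text in (("outside", OUTSIDE_CAPTURE), ("dmz", DMZ_CAPTURE)):
        for f in parse_capture(text).values():
            print("%s: %s -> %s: %s" % (name, f.client, f.server, f.verdict()))
```

Run as-is it prints one verdict per flow: the outside capture is classified as one-way (the ack numbers prove the server replied, so the capture ACL or interface missed the return path, which is what JBDanford2002 spotted), while the DMZ capture is a complete two-way exchange with 620 bytes from the server and a FIN from both sides, which is why the firewall is ruled out at this point.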

kcarjun2002 Sun, 06/24/2007 - 11:39

Sorry, my web server is running Win2k3 with IIS. It's accessible from inside and locally, and it can also access the internet without any problem.


I am not sure what to check next.

JBDanford2002 Sun, 06/24/2007 - 11:47

I would double-check the IIS permissions/settings and possibly the file security for the site. Is this server part of your domain? Maybe you don't have the correct permissions enabled for internet users to view. Do you control this box also?


Below is a good link on permissions:


http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/confeat/permmaze.mspx




kcarjun2002 Sun, 06/24/2007 - 12:37

This web server is not in any domain. As it's accessible from other non-trusted machines, maybe security is OK.

JBDanford2002 Sun, 06/24/2007 - 14:02

Do you use the same URL to get to the site from the outside that you use on the inside?

kcarjun2002 Sun, 06/24/2007 - 15:24

I used the local IP to access it from inside and the public IP while trying to access it from outside.

JBDanford2002 Sun, 06/24/2007 - 15:36

Are there any redirects on the page? I would say at this point it's not a firewall issue.


satish_zanjurne Sat, 06/23/2007 - 22:59

Hi,

The static & access-list config is fine. If possible, attach the complete config.
