06-23-2007 03:54 PM - edited 03-11-2019 03:34 AM
I am running an ASA 5510 box with ver 7.0 which was recently migrated from PIX. This week, I created a new static address mapping from the ASDM interface for my new web server located at the DMZ. The internal IP that I am using for the web server is 172.16.1.6. If I compare the NAT and access-list config for other servers located at the DMZ, I don't see that I missed anything. But this server is not accessible from outside.
The following is the relevant config that I am using. Please explain to me how I can troubleshoot to resolve this problem.
static (dmz,outside) X.X.2.125 172.16.1.6 netmask 255.255.255.255
access-list acl_allow_in permit tcp any host X.X.2.125 eq www
access-group acl_allow_in in interface outside
Solved!
06-25-2007 01:44 AM
Definitely sounds like the application isn't designed correctly. Glad to see you got somewhere.
06-23-2007 04:39 PM
Well, first, are you getting any hits on the access-list?
"sh access-list acl_allow_in"
Second, I have written a basic troubleshooting tutorial on my website. Normally I don't try to pimp my website out, but in this case I will.
Troubleshooting Connections:
http://firewalls.ath.cx/viewtopic.php?t=21
Capture Command:
http://firewalls.ath.cx/viewtopic.php?t=13
Also verify the following are correct on the server: network mask and gateway. If you want to post your config (scrubbed), we can look at that also.
06-23-2007 06:12 PM
Thanks a lot for the detailed info. I double checked the IP and subnet mask of the server. Yes, I get the hit count. It was showing 12.
Now I am doing the other stuff as mentioned on that troubleshooting site.
06-24-2007 04:18 AM
What is the error you are getting when surfing to the site?
06-24-2007 07:32 AM
I get the message "Internet Explorer cannot display the webpage". My web server is mapped with public IP xx.xx.2.125, and the following is the capture info on the outside interface while I try to access the web server from outside.
323: 00:51:04.387904 66.231.126.110.50591 > xx.xx.2.125.80: S 3631916199:3631916199(0) win 16384
324: 00:51:04.441780 66.231.126.110.50591 > xx.xx.2.125.80: . ack 3703879884 win 17640
325: 00:51:04.451255 66.231.126.110.50591 > xx.xx.2.125.80: P 3631916200:3631916690(490) ack 3703879884 win 17640
326: 00:51:04.520496 66.231.126.110.50591 > xx.xx.2.125.80: P 3631916690:3631917190(500) ack 3703880225 win 17299
327: 00:51:04.579010 66.231.126.110.50591 > xx.xx.2.125.80: . ack 3703880438 win 17087
328: 00:51:04.580505 66.231.126.110.50591 > xx.xx.2.125.80: F 3631917190:3631917190(0) ack 3703880438 win 17087
Does it make any sense?
06-24-2007 09:03 AM
Looks like your capture is set up for one-way traffic. Try doing the capture again, but set the capture on the DMZ interface and make the access-list look like this:
access-list cap_http permit ip any host 172.16.1.6
access-list cap_http permit ip host 172.16.1.6 any
capture cap_http access-list cap_http interface dmz buffer 8000 circular-buffer
Now try running the traffic. You should get both directions. From the capture you posted, it does look like traffic is flowing. If you get on that server, can you surf your own pages? Are you running Apache or IIS?
06-24-2007 10:01 AM
06-24-2007 10:08 AM
OK, looks like all we got was the SQL traffic. Let's try it again and get a little more definitive on the traffic flow. Assuming you are still coming from 66.231.126.110.
no access-list cap_http
no cap cap_http
access-list cap_http permit ip host 66.231.126.110 host 172.16.1.6
access-list cap_http permit ip host 172.16.1.6 host 66.231.126.110
capture cap_http access-list cap_http interface dmz buffer 8000 circular-buffer
06-24-2007 10:44 AM
I did not see anything until I ran the traffic.
11 packets captured
1: 14:41:36.383570 66.231.126.110.50584 > 172.16.1.6.80: S 208896751:208896751(0) win 16384
2: 14:41:36.383830 172.16.1.6.80 > 66.231.126.110.50584: S 1562039132:1562039132(0) ack 208896752 win 16384
3: 14:41:36.443443 66.231.126.110.50584 > 172.16.1.6.80: . ack 1562039133 win 17640
4: 14:41:36.451911 66.231.126.110.50584 > 172.16.1.6.80: P 208896752:208897187(435) ack 1562039133 win 17640
5: 14:41:36.454688 172.16.1.6.80 > 66.231.126.110.50584: P 1562039133:1562039541(408) ack 208897187 win 65100
6: 14:41:36.523822 66.231.126.110.50584 > 172.16.1.6.80: P 208897187:208897687(500) ack 1562039541 win 17232
7: 14:41:36.531268 172.16.1.6.80 > 66.231.126.110.50584: P 1562039541:1562039753(212) ack 208897687 win 65535
8: 14:41:36.531283 172.16.1.6.80 > 66.231.126.110.50584: F 1562039753:1562039753(0) ack 208897687 win 65535
9: 14:41:36.586380 66.231.126.110.50584 > 172.16.1.6.80: . ack 1562039754 win 17020
10: 14:41:36.587890 66.231.126.110.50584 > 172.16.1.6.80: F 208897687:208897687(0) ack 1562039754 win 17020
11: 14:41:36.587967 172.16.1.6.80 > 66.231.126.110.50584: . ack 208897688 win 65534
11 packets shown
06-24-2007 10:59 AM
This shows you have successful 2-way communication to the server on port 80. I would check the server out to ensure there are no problems. You said it works from internal and locally. Do you have an http.conf file anywhere?
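A small parser, added here and not part of the thread, that applies the check used in the replies above (does the capture show both directions of the connection, including the server's SYN-ACK?) to ASA "show capture" lines. The sample input is copied from the two captures posted in this thread; the lower port number is assumed to be the server side, which holds for these port-80 captures.

```python
import re
from collections import defaultdict

# Matches one line of ASA "show capture" output, e.g.
# "1: 14:41:36.38 66.231.126.110.50584 > 172.16.1.6.80: S 2088:2088(0) win 16384"
# Hosts may be scrubbed ("xx.xx.2.125"), so \w is allowed inside addresses.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\w.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+(?P<flags>[SFPR.]+)"
)

# Constructed sample input, copied from the two captures posted in the thread.
OUTSIDE_CAPTURE = """
323: 00:51:04.387904 66.231.126.110.50591 > xx.xx.2.125.80: S 3631916199:3631916199(0) win 16384
324: 00:51:04.441780 66.231.126.110.50591 > xx.xx.2.125.80: . ack 3703879884 win 17640
325: 00:51:04.451255 66.231.126.110.50591 > xx.xx.2.125.80: P 3631916200:3631916690(490) ack 3703879884 win 17640
328: 00:51:04.580505 66.231.126.110.50591 > xx.xx.2.125.80: F 3631917190:3631917190(0) ack 3703880438 win 17087
"""
DMZ_CAPTURE = """
1: 14:41:36.383570 66.231.126.110.50584 > 172.16.1.6.80: S 208896751:208896751(0) win 16384
2: 14:41:36.383830 172.16.1.6.80 > 66.231.126.110.50584: S 1562039132:1562039132(0) ack 208896752 win 16384
3: 14:41:36.443443 66.231.126.110.50584 > 172.16.1.6.80: . ack 1562039133 win 17640
5: 14:41:36.454688 172.16.1.6.80 > 66.231.126.110.50584: P 1562039133:1562039541(408) ack 208897187 win 65100
"""

def parse_capture(text):
    """Return (src, sport, dst, dport, flags) for every parseable line."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts

def flow_summary(pkts):
    """Group both directions of a connection under one key and count them.
    Assumption: the lower port is the server side (true for port-80 captures)."""
    flows = defaultdict(lambda: {"fwd": 0, "rev": 0, "syn": False, "synack": False})
    for src, sport, dst, dport, flags in pkts:
        forward = dport < sport
        key = (src, sport, dst, dport) if forward else (dst, dport, src, sport)
        f = flows[key]
        f["fwd" if forward else "rev"] += 1
        if "S" in flags:
            f["syn" if forward else "synack"] = True
    return dict(flows)

def two_way(flows):
    """True when every flow shows a server reply, including its SYN-ACK."""
    return bool(flows) and all(f["rev"] > 0 and f["synack"] for f in flows.values())
```

The outside-interface capture only matched the client side of the exchange, so the check fails on it; the DMZ capture contains the server's SYN-ACK and data, so it passes.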
06-24-2007 11:39 AM
Sorry, my web server is running on Win2k3-IIS. It's accessible from inside and locally, and it can also access the internet without any problem.
I am not sure what to check next.
06-24-2007 11:47 AM
I would double check the IIS permissions/settings and possibly the file security for the site. Is this server part of your domain? Maybe you don't have the correct permissions enabled for internet users to view. Do you control this box also?
Below is a good link on permissions:
06-24-2007 12:37 PM
This web server is not in any domain. As it's accessible from other non-trusted machines, maybe security is OK.
06-24-2007 02:02 PM
Do you use the same URL to get to the site from the outside that you use on the inside?
06-24-2007 03:24 PM
I used the local IP to access from inside and the public IP while trying to access from outside.