unable to access server located at dmz from outside

kcarjun2002
Level 1

I am running an ASA 5510 box with ver 7.0 which was recently migrated from PIX. This week, I created a new static address mapping from the ASDM interface for my new web server located at the DMZ. The internal IP that I am using for the web server is 172.16.1.6. If I compare the NAT and access-list config with other servers located at the DMZ, I don't see that I missed anything. But this server is not accessible from outside.

The following is the relevant config that I am using. Please explain to me how I can troubleshoot to resolve this problem.

static (dmz,outside) X.X.2.125 172.16.1.6 netmask 255.255.255.255

access-list acl_allow_in permit tcp any host X.X.2.125 eq www

access-group acl_allow_in in interface outside

Accepted Solution

Definitely sounds like the application isn't designed correctly. Glad to see you got somewhere.


18 Replies

JBDanford2002
Level 1

Well, first, are you getting any hits on the access-list?

"sh access-list acl_allow_in"

Second, I have written a basic troubleshooting tutorial on my website. Normally I don't try to pimp my website out, but in this case I will.

Troubleshooting Connections:

http://firewalls.ath.cx/viewtopic.php?t=21

Capture Command:

http://firewalls.ath.cx/viewtopic.php?t=13

Also verify the following are correct on the server: Network Mask and gateway. If you want to post your config (scrubbed) we can look at that also.

Thanks a lot for the detailed info. I double-checked the IP and subnet mask of the server. Yes, I get the hit count. It was showing 12.

Now I am doing the other stuff as mentioned on that troubleshooting site.

What is the error you are getting when surfing to the site?

I get the message "Internet Explorer cannot display the webpage". My web server is mapped to public IP xx.xx.2.125 and the following is the capture info on the outside interface while I try to access the web server from outside.

323: 00:51:04.387904 66.231.126.110.50591 > xx.xx.2.125.80: S 3631916199:3631916199(0) win 16384

324: 00:51:04.441780 66.231.126.110.50591 > xx.xx.2.125.80: . ack 3703879884 win 17640

325: 00:51:04.451255 66.231.126.110.50591 > xx.xx.2.125.80: P 3631916200:3631916690(490) ack 3703879884 win 17640

326: 00:51:04.520496 66.231.126.110.50591 > xx.xx.2.125.80: P 3631916690:3631917190(500) ack 3703880225 win 17299

327: 00:51:04.579010 66.231.126.110.50591 > xx.xx.2.125.80: . ack 3703880438 win 17087

328: 00:51:04.580505 66.231.126.110.50591 > xx.xx.2.125.80: F 3631917190:3631917190(0) ack 3703880438 win 17087

Does it make any sense?

Looks like your capture is set up for one-way traffic. Try doing the capture again, but set the capture on the DMZ interface and make the access-list look like this:

access-list cap_http permit ip any host 172.16.1.6

access-list cap_http permit ip host 172.16.1.6 any

capture cap_http access-list cap_http interface dmz buffer 8000 circular-buffer

Now try running the traffic. You should get both directions. From the capture you posted it does look like traffic is flowing. If you get on that server, can you surf your own pages? Are you running Apache or IIS?

Yes, I can access it both from the inside network and from the server itself. It's running Apache. I have capture info. IP 10.100.0.76 is the SQL server located on the inside network. This web server has to communicate with the SQL server and mail server as well, which is working fine.

Ok, looks like all we got was the SQL traffic. Let's try it again and get a little more definitive on the traffic flow. Assuming you are still coming from 66.231.126.110.

no access-list cap_http

no cap cap_http

access-list cap_http permit ip host 66.231.126.110 host 172.16.1.6

access-list cap_http permit ip host 172.16.1.6 host 66.231.126.110

capture cap_http access-list cap_http interface dmz buffer 8000 circular-buffer

I did not see anything until I ran the traffic.

11 packets captured

1: 14:41:36.383570 66.231.126.110.50584 > 172.16.1.6.80: S 208896751:208896751(0) win 16384

2: 14:41:36.383830 172.16.1.6.80 > 66.231.126.110.50584: S 1562039132:1562039132(0) ack 208896752 win 16384

3: 14:41:36.443443 66.231.126.110.50584 > 172.16.1.6.80: . ack 1562039133 win 17640

4: 14:41:36.451911 66.231.126.110.50584 > 172.16.1.6.80: P 208896752:208897187(435) ack 1562039133 win 17640

5: 14:41:36.454688 172.16.1.6.80 > 66.231.126.110.50584: P 1562039133:1562039541(408) ack 208897187 win 65100

6: 14:41:36.523822 66.231.126.110.50584 > 172.16.1.6.80: P 208897187:208897687(500) ack 1562039541 win 17232

7: 14:41:36.531268 172.16.1.6.80 > 66.231.126.110.50584: P 1562039541:1562039753(212) ack 208897687 win 65535

8: 14:41:36.531283 172.16.1.6.80 > 66.231.126.110.50584: F 1562039753:1562039753(0) ack 208897687 win 65535

9: 14:41:36.586380 66.231.126.110.50584 > 172.16.1.6.80: . ack 1562039754 win 17020

10: 14:41:36.587890 66.231.126.110.50584 > 172.16.1.6.80: F 208897687:208897687(0) ack 1562039754 win 17020

11: 14:41:36.587967 172.16.1.6.80 > 66.231.126.110.50584: . ack 208897688 win 65534

11 packets shown

This shows you have successful two-way communication to the server on port 80. I would check the server out to ensure there are no problems. You said it works from internal and locally. Do you have an http.conf file anywhere?
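The two captures in this thread show the distinction the reply above draws: a capture whose ACL matches only one direction looks like a dead connection, yet the client's ACK numbers already prove the server is answering, whereas a SYN that is never acknowledged means nothing came back through the firewall. The following Python script is an added example, not code from the thread or from Cisco: it parses the text format of the ASA `show capture` output seen above, groups packets into flows, and classifies each flow as two-way, one-way capture, or no reply. The capture text embedded in it is constructed, modelled on the posts above, with the documentation addresses 198.51.100.7 and 192.0.2.125 standing in for the real client and public IPs.

```python
"""Classify flows in ASA 'show capture' text output (added example)."""
import re
from dataclasses import dataclass

# One packet line, e.g.
#   2: 14:41:36.383830 172.16.1.6.80 > 198.51.100.7.50584: S 1562039132:1562039132(0) ack 208896752 win 16384
# Pure ACKs ('. ack N win W') carry no seq:end(len) part, so that group is optional.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d+:\d+:\d+\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SPFR.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<length>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"\s+win\s+(?P<win>\d+)"
)


@dataclass
class Packet:
    src: str      # "ip:port"
    dst: str
    flags: str    # S, ., P, F, R as printed by the ASA
    length: int   # payload bytes
    has_ack: bool


@dataclass
class DirectionStats:
    packets: int = 0
    syn: bool = False
    fin: bool = False
    data_bytes: int = 0
    acks_peer: bool = False  # at least one packet acknowledged the peer's data


def parse_capture(text):
    """Return Packet objects for every packet line; summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "11 packets captured" / "11 packets shown" etc.
        packets.append(Packet(
            src=f"{m['src']}:{m['sport']}", dst=f"{m['dst']}:{m['dport']}",
            flags=m["flags"], length=int(m["length"] or 0),
            has_ack=m["ack"] is not None))
    return packets


def analyze(packets):
    """Group packets by endpoint pair; the first packet's sender is the client."""
    flows = {}
    for p in packets:
        f = flows.setdefault(frozenset((p.src, p.dst)), {
            "client": p.src, "server": p.dst,
            "c2s": DirectionStats(), "s2c": DirectionStats()})
        d = f["c2s"] if p.src == f["client"] else f["s2c"]
        d.packets += 1
        d.data_bytes += p.length
        d.syn = d.syn or "S" in p.flags
        d.fin = d.fin or "F" in p.flags
        d.acks_peer = d.acks_peer or p.has_ack
    results = []
    for f in flows.values():
        c2s, s2c = f["c2s"], f["s2c"]
        if c2s.syn and s2c.syn and s2c.acks_peer and c2s.acks_peer:
            verdict = "two-way"          # full handshake seen in both directions
        elif s2c.packets == 0 and c2s.acks_peer:
            verdict = "one-way-capture"  # client ACKs prove replies exist; ACL matched one side
        elif s2c.packets == 0:
            verdict = "no-reply"         # SYNs unanswered: blocked, unrouted, or server down
        else:
            verdict = "partial"
        results.append({"client": f["client"], "server": f["server"],
                        "client_packets": c2s.packets, "server_packets": s2c.packets,
                        "client_bytes": c2s.data_bytes, "server_bytes": s2c.data_bytes,
                        "verdict": verdict})
    return results


# Constructed samples (documentation IPs; shapes taken from the thread's captures).
SAMPLE_OUTSIDE = """\
323: 00:51:04.387904 198.51.100.7.50591 > 192.0.2.125.80: S 3631916199:3631916199(0) win 16384
324: 00:51:04.441780 198.51.100.7.50591 > 192.0.2.125.80: . ack 3703879884 win 17640
325: 00:51:04.451255 198.51.100.7.50591 > 192.0.2.125.80: P 3631916200:3631916690(490) ack 3703879884 win 17640
328: 00:51:04.580505 198.51.100.7.50591 > 192.0.2.125.80: F 3631917190:3631917190(0) ack 3703880438 win 17087
"""
SAMPLE_DMZ = """\
6 packets captured
1: 14:41:36.383570 198.51.100.7.50584 > 172.16.1.6.80: S 208896751:208896751(0) win 16384
2: 14:41:36.383830 172.16.1.6.80 > 198.51.100.7.50584: S 1562039132:1562039132(0) ack 208896752 win 16384
3: 14:41:36.443443 198.51.100.7.50584 > 172.16.1.6.80: . ack 1562039133 win 17640
4: 14:41:36.451911 198.51.100.7.50584 > 172.16.1.6.80: P 208896752:208897187(435) ack 1562039133 win 17640
5: 14:41:36.454688 172.16.1.6.80 > 198.51.100.7.50584: P 1562039133:1562039541(408) ack 208897187 win 65100
8: 14:41:36.531283 172.16.1.6.80 > 198.51.100.7.50584: F 1562039753:1562039753(0) ack 208897687 win 65535
6 packets shown
"""
SAMPLE_NO_REPLY = """\
1: 09:00:00.000000 198.51.100.7.50600 > 192.0.2.125.80: S 1000:1000(0) win 16384
2: 09:00:03.000000 198.51.100.7.50600 > 192.0.2.125.80: S 1000:1000(0) win 16384
"""

if __name__ == "__main__":
    for name, text in (("outside", SAMPLE_OUTSIDE), ("dmz", SAMPLE_DMZ), ("no-reply", SAMPLE_NO_REPLY)):
        for r in analyze(parse_capture(text)):
            print(name, r)
```

Paste the output of `show capture <name>` into a file and feed it to `parse_capture`; a `no-reply` verdict on the outside interface points at the static, the access-group or upstream routing, while `one-way-capture` means the capture ACL needs the return direction added, exactly as the second capture in this thread was set up.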

Sorry, my web server is running on Win2k3/IIS. It's accessible from inside and locally, and it can also access the internet without any problem.

I am not sure what to check next.

I would double-check the IIS permissions/settings and possibly the file security of the site. Is this server part of your domain? Maybe you don't have the correct permissions enabled for internet users to view. Do you control this box also?

Below is a good link on permissions:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/deploy/confeat/permmaze.mspx

This web server is not in any domain. As it's accessible from other non-trusted machines, maybe security is OK.

Do you use the same URL to get to the site from the outside that you use on the inside?

I used the local IP to access from inside and the public IP while trying to access from outside.
