ASA 5510 won't pass web traffic

Unanswered Question
Dec 4th, 2007
I have a problem with my firewall. I've followed all the information on the Cisco site about how to allow a certain set of ports, but I still cannot get to my web server on my DMZ. I have even created an ACL that allows all, but I can't get by the implicit deny ACL. I have the correct static NAT and access-group according to the Cisco site, so I'm not sure anymore. I didn't originally build this box, and I'm not a security person, so I've become quite frustrated.

Jon Marshall Tue, 12/04/2007 - 10:28
Hi

Could you possibly post the config.

Assuming access is from outside as an example:

Web server on DMZ = 192.168.5.10
Outside interface of ASA = 195.166.71.10

static (DMZ,outside) tcp interface 80 192.168.5.10 80
access-list from_outside permit tcp any host 195.166.71.10 eq http
access-group from_outside in interface outside

The above example assumes you are NATing the private address of the web server on the DMZ to the IP address of the PIX outside interface.

HTH

Jon

bmarlin Tue, 12/04/2007 - 10:43

Thank you Jon

Here is the static NAT I used:

static (DMZ,outside) 69.11.97.143 192.168.2.249 netmask 255.255.255.255

The only difference from you, but like the Cisco config on the Cisco web site.

I will send you my latest config.

Thanks again!



srue Tue, 12/04/2007 - 11:19

clear configure access-list DMZ_access_in

access-list outside_in permit tcp any host 69.11.97.143 eq 80

access-group outside_in in interface outside

bmarlin Tue, 12/04/2007 - 11:23

Thanks for your help, srue.

I now am getting SYN timeouts and Deny TCP from DMZ to outside,

then the ASA is tearing down TCP connections. Here is the updated config.




srue Tue, 12/04/2007 - 11:33


nat (DMZ) 101 0 0

In your current setup, you cannot initiate traffic from your DMZ to the inside, just FYI.

bmarlin Tue, 12/04/2007 - 12:48


Unfortunately, changing the NAT statement didn't work. I thank you for your help.

I had made the change from my static NAT to nat (DMZ) 101 0 0, but it got worse. Now I'm back to getting rejected by the implicit deny; before I replaced the NAT of the DMZ, at the very least I was seeing TCP SYN timeouts.

I just wanted to get the outside interface to allow web.

mdhaka Tue, 12/04/2007 - 16:41

Instead of using the interface IP address, can we try to use another public IP?

If not, try these commands:

access-list DMZ_access_in extended permit tcp any interface outside eq www

static (DMZ,outside) tcp interface 80 192.168.2.249 80

bmarlin Wed, 12/05/2007 - 07:22

Hello and thanks for suggestions,

Unfortunately nothing suggested has worked properly. I have reached a point where I may just try a rebuild of the system. I will keep you all informed.

bmarlin Wed, 12/05/2007 - 09:16

Hello

I have attempted a rebuild of the FW, and here is the log I now get when trying to get to the DMZ server:

connection denied from 142.165.31.5/1248 to 69.11.97.143/80 flags SYN on interface Outside.

Thanks again for the help

Jon Marshall Wed, 12/05/2007 - 09:17
Hi

Can you post your updated config?

Jon

bmarlin Wed, 12/05/2007 - 10:04

Hi

Here are my 2 latest syslog events when trying to connect to the DMZ server:

302013 142.165.31.5 69.11.97.143 Built inbound TCP connection 6059 for Outside:142.165.31.5/1541 (142.165.31.5/1541) to DMZ:69.11.97.143/80 (69.11.97.143/80)

6 Dec 05 2007 10:25:26 110003 Routing failed to locate next hop for TCP from Outside:142.165.31.5/1541 to DMZ:69.11.97.143/80.
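The two events above are the pair a static with the wrong real address produces: 302013 shows the destination translated to DMZ:69.11.97.143 (the public address, not a DMZ host), and 110003 follows because the ASA has no route to that address out of the DMZ interface. The script below is an added example, not code from this thread or from Cisco; it correlates the two message types over sample lines (the thread's two events plus one constructed healthy event) and assumes the interface subnets listed at the top.

```python
# Added example (not from the thread): correlate ASA syslog 302013 / 110003 events
# to spot a static whose "real" address is not actually on the DMZ.
import ipaddress
import re

# Interface subnets are an assumption constructed for this example.
IFACE_SUBNETS = {
    "outside": ipaddress.ip_network("69.11.97.128/26"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "inside": ipaddress.ip_network("192.168.1.0/24"),
}

# 302013: Built inbound TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>)
#         to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r"302013 .*?Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<sif>\w+):(?P<sreal>[\d.]+)/(?P<sport>\d+) \((?P<smapped>[\d.]+)/\d+\) to "
    r"(?P<dif>\w+):(?P<dreal>[\d.]+)/(?P<dport>\d+) \((?P<dmapped>[\d.]+)/\d+\)"
)
# 110003: Routing failed to locate next hop for <proto> from <if>:<ip>/<port> to <if>:<ip>/<port>
NOROUTE_RE = re.compile(
    r"110003 Routing failed to locate next hop for (?P<proto>\w+) from "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

SAMPLE_LOG = [
    # the two events quoted in the thread
    "302013 142.165.31.5 69.11.97.143 Built inbound TCP connection 6059 for "
    "Outside:142.165.31.5/1541 (142.165.31.5/1541) to DMZ:69.11.97.143/80 (69.11.97.143/80)",
    "6 Dec 05 2007 10:25:26 110003 Routing failed to locate next hop for TCP from "
    "Outside:142.165.31.5/1541 to DMZ:69.11.97.143/80.",
    # constructed: what a correct static produces (real DMZ address before the parentheses)
    "302013 142.165.31.5 69.11.97.143 Built inbound TCP connection 6060 for "
    "Outside:142.165.31.5/1542 (142.165.31.5/1542) to DMZ:192.168.2.249/80 (69.11.97.143/80)",
]


def analyze(lines):
    """Return one finding per inbound connection whose translated destination is not
    on the destination interface's subnet, and one per 110003 that follows a 302013
    for the same source/destination-interface tuple."""
    built = {}  # (src_if, src_ip, src_port, dst_if) -> 302013 match
    findings = []
    for line in lines:
        if m := BUILT_RE.search(line):
            key = (m["sif"].lower(), m["sreal"], m["sport"], m["dif"].lower())
            built[key] = m
            dreal = ipaddress.ip_address(m["dreal"])
            dnet = IFACE_SUBNETS.get(m["dif"].lower())
            if dnet is not None and dreal not in dnet:
                findings.append(
                    f"conn {m['conn']}: destination translated to {dreal}, which is not in "
                    f"the {m['dif']} subnet {dnet}; the static's real address looks wrong"
                )
        elif m := NOROUTE_RE.search(line):
            key = (m["sif"].lower(), m["sip"], m["sport"], m["dif"].lower())
            b = built.get(key)
            if b is not None:
                findings.append(
                    f"conn {b['conn']}: no route to {m['dip']} out of {m['dif']} right after "
                    f"the connection was built; the ASA cannot reach the static's real address"
                )
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Both findings point at connection 6059; the constructed connection 6060, whose real destination is a 192.168.2.0/24 host, is not flagged. Feeding the script a day's worth of exported syslog is a quick way to tell a NAT/routing mismatch apart from an ACL drop, since an ACL drop never produces a 302013 "Built" event in the first place.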


Jon Marshall Wed, 12/05/2007 - 10:23
Hi

Change

"static (DMZ,Outside) interface 69.11.97.143 netmask 255.255.255.255"

to

static (DMZ,Outside) interface 192.168.2.x netmask 255.255.255.255

where 192.168.2.x is the address of the web server.

Jon
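A small lint for the three-line pattern Jon gave in his first reply (static, access-list, access-group) and for the mistake his correction above points at: the second address of a static is the server's real DMZ address, and an ACL bound to the outside interface must name the mapped address (or interface outside), because ASA releases before 8.3 match ACLs against the translated address. This is an added example, not code from the thread or from Cisco; the interface subnets are assumed, the addresses are the thread's, and the third sample config is constructed.

```python
# Added example (not from the thread): sanity-check pre-8.3 ASA static / access-list /
# access-group lines for the mistakes discussed in this thread.
import ipaddress
import re

# Interface subnets are an assumption constructed for this example; the outside
# interface address 69.11.97.143 is the one used in the thread.
IFACE_SUBNETS = {
    "outside": ipaddress.ip_network("69.11.97.128/26"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "inside": ipaddress.ip_network("192.168.1.0/24"),
}
OUTSIDE_IP = ipaddress.ip_address("69.11.97.143")

IP = r"\d+(?:\.\d+){3}"
# static (real_if,mapped_if) [tcp|udp] {mapped_ip|interface} [mapped_port] real_ip [real_port] [netmask M]
STATIC_RE = re.compile(
    rf"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+(?:(?P<proto>tcp|udp)\s+)?"
    rf"(?P<mapped>interface|{IP})\s+(?:(?P<mport>\d+)\s+)?(?P<real>{IP})(?:\s+(?P<rport>\d+))?"
    rf"(?:\s+netmask\s+(?P<mask>{IP}))?\s*$",
    re.IGNORECASE,
)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+|interface\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$",
    re.IGNORECASE,
)
AG_RE = re.compile(
    r"^access-group\s+(?P<name>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<iface>\S+)\s*$",
    re.IGNORECASE,
)

# The static Jon flagged (real address wrongly set to the public IP), with srue's ACL.
BROKEN_STATIC = [
    "static (DMZ,Outside) interface 69.11.97.143 netmask 255.255.255.255",
    "access-list outside_in permit tcp any host 69.11.97.143 eq 80",
    "access-group outside_in in interface outside",
]
# Jon's corrected static, using 192.168.2.249 for the web server as in the thread.
FIXED = [
    "static (DMZ,Outside) interface 192.168.2.249 netmask 255.255.255.255",
    "access-list outside_in permit tcp any interface outside eq www",
    "access-group outside_in in interface outside",
]
# Constructed: ACL on outside written against the private address (never matches pre-8.3).
PRIVATE_IN_ACL = [
    "static (DMZ,outside) 69.11.97.143 192.168.2.249 netmask 255.255.255.255",
    "access-list outside_in permit tcp any host 192.168.2.249 eq 80",
    "access-group outside_in in interface outside",
]


def check_config(lines):
    """Return a list of findings; an empty list means all three checks passed."""
    statics, acls, groups, findings = [], {}, [], []
    for raw in lines:
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif m := AG_RE.match(line):
            groups.append(m.groupdict())

    exposed = set()  # mapped (public) addresses that some static actually publishes
    for s in statics:
        real_if = s["real_if"].lower()
        real = ipaddress.ip_address(s["real"])
        net = IFACE_SUBNETS.get(real_if)
        # Check 1: the second address of a static is the server's real address on real_if
        if net is not None and real not in net:
            findings.append(
                f"static ({s['real_if']},{s['mapped_if']}): real address {real} is not in the "
                f"{real_if} subnet {net}; the second address must be the server's own {real_if} address"
            )
        exposed.add(OUTSIDE_IP if s["mapped"].lower() == "interface" else ipaddress.ip_address(s["mapped"]))

    for g in groups:
        name, iface = g["name"], g["iface"].lower()
        if name not in acls:
            # Check 2: an access-group must bind an existing access-list
            findings.append(f"access-group {name}: no such access-list")
            continue
        for e in acls[name]:
            parts = e["dst"].split()
            kind, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if kind == "interface":
                target = OUTSIDE_IP if arg.lower() == "outside" else None
            elif kind == "host":
                target = ipaddress.ip_address(arg)
            else:
                target = None
            if target is None:
                continue
            # Check 3: pre-8.3, an ACL on the outside interface is matched against the
            # mapped (translated) address, so a private DMZ/inside address never matches
            for other_if, net in IFACE_SUBNETS.items():
                if other_if != iface and target in net:
                    findings.append(
                        f"access-list {name} (applied {g['dir']} on {g['iface']}): {target} is a "
                        f"{other_if} address; use the mapped address or 'interface outside'"
                    )
            if target not in exposed:
                findings.append(f"access-list {name}: permits {target} but no static publishes it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_STATIC), ("fixed", FIXED), ("private", PRIVATE_IN_ACL)):
        print(label, check_config(cfg) or "ok")
```

The broken static yields exactly the finding Jon described; the corrected config passes; the constructed third config is flagged twice, once because the ACL names a DMZ address on the outside interface and once because no static publishes that address. On 8.3 and later the ACL semantics are inverted (ACLs match the real address), so check 3 would need to be reversed there.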


bmarlin Wed, 12/05/2007 - 14:19

Hi Jon

I have made the change; still not working.

bmarlin Thu, 12/06/2007 - 06:59

Found the problem. Not the firewall; routing is suspect.

Thanks everyone for your help.
