asa 5510 won't pass web traffic

bmarlin
Level 1

I have a problem with my firewall. I've followed all the information on the Cisco site about how to allow a certain set of ports, but I still cannot get to my web server on my DMZ; I have even created an ACL that allows all, but I can't get past the implicit deny ACL. I have the correct static NAT and access-group according to the Cisco site, so I'm not sure anymore. I didn't originally build this box, and I'm not a security person, so I've become quite frustrated.

Jon Marshall
Hall of Fame

Hi

Could you possibly post the config?

Assuming access is from outside, as an example:

Web server on DMZ = 192.168.5.10

Outside interface of ASA = 195.166.71.10

static (DMZ,outside) tcp interface 80 192.168.5.10 80

access-list from_outside permit tcp any host 195.166.71.10 eq http

access-group from_outside in interface outside

The above example assumes you are NATting the private address of the web server on the DMZ to the IP address of the PIX outside interface.

HTH

Jon

Thank you Jon

Here is the static NAT I used:

static (DMZ,outside) 69.11.97.143 192.168.2.249 netmask 255.255.255.255

That is the only difference from yours, but it is like the Cisco config on the Cisco web site.

I will send you my latest config

Thanks again!

clear configure access-list DMZ_access_in

access-list outside_in permit tcp any host 69.11.97.143 eq 80

access-group outside_in in interface outside

Thanks for your help, srue.

I am now getting SYN timeouts and "Deny tcp" from DMZ to outside,

then the ASA is tearing down the TCP connections. Here is the updated config:

nat (DMZ) 101 0 0

In your current setup, you cannot initiate traffic from your DMZ to the inside, just FYI.

Unfortunately, changing the NAT statement didn't work. I thank you for your help.

I had made the change from my static NAT to nat (DMZ) 101 0 0, but it got worse. Now I'm back to getting rejected by the implicit deny. Before I replaced the NAT for the DMZ, at the very least I was seeing TCP SYN timeouts.

I just wanted to get the outside interface to allow web.

mdhaka
Level 1

In spite of using the interface IP address, can we try to use another public IP?

If not, try these commands:

access-list DMZ_access_in extended permit tcp any interface outside eq www

static (DMZ,outside) tcp interface 80 192.168.2.249 80

Hello, and thanks for the suggestions.

Unfortunately, nothing suggested has worked properly. I have reached a point where I may just try a rebuild of the system. I will keep you all informed.

Hello

I have attempted a rebuild of the FW, and here is the log I now get when trying to get to the DMZ server:

connection denied from 142.165.31.5/1248 to 69.11.97.143/80 flags SYN on interface Outside.

Thanks again for the help.

Hi

Can you post your updated config?

Jon

Hi

Here are my two latest syslog events when trying to connect to the DMZ server:

302013 142.165.31.5 69.11.97.143 Built inbound TCP connection 6059 for Outside:142.165.31.5/1541 (142.165.31.5/1541) to DMZ:69.11.97.143/80 (69.11.97.143/80)

6 Dec 05 2007 10:25:26 110003 Routing failed to locate next hop for TCP from Outside:142.165.31.5/1541 to DMZ:69.11.97.143/80.

Here is the updated config.

Thanks

Hi

Change:

"static (DMZ,Outside) interface 69.11.97.143 netmask 255.255.255.255"

to:

static (DMZ,Outside) interface 192.168.2.x netmask 255.255.255.255

where 192.168.2.x is the address of the web server.

Jon
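To make the diagnosis above concrete, here is an added example (my own code, not from the thread or from Cisco) that parses pre-8.3 ASA `static` and `access-list` lines and flags the pattern in this thread: a static whose real (right-hand) address is the public address rather than the DMZ host, which leaves the ASA with no next hop after untranslation (the 110003 message). It assumes the DMZ subnet is 192.168.2.0/24 and the outside interface address is 69.11.97.143, which are the values visible in the posts.

```python
import ipaddress
import re

# Assumed for this example (taken from the thread, not a verified config).
DMZ_SUBNET = ipaddress.ip_network("192.168.2.0/24")
OUTSIDE_IP = ipaddress.ip_address("69.11.97.143")

# Pre-8.3 syntax: static (real_if,mapped_if) [tcp] mapped_ip [port] real_ip [port] netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<mapped>interface|[\d.]+)\s+(?:(?P<mport>\w+)\s+)?(?P<real>[\d.]+)"
)
ACL_RE = re.compile(
    r"^access-list \S+ (?:extended )?permit tcp any "
    r"(?:host (?P<host>[\d.]+)|(?P<iface>interface \w+)) eq (?:80|www|http)"
)


def check_static(line, dmz_subnet=DMZ_SUBNET, outside_ip=OUTSIDE_IP):
    """Return a list of problems with one static statement (empty if it looks sane)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a static statement this checker can parse"]
    real = ipaddress.ip_address(m["real"])
    mapped = outside_ip if m["mapped"] == "interface" else ipaddress.ip_address(m["mapped"])
    problems = []
    # The real address must be the host's own address on the real interface; if it is
    # not on the DMZ subnet the ASA cannot route the untranslated packet (syslog 110003).
    if real not in dmz_subnet:
        problems.append(f"real address {real} is not on {m['real_if']} subnet {dmz_subnet}")
    if real == mapped:
        problems.append("real and mapped addresses are identical; nothing is translated")
    return problems


def acl_targets_mapped_address(acl_line, static_line, outside_ip=OUTSIDE_IP):
    """Pre-8.3: the inbound ACL on the outside must name the mapped (public) address."""
    s = STATIC_RE.match(static_line.strip())
    a = ACL_RE.match(acl_line.strip())
    if not (s and a):
        return False
    mapped = outside_ip if s["mapped"] == "interface" else ipaddress.ip_address(s["mapped"])
    if a["iface"]:
        return mapped == outside_ip          # "interface outside" keyword form
    return ipaddress.ip_address(a["host"]) == mapped


# Constructed samples: the broken static from the thread beside Jon's corrected one.
BROKEN = "static (DMZ,Outside) interface 69.11.97.143 netmask 255.255.255.255"
FIXED = "static (DMZ,Outside) interface 192.168.2.249 netmask 255.255.255.255"
ACL = "access-list outside_in permit tcp any host 69.11.97.143 eq 80"

if __name__ == "__main__":
    for s in (BROKEN, FIXED):
        print(s, "->", check_static(s) or "ok")
    print("ACL names the mapped address:", acl_targets_mapped_address(ACL, FIXED))
```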
