web access from inside

Unanswered Question
Jan 26th, 2008

I'm trying to get www, https, svn(3690), and ssh from one of my inside networks to get outside access, but this isn't working for me yet. Can anyone provide some insight as to what I've got wrong on my 5510 configuration? I'm sure it's probably my statics, but I'm having trouble with those.


---


name 192.168.3.0 DEV_NET
name 199.199.xxx.14 MY_WAN_IP

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address MY_WAN_IP 255.255.255.0

interface Ethernet0/3
 nameif development
 security-level 80
 ip address 192.168.3.1 255.255.255.0

object-group service ALL_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
 port-object eq ssh

access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES

global (outside) 1 interface
nat (development) 1 DEV_NET 255.255.255.0

static (development,dmz) DEV_NET DEV_NET netmask 255.255.255.0

access-group ALL_ACCESS in interface outside
access-group ALL_ACCESS out interface outside
access-group ALL_ACCESS in interface development
access-group ALL_ACCESS out interface development

route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1



lisajoseph1970 Sat, 01/26/2008 - 14:58

What is the IP address that you are trying to access through the ASA? I see that you have PATing to the outside interface for DEV_NET when going to the outside interface and also have access-group applied in/out on both the interfaces. Can you remove the access-group and see if you are able to access the web, ssh, etc.?


Since you have access-group in/out, look at the traffic flow and define different ACLs accordingly. For example, when you initiate a TCP connection from inside, the source port would be a randomly generated port while the destination is 80, and the return traffic will have source port 80 and a destination of the port that you used. So, I would remove the ACL and give it a shot.


Regards,

Lisa
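Lisa's point about which direction an ACL entry matches, as an added illustration that is not part of this thread: a small Python matcher for the object-group and access-list lines posted above. It evaluates only the ACL text (the ASA's connection table, which handles replies to established connections, is not modelled here), and the helper names are my own.

```python
import re

# Service keywords accepted in "port-object eq <name>" (subset; the ASA knows many more).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

# Constructed from the lines posted in the thread (port and ACL lines only).
CONFIG = """
object-group service ALL_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
 port-object eq ssh
access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES
"""

GROUP_RE = re.compile(r"object-group service (\S+) tcp")
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) tcp any any object-group (\S+)")

def parse_config(text):
    """Return ({group: set(ports)}, [(acl, action, group), ...]) in config order."""
    groups, aces, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            current = groups.setdefault(m.group(1), set())
        elif line.startswith("port-object eq ") and current is not None:
            tok = line.split()[-1]
            current.add(PORT_NAMES.get(tok) or int(tok))
        elif m := ACE_RE.match(line):
            aces.append((m.group(1), m.group(2), m.group(3)))
            current = None
    return groups, aces

def acl_permits(groups, aces, acl, dst_port):
    """Evaluate one TCP packet against an ACL: first matching entry wins, implicit deny
    at the end. An 'any any object-group X' entry matches on the packet's DESTINATION
    port only, so the source port plays no part."""
    for name, action, group in aces:
        if name == acl and dst_port in groups[group]:
            return action == "permit"
    return False

def check_connection(groups, aces, acl, client_port, server_port):
    """Return (request_matches, reply_matches) for a client->server connection."""
    return (acl_permits(groups, aces, acl, server_port),   # request: dst = server port
            acl_permits(groups, aces, acl, client_port))   # reply: dst = client's ephemeral port

if __name__ == "__main__":
    g, a = parse_config(CONFIG)
    print(check_connection(g, a, "ALL_ACCESS", 51234, 80))  # (True, False)
```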


a.e.wiggin Mon, 01/28/2008 - 09:37


I guess I'm not following here. I want to have the traffic of ALL_SERVICES accessible from the outside as well as use them from the inside, so that's why I put it on both interfaces in both directions.


I made a small change so the following is what I'm working with ...



name 192.168.3.0 DEV_NET
name 199.199.xxx.14 MY_WAN_IP

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address MY_WAN_IP 255.255.255.0

interface Ethernet0/3
 nameif development
 security-level 80
 ip address 192.168.3.1 255.255.255.0

object-group service ALL_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
 port-object eq ssh

access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES

nat-control
global (outside) 1 interface
nat (development) 1 DEV_NET 255.255.255.0

static (development,outside) DEV_NET DEV_NET netmask 255.255.255.0

access-group ALL_ACCESS in interface outside
access-group ALL_ACCESS out interface outside
access-group ALL_ACCESS in interface development
access-group ALL_ACCESS out interface development

route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1
