ASA 5505. My ACLs are failing :(

Unanswered Question
Feb 1st, 2008

Hi guys,


I really really hope someone can help me out. I've recently purchased a ASA 5505.

I have been struggling badly with this :(


My setup is


ISP -> Modem/Router -> ASA


Inside interface

IP: 192.168.1.1

Mask: 255.255.255.0

Security level: 100


DMZ:

IP: 192.168.2.1

Mask: 255.255.255.0

Security level: 4


Outside

IP: assigned via DHCP from my ADSL modem/router. 172.16.1.1 - 172.16.1.20.

Mask: 255.255.255.0

Security level: 0


Everything is set to default settings and I can access the internet from my inside network.


Now, I'm trying to allow public access to my webserver in my DMZ.


I used the ASDM to add an ACL to allow traffic from anywhere to 172.16.1.1 incoming on my outside interface. Although if I right click on the rule and test the ACL with packet tracer the rule fails. How can it be failing at the ACL test if packet tracer is filling in the details based on the ACL I just created?!


So when I try to access my www server from the internet I get an error reporting my outside_access_in ACL dropped the packets coming from a public address to 172.16.1.1/80.


I have attached my running-config... if anyone could PLEASE help that would be VERY much appreciated :(.


Marc.





srue Fri, 02/01/2008 - 05:56
User Badges:
  • Blue, 1500 points or more

change the following:

static (DMZ,outside) tcp 172.16.1.1 www 192.168.2.2 www netmask 255.255.255.255


to the following:

static (DMZ,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255


although this will only get you so far. the modem/router in front of your ASA needs to be configured for NAT also. that is where most of your problem lies.

marcosgeorge Fri, 02/01/2008 - 16:11

Thank you very much for that. It fixed my problem and I can now access my DMZ webserver from outside :). My router was already configured to port forward to my outside interface. Can I ask why I need to use "interface" rather than 172.16.1.1? Is it similar to static routes where you specify either the exit interface or the next hop?


Would it be ok if I asked another quick question?


I am trying to get authentication up and running now. Once again I'm using the ASDM. I have added an AAA authentication rule for www but it doesn't seem to be prompting me for a username and password when I access my website.


I've attached my updated config. Many thanks!



srue Fri, 02/01/2008 - 17:58

When you use port redirection/static PAT/port forwarding (or any of the other names it goes by), using the outside interface IP, you have to use the 'interface' keyword, instead of the IP address. This is actually a good thing, especially for SOHO users whose outside interface IP is dynamically assigned. You also need to use the 'interface outside' keywords with access-lists.


Are you wanting to authenticate in order for people to access your webserver in the DMZ? If so, that has to be done on the web server, not the firewall. ASDM is just the web GUI to manage the firewall; it has nothing to do with the web server behind the firewall itself.
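The working publication of the DMZ web server, written out as an added example (it is not config from the thread's attachments), using the addresses the original post gives: the literal-IP static line beside the one srue suggests, plus the inbound access-list that must also name `interface outside`. It assumes pre-8.3 ASA code, where access-lists match on the translated (mapped) address; the client address in the verification line is a constructed example.

```cisco
! Static PAT that the OP found does not work on this box: mapped address typed literally
! static (DMZ,outside) tcp 172.16.1.1 www 192.168.2.2 www netmask 255.255.255.255

! Static PAT bound to the outside interface address; keeps working when DHCP hands out a new IP
static (DMZ,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255

! The inbound ACL on outside matches the mapped address (pre-8.3 behaviour),
! so it names the interface too rather than 172.16.1.1
access-list outside_access_in extended permit tcp any interface outside eq www
access-group outside_access_in in interface outside

! CLI equivalent of the ASDM packet-tracer test; 203.0.113.10 is a constructed client address.
! Expect the NAT and ACCESS-LIST phases to show ALLOW and the result to be "allow".
packet-tracer input outside tcp 203.0.113.10 40000 172.16.1.1 80
```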

marcosgeorge Fri, 02/01/2008 - 21:09

Thank you for your explanation of setting NAT for the outside interface, it makes sense and yes it's a good idea when DHCP is being used ;).


"Are you wanting to authenticate in order for people to access your webserver in the DMZ? if so, that has to be done on the web server, not the firewall. ASDM is just the web gui to manage the firewall, it has nothing to do with web server behind the firewall itself."


Yes I am trying to authenticate my users first before they reach the webserver behind the DMZ.... I thought it could be done. What I am trying to do is the same as the following:

http://safari.oreilly.com/1587052091/ch07lev1sec4


also from Greg Abelar's book "Securing Your Business with Cisco ASA and PIX Firewalls".


Page 151 - Authentication for Inbound and Outbound Services.


It states:


"For example, if you have a website on your DMZ that is to be accessed only by a few choice users, the ASA/PIX can prompt anyone trying to access that site for a username and password before allowing access."


So from what I've read it can be done... I just can't get it to work :(


thanks again!




srue Sat, 02/02/2008 - 05:19

A better solution might actually be WebVPN... that will be easier to set up and is probably a bit better suited for what you're trying to do. Not to mention the number of WebVPN deployments at this point greatly outnumbers the number of authentication proxy deployments.

marcosgeorge Sat, 02/02/2008 - 15:43

Thanks for the suggestion.


I managed to get the authentication proxy up and running in two commands in the end, so it was rather simple.


I am in the process of trying to learn about the ASA so I'm just experimenting with it. So I will more than likely test out the Web VPN setup as well.


Thank you very much for your help. Very much appreciated.

mlenco Sat, 02/02/2008 - 19:16

No offense, but that's not true... On page 345 of 1154 of the Cisco Security Appliance Command Line Configuration Guide Version 8.0, you can enter either {mapped ip | interface}.


To configure static PAT, enter one of the following commands.

• For policy static PAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [udp udp_max_conns]


Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command (see the “Adding an Extended Access List” section on page 16-5). The protocol in the access list must match the protocol you set in this command. For example, if you specify tcp in the static command, then you must specify tcp in the access list. Specify the port using the eq operator.


The first address in the access list is the real address; the second address is either the source or destination address, depending on where the traffic originates. For example, to translate the real address 10.1.1.1/Telnet to the mapped address 192.168.1.1/Telnet when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are:

hostname(config)# access-list TEST extended tcp host 10.1.1.1 eq telnet 209.165.200.224 255.255.255.224

hostname(config)# static (inside,outside) tcp 192.168.1.1 telnet access-list TEST





marcosgeorge Sat, 02/02/2008 - 21:05

Sorry, is your reply in regards to this comment?


"When you use port redirection/static PAT/port forwarding (or any of the other names it goes by), using the outside interface IP, you have to use the 'interface' keyword, instead of the IP address. This is actually a good thing, especially for SOHO users whose outside interface IP is dynamically assigned. You also need to use the 'interface outside' keywords with access-lists. "


I understand what you're saying based on the documentation, but the fact is when I used the mapped IP rather than the "interface" command it didn't work. I'd like to know why myself....




mlenco Sun, 02/03/2008 - 05:19

That's good insight. I'll keep it in the back of my mind. Perhaps you stumbled across a bug Cisco needs to caveat in its documentation, or at least developers need to address. Perhaps both. It was a constructive discussion, you and I.

Later,

Matt

marcosgeorge Sun, 02/03/2008 - 15:04

Thanks, but I never really stumbled across it. In fact there could be some other reasoning behind it. srue is the person who pointed it out. They may be able to explain how they came to that answer.

srue Mon, 02/04/2008 - 08:29

mlenco,

When you are using any sort of NAT/PAT/ACLs using the IP address of the outside interface, you need to use the interface keyword. If you are using an IP address not associated with an interface, then you use the mapped IP.

In a home environment, or any place where the IP is dynamically assigned, you *want* to use the interface keyword in case the IP address changes.

PIX/ASA will let you enter the command with the interface IP, but as the OP pointed out, it will not work. You will probably need to ask Cisco why this is.
