publishing web server

support.edm
Level 1

Test environment. Trying to publish a web server on the LAN to the internet (not testing the DMZ yet, but I'm assuming it'll be the same). I can browse the web server internally on the LAN using http://172.17.193.101. I tried this on my ASA 5510:

static (inside,outside) publicip 172.17.193.101 netmask 255.255.255.255 dns

access-list outside_access_in permit tcp any host publicip eq www

access-group outside_access_in in interface outside

I'm getting:

TCP access denied by ACL from internetip/29453 to Outside:publicip/80.

This is my config:

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password xxx
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address publicip 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.193.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list outside_access_in extended permit tcp any host publicip eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip local pool Addr_Pool_1 192.168.10.101-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
static (inside,Outside) publicip 172.17.193.101 netmask 255.255.255.255 dns
access-group outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 gatewayip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.17.193.101-172.17.193.254 inside
dhcpd dns dnsserver1 dnsserver2 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
 address-pools value Addr_Pool_1
username user1 password tJsDL6po9m1UFs.h encrypted
prompt hostname context
Cryptochecksum:xxx
: end

9 Replies

Collin Clark
VIP Alumni

Change the static to point to an address other than one assigned to the interface and change the ACL to use the new IP

OR

change the ACL to (off the top of my head, it might be slightly different)

access-list outside_access_in extended permit tcp any interface Outside eq www

Hope that helps

Or, if you are using the same address as the interface you can do this...

static (inside,Outside) interface 172.17.193.101 netmask 255.255.255.255

support.edm
Level 1

I did the following:

static (inside,outside) publicip 172.17.193.101 netmask 255.255.255.255 dns

access-list outside_access_in extended permit tcp any interface outside eq www

access-group outside_access_in in interface outside

Website doesn't work from Internet. I get:

TCP access denied by ACL from someinternetip/22353 to Outside:publicip/80

I also did this:

static (inside,Outside) interface 172.17.193.101 netmask 255.255.255.255

access-list outside_access_in permit tcp any host publicip eq www

access-group outside_access_in in interface outside

The website is now accessible from the Internet BUT ASDM/SSH management stopped working. I get:

Deny tcp src Outside:someinternetip/19721 dst inside:publicip/443 by access-group "outside_access_in" [0x0, 0x0]

Any ideas?

My config:

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password xxx
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address publicip 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.193.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip local pool Addr_Pool_1 192.168.10.101-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 gatewayip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http someinternetip 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh scopy enable
ssh someinternetip 255.255.255.255 Outside
ssh timeout 60
console timeout 0
dhcpd address 172.17.193.101-172.17.193.254 inside
dhcpd dns publicdns1 publicdns2 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
 address-pools value Addr_Pool_1
username admin password xxx encrypted privilege 15
username user1 password xxx encrypted
prompt hostname context
Cryptochecksum:xxx
: end
ciscoasa#

It stopped working because you're translating the whole IP. Try this (it NATs a port only):

static (inside,Outside) tcp interface 80 172.17.193.101 80 netmask 255.255.255.255

Now 80 should go to your web server, 443 to ASDM and SSH to the ASA.

The first static has a typo.

static (inside,outside) publicip 172.17.193.101 netmask 255.255.255.255 dns

should be

static (inside,Outside) publicip 172.17.193.101 netmask 255.255.255.255 dns

And do you want dns? Do you have the name set correctly?

I did what you told me to do:

static (inside,Outside) tcp interface 80 172.17.193.101 80 netmask 255.255.255.255

access-list outside_access_in permit tcp any host publicip eq www

access-group outside_access_in in interface outside

Works now, for both ASDM/HTTP and the website.

If you're asking about a DNS name for the publicip address of the website, no, we haven't registered one yet. I know in ISA, for a web server publishing rule, I have to specify the public DNS name (i.e. www.webserver.com) of our internal web server. How would you go about specifying that on the ASA?

And also, I didn't realize case-sensitivity counts. I tried to change "Outside" to "outside" but it still reverts back to "Outside". Is there a workaround?

Thanks for your help so far.

Here's the info on DNS and NAT, I just wanted to make sure that is what you wanted to do.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042753

The interface names (nameif) are case-sensitive! There is no workaround, just make sure you put the right one in. We usually make all interface names lower case so we don't make any typos.

static (inside,outside) tcp publicip 80 172.17.193.100 80 netmask 255.255.255.255

access-list outside_access_in permit tcp any host publicip eq 80

access-group outside_access_in in interface outside

static (inside,outside) tcp interface 80 172.17.193.100 80 netmask 255.255.255.255

access-list outside_access_in permit tcp any host publicip eq 80

access-group outside_access_in in interface outside

Why would putting in "interface" work but putting in the real publicip doesn't work?

If your "publicip" is equal to the outside interface IP address.

So it's by design; you must use "interface" instead of "publicip".
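The two lessons the thread converges on (nameif references are case-sensitive, and a static whose mapped address is the outside interface's own IP has to use the "interface" keyword, per port, so that ASDM/SSH on 443/22 keep reaching the ASA) can be turned into a small config lint that runs over "show run" output before the change is committed. This is an added example, not code from the thread or from Cisco: the two sample configs below are constructed from the posts above, "publicip" stands for the masked address, and the finding codes are names chosen here.

```python
"""Lint ASA 8.0-style config text for the pitfalls discussed in this thread:
interface names referenced with the wrong case, and a static that maps the
outside interface's own address.  Added example; sample configs are
constructed from the thread, 'publicip' is the masked public address."""

# Constructed sample: the poster's first attempt (nameif case mismatch, full
# static on the interface address) plus the later full 'interface' static.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address publicip 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.193.1 255.255.255.0
!
access-list outside_access_in extended permit tcp any host publicip eq www
static (inside,outside) publicip 172.17.193.101 netmask 255.255.255.255 dns
static (inside,Outside) interface 172.17.193.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# Constructed sample: the configuration that finally worked (per-port static
# on the interface address, correct nameif case), leaving 443/22 to the ASA.
WORKING_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address publicip 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.193.1 255.255.255.0
!
access-list outside_access_in extended permit tcp any host publicip eq www
static (inside,Outside) tcp interface 80 172.17.193.101 80 netmask 255.255.255.255
access-group outside_access_in in interface Outside
"""

# Finding codes are names chosen for this example, not ASA terminology.
EXPLANATIONS = {
    "CASE_MISMATCH": "nameif differs only by case; ASA interface names are case-sensitive",
    "UNKNOWN_NAMEIF": "nameif is not configured on any interface",
    "USE_INTERFACE_KEYWORD": "mapped address is the interface's own IP; use the 'interface' keyword",
    "FULL_STATIC_ON_INTERFACE": "full static on the interface address also diverts ASDM/SSH (443/22); use a per-port static",
}


def parse_interfaces(config):
    """Map each nameif to the address configured in its interface block."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
            ifaces[current] = None
        elif line.startswith("ip address ") and current:
            ifaces[current] = line.split()[2]
    return ifaces


def resolve_nameif(name, ifaces):
    """Return (configured name or None, finding code or None) for a reference."""
    if name in ifaces:
        return name, None
    for real in ifaces:
        if real.lower() == name.lower():
            return real, "CASE_MISMATCH"
    return None, "UNKNOWN_NAMEIF"


def lint(config):
    """Return [(offending line, finding code), ...] in config order."""
    ifaces = parse_interfaces(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if line.startswith("static ("):
            real_if, mapped_if = tokens[1].strip("()").split(",")
            for ref in (real_if, mapped_if):
                _, code = resolve_nameif(ref, ifaces)
                if code:
                    findings.append((line, code))
            mapped_name, _ = resolve_nameif(mapped_if, ifaces)
            if mapped_name is None:
                continue
            # 'static (r,m) tcp <mapped> <port> ...' is per-port; otherwise whole-address
            port_level = tokens[2] in ("tcp", "udp")
            mapped_ip = tokens[3] if port_level else tokens[2]
            if mapped_ip == ifaces[mapped_name]:
                findings.append((line, "USE_INTERFACE_KEYWORD"))
            if not port_level and mapped_ip in ("interface", ifaces[mapped_name]):
                findings.append((line, "FULL_STATIC_ON_INTERFACE"))
        elif line.startswith("access-group ") and "interface" in tokens:
            _, code = resolve_nameif(tokens[tokens.index("interface") + 1], ifaces)
            if code:
                findings.append((line, code))
    return findings


if __name__ == "__main__":
    for offending, code in lint(BROKEN_CONFIG):
        print(f"{code}: {offending}\n    {EXPLANATIONS[code]}")
    print("working config findings:", lint(WORKING_CONFIG))
```

Run it against pasted "show run" text: the broken sample yields five findings (two case mismatches, one use-the-interface-keyword, two full-static-on-interface) and the working sample yields none. The lint only looks at the static and access-group lines the thread dealt with; it does not check that the ACL itself matches, which the ASA log line "access denied by ACL" is still the authority on.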
