ASA 5505 has me stuck in the mud

Answered Question
Jul 10th, 2008

I have an ASA 5505 and nearly everything works great. My only problem is I have a webserver in the DMZ and I can't get access to the internet from it. Now, if it was just that I wanted to be able to get updates for the box, it wouldn't matter, but I have an app on the server that has to communicate via SSL with a service outside my network, and no traffic goes out that is destined for the internet. The server also accesses a database on the inside network and this works fine. I need a hand, badly.



Correct Answer
kwillacey Thu, 07/10/2008 - 09:32

You need to change the

nat (inside) 1 192.168.3.0 255.255.255.0 TO

nat (dmz) 1 192.168.3.0 255.255.255.0


That should fix your problem.

Correct Answer
a.alekseev Thu, 07/10/2008 - 09:48

access-list dmz_access_in extended permit tcp host 192.168.3.2 host 192.168.2.3 eq 1433

access-list dmz_access_in extended deny ip any 10.0.0.0 255.0.0.0

access-list dmz_access_in extended deny ip any 172.16.0.0 255.240.0.0

access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.0.0

access-list dmz_access_in extended permit ip host 192.168.3.2 any

access-group dmz_access_in in interface dmz

nat (dmz) 1 192.168.3.2 255.255.255.255
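The ACL above only works because of its order: the three RFC1918 denies sit before the broad permit, so the web server gets the internet and the one SQL flow but nothing else inside. On ASA 8.0 an interface ACL is matched against addresses as they appear on that interface, which is why the SQL server is named by its static-mapped 192.168.2.3 and not by 192.168.0.3. The following evaluator is an added example, not code from the thread: it parses the dmz_access_in list as posted (with the host keyword) and runs first-match evaluation over a set of constructed flows, then shows what happens when the broad permit is moved to the top. The 198.51.100.x addresses are constructed documentation addresses.

```python
"""ASA 8.0-style extended ACL evaluator (first match wins, implicit deny last).
Added example, not code from the thread: the ACL text is the dmz_access_in list
posted above, the candidate flows and the 198.51.100.x addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443, "domain": 53}   # ASA port keywords (subset)

# ACL as posted, with the 'host' keyword the ASA requires for a single address.
DMZ_ACL = """
access-list dmz_access_in extended permit tcp host 192.168.3.2 host 192.168.2.3 eq 1433
access-list dmz_access_in extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_access_in extended deny ip any 172.16.0.0 255.240.0.0
access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit ip host 192.168.3.2 any
"""

WEB = "192.168.3.2"
# (proto, src, dst, dst-port): what the DMZ web server needs, plus what it must not reach
FLOWS = {
    "sql via static (inside,dmz) mapped address": ("tcp", WEB, "192.168.2.3", 1433),
    "https to an internet host (constructed)":    ("tcp", WEB, "198.51.100.10", 443),
    "dns to an internet resolver (constructed)":  ("udp", WEB, "198.51.100.53", 53),
    "dns to the inside server 192.168.0.51":      ("udp", WEB, "192.168.0.51", 53),
    "smb to the inside LAN":                      ("tcp", WEB, "192.168.0.3", 445),
}


@dataclass(frozen=True)
class Ace:
    action: str                 # permit | deny
    proto: str                  # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None = any destination port


def _addr(t, i):
    """Parse one ASA address spec at t[i]: 'any' | 'host A' | 'A MASK'. Returns (net, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ASA writes subnet masks in dotted form (255.0.0.0), which ipaddress accepts directly
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return {acl_name: [Ace, ...]} preserving line order (order is the ACL's semantics)."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            raise ValueError("unsupported line: " + line)
        name, action, proto = t[1], t[3], t[4]
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE decides; returns (action, index), or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, a in enumerate(aces):
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, n
    return "deny", None


def decisions(acl_text=DMZ_ACL):
    """Verdict for every flow in FLOWS against the ACL as posted."""
    aces = parse_acl(acl_text)["dmz_access_in"]
    return {label: evaluate(aces, *flow) for label, flow in FLOWS.items()}


def reordered_decisions():
    """Same ACEs with the broad permit moved to the top: the RFC1918 denies become
    dead entries and the DMZ host can reach the whole inside network."""
    aces = parse_acl(DMZ_ACL)["dmz_access_in"]
    aces = [aces[-1]] + aces[:-1]
    return {label: evaluate(aces, *flow) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for title, result in (("as posted", decisions()), ("permit moved first", reordered_decisions())):
        print(f"--- {title}")
        for label, (action, idx) in result.items():
            where = "implicit deny" if idx is None else f"line {idx + 1}"
            print(f"{action:6} {where:14} {label}")
```

One consequence worth noticing in the output: the deny on 192.168.0.0/16 also blocks the DMZ host from the inside DNS server (192.168.0.51 in the posted group-policy), so a web server in this DMZ has to resolve names against an outside resolver.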

bhoskisnon Thu, 07/10/2008 - 11:13

I hate to say it, but that didn't do it. I can see in the syslog the connections being built and then the teardown nearly 2 minutes later. The connections seem to be good; here are the teardowns.

6 Jul 10 2008 18:53:53 302014 64.181.65.242 192.168.3.2 Teardown TCP connection 318 for outside:64.181.65.242/4404 to dmz:192.168.3.2/80 duration 0:01:17 bytes 38852 TCP Reset-O


6 Jul 10 2008 18:54:48 302016 63.90.97.10 192.168.3.2 Teardown UDP connection 320 for outside:63.90.97.10/53 to dmz:192.168.3.2/1026 duration 0:02:08 bytes 180


6 Jul 10 2008 18:55:10 305012 192.168.3.2 64.181.65.243 Teardown dynamic UDP translation from dmz:192.168.3.2/1026 to outside:64.181.65.243/1025 duration 0:02:30


The webserver just times out on the connections, internet pages are inaccessible, and name resolution doesn't happen when I use ping to see if it will resolve the name. I don't know what the issue is; it's making me nuts!
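The three teardown lines above already contain the answer if you read them against the posted config. The 305012 line shows a dynamic PAT entry being built for 192.168.3.2 on the outside interface address, so NAT for the DMZ host is working. The 302016 line is a UDP/53 connection that lived 2:08, which is the configured `udp 0:02:00` idle timeout plus slack, and carried only 180 bytes: with `inspect dns` enabled (as in the posted policy-map) the ASA tears a DNS connection down as soon as the reply arrives, so a DNS connection that survives to the idle timeout never received an answer. The following triage script is an added example, not code from the thread; it parses the three lines quoted in the post and applies that rule. The 120-second constant is taken from the posted `timeout conn` line.

```python
"""Triage of the ASA teardown messages quoted above (302014, 302016, 305012).
Added example, not from the thread: the three log lines are copied from the post,
the 120-second UDP idle timeout is the 'udp 0:02:00' value in the posted config."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOGS = [
    "6 Jul 10 2008 18:53:53 302014 64.181.65.242 192.168.3.2 Teardown TCP connection 318 for outside:64.181.65.242/4404 to dmz:192.168.3.2/80 duration 0:01:17 bytes 38852 TCP Reset-O",
    "6 Jul 10 2008 18:54:48 302016 63.90.97.10 192.168.3.2 Teardown UDP connection 320 for outside:63.90.97.10/53 to dmz:192.168.3.2/1026 duration 0:02:08 bytes 180",
    "6 Jul 10 2008 18:55:10 305012 192.168.3.2 64.181.65.243 Teardown dynamic UDP translation from dmz:192.168.3.2/1026 to outside:64.181.65.243/1025 duration 0:02:30",
]
UDP_IDLE_TIMEOUT = 120   # seconds; 'timeout conn ... udp 0:02:00' in the posted config

# ASDM-style prefix: severity, date, time, message id, then the two addresses ASDM prepends
_HDR = (r"^(?P<sev>\d) (?P<date>[A-Z][a-z]{2} \d{1,2} \d{4}) (?P<time>\d\d:\d\d:\d\d) "
        r"(?P<msgid>\d{6}) \S+ \S+ ")
_EP = r"(?P<if_{x}>\w+):(?P<ip_{x}>[\d.]+)/(?P<port_{x}>\d+)"   # interface:ip/port endpoint
CONN_RE = re.compile(_HDR + r"Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
                     + _EP.format(x="a") + " to " + _EP.format(x="b")
                     + r" duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<nbytes>\d+)(?: (?P<reason>.+))?$")
XLATE_RE = re.compile(_HDR + r"Teardown dynamic (?P<proto>TCP|UDP) translation from "
                      + _EP.format(x="a") + " to " + _EP.format(x="b")
                      + r" duration (?P<dur>\d+:\d\d:\d\d)$")


@dataclass
class Event:
    msgid: str
    kind: str                 # conn | xlate
    proto: str
    if_a: str
    ip_a: str
    port_a: int
    if_b: str
    ip_b: str
    port_b: int
    seconds: int
    nbytes: Optional[int] = None
    reason: Optional[str] = None
    conn_id: Optional[str] = None


def _secs(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse(line):
    """Parse one teardown line into an Event, or None for message types not handled here."""
    for kind, rx in (("conn", CONN_RE), ("xlate", XLATE_RE)):
        m = rx.match(line)
        if m:
            g = m.groupdict()
            return Event(g["msgid"], kind, g["proto"],
                         g["if_a"], g["ip_a"], int(g["port_a"]),
                         g["if_b"], g["ip_b"], int(g["port_b"]),
                         _secs(g["dur"]),
                         int(g["nbytes"]) if g.get("nbytes") else None,
                         g.get("reason"), g.get("conn"))
    return None


def triage(ev):
    """Return (code, explanation). The DNS rule assumes 'inspect dns' is on, as in the posted
    policy-map: the ASA then closes a DNS connection when the reply arrives, so a DNS connection
    that reaches the UDP idle timeout never saw a reply."""
    if ev.kind == "xlate":
        return "pat-ok", (f"dynamic PAT {ev.if_a}:{ev.ip_a}/{ev.port_a} -> "
                          f"{ev.if_b}:{ev.ip_b}/{ev.port_b}: NAT for the DMZ host works")
    if ev.proto == "UDP" and 53 in (ev.port_a, ev.port_b):
        server = ev.ip_a if ev.port_a == 53 else ev.ip_b
        if ev.seconds >= UDP_IDLE_TIMEOUT:
            return "dns-no-reply", (f"conn {ev.conn_id}: queries to {server} idled out after "
                                    f"{ev.seconds}s with {ev.nbytes} bytes, no response seen")
        return "dns-answered", f"conn {ev.conn_id}: {server} answered within {ev.seconds}s"
    if ev.proto == "TCP":
        # Cisco teardown reasons: Reset-O = reset seen from the outside, Reset-I = from the inside
        side = {"TCP Reset-O": "reset from the outside side",
                "TCP Reset-I": "reset from the inside side"}.get(ev.reason, ev.reason or "normal close")
        return "tcp-closed", (f"conn {ev.conn_id} {ev.if_a}:{ev.ip_a}/{ev.port_a} -> "
                              f"{ev.if_b}:{ev.ip_b}/{ev.port_b}, {ev.nbytes} bytes, {side}")
    return "unclassified", ""


def report(lines=SAMPLE_LOGS):
    """Parse and triage every line; returns [(msgid, conn_id, code, explanation), ...]."""
    out = []
    for line in lines:
        ev = parse(line)
        if ev is not None:
            code, why = triage(ev)
            out.append((ev.msgid, ev.conn_id, code, why))
    return out


if __name__ == "__main__":
    for msgid, conn, code, why in report():
        print(f"{msgid} {code:13} {why}")
```

Run against the quoted lines it reports the inbound web session as a normal reset-closed connection that moved 38852 bytes, the DNS connection as sent-but-never-answered, and the PAT entry as working, which points at the resolver address on the server rather than at the firewall.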

srue Thu, 07/10/2008 - 11:15

Do you have a base license installed?

show version

If it's a base license, try:

int vlan 12

no forward interface vlan 1

a.alekseev Thu, 07/10/2008 - 11:23

What actual configuration do you have?

could you post it?

bhoskisnon Thu, 07/10/2008 - 11:32

I am running the Security Plus license and my version is 8.0(3). The config I attached is the config I was running; below is the new config with the changes suggested above.


: Saved

:

ASA Version 8.0(3)

!

hostname ciscoasa

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.4 255.255.255.0

!

interface Vlan2

description Fibernet

nameif outside

security-level 0

ip address 64.x.x.243 255.255.255.248

!

interface Vlan12

description DMZ

nameif dmz

security-level 50

ip address 192.168.3.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 12

!

interface Ethernet0/3

switchport access vlan 12

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

access-list chasjfg_splitTunnelAcl standard permit any

access-list inside_nat0_outbound extended permit ip any 192.168.0.176 255.255.255.240

access-list dmz_access_in extended permit tcp host 192.168.3.2 host 192.168.2.3 eq 1433

access-list dmz_access_in extended deny ip any 10.0.0.0 255.0.0.0

access-list dmz_access_in extended deny ip any 172.16.0.0 255.240.0.0

access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.0.0

access-list dmz_access_in extended permit ip host 192.168.3.2 any

access-list outside_access_in extended permit tcp any host 64.181.65.243 eq www

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool vpn 192.168.0.180-192.168.0.189 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.0.0 255.255.255.0

nat (dmz) 1 192.168.3.0 255.255.255.0

static (dmz,outside) tcp interface www 192.168.3.2 www netmask 255.255.255.255

static (inside,dmz) 192.168.2.3 192.168.0.3 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 64.181.65.241 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart



More in the next post.

bhoskisnon Thu, 07/10/2008 - 11:32

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!


threat-detection basic-threat

threat-detection statistics

group-policy chasjfg internal

group-policy chasjfg attributes

dns-server value 192.168.0.51

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value chasjfg_splitTunnelAcl

default-domain value jacobsandco.local

username bhoskinson password XXX

username bhoskinson attributes

vpn-group-policy chasjfg

tunnel-group chasjfg type remote-access

tunnel-group chasjfg general-attributes

address-pool vpn

default-group-policy chasjfg

tunnel-group chasjfg ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Correct Answer
srue Thu, 07/10/2008 - 11:35

no access-list outside_access_in extended permit tcp any host 64.181.65.243 eq www

access-list outside_access_in extended permit tcp any interface outside eq www

bhoskisnon Thu, 07/10/2008 - 12:00

Still the same, with the same statements in the syslog.

bhoskisnon Thu, 07/10/2008 - 12:08

I wouldn't think this would be all that out of the ordinary. All I want to do is have a webserver in the DMZ. I want to get to it from the internet over HTTP and HTTPS (if I can get the stupid thing to talk to the internet), I want to be able to access the internet from my webserver on my DMZ (DNS, HTTP, HTTPS, and whatever OpenSSL uses), and I want my webserver to be able to access my SQL server from my web application on the DMZ.


I know this should be fairly common; I just can't make it work.

a.alekseev Thu, 07/10/2008 - 12:31

Your webserver can be accessed from the internet.


Do you have internet access from the server?

Could you ping 64.181.65.241 from the server?

bhoskisnon Thu, 07/10/2008 - 12:47

Thank you all for your help, but sometimes it takes a fresh set of eyes. While there were some problems with my config that were causing things not to work, a second issue on the webserver itself was also contributing to the road block. A buddy looking over my shoulder as I watched the syslog go by when I tried to access the internet said, "Hey, your DNS server address is wrong!" I had mistyped the 3rd number in the DNS server address on the web server. It is always the small things that get you when you get too close to the problem. Thanks again for the help.
