asa 5510 - web server access from outside

Jul 22nd, 2008

Hi all,

I am a new Cisco user; I am trying to configure a Cisco ASA 5510 with the ASDM GUI. Currently, Eth0 is set as the Outside interface (DHCP, fixed ISP public IP) and Eth1 as the DMZ interface with a web server (IP 172.16.1.80) behind it.

And I can't find how to resolve the error message "TCP access denied by ACL from xxx.yyy.245.171/3277 to outside:aaa.bbb.50.144/80" and gain access to the web server from outside.

Regarding ACLs, the Outside interface can receive anything from anywhere if it is TCP http(s), ftp, smtp or 8080.

I also NAT the fixed ISP public IP to 172.16.1.80, which is my web server address, in order to access it through http://aaa.bbb.50.144.

Please let me know what I have done wrong, because I am getting grey hairs... The running config is attached.

Thank you,

srue Tue, 07/22/2008 - 01:58

Your static NAT statement should read:

static (dmz,outside) tcp interface 80 172.16.1.80 80

Your ACL entry for this should look like:

access-list outside_access_in permit tcp any interface outside eq 80

This assumes you're using the outside IP as the NATed public IP of the web server.

scalacisco Tue, 07/22/2008 - 03:36

Thanks srue for your quick answer.

It solved the error message. Now I am facing another thing: when I try to reach the web server from outside, the connection to the DMZ is established; I can see it using TCPView, and I can see the remote address xxx.yyy.245.171 > aaa.bbb.50.144 > 172.16.1.80.

But I have a message like "TCP request discarded from xxx.yyy.245.171/4817 to outside:aaa.bbb.50.144/8080. This message appears when the security appliance does not have a UDP server that services the UDP request".

Can it be solved with ASA config? Do I have to add a rule to let UDP traffic pass through (access-list outside_access_in line 1 extended permit udp 0.0.0.0 0.0.0.0 interface outside)?

Thank you,

dhananjoy chowdhury Tue, 07/22/2008 - 04:59

"TCP request discarded from xx.yyy.245.171/4817 to outside:aaa.bbb.50.144/8080,

>> TCP traffic is getting discarded on port TCP 8080 on the outside interface. Add this:

static (dmz,outside) tcp interface 8080 172.16.1.80 8080

access-list outside_access_in permit tcp any interface outside eq 8080

But before that, please check whether the server 172.16.1.80 is listening on port TCP 8080 and that you really need to allow connections on port TCP 8080 from outside.

scalacisco Tue, 07/22/2008 - 05:29

I added the line "static (dmz,outside) tcp interface 8080 172.16.1.80 8080"; the second line was already in place:

"object-group service ContentManager tcp

port-object eq 8080

[...]

access-list outside_access_in extended permit tcp any interface outside object-group ContentManager"

The web server is listening on port 8080; I can be sure because of two things:

- I can connect to it from another local PC (my Tomcat gets the connection),

- I use a Windows tool that shows me active connections (tcpview.exe, state SYN_RCVD).

The only message on the ASA is "Built inbound TCP connection 1118 for outside:xxx.yyy.245.171/2542 (xxx.yyy.245.171/2542) to dmz:172.16.1.80/8080 (aaa.bbb.50.144/8080)"

The connection arrives but is not transmitted to outside... The web browser stays in status SYN_SENT, and the remote web browser in SYN_RCVD. No connection between them. I think the ASA doesn't let the answer go out. Any idea?

scalacisco Wed, 07/23/2008 - 06:38

Well, no better. And the strangest thing is that it worked one time (but only once), so I made a backup and restarted the ASA, but it is down again.

A. The outside HTTP client connects to http://aaa.bbb.50.144 from xxx.yyy.245.171.

A SYN is sent and it waits for the ACK.

B. The ASA 5510 accepts the connection and translates address/port: "xxx.yyy.245.171 172.16.1.80 Built inbound TCP connection 101 for outside:xxx.yyy.245.171/2738 (xxx.yyy.245.171/2738) to dmz:172.16.1.80/8080 (aaa.bbb.50.144/80)"

C. The web server in the DMZ receives the connection.

The SYN is received and the ACK is sent back.

D. The ACK goes I don't know where and the connection ends with a timeout:

"xxx.yyy.245.171 172.16.1.80 Teardown TCP connection 103 for outside:xxx.yyy.245.171/2798 to dmz:172.16.1.80/8080 duration 0:00:30 bytes 0 SYN Timeout"

But the web client is still waiting for the ACK.

Does the ASA not allow incoming and outgoing traffic on the same interface, or something like that?

Do you have an idea where I can find any clue to solve that?

a.alekseev Wed, 07/23/2008 - 23:20

no static (dmz,outside) aaa.bbb.50.144 172.16.1.80 netmask 255.255.255.255

static (dmz,outside) tcp interface 80 172.16.1.80 80 netmask 255.255.255.255

[edited]

access-list outside_access_in extended permit tcp any any eq 80

no access-list outside_access_in extended permit tcp any any object-group ContentManager log debugging

scalacisco Thu, 07/24/2008 - 00:51

Solved!!

Let me do some more tests and I will post the solution and the running config in case someone needs it.

scalacisco Thu, 07/24/2008 - 23:49

It seems that I had a route problem.

The only thing I have changed is:

no route outside 0.0.0.0 0.0.0.0 aaa.bbb.50.144 1

and since I am on DHCP, I added setroute to eth0:

ip address dhcp setroute

This way, everything is working well.

Case closed.

Thanks for your help.
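A small added checker (not from the thread or from Cisco) for the two things this discussion turned on: a route whose next hop is the ASA's own interface address, which is what the removed "route outside 0.0.0.0 0.0.0.0 aaa.bbb.50.144 1" line did, and a TCP port forward with no matching outside access-list entry, the static/ACL pairing srue and dhananjoy describe. The config it parses is a constructed sample with 203.0.113.144 standing in for aaa.bbb.50.144; object-group ACL entries are not expanded.

```python
import re

# Constructed sample in the shape of the thread's setup; 203.0.113.144
# stands in for the outside address aaa.bbb.50.144 and the route line is the bug.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.144 255.255.255.248
!
interface Ethernet0/1
 nameif dmz
 ip address 172.16.1.1 255.255.255.0
!
static (dmz,outside) tcp interface 80 172.16.1.80 80 netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 172.16.1.80 8080 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 80
route outside 0.0.0.0 0.0.0.0 203.0.113.144 1
"""

def interface_ips(cfg):
    """Map each nameif to the static address on that interface
    ('ip address dhcp setroute' has no literal address and is skipped)."""
    ips, name = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*ip address (\d+\.\d+\.\d+\.\d+) ", line)
        if m and name:
            ips[name] = m.group(1)
    return ips

def routes_via_own_address(cfg):
    """Route lines whose next hop is the ASA's own address: replies to
    DNATed connections are sent back at the firewall and die with SYN Timeout."""
    own = set(interface_ips(cfg).values())
    bad = []
    for line in cfg.splitlines():
        m = re.match(r"route \S+ \S+ \S+ (\d+\.\d+\.\d+\.\d+)", line)
        if m and m.group(1) in own:
            bad.append(line)
    return bad

def forwards_without_acl(cfg):
    """Ports forwarded by 'static (x,outside) tcp interface <port> ...' that no
    access-list line permits on the outside interface (object-groups not expanded)."""
    forwarded = re.findall(r"static \(\S+,outside\) tcp interface (\d+) ", cfg)
    permitted = re.findall(
        r"access-list \S+ .*permit tcp any (?:any|interface outside) eq (\d+)", cfg)
    return [p for p in forwarded if p not in permitted]
```

Run it against a copy of "show running-config"; the sample flags the self-pointing default route and the 8080 forward that has no plain ACL line.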
