ASA 5510 - web server access from outside

Jul 22nd, 2008

Hi all,

I am a new Cisco user; I am trying to configure a Cisco ASA 5510 with the ASDM GUI. Currently, Eth0 is set as the Outside interface (DHCP, fixed ISP public IP) and Eth1 as the DMZ interface with a web server (IP behind.

And I cannot find how to solve the error message "TCP access denied by ACL from xxx.yyy.245.171/3277 to outside:aaa.bbb.50.144/80" and gain access to the web server from outside.

Regarding the ACL, the Outside interface can receive anything from anywhere if it is TCP "http(s), ftp, smtp, 8080".

I also NAT the fixed ISP public IP to my web server address, in order to access it through http://aaa.bbb.50.144.

Please let me know what I have done wrong, because I am getting grey hairs... The running config is attached.

Thank you,

srue Tue, 07/22/2008 - 01:58

Your static NAT statement should read:

static (dmz,outside) tcp interface 80 80

Your ACL entry for this should look like:

access-list outside_access_in permit tcp any interface outside eq 80

This assumes you're using the outside IP as the NATed public IP of the web server.

scalacisco Tue, 07/22/2008 - 03:36

Thanks srue for your quick answer.

It solved the error message. Now I am facing another thing: when I try to reach the web server from outside, the connection to the DMZ is established. I can see it using TCPView; I can see the remote address xxx.yyy.245.171 > aaa.bbb.50.144 >

But I get a message like "TCP request discarded from xxx.yyy.245.171/4817 to outside:aaa.bbb.50.144/8080. This message appears when the security appliance does not have a UDP server that services the UDP request".

Can it be solved with the ASA config? Do I have to add a rule to let UDP traffic pass through (access-list outside_access_in line 1 extended permit udp interface outside)?

Thank you,

dhananjoy chowdhury Tue, 07/22/2008 - 04:59

"TCP request discarded from xx.yyy.245.171/4817 to outside:aaa.bbb.50.144/8080,

>> TCP traffic is getting discarded on TCP port 8080 on the outside interface. Add this:

static (dmz,outside) tcp interface 8080 8080

access-list outside_access_in permit tcp any interface outside eq 8080

But before that, please check whether the server is listening on TCP port 8080 and whether you really need to allow connections on TCP port 8080 from outside.

scalacisco Tue, 07/22/2008 - 05:29

I added the line "static (dmz,outside) tcp interface 8080 8080"; the second line was already in place:

"object-group service ContentManager tcp

port-object eq 8080


access-list outside_access_in extended permit tcp any interface outside object-group ContentManager"

The web server is listening on port 8080; I can be sure because of two things:

- I can connect to it from another local PC (my Tomcat gets the connection),

- I use a Windows tool that shows me active connections (tcpview.exe, state SYN_RCVD).

The only message on the ASA is "Built inbound TCP connection 1118 for outside:xxx.yyy.245.171/2542 (xxx.yyy.245.171/2542) to dmz: (aaa.bbb.50.144/8080)"

The connection arrives but is not transmitted to the outside... The web browser stays in state SYN_SENT, and the remote web browser in SYN_RCVD. No connection between them. I think the ASA doesn't let the answer go out. Any idea?

scalacisco Wed, 07/23/2008 - 06:38

Well, no better. And the strangest thing is that it worked once (but only once), so I made a backup and restarted the ASA, but it is out again.

A. The outside HTTP client connects to http://aaa.bbb.50.144 from xxx.yyy.245.171

The SYN is sent and it waits for the ACK.

B. The ASA 5510 accepts the connection and translates the address/port: "xxx.yyy.245.171 Built inbound TCP connection 101 for outside:xxx.yyy.245.171/2738 (xxx.yyy.245.171/2738) to dmz: (aaa.bbb.50.144/80)"

C. The web server in the DMZ receives the connection

The SYN is received and the ACK is sent back.

D. The ACK goes I don't know where and the connection ends with a timeout:

"xxx.yyy.245.171 Teardown TCP connection 103 for outside:xxx.yyy.245.171/2798 to dmz: duration 0:00:30 bytes 0 SYN Timeout"

But the web client is still waiting for the ACK.

Does the ASA not allow incoming and outgoing traffic on the same interface, or something like that?

Do you have an idea where I can find any lead to solve this?
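The SYN Timeout teardown quoted above is the diagnostic that matters: the ASA built the connection and the server saw the SYN, but no byte ever flowed back, so the inbound ACL is no longer the suspect and the return path (route or translation) is. The script below is an added example, not code from the thread or from Cisco: it pairs the ASA's "Built" and "Teardown" TCP connection messages (syslog IDs 302013/302014) by connection ID and reports the flows that died with 0 bytes and SYN Timeout, grouped by the published service. The log lines are constructed to mirror the messages in this thread, with RFC 5737 documentation addresses in place of the redacted ones; the DMZ server address 192.168.10.5 is an assumption. For context, the earlier "access denied by ACL" / "request discarded" messages are logged for traffic addressed to the ASA's own interface address, which is exactly what a connection to the outside IP looks like until a static PAT claims that port.

```python
"""Triage ASA 302013/302014 connection syslogs for SYN-only (one-way) flows.

Added example for this thread, not code from the original posts or from Cisco.
Addresses are RFC 5737 documentation ranges; 192.168.10.5 is an assumed DMZ host.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the messages quoted in the thread.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 101 for outside:203.0.113.171/2738 (203.0.113.171/2738) to dmz:192.168.10.5/80 (198.51.100.144/80)
%ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.171/2738 to dmz:192.168.10.5/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 103 for outside:203.0.113.171/2798 (203.0.113.171/2798) to dmz:192.168.10.5/8080 (198.51.100.144/8080)
%ASA-6-302014: Teardown TCP connection 103 for outside:203.0.113.171/2798 to dmz:192.168.10.5/8080 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 120 for outside:203.0.113.9/51022 (203.0.113.9/51022) to dmz:192.168.10.5/80 (198.51.100.144/80)
%ASA-6-302014: Teardown TCP connection 120 for outside:203.0.113.9/51022 to dmz:192.168.10.5/80 duration 0:00:02 bytes 1843 TCP FINs
"""

# "Built" carries both the real (dmz) and the mapped (outside) destination.
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)
# "Teardown" carries the byte count and the reason the connection was closed.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for .*?duration (?P<dur>[\d:]+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_connections(text):
    """Pair each Built line with its Teardown line by connection ID."""
    conns = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            d = m.groupdict()
            conns[d["id"]] = {
                "src": f'{d["src"]}/{d["sport"]}',
                "dst_if": d["dst_if"],
                "real": f'{d["dst"]}/{d["dport"]}',
                "mapped": f'{d["mapped"]}/{d["mport"]}',
                "bytes": None,
                "reason": None,
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m and m.group("id") in conns:
            conns[m.group("id")]["bytes"] = int(m.group("bytes"))
            conns[m.group("id")]["reason"] = m.group("reason").strip()
    return conns


def syn_only_flows(conns):
    """Connections that were built but never carried data and died by SYN Timeout.

    When the server also shows the SYN (SYN_RCVD), this pattern points at the
    return path (routing or NAT) rather than at the inbound ACL.
    """
    return {cid: c for cid, c in conns.items()
            if c["reason"] == "SYN Timeout" and c["bytes"] == 0}


def summarize(conns):
    """Count SYN-only flows per published service so the affected ports stand out."""
    by_service = defaultdict(int)
    for c in syn_only_flows(conns).values():
        by_service[c["mapped"]] += 1
    return dict(by_service)


if __name__ == "__main__":
    parsed = parse_connections(SAMPLE_LOGS)
    for cid, c in sorted(syn_only_flows(parsed).items()):
        print(f"conn {cid}: {c['src']} -> {c['mapped']} (real {c['real']}) "
              f"built, 0 bytes, SYN Timeout: check the return route/NAT")
    print(summarize(parsed))
```

Run it against `show logging` output or a syslog export; a healthy flow (connection 120 above) ends in "TCP FINs" with a non-zero byte count, while the two SYN-only flows are the ones the thread was chasing. A non-zero count of SYN-only flows for a service that a local client can reach is the cue to look at `show route` and `show xlate` rather than at the ACL.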

a.alekseev Wed, 07/23/2008 - 08:00

Could you show the actual configuration?

a.alekseev Wed, 07/23/2008 - 23:20

no static (dmz,outside) aaa.bbb.50.144 netmask

static (dmz,outside) tcp interface 80 80 netmask


access-list outside_access_in extended permit tcp any any eq 80

no access-list outside_access_in extended permit tcp any any object-group ContentManager log debugging

scalacisco Thu, 07/24/2008 - 00:51

Solved!!

Let me do some more tests and I will post the solution and the running config in case someone needs it.

scalacisco Thu, 07/24/2008 - 23:49

It seems that I had a route problem.

The only things I changed are:

no route outside aaa.bbb.50.144 1

and since I am on DHCP, I added setroute to eth0:

ip address dhcp setroute

This way, everything is working well.

Case closed.

Thanks for your help.
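A complete working equivalent of the configuration this thread converges on, as an added example that is not part of the original posts. It uses the pre-8.3 static/access-list syntax the replies use (the 8.3 and later object NAT syntax is different), RFC 5737 documentation addresses in place of the redacted ones, and assumes the DMZ web server is 192.168.10.5 on Ethernet0/1. The commented "before" lines are the combination the last post removed: a host route for the public address pointing out the outside interface, on a box whose outside address came from DHCP without setroute, so the server's SYN/ACK had nowhere to go.

```text
! --- Before (removed in the final post): no default route, plus a host route for the
! --- outside interface's own public address. The DMZ server's SYN/ACK is never
! --- routed back to the Internet client, which is the "bytes 0 SYN Timeout" seen in the logs.
!   interface Ethernet0/0
!    ip address dhcp
!   route outside 198.51.100.144 255.255.255.255 198.51.100.1 1
!
! --- After: default route taken from the DHCP lease, only two ports published ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Static PAT on the outside interface address (assumed DMZ host 192.168.10.5).
! Publishing only the needed ports is tighter than a one-to-one static of the
! public address, which would expose every listening port the ACL permits.
static (dmz,outside) tcp interface 80 192.168.10.5 80 netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 192.168.10.5 8080 netmask 255.255.255.255
!
! Inbound ACL: pre-8.3 ACLs match the translated (outside) destination, so the
! destination is the interface itself, restricted to the published ports.
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-group outside_access_in in interface outside
```

Check it with `show route` (a default route learned from DHCP must be present), `show xlate` (the two static PAT entries should appear), and `packet-tracer input outside tcp 203.0.113.171 3277 198.51.100.144 80`, which walks the ACL, NAT and route lookups for the exact flow the first post was failing on and reports the phase that drops it.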
