12-20-2008 05:28 AM - edited 03-11-2019 07:28 AM
I have to configure a Cisco ASA 5510 for my web server. I did all the config by the manual, but typing my outside IP I get "page could not be found".
I enabled and configured a DMZ interface where I connected my web server (interface IP 10.0.10.1).
1. I added a NAT rule between the DMZ and inside interfaces, ex.: (10.0.10.30 -> 78.52.39.51) with PAT enabled on port 80
2. A NAT rule between the inside and DMZ interfaces (10.0.10.0 -> 10.0.10.0)
3. An address translation rule between the outside and DMZ interfaces that translates the public IP of the DMZ to its private IP, ex.: (75.52.39.51 -> 10.10.10.30)
DMZ interface IP:10.0.10.1
Web_Server IP:10.0.10.5
Local network IP:198.162.0.1 ->
Static outside ip: ex.: 75.52.39.51
Help please
Solved! Go to Solution.
12-21-2008 03:44 PM
Adem, could you specify whether the solution worked or not, to assist you further? If it worked, PLS rate the post as resolved.
Regards
12-20-2008 02:14 PM
Adem,
Review DMZ implementation, visit this link
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/dmz.html
It could be something simple to correct. Make sure your web server is indeed listening on port 80, and also look at the ASDM real-time log while trying to access the web server from outside; the log can provide information useful for troubleshooting the problem.
If there are still issues, PLS post the firewall configuration.
Regards
12-21-2008 04:13 AM
I configured the asa according to:
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/dmz.html
but no success.
Running config:
ASA Version 8.0(3)6
!
hostname ciscoasa
names
name 10.1.1.0 adrespul
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
shutdown
nameif DMZ
security-level 10
ip address 10.30.30.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 100
ip address 212.xxx.xxx.xxx 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nadvor_access_in extended permit icmp any any
access-list nadvor_access_in extended permit tcp any eq www host 212.xxx.xxx.xxx
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
global (outside) 1 10.1.1.15-10.1.1.253 netmask 255.0.0.0
global (outside) 101 interface
global (DMZ) 200 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp interface www 10.30.30.30 www netmask 255.255.255.255
static (DMZ,inside) 10.30.30.30 xxx.xxx.xxx.xxx netmask 255.255.255.255
static (inside,DMZ) interface 10.30.30.1 netmask 255.255.255.255
access-group nadvor_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
SYSLOG MESSAGE:
conn from inside:
3 Feb 24 2008 23:38:50 710003 192.168.0.8 212.xxx.xxx.xxx TCP access denied by ACL from 192.168.0.8/3764 to inside:212.xxx.xxx.xxx/80
Conn from outside:
4 Feb 24 2008 23:41:12 106023 Deny tcp src outside:77.xxx.xxx.xxx/64589 dst DMZ:212.xxx.xxx.xxx/80 by access-group "nadvor_access_in" [0x0, 0x0]
12-21-2008 07:43 AM
Conn from outside:
4 Feb 24 2008 23:41:12 106023 Deny tcp src outside:77.xxx.xxx.xxx/64589 dst DMZ:212.xxx.xxx.xxx/80 by access-group "nadvor_access_in" [0x0, 0x0]
remove
no access-list nadvor_access_in extended permit tcp any eq www host 212.xxx.xxx.xxx
add
access-list nadvor_access_in extended permit tcp any interface outside eq www log
conn from inside:
3 Feb 24 2008 23:38:50 710003 192.168.0.8 212.xxx.xxx.xxx TCP access denied by ACL from 192.168.0.8/3764 to inside:212.xxx.xxx.xxx/80
This one is tricky as you are trying a U-turn, or better said hairpinning, using the outside interface IP address, not a spare public IP per se.
You can try this if your web server is 10.30.30.30 in the DMZ.
static (DMZ,DMZ) 212.xxx.xxx.xxx 10.30.30.30 netmask 255.255.255.255
PLS try and post results
Regards
12-21-2008 09:10 AM
Thanks for your reply. It works from outside after I did as you suggested, but not from inside.
Thanks again
12-21-2008 10:44 AM
Can you post the logs from when you try connecting from inside to 212.xxx.xxx.xxx? Is the log the same as before?
12-21-2008 01:08 PM
I have tested your configuration.
PLS remove this static, but you can leave it as is if any host from the DMZ tries accessing 10.30.30.30 through the public IP:
static (DMZ,DMZ) 212.xxx.xxx.xxx 10.30.30.30 netmask 255.255.255.255
From inside to DMZ, to access 10.30.30.30 via the public IP you need this NAT entry:
static (DMZ,inside) 212.xxx.xxx.xxx 10.30.30.30 netmask 255.255.255.255
Regards
PLS rate post if it helps
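Pulling the thread's pieces together, the following is an added, consolidated ASA 8.0 (pre-8.3 NAT syntax) fragment showing the final working state the replies arrive at; it is not from any of the original posts. It keeps the masked public address 212.xxx.xxx.xxx as it appears on the page and assumes the web server is 10.30.30.30 in the DMZ. Two things a practitioner should check against the posted running config: Ethernet0/1 (the DMZ) is shown as `shutdown`, and the outside interface carries `security-level 100`; the fragment below uses `no shutdown` and `security-level 0`, the latter being an assumption that matches the normal convention for an untrusted interface rather than something the thread states.

```cisco
! Added example: consolidated working state from the thread (ASA 8.0, pre-8.3 NAT syntax).
! 212.xxx.xxx.xxx is the masked outside interface address used in the posts.
interface Ethernet0/1
 no shutdown                          ! posted config shows "shutdown"; the DMZ must be up
 nameif DMZ
 security-level 10
 ip address 10.30.30.1 255.255.255.0
!
interface Ethernet0/3
 nameif outside
 security-level 0                     ! assumption: posted config has 100; 0 is the convention for untrusted
 ip address 212.xxx.xxx.xxx 255.255.255.248
!
! Outbound PAT for inside hosts behind the outside interface address (as posted).
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
!
! 1. Publish the DMZ web server on the outside interface address, TCP/80 only.
!    Pre-8.3 form: static (real_ifc,mapped_ifc) mapped real
static (DMZ,outside) tcp interface www 10.30.30.30 www netmask 255.255.255.255
!
! 2. Hairpin for inside hosts that use the public address: traffic from inside to
!    212.xxx.xxx.xxx is rewritten to the DMZ host (the fix given in the thread).
static (DMZ,inside) 212.xxx.xxx.xxx 10.30.30.30 netmask 255.255.255.255
!
! 3. Outside ACL. The original rule "permit tcp any eq www host 212.xxx.xxx.xxx"
!    matched SOURCE port 80; the destination must be the interface address
!    followed by "eq www". Pre-8.3 ACLs reference the mapped (public) address.
access-list nadvor_access_in extended permit tcp any interface outside eq www log
access-group nadvor_access_in in interface outside
```

To verify without waiting for a real client, `packet-tracer input outside tcp 203.0.113.5 40000 212.xxx.xxx.xxx 80` (203.0.113.5 is a documentation address standing in for an Internet client) walks the packet through the ACL and the translation and reports which phase drops it; `show xlate` then confirms the DMZ-to-outside entry. The posted `permit icmp any any` on the outside ACL is broader than the web service needs; if it is kept for troubleshooting, narrow it afterwards. In the logs, message 106023 names the ACL that denied a through-the-box connection, while 710003 is a to-the-box denial, which is why the inside attempt against the ASA's own outside address showed up under that ID before the hairpin static was added.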
12-21-2008 11:40 PM
Yes, it did work. Thanks for your time and knowledge.