cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
442
Views
0
Helpful
8
Replies

Asa 5505 outside cant access server in the inside

andresfmg
Level 1
Level 1

hi, i have an Asa 5505, a pc in the outside with the ip 10.1.1.6 cant access to a server in the inside 192.168.1.4, pls help...

this is my conf:

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 0

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.1.1.2 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa804-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list 100 extended permit tcp any host 10.1.1.3 eq www

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

<--- More --->

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255

access-group 100 in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

<--- More --->

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

<--- More --->

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:14e7b74fabc386613ae646b915f60e9e

: end

ciscoasa#

1 Accepted Solution

Accepted Solutions

got it , but is anything showing up in the logs when you try to access 10.1.1.3 over http

View solution in original post

8 Replies 8

change the security-level of Vlan1 to 100.

Hi

yes is an error the security-level actually is on 100 right now. but still not work.

any other idea ?

don't you need to exempt .4 from DHCP range. logging might be helpful here.

from the outside i try to access 10.1.1.3, then the nat translate to 192.168.1.4 thats the idea becouse from outside cant access directly to 192.168.1.4

got it , but is anything showing up in the logs when you try to access 10.1.1.3 over http

what was the issue ???

wrong configuration in the server.

wrong ip on gateway,

thanks for letting us know.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: