07-28-2009 12:34 PM - edited 03-11-2019 09:00 AM
I am installing an ASA 5510 in transparent mode; it's behind a Cisco 3745 router that has NAT translation in the configs.
After I set up the ASA 5510, I created access lists for web server access. All traffic inside passes through fine; however, when an outside user tries to access the web site, the page connection will not load.
Do I have to set a NAT rule for outside access? If not, what other suggestions does anyone have?
08-03-2009 10:37 AM
You need to allow it with an extended access-list-
access-list Outside_WWW extended permit eigrp host 1.1.1.1 host 2.2.2.2
A helpful link as well-
07-28-2009 12:40 PM
It sounds like you do need to create a NAT translation in the router.
07-28-2009 12:48 PM
The router has a NAT translation already, when I remove the ASA everything is fine.
I just started the install with a functioning network in place already.
07-28-2009 12:51 PM
OK, are you getting hit counts on your ACL? Any messages in your log?
07-28-2009 12:54 PM
I will check later, when I work on the firewall further.
07-28-2009 01:03 PM
When I check, would you have any suggestions for me to try?
07-28-2009 01:05 PM
Just check the ACL and turn on logging if it's not enabled. I would turn logging buffer to debugging (but don't debug anything).
07-29-2009 04:32 AM
Here is my logging file I captured this morning. Anyone outside who tries to access our website receives the message:
"Connection to Server was reset while the page was loading, network link was interrupted while negotiating a connection."
Also here is a copy of my ASA configs:
ASA Version 8.0(4)
!
firewall transparent
hostname ciscoasa
enable password I3KXhN9OZMFiyurw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
ftp mode passive
access-list outside_access_in extended permit ip any any
access-list permit extended permit eigrp any host 172.21.0.7
access-list permit extended permit eigrp any host 172.21.0.1
access-list inside extended permit eigrp any any
access-list inside_access_out extended permit ip any any
access-list 112 extended permit tcp any any eq 548
access-list 112 extended permit tcp any any eq domain
access-list 112 extended permit udp any any eq domain
access-list 101 extended permit tcp any any
access-list 120 extended permit tcp any host 172.21.0.78 eq domain
access-list 120 extended permit tcp any host 172.21.0.3 eq domain
access-list 120 extended permit tcp any host 172.21.0.2 eq domain
access-list 110 extended permit udp any any
access-list 110 extended permit udp any 172.21.4.0 255.255.252.0 range 3200 3300
access-list 110 extended permit udp any 172.21.8.0 255.255.252.0 range 3200 3300
access-list 110 extended permit udp any 172.21.12.0 255.255.252.0 range 3200 3300
access-list 111 extended permit udp any any
access-list 111 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.7
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp
access-list Outside_VPN extended permit tcp any host 172.21.0.14
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 1701
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address 172.21.0.80 255.255.252.0
ip local pool heights 172.21.12.0 mask 255.255.252.0
ip local pool manito 172.21.4.0 mask 255.255.252.0
ip local pool dogwood 172.21.8.0 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_VPN in interface outside
route outside 0.0.0.0 0.0.0.0 172.21.0.7 1
route inside 172.21.0.0 255.255.0.0 0.0.0.0 1
route inside 172.21.0.0 255.255.0.0 0.0.0.0 1
route inside 172.21.0.0 255.255.0.0 0.0.0.0 1
route inside 172.21.4.0 255.255.252.0 172.21.0.1 1
route inside 172.21.4.2 255.255.255.255 172.21.0.1 1
route inside 172.21.8.0 255.255.252.0 172.21.0.1 1
route inside 172.21.8.2 255.255.255.255 172.21.0.1 1
route inside 172.21.12.0 255.255.252.0 172.21.0.1 1
route inside 172.21.12.2 255.255.255.255 172.21.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
!
07-29-2009 05:18 AM
You don't have an ACL entry allowing HTTP traffic in. You have the following ACL applied to the outside interface-
access-group Outside_VPN in interface outside
And here are the rules that allow traffic in.
access-list Outside_VPN extended permit tcp any host 172.21.0.14
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 1701
Nothing for HTTP.
07-29-2009 06:44 AM
I think:
access-list Outside_VPN extended permit tcp any host 172.21.0.14
will allow all TCP traffic, including HTTP. Am I wrong?
If I'm correct, it shouldn't be a good idea to allow this, from a security point of view.
07-29-2009 06:49 AM
You are correct, that would allow all TCP traffic to host 172.21.0.14. You can restrict to just HTTP with this ACL-
access-list Outside_VPN ext permit tcp any host 172.21.0.14 eq 80
You are right again about that first ACL not being very secure. The second should be fine. If you can/want, you can further restrict by filtering the source IPs.
access-list Outside_VPN ext permit tcp 10.0.0.0 255.0.0.0 host 172.21.0.14 eq 80
This would only allow people with a source address of 10.x.x.x to connect.
07-29-2009 06:53 AM
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp
Where did you apply this ACL?
It shouldn't be applied on outside.
07-29-2009 06:55 AM
It's not applied to any interface.
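The two things the replies above spotted by eye (an ACL that is defined but never bound with access-group, and a `permit tcp any host ...` line with no port qualifier, which admits all TCP to that host) can be checked mechanically. Here is a small added audit script; it is not from the thread or from Cisco, and its sample input is a constructed subset of the config posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ASA 8.0(4) config posted in the thread.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit ip any any
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_VPN extended permit tcp any host 172.21.0.14
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500
access-group Outside_VPN in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def parse(config):
    """Return ({acl: [ace, ...]}, {acl: [(direction, interface), ...]})."""
    acls, applied = defaultdict(list), defaultdict(list)
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append({"action": action, "proto": proto, "rest": rest})
            continue
        m = GROUP_RE.match(line.strip())
        if m:
            name, direction, iface = m.groups()
            applied[name].append((direction, iface))
    return acls, applied

def unapplied_acls(config):
    """ACLs that exist but are bound to no interface, so they never filter anything."""
    acls, applied = parse(config)
    return sorted(n for n in acls if n not in applied)

def broad_permits(config):
    """Applied ACEs that permit 'ip', or tcp/udp with no 'eq'/'range' port qualifier."""
    acls, applied = parse(config)
    findings = []
    for name, aces in acls.items():
        if name not in applied:
            continue  # unapplied ACLs are reported separately
        for ace in aces:
            no_port = " eq " not in ace["rest"] and " range " not in ace["rest"]
            if ace["action"] == "permit" and (
                ace["proto"] == "ip" or (ace["proto"] in ("tcp", "udp") and no_port)
            ):
                findings.append(f"{name}: permit {ace['proto']} {ace['rest']}")
    return findings
```

Run against the full posted config it reports Outside_WWW as unapplied and the port-less Outside_VPN line as a broad permit, matching the thread's diagnosis.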
07-29-2009 09:36 AM
Thanks for your suggestion. Also:
Is there a global command to allow all subnets behind the router to communicate with each other regardless of protocol?
I want unrestricted traffic in the network; however, the gateway is on the WAN side of the ASA. Remember the ASA is in transparent mode.
Thanks.
07-29-2009 10:57 AM
You will have to create an entry in the ACL. You can do it with an object group which will make it cleaner. Let's say you have 3 internal subnets; 192.168.5.0 /24, 192.168.6.0 /24, and 10.10.0.0 /16.
Create an object-group-
object-group network INTERNAL_NETWORKS
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 10.10.0.0 255.255.0.0
Then use the object-group in the ACL.
access-list Outside_VPN extended permit ip object-group INTERNAL_NETWORKS object-group INTERNAL_NETWORKS
This will allow the internal networks to communicate.