Transparent mode and web server

opsmaster
Level 1

I am installing an ASA 5510 in transparent mode; it sits behind a Cisco 3745 router that has NAT translation in its config.

After I set up the ASA 5510, I created access lists for web server access. All traffic inside passes through fine; however, when an outside user tries to access the web site, the page will not load.

Do I have to set a NAT rule for outside access? If not, what other suggestions does anyone have?

Accepted Solution

You need to allow it with an extended access-list:

access-list Outside_WWW extended permit eigrp host 1.1.1.1 host 2.2.2.2

A helpful link as well:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml


Collin Clark
VIP Alumni

It sounds like you do need to create a NAT translation in the router.

The router has a NAT translation already; when I remove the ASA, everything is fine.

I just started the install with a functioning network in place already.

OK, are you getting hit counts on your ACL? Any messages in your log?

I will check later, when I work on the firewall further.

When I check, would you have any suggestions for me to try?

Just check the ACL and turn on logging if it's not enabled. I would turn logging buffer to debugging (but don't debug anything).

Here is my log file, captured this morning. Any outsider who tries to access our website receives the message:

"Connection to server was reset while the page was loading; network link was interrupted while negotiating a connection."

Also attached is a copy of my ASA config:

ASA Version 8.0(4)
!
firewall transparent
hostname ciscoasa
enable password I3KXhN9OZMFiyurw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
ftp mode passive
access-list outside_access_in extended permit ip any any
access-list permit extended permit eigrp any host 172.21.0.7
access-list permit extended permit eigrp any host 172.21.0.1
access-list inside extended permit eigrp any any
access-list inside_access_out extended permit ip any any
access-list 112 extended permit tcp any any eq 548
access-list 112 extended permit tcp any any eq domain
access-list 112 extended permit udp any any eq domain
access-list 101 extended permit tcp any any
access-list 120 extended permit tcp any host 172.21.0.78 eq domain
access-list 120 extended permit tcp any host 172.21.0.3 eq domain
access-list 120 extended permit tcp any host 172.21.0.2 eq domain
access-list 110 extended permit udp any any
access-list 110 extended permit udp any 172.21.4.0 255.255.252.0 range 3200 3300
access-list 110 extended permit udp any 172.21.8.0 255.255.252.0 range 3200 3300
access-list 110 extended permit udp any 172.21.12.0 255.255.252.0 range 3200 3300
access-list 111 extended permit udp any any
access-list 111 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.7
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp
access-list Outside_VPN extended permit tcp any host 172.21.0.14
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 1701
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address 172.21.0.80 255.255.252.0
ip local pool heights 172.21.12.0 mask 255.255.252.0
ip local pool manito 172.21.4.0 mask 255.255.252.0
ip local pool dogwood 172.21.8.0 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_VPN in interface outside
route outside 0.0.0.0 0.0.0.0 172.21.0.7 1
route inside 172.21.0.0 255.255.0.0 0.0.0.0 1
route inside 172.21.0.0 255.255.0.0 0.0.0.0 1
route inside 172.21.0.0 255.255.0.0 0.0.0.0 1
route inside 172.21.4.0 255.255.252.0 172.21.0.1 1
route inside 172.21.4.2 255.255.255.255 172.21.0.1 1
route inside 172.21.8.0 255.255.252.0 172.21.0.1 1
route inside 172.21.8.2 255.255.255.255 172.21.0.1 1
route inside 172.21.12.0 255.255.252.0 172.21.0.1 1
route inside 172.21.12.2 255.255.255.255 172.21.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
!

You don't have an ACL entry allowing HTTP traffic in. You have the following ACL applied to the outside interface:

access-group Outside_VPN in interface outside

And here are the rules that allow traffic in:

access-list Outside_VPN extended permit tcp any host 172.21.0.14
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 1701

Nothing for HTTP.

I think:

access-list Outside_VPN extended permit tcp any host 172.21.0.14

will allow all TCP traffic, including HTTP. Am I wrong?

If I'm correct, it isn't a good idea to allow this, from a security point of view.

You are correct, that would allow all TCP traffic to host 172.21.0.14. You can restrict it to just HTTP with this ACL:

access-list Outside_VPN ext permit tcp any host 172.21.0.14 eq 80

You are right again about that first ACL not being very secure. The second should be fine. If you can/want, you can further restrict by filtering the source IPs:

access-list Outside_VPN ext permit tcp 10.0.0.0 255.0.0.0 host 172.21.0.14 eq 80

This would only allow people with a source address of 10.x.x.x to connect.
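As an added example (not code from the thread or from Cisco), here is a short Python check that automates the two findings above: an ACL such as Outside_WWW that is defined but never bound with access-group, and an applied permit from any with no port qualifier like the tcp entry for 172.21.0.14. The config excerpt is constructed from the access-list and access-group lines posted earlier.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ACL and access-group lines from the config in the
# thread; the rest of the config is irrelevant to this check.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit ip any any
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_VPN extended permit tcp any host 172.21.0.14
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500
access-group Outside_VPN in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def audit_acls(config):
    """Return (ACL names never bound with access-group,
    applied permit entries from 'any' that carry no port qualifier)."""
    acls = defaultdict(list)   # ACL name -> its ACE lines, in order
    applied = {}               # ACL name -> (direction, interface)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            acls[m.group(1)].append(line)
            continue
        m = GROUP_RE.match(line)
        if m:
            applied[m.group(1)] = (m.group(2), m.group(3))

    unapplied = sorted(name for name in acls if name not in applied)
    broad = []
    for name in applied:
        for ace in acls.get(name, []):
            _, action, _proto, rest = ACE_RE.match(ace).groups()
            # "permit <proto> any <dst>" with neither "eq" nor "range" opens
            # every port of that protocol to any source.
            if (action == "permit" and rest.startswith("any")
                    and " eq " not in rest and " range " not in rest):
                broad.append(ace)
    return unapplied, broad


if __name__ == "__main__":
    unapplied, broad = audit_acls(SAMPLE_CONFIG)
    print("ACLs defined but not applied:", unapplied)
    print("Applied permits from any with no port restriction:", broad)
```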

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp

Where did you apply this ACL?

It shouldn't be applied on the outside interface.

It's not applied to any interface.

Thanks for your suggestion. Also:

Is there a global command to allow all subnets behind the router to communicate with each other regardless of protocol?

I want unrestricted traffic in the network; however, the gateway is on the WAN side of the ASA. Remember the ASA is in transparent mode.

Thanks.

You will have to create an entry in the ACL. You can do it with an object group which will make it cleaner. Let's say you have 3 internal subnets; 192.168.5.0 /24, 192.168.6.0 /24, and 10.10.0.0 /16.

Create an object-group:

object-group network INTERNAL_NETWORKS
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 10.10.0.0 255.255.0.0

Then use the object-group in the ACL:

access-list Outside_VPN extended permit ip object-group INTERNAL_NETWORKS object-group INTERNAL_NETWORKS

This will allow the internal networks to communicate.
