Problems with Cisco ASA allowing web traffic through

Mar 30th, 2010

Hi All,

I just got a Cisco ASA 5505 and I am trying to configure it with an inside and an outside interface. The inside network will have just one web server, but I am having problems getting HTTP connections out/in from the web server, as the implicit deny-all rule keeps dropping the packets even though I wrote a permit rule for HTTP on top of it.


I simply need the server to be accessible by all from the internet.

My running config
==========================
: Saved
:
ASA Version 7.2(4)
!
hostname host1
domain-name default.domain.invalid
enable password /Nv4NUBk670tHXkl encrypted
passwd 2KFQnbxxxIdI.2KAbYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2xx.xx.xx.xx 255.255.255.0
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host 2xx.xxx.xx.xx eq www
access-list inside_access_in extended permit tcp host 192.168.2.2 any eq www
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.2.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

Jennifer Halim (Cisco Employee) Tue, 03/30/2010 - 20:29

You might want to change the static statement:

FROM:

static (inside,outside) interface 192.168.2.2 netmask 255.255.255.255


TO:

static (inside,outside) tcp interface 80 192.168.2.2 80 netmask 255.255.255.255


Please also "clear xlate" after you make the changes.

just4while Tue, 03/30/2010 - 20:52

Hi Hal,


I tried that but it still is not working. I tried to browse the internet from the web server but it got blocked, and when I try to do a packet trace from the ASDM GUI from 192.168.2.2 (my web server's internal IP) to an external IP (202.x.x.x), it gives me an error saying "No route to host"??


I must have missed something fundamental, as I seem to have done all the correct things? **frustrated**


Thanks for any advice provided.

Jennifer Halim (Cisco Employee) Tue, 03/30/2010 - 21:00

You might also want to try disabling "http server enable", as it also uses port 80 for ASDM access to the ASA. Alternatively, change the ASDM port to something other than 80 (maybe try 8080).


Then "clear xlate" and try your web server connection again.

just4while Wed, 03/31/2010 - 01:24

Hmm .... I did that but it doesn't seem to have any effect. As I do not have console access, does anyone know how I clear the xlate in ASDM (GUI)? I noticed the xlate TTL is around 3 hours; how do I bring it down?


I did some troubleshooting and wrote a permit ip any any rule on top of the implicit deny rule for both inside and outside, but again my packet is dropped by the implicit deny rule. That is really weird..

Jennifer Halim (Cisco Employee) Wed, 03/31/2010 - 01:29

From ASDM, you can do "clear xlate" from the following:

Tools --> Command Line Interface --> clear xlate on the text box --> "Send" button
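
The following is an added, worked version of the fixes discussed in this thread (the port static, moving ASDM off TCP/80, and clearing the xlate table), plus the verification steps; it is not configuration from the original poster or from Cisco. It is written in the pre-8.3 syntax the poster is running (7.2(4)). Two further points are taken straight from the posted running config: it contains no `route` statement at all, which is exactly what the ASDM packet trace reports as "No route to host", and with `nat-control` on it has a `nat (inside) 1` line but no matching `global (outside) 1`, so inside hosts (including the web server browsing out, once the static is narrowed to port 80) have no translation for outbound sessions. The addresses 203.0.113.10 (ASA outside IP), 203.0.113.1 (ISP gateway) and 198.51.100.7 (an internet test client) are placeholders and must be replaced with real values.

```cisco
! --- configure terminal ---
!
! Placeholders: 203.0.113.10 = ASA outside interface IP
!               203.0.113.1  = ISP default gateway
!               198.51.100.7 = a client on the internet, for packet-tracer
!
! 1. Default route. The posted config has none, hence "No route to host".
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 2. Outbound PAT. "nat (inside) 1" already exists; with nat-control on it
!    needs a matching global or no inside host can start a session outbound.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 3. Replace the one-to-one static on the interface IP with a port static
!    that forwards only TCP/80 to the web server.
no static (inside,outside) interface 192.168.2.2 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.2.2 80 netmask 255.255.255.255
!
! 4. Inbound ACL. Pre-8.3 code matches the translated (outside) address,
!    so the rule names the outside interface IP, not 192.168.2.2.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_access_in in interface outside
!
! 5. Move ASDM off TCP/80 so it no longer competes with the port static,
!    and keep management reachable from the inside subnet only.
http server enable 8080
http 192.168.2.0 255.255.255.0 inside
!
! --- exec mode ---
!
! 6. Drop translations built under the old static before testing.
clear xlate
!
! Inbound test: expect ACL outside_access_in ALLOW, an UN-NAT phase that
! rewrites the destination to 192.168.2.2, and "Action: allow" at the end.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
!
! Outbound test: the server browsing out must now pick up the global PAT
! and the default route instead of failing at the ROUTE-LOOKUP phase.
packet-tracer input inside tcp 192.168.2.2 40000 198.51.100.7 80
!
! Confirm the translations, live connections and ACL hit counts.
show xlate
show conn
show access-list outside_access_in
```

The two `packet-tracer` commands are the CLI equivalent of the ASDM packet trace used earlier in the thread; both can also be pasted into Tools --> Command Line Interface in ASDM. In the output, the phase that reports DROP is the one to fix: ROUTE-LOOKUP points at the missing route, NAT at the missing global or static, and ACCESS-LIST at a rule that names the wrong (pre- or post-translation) address.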
