ASA 5505 Outside -> DMZ web access

markedavis
Level 1

I have a server in the DMZ and I cannot access it via port 80 from the web. I can ping the public IP without any problem, but for some reason web and RDP cannot be accessed. The web server on the inside interface is working fine.

Anyone have any ideas?

ASA Version 7.2(3)
!
hostname ARLASA01
enable password 1fek2L2MjEGCSJe1 encrypted
names
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.17 255.255.255.248
!
interface Vlan10
nameif inside
security-level 100
ip address 172.29.60.220 255.255.255.0
!
interface Vlan198
nameif guest
security-level 50
ip address 192.168.60.220 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 10,198
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd C688xmE.agblrBe. encrypted
ftp mode passive
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host 2.2.2.18 eq www
access-list acl_out extended permit tcp any host 2.2.2.18 eq https
access-list acl_out extended permit tcp any host 2.2.2.18 eq lotusnotes
access-list acl_out extended permit tcp any host 2.2.2.19 eq www
access-list acl_out extended permit tcp any host 2.2.2.19 eq 3389
access-list acl_out extended permit tcp any host 2.2.2.19 range 5500 5505
pager lines 24
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.29.60.0 255.255.255.0
nat (guest) 1 192.168.60.0 255.255.255.0
static (inside,outside) 2.2.2.18 172.29.60.232 netmask 255.255.255.255
static (guest,outside) 2.2.2.19 192.168.60.250 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.22 1
route inside 172.27.0.0 255.255.0.0 172.29.60.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 4.2.2.2
!
dhcpd address 192.168.60.20-192.168.60.100 guest
dhcpd enable guest
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username comms password eiE0IOA.TSSAU935 encrypted
prompt hostname context

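As an added example (not code from the thread or from Cisco), a small Python checker that does the static review the replies below describe: for a given public destination IP and port it walks the inbound ACL bound to the outside interface and the static NAT entries, the same two steps that `packet-tracer input outside tcp <src> <sport> <dst> <port>` would report. It assumes pre-8.3 ASA semantics (the inbound ACL is matched on the mapped address, as the posted config does), and it models only ACL and static NAT, not routing, the server's own gateway or host firewall, which the captures in the thread are meant to rule out.

```python
import re

PORT_NAMES = {"www": 80, "https": 443, "lotusnotes": 1352}  # ASA port names used in the thread
ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) any host (\S+)"
                    r"(?: (eq|range) (\S+)(?: (\S+))?)?")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def port_num(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse_asa(config):
    """Collect inbound ACL entries, static NAT entries and access-groups from a pre-8.3 ASA config."""
    acls, statics, groups = {}, [], {}
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            name, action, proto, host, op, p1, p2 = m.groups()
            lo, hi = (0, 65535) if op is None else (port_num(p1), port_num(p2 or p1))
            acls.setdefault(name, []).append((action, proto, host, lo, hi))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())  # (real_ifc, mapped_ifc, mapped_ip, real_ip)
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)  # ingress interface -> ACL applied inbound
    return acls, statics, groups

def check_inbound(config, dst_ip, dst_port, ingress="outside", proto="tcp"):
    """Static stand-in for 'packet-tracer input outside tcp <src> <sport> dst_ip dst_port':
    ingress ACL first (pre-8.3 ASAs match it on the mapped address), then static untranslation."""
    acls, statics, groups = parse_asa(config)
    verdict = {"acl": None, "real_ip": None, "egress": None}
    for action, p, host, lo, hi in acls.get(groups.get(ingress), []):
        if p == proto and host == dst_ip and lo <= dst_port <= hi:
            verdict["acl"] = action  # first matching ACE wins, as on the ASA
            break
    for real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
        if mapped_ifc == ingress and mapped_ip == dst_ip:
            verdict["real_ip"], verdict["egress"] = real_ip, real_ifc
            break
    verdict["permitted"] = verdict["acl"] == "permit" and verdict["real_ip"] is not None
    return verdict

# Excerpt of the configuration posted in the thread (only the lines the check needs).
ASA_CONFIG = """\
access-list acl_out extended permit tcp any host 2.2.2.18 eq www
access-list acl_out extended permit tcp any host 2.2.2.19 eq www
access-list acl_out extended permit tcp any host 2.2.2.19 eq 3389
access-list acl_out extended permit tcp any host 2.2.2.19 range 5500 5505
static (inside,outside) 2.2.2.18 172.29.60.232 netmask 255.255.255.255
static (guest,outside) 2.2.2.19 192.168.60.250 netmask 255.255.255.255
access-group acl_out in interface outside
"""
```

Running `check_inbound(ASA_CONFIG, "2.2.2.19", 80)` reports the flow as permitted and untranslated to 192.168.60.250 on the guest interface, which is why the replies move on to packet-tracer and captures rather than the ACL or NAT lines.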
8 Replies

Julio Carvajal
VIP Alumni

Hello,

Are you able to ping 192.168.60.250 from the ASA?

Can you ping 192.168.60.220 from the server?

Please provide the following:

packet-tracer input outside tcp 4.2.2.2 1025 2.2.2.19 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ajay chauhan
Level 7

Please post the output of:

packet-tracer input outside tcp 1.2.3.4 1024 2.2.2.18 80 detailed

Does not look like any issue with the config, still want to confirm.

Thanks

Ajay

Thanks. I will have to get that when I get back in the office.

Hello,

Ok, just let us know!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here are two traces I did this morning. The capin is pre-NAT on the guest interface and the capout is post-NAT on the outside. I attempted to reach the server on port 80 from 66.54.184.254.

ARLASA01(config)# sh capture capin

12 packets captured

1: 02:27:21.032331 802.1Q vlan#198 P0 66.54.184.254.51336 > 192.168.60.250.80: S 3243178106:3243178106(0) win 8192

Date: 02/01/2012 12:30 PM

Subject: - Re: ASA 5505 Outside -> DMZ web access

rizwanr74
Level 7

What gateway address do you have on the DMZ web server sitting on the "guest" network?

192.168.60.220

capture asp type asp-drop all

Then try the connection and provide us with the following:

sh cap asp | include 2.2.2.18

sh cap asp | include 2.2.2.19

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC