08-23-2013 05:48 AM - edited 03-11-2019 07:30 PM
I am working on a Cisco ASA 5510 for a customer. I need to allow inbound traffic on port 443 from a specific vendor IP address to a specific server on the customer's internal network. I opened the ASDM 6.0 software, went to the firewall section and created the highlighted rule in the screenshot. Still, the vendor is telling me they can not connect to the customer server. I have defined both of those objects with the IP address necessary. Can someone help me find out what I have done wrong please?
-Mike
08-23-2013 10:03 AM
I am able to ping the server from my computer, but 443 traffic is not working. Do I need two separate rules? One allowing traffic from the vendor IP to the internal IP, then one from the internal IP to the vendor IP, then a rule translating my internal IP to the public IP the vendor is looking for?
-Mike
08-23-2013 10:11 AM
What version of ASA are you running?
If you are running a version prior to 8.3 then the access list needs to read like this:
remote public IP to Local server public IP port 443
If the version is 8.3 or higher it needs to read like this:
remote public IP to Local server private IP port 443
Hope this post helps.
08-23-2013 10:20 AM
Hello Marius,
When I do a help and then about, it says ASA: 8.0(3).
Where would I enter that info from the ASDM?
-Mike
08-23-2013 10:18 AM
I ran the packet trace, and it showed me a rule that is dropping the traffic in to my server from the outside. When I go to the rule that makes it drop, I am unable to edit it. Can someone help me make that edit, or let me know why I can not edit this implicit rule to allow the traffic? Going to the vendor server is fine, they just can't come in to me.
-Mike
08-23-2013 10:20 AM
So the implicit deny is being matched? This is a default which is placed at the end of all ACLs and can not be edited. You would need to create another ACL above it allowing the traffic you wish to pass through the ASA.
08-23-2013 10:23 AM
The interface ACL configuration is located under the Configuration tab and then select Firewall on the left, and I think it is the top option...Access-lists or something like that. Don't quite remember, and I don't have ASDM open right now to check.
08-23-2013 10:24 AM
Here is a screenshot of the Access Rules. In the Network Objects section, I have the McKesson-Gateway defined with their public IP address. I have the WebViewServer defined as the private IP on my internal network. Is that my problem perhaps?
08-23-2013 10:26 AM
Your web server would need to be defined with its public IP (if this is coming from the internet and the ASA is doing the NATing).
08-23-2013 10:30 AM
I have this setup under NAT rules. Maybe this is wrong?
08-23-2013 10:33 AM
Yes, if you want it to be accessed from the internet you should not be exempting it from NAT. There should be a static NAT translating the private IP to a public IP. Very often the public IP will be the interface IP, depending on how many public IPs you have and can allocate.
The Exempt NAT is mostly used when wanting to send traffic over a VPN or in some special circumstances where the inside IPs are public IPs.
08-23-2013 10:45 AM
I made an inside rule and an outside rule. 192.168.2.220 is my internal server. The vendor is looking for that server on public IP address 108.162.209.37 port 443.
08-23-2013 10:54 AM
When I run the Packet Trace on the "outside" rule from 108.162.209.37:443 to 192.168.2.220:443, it fails and drops the packet, then refers me to that implicit deny rule that I have a screenshot of above. I created a new any/any and permit, but it still drops.
08-23-2013 11:05 AM
You have added the NAT to the outside interface, which is incorrect. Add it to the inside interface with a source of 192.168.2.220 and a translated address of 108.162.209.37. Even though this is applied to the outside interface, it does translate both directions.
Then when running the packet tracer run it from a source outside interface IP 4.2.2.2 port 4444 with a destination 108.162.209.37 port 443.
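The configuration Marius describes, written out as an added example that is not from the thread: the static NAT and inbound ACL in pre-8.3 syntax (the ASA 8.0(3) in this thread), with the 8.3+ equivalent for comparison. The McKesson-Gateway public address is not given in the thread, so VENDOR_PUBLIC_IP is a placeholder; the interface and ACL names are assumptions.

```cisco
! --- ASA 8.0(3) (pre-8.3 syntax), as in this thread ---
! Static one-to-one NAT: inside 192.168.2.220 appears as 108.162.209.37 on the outside.
! Configured on the (inside,outside) pair; the ASA translates in both directions.
static (inside,outside) 108.162.209.37 192.168.2.220 netmask 255.255.255.255

! Pre-8.3, the inbound ACL matches the PUBLIC (translated) address of the server.
! VENDOR_PUBLIC_IP is a placeholder for the McKesson-Gateway object's address.
access-list outside_access_in extended permit tcp host VENDOR_PUBLIC_IP host 108.162.209.37 eq 443
access-group outside_access_in in interface outside

! Verify from the CLI with a source that is NOT the server's own public IP:
packet-tracer input outside tcp 4.2.2.2 4444 108.162.209.37 443

! --- Equivalent on ASA 8.3 and later, for comparison ---
object network WebViewServer
 host 192.168.2.220
 nat (inside,outside) static 108.162.209.37
! From 8.3 on, the inbound ACL matches the PRIVATE (real) address.
access-list outside_access_in extended permit tcp host VENDOR_PUBLIC_IP host 192.168.2.220 eq 443
access-group outside_access_in in interface outside
```

On pre-8.3 code a NAT exemption (nat 0 with an access-list) that covers 192.168.2.220 takes precedence over the static, which is why the server stays unreachable from the internet while the exemption is in place.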
08-23-2013 11:58 AM
I deleted the rule. Now I have this below. Is it correct?