I am a fresh cisco user, i am trying to configure a cisco asa 5510 with the ASDM GUI. Actually, Eth0 is set as Outside interface (DHCP, fixed ISP Public IP) and Eth1 as DMZ interface with a Web server (ip 172.16.1.80) behind.
And i don't find how to solve error message "TCP access denied by ACL from xxx.yyy.245.171/3277 to outside:aaa.bbb.50.144/80" and gain access to web server from outside.
Regarding ACL, Outside interface can receive anything from anywhere if it is tcp "http(s),ftp,smtp,8080".
I also NAT fixed ISP Public IP to 172.16.1.80, which is my webserver address in order to access through http://aaa.bbb.50.144.
Please, let me know what i have done wrong because i am having grey hairs... Here is in att the running conf.
your static nat statement should read:
static (dmz,outside) tcp interface 80 172.16.1.80 80
your acl entry for this should look like:
access-list outside_access_in permit tcp any interface outside eq 80
this assumes you're using the outside IP as the nat'ed public IP of the webserver.
Thanks srue for your quick answer.
It solved the error message. Now i am facing another thing, when i try to reach the Web server from outside, the connection to DMZ is established, i can see it using tcpview, i can see the remote address xxx.yyy.245.171 > aaa.bbb.50.144 > 172.16.1.80.
But i have a message like "TCP request discarded from xxx.yyy.245.171/4817 to outside:aaa.bbb.50.144/8080, This message appears when the security applicance does not have a UDP server that services the UDP request".
Can it be solved with an ASA conf, do i have to add a rule let UDP traffic pass through (access-list outside_access_in line 1 extended permit udp 0.0.0.0 0.0.0.0 interface outside) ?
"TCP request discarded from xx.yyy.245.171/4817 to outside:aaa.bbb.50.144/8080,
>> TCP traffic getting discarded on port tcp 8080 the outside interface. Add this,
static (dmz,outside) tcp interface 8080 172.16.1.80 8080
access-list outside_access_in permit tcp any interface outside eq 8080
But, before that please check whether the server 172.16.1.80 is listening on port tcp 8080 and you really need to allow connections on port tcp 8080 from outside.
I added the line "static (dmz,outside) tcp interface 8080 172.16.1.80 8080", the second line was already in place :
"object-group service ContentManager tcp
port-object eq 8080
access-list outside_access_in extended permit tcp any interface outside object-group ContentManager"
The Web server is listening on the port 8080, i can be sure because of two thing :
- i can connect to it with another local PC (my tomcat gets the connection),
- i use a windows tool that shows me active connection (tcpview.exe, state SYN_RCVD).
The only message on the ASA is "
Built inbound TCP connection 1118 for outside:xxx.yyy.245.171/2542 (xxx.yyy.245.171/2542) to dmz:172.16.1.80/8080 (aaa.bbb.50.144/8080)"
The connection arrive but is not transmitted to outside ... The web browser stay in status SYN_SENT, and the remote Web browser in SYN_RCVD. No connection between. I think the ASA don't let the answer go out. Any idea ?
Well, not better. And the strangest thing is that it worked one time (but only one), so i made a backup and restarted the ASA, but it is out again.
A. Outside HTTP client connect to http://aaa.bbb.50.144 from xxx.yyy.245.171
SYNC is send and wait for the ACK.
B. ASA5510 accept connection and translate address/port "xxx.yyy.245.171 172.16.1.80 Built inbound TCP connection 101 for outside:xxx.yyy.245.171/2738 (xxx.yyy.245.171/2738) to dmz:172.16.1.80/8080 (aaa.bbb.50.144/80)"
C. The Web server in the DMZ receive the connection
SYNC is received and send back the ACK
D. The ACK go i don't know where and the connection end by a Time Out
"xxx.yyy.245.171 172.16.1.80 Teardown TCP connection 103 for outside:xxx.yyy.245.171/2798 to dmz:172.16.1.80/8080 duration 0:00:30 bytes 0 SYN Timeout"
But the web client is still waiting for the ACK.
Does the ASA don't allow incoming and outgoing traffic from the same interface or something like that ?
Do you have an idea where i can find any track to solve that ?
no static (dmz,outside) aaa.bbb.50.144 172.16.1.80 netmask 255.255.255.255
static (dmz,outside) tcp interface 80 172.16.1.80 80 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any any eq 80
no access-list outside_access_in extended permit tcp any any object-group ContentManager log debugging
It seems that i had a route problem.
The only thing i have changed is :
no route outside 0.0.0.0 0.0.0.0 aaa.bbb.50.144 1
and since i am in DHCP, i added setroute to eht0
ip address dhcp setroute
This way, everything is working well.
Thanks for your help.