03-13-2012 10:59 PM - edited 03-11-2019 03:41 PM
Help guys, I just want some advice since I am the one responsible for configuring our new Cisco ASA.
ASA version 8.2(5)
WEB server ip = 10.0.246.5
The scenario is that we have a web server on the inside segment, and I wanted to allow only HTTP to it from the outside.
Somehow we could call it a DMZ; however, we only need inside and outside interfaces.
Therefore, since I only configured the interfaces on the ASA and cleared my access list and NAT because they didn't work, could someone at least provide me with a good access list and a NAT rule?
On interface GigabitEthernet0/1:
interface GigabitEthernet0/1
 nameif inside (so it means the inside segment where the server is located)
 ip address 10.0.246.12 255.255.255.240
 security-level 100
and
interface GigabitEthernet0/3
 nameif outside
 ip address x.x.x.92 255.255.255.248
 security-level 0
route outside 0.0.0.0 0.0.0.0 x.x.x.89
And here is my old access-list config and NAT, but it didn't work; I don't know why:
access-list web_http extended permit tcp host 10.0.246.5 eq www any
and NAT:
static (inside,outside) tcp interface www access-list web_http
Can anyone help me here?
Thanks guys, I need help as soon as possible
because we're going live.
03-14-2012 02:40 AM
Your default gateway is 10.0.246.5, as the last line shows.
route del default gw 10.0.246.5
route add default gw 10.0.246.12
You need the default route to point to .12.
Dan
03-14-2012 12:25 AM
Hi,
Do you have any access-list on the outside interface? By default (without any ACL), traffic from outside to inside is denied.
access-list acl-out extended permit tcp any host x.x.x.92 eq 80
access-group acl-out in interface outside
Dan
03-14-2012 12:44 AM
Yes, I tried that one before, but it also didn't work somehow and I don't know why.
I think there is something missing in my NAT command or maybe the access-list, but I don't know.
Now my access-list is:
access-list web_server extended permit tcp any host x.x.x.93 eq www log
access-list web_server deny ip any any log
access-group web_server in interface outside
static (inside,outside) x.x.x.93 10.0.246.5
I used one of my free public IPs to NAT to the public web server.
Via show access-list it shows hits, and monitoring the logs
it seems that it built a TCP connection, but still I can't access the web server in my browser.
Via show nat it shows that it is not translated.
03-14-2012 12:55 AM
Hi Earlge,
As it is in your last post, both the access-list applied on outside and the static NAT are OK.
Does your web server have the ASA as its gateway? Is it Windows, Linux, or what OS does it have?
Later edit: can you post show xlate?
Dan
03-14-2012 01:09 AM
So you mean my last post is OK enough?
It means it's already OK?
My web server OS is Red Hat Linux.
Hmm, gateway to the ASA... wait, when I issued route...
Oh, I see, when I vi /etc/sysconfig/network
it shows GATEWAY=10.0.246.13, and it must be 10.0.246.12, right?
Let me try once more.
show xlate
show xlate details
Nat from inside: 10.0.246.5 to outside: X.X.X.93 flags s
By the way, instead of using x.x.x.92, the interface IP of outside, I used one of the free IPs, x.x.x.93.
03-14-2012 01:11 AM
Post
route -n
Yes, it must be 10.0.246.12.
Dan
03-14-2012 01:41 AM
Now I fixed the server's gateway, but it still doesn't work.
I don't know why; looking at the logs, it allows the TCP connection from the outside going to inside port 80.
However, when I issue show nat
it doesn't show translate hits, always untranslated. Wait, let me post my running config here for the moment:
ASA Version 8.2(5)
!
hostname XXXXXXX
domain-name XXXXXXXXXX
enable password XXXXXXXX. encrypted
passwd XXXXXXXX. encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.0.246.12 255.255.255.240
ospf cost 10
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address X.X.X.92 255.255.255.248
ospf cost 10
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
ftp mode passive
clock timezone PHST 8
dns server-group DefaultDNS
domain-name XXXXXXXX
access-list web_http extended permit tcp any host X.X.X.93 eq www log
access-list web_http extended deny ip any any log
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging host inside 10.0.246.6
logging host inside 10.0.246.5
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu management 1500
ip verify reverse-path interface outside
failover
failover lan unit primary
failover lan interface failoverif GigabitEthernet0/2
failover key *****
failover link failoverif GigabitEthernet0/2
failover interface ip failoverif 192.168.2.1 255.255.255.252 standby 192.168.2.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no nat-control
static (inside,outside) X.X.X.93 10.0.246.5 netmask 255.255.255.255
access-group web_http in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.246.6 source inside
ntp server 10.0.246.5 source inside
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6f0b30e7b433d1812c28623d218cc552
: end
03-14-2012 01:50 AM
First, when you used the interface IP for the NAT the problem was: http server enable. So if you want to use the interface IP you will have to disable the http server or change the ASA's http port.
Second, add to your configuration:
policy-map global_policy
class inspection_default
inspect http
In order to see the translations active you will have to use "show xlate".
Try again, please.
Regards
Dan
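The complete ASA 8.2 publishing configuration for the scenario in this thread, added here as an example; it is not taken from any post above. It reuses the addressing already given (inside 10.0.246.12/28, server 10.0.246.5, outside X.X.X.92/29, spare public address X.X.X.93, upstream gateway X.X.X.89); the management port 8443 in the commented option is an assumption.

```cisco
! --- Option A: one-to-one static NAT to a spare public address (what the thread settled on).
! "no nat-control" in the running config only means hosts without a NAT entry may pass
! untranslated; the static below still wins for 10.0.246.5.
static (inside,outside) X.X.X.93 10.0.246.5 netmask 255.255.255.255

! --- Option B: static PAT on the outside interface address instead of a spare one.
! TCP/80 is free on the interface unless "http redirect outside 80" is configured. If you later
! publish TCP/443 this way, the ASA's own management listener (HTTPS, default 443) and any
! "webvpn / enable outside" must be moved or disabled first, or the ASA answers the SYN itself.
! http server enable 8443          <- assumed free port, only needed when publishing 443
! static (inside,outside) tcp interface www 10.0.246.5 www netmask 255.255.255.255

! --- Outside ACL. On 8.2 (pre-8.3) the ACL matches the MAPPED (public) address, because
! inbound "untranslation" happens after the ACL check. Use X.X.X.92 for Option B.
access-list web_http extended permit tcp any host X.X.X.93 eq www log
access-list web_http extended deny ip any any log
access-group web_http in interface outside

! Default route toward the ISP; the server's own default gateway must be 10.0.246.12.
route outside 0.0.0.0 0.0.0.0 X.X.X.89 1
```

Two caveats. The example does not rely on `inspect http`: the default global policy already passes HTTP, and HTTP inspection only adds protocol-conformance checks on top. And the mapped-address rule is specific to 8.2; from 8.3 onward the interface ACL matches the real (inside) address and NAT is written with `object network` / `nat (inside,outside) static`, so this block cannot be pasted into a newer release unchanged.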
03-14-2012 02:02 AM
As of now I am not using the interface IP; instead I used one of the public IPs which is free in its subnet.
The interface IP is x.x.x.92, but I use x.x.x.93 instead. I already added the policy, but it still doesn't work.
03-14-2012 02:05 AM
Earlge ,
Your policy does not inspect HTTP. Did you add that?
Dan
03-14-2012 02:09 AM
Yes, I already added inspect http, sir, but there is still a problem.
03-14-2012 02:08 AM
Do I still need to turn off the http server? Based on show access-list and the logs,
it shows that it allows the TCP connection from the outside going to the inside; however,
in show nat
translate_hits=0, so it means translation is not working?
03-14-2012 02:14 AM
No, you do not have to turn off the http server.
Also post "route -n" from the server. If you only modified the "network" file, the changes didn't take effect.
The hits, in order to access the server, should be in untranslate_hits.
Dan
03-14-2012 02:21 AM
I don't get it. You mean it is OK
if my show nat result
was hitting untranslate_hits?
And yes, the 10.0.246.0 network gateway is already 10.0.246.12. Is there something wrong with my config now, or missing? I already added inspect http.
03-14-2012 02:31 AM
If you have untranslate hits in show nat, it's OK one way.
Please post route -n from your server, and also netstat -nlt.
Dan
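The ASA-side checks that separate "the firewall is not translating" from "the server is not answering", added here as an example and not part of any post in the thread. It assumes the addresses used above; the outside client address 203.0.113.10 and port 40000 are constructed test values.

```cisco
! 1. Simulate an outside client hitting the published address. Every phase should end in
!    "Result: ALLOW", and the NAT phase should show the untranslate to 10.0.246.5.
!    A DROP in the ACCESS-LIST phase on 8.2 usually means the ACL names the real IP
!    instead of the mapped one.
packet-tracer input outside tcp 203.0.113.10 40000 X.X.X.93 80 detailed

! 2. The static entry exists regardless of traffic ("flags s" = static).
show xlate

! 3. On 8.2, outside-initiated connections are counted in untranslate_hits; translate_hits
!    only grows when the server itself opens connections outbound. untranslate_hits staying
!    at 0 after the test means no inbound SYN ever matched the static.
show nat

! 4. Live connections to the server. An entry carrying the B flag (initial SYN from outside)
!    without the U flag (up) means the ASA forwarded the SYN but never saw the server's
!    SYN/ACK: a server-side problem (default gateway, listener, host firewall), not policy.
show conn detail address 10.0.246.5 port 80

! 5. ACE hit counters, and the syslogs for this address (106100 = ACE with "log" matched,
!    302013 = TCP connection built, 302014 = connection torn down, with the reason).
show access-list web_http
show logging | include X.X.X.93
```

On the server side, `route -n` should list the 0.0.0.0 route via 10.0.246.12 (editing /etc/sysconfig/network alone does not change the live table until networking is restarted), and `netstat -nlt` should show port 80 in LISTEN on 0.0.0.0 or the server's address rather than 127.0.0.1. Red Hat also ships with iptables enabled by default, so if the ASA shows the connection stuck in step 4 while the listener is fine, check the host firewall before changing anything else on the ASA.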