06-07-2007 07:21 AM - edited 03-11-2019 03:26 AM
We have a GroupWise server running WebAccess sitting behind ASA5505. I have opened port 25 and can send and receive emails but can't get access to WebAccess. I can internally at https://192.168.1.50/servlet/webacc and everything is running fine. But when I try it externally via https://66.64.x.x/servlet/webacc I have no luck.
Below is the relevant setup information.
interface Vlan1
mac-address 0012.3f7f.9876
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description NuVox T1
nameif outside
security-level 0
ip address 66.64.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any any eq https
access-list out2in extended permit tcp any any eq 9850
access-list out2in extended permit tcp any any eq 1677
access-list out2in extended permit tcp any any eq 7205
access-list out2in extended permit udp any any eq 443
access-list out2in extended permit udp any any eq 9850
access-list out2in extended permit udp any any eq 1677
access-list out2in extended permit udp any any eq 7205
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) udp interface 443 192.168.1.50 443 netmask 255.255.255.255
static (inside,outside) udp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) udp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) udp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 66.64.x.x 1
06-07-2007 09:34 AM
It works...
Are you trying this from the inside or outside?
06-07-2007 07:45 AM
It's tcp, not udp
static (inside,outside) udp interface 443 192.168.1.50 443 netmask 255.255.255.255
access-list out2in extended permit udp any any eq 443
should be...
static (inside,outside) tcp interface 443 192.168.1.50 443 netmask 255.255.255.255
access-list out2in extended permit tcp any any eq 443
also you can limit your destination in your acl to the outside interface address which is much more secure.
access-list out2in extended permit tcp any host 66.64.x.x eq 443
please rate if it helps.
06-07-2007 08:15 AM
Ok, I deleted the UDP record, and I changed the ACL rule. Still no luck.
I did some digging around and looked at how the last router was set up and came up with an issue.
We are on a T1 line with a static IP. I have assigned that IP to the outside interface. The ISP has a default gateway which I have routed "outside" to via:
route outside 0.0.0.0 0.0.0.0 66.64.170.y 1
but when I check the IP of the outside interface it is not the static IP that I assigned but is now 66.64.170.z
I see that the old router had a routing rule, but I can't seem to emulate this as there is no default gateway.
06-07-2007 08:26 AM
That table shows...
66.64.170.16/29 connected WAN
66.64.170.17 default gateway
192.168.1.0/24 connected LAN
What is the outside ip of the old router? I'm not sure what you mean by, "it is not the static ip that I assigned".
06-07-2007 08:51 AM
interface Vlan2
description NuVox T1
nameif outside
security-level 0
ip address 66.64.170.18 255.255.255.248
x.x.x.18 is the static IP that I assigned to "outside"
I then do:
route outside 0.0.0.0 0.0.0.0 66.64.170.17 1
to point to the wan gateway.
But it appears that the outside interface is being mapped to 66.64.170.16.
I am confused as I need to translate 66.64.170.18 which is our mx record and points to our internal hosted server. But I have no NAT or routes for the 66.64.170.16 address that appears to be assigned to the outside interface when all along I thought it was 66.64.170.18.
The old router did this but I am not able to duplicate it on the asa5505, due mostly to my ignorance. Thanks for your time and patience.
06-07-2007 09:03 AM
"But it appears that the outside interface is being mapped to 66.64.170.16."
.16 is the network address, it is not a host address. It will not be an address on your asa.
66.64.170.16/29
.16 = network address
.17
.18
.19
.20
.21
.22
.23 = broadcast address
All that route table is telling you is that the 66.64.170.16/29 network is attached to the WAN interface, NOT that .16 is the external address.
06-07-2007 09:16 AM
Ok.
I have to route:
route outside 0.0.0.0 0.0.0.0 66.64.170.17 1
or I have no internet access. Do I need the other route to .16 that was set up on the previous router?
06-07-2007 09:21 AM
No, there is no need to route to .16, for one this is not a host and two the .16/29 network is directly attached to the pix. You should be good to go then, .17 is your gateway, .18 is outside of ASA.
06-07-2007 09:23 AM
But I am still unable to connect. Follow steps above. How can I troubleshoot or log further?
06-07-2007 09:25 AM
Are you sure .17 is gateway? You can get to the internet? Post your new config with changes made.
06-07-2007 09:32 AM
Yes. .17 Is gateway confirmed with ISP. I can get to the internet (posting here from behind router).
I ran log and I do not see any translation going from .18 to 192.168.1.50
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(2)
!
hostname ASA5505
domain-name amcinc.us
enable password 8aPd93D5bXaT2fFZ encrypted
names
!
interface Vlan1
mac-address 0012.3f7f.9876
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description NuVox T1
nameif outside
security-level 0
ip address 66.64.170.18 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
domain-name amcinc.us
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any any eq https
access-list out2in extended permit tcp any any eq 9850
access-list out2in extended permit tcp any any eq 1677
access-list out2in extended permit tcp any any eq 7205
access-list out2in extended permit udp any any eq 9850 inactive
access-list out2in extended permit udp any any eq 1677 inactive
access-list out2in extended permit udp any any eq 7205 inactive
pager lines 24
logging enable
logging asdm informational
logging from-address thomas.estes@amcinc.us
logging recipient-address thomas.estes@amcinc.us level errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) udp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) udp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) udp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 66.64.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username estest password pfaW5bAu431sHznu encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.1 community ASA5505
snmp-server location Data Room
snmp-server contact Tom Estes
snmp-server community ASA5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.114 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3a9acacb8fa6c437b6a95c271048ffde
: end
06-07-2007 09:47 AM
well how about that?!!?!
I still can't hit it from the internal network, but when I fire up a laptop with an air card I was able to see it.
Thanks very much.
PS> We were able to hit it from the internal network before, any idea why I can't now?
06-07-2007 09:52 AM
Yes, you cannot because the asa does not allow it by default. You have a few options, where does your dns sit for inside clients? If it is outside you can perform dns doctoring, but this does not work when combined with port forwarding like you are doing. Second, you can create another static, enable same-security-traffic permit intra-interface and hairpin. This will allow the traffic to hit inside interface of ASA and be directed back inside to the server. Here is a good doc here.. let me know if you need assistance.
If you had a dmz you could do a statement like this...
static (dmz,inside)
06-07-2007 10:06 AM
You should also change the way you are writing your ACLs, using any as a destination is an unnecessary security risk.
access-list out2in extended permit tcp any host 66.64.170.18 eq https
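Added example, not from the thread or from Cisco: a small lint for an ASA 7.x config excerpt that flags the three points raised in the replies above, the UDP static/ACL pair for a TCP-only service, "any" as the ACL destination, and a default-route gateway that is not a usable host of the outside /29 (the .16 network-address confusion). CONFIG is a constructed excerpt modelled on the poster's first config; the regexes only cover the command forms that appear in this thread.

```python
# Added example (not the thread's or Cisco's code). Lints an ASA 7.x excerpt for:
# udp static/acl on a tcp-only port, "any" acl destination, and a default-route
# gateway that is not a usable host in the outside interface's subnet.
import ipaddress
import re

# Constructed excerpt modelled on the poster's first config (the udp 443 lines
# are the ones the first reply said should be tcp).
CONFIG = """\
interface Vlan2
 nameif outside
 ip address 66.64.170.18 255.255.255.248
access-list out2in extended permit tcp any any eq https
access-list out2in extended permit udp any any eq 443
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) udp interface 443 192.168.1.50 443 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 66.64.170.17 1
"""

TCP_ONLY = {"443", "25"}                     # https and smtp never listen on udp
PORT_NAMES = {"https": "443", "smtp": "25"}  # ASA port keywords used in the thread
ACL_RE = re.compile(r"access-list \S+ extended permit (tcp|udp) any (any|host \S+) eq (\S+)")
STATIC_RE = re.compile(r"static \(inside,outside\) (tcp|udp) interface (\S+) ")
ROUTE_RE = re.compile(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def lint(config: str) -> list:
    """Return human-readable findings for the config excerpt (empty list = clean)."""
    findings, current_if, outside = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current_if = line.split()[1]
        elif line.startswith("ip address ") and current_if == "outside":
            _, _, ip, mask = line.split()          # ASA uses dotted netmask, not /prefix
            outside = ipaddress.ip_interface(f"{ip}/{mask}")
        elif m := ACL_RE.match(line):
            proto, dst, port = m.groups()
            port = PORT_NAMES.get(port, port)
            if proto == "udp" and port in TCP_ONLY:
                findings.append(f"udp acl for tcp-only port {port}")
            if dst == "any":
                findings.append(f"acl destination any for {proto}/{port}; use host <outside ip>")
        elif m := STATIC_RE.match(line):
            proto, port = m.groups()
            if proto == "udp" and PORT_NAMES.get(port, port) in TCP_ONLY:
                findings.append(f"udp static for tcp-only port {PORT_NAMES.get(port, port)}")
        elif (m := ROUTE_RE.match(line)) and outside is not None:
            gw, net = ipaddress.ip_address(m.group(1)), outside.network
            # .16 and .23 of a /29 are the network and broadcast addresses, never hosts
            if gw not in net or gw in (net.network_address, net.broadcast_address):
                findings.append(f"gateway {gw} is not a usable host in {net}")
    return findings

if __name__ == "__main__":
    for finding in lint(CONFIG):
        print("-", finding)
```

Feeding it the poster's posted running-config (with the inside interface first) works because only the interface whose nameif is outside is used for the gateway check.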