08-13-2013 08:12 PM - edited 03-11-2019 07:25 PM
Hi all,
I couldn't access my server from outside. The settings seem OK as far as I can see, but please check whether I missed anything.
From outside, I need to access http://60.x.x.50:8080, but the access fails. Please help. Thanks.
Below I have attached part of the config.
-----------------------------------------------------
: Saved
:
ASA Version 8.0(4)
!
name 172.47.1.10 NarayaServer description Naraya Server
name 62.x.x.172 NarayaTelco1
name 62.x.x.178 NarayaTelco2
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 60.x.x.50 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.27.17.100 255.255.0.0
!
access-list inside_access_in extended deny ip any Japan02 255.255.255.0
access-list inside_access_in extended deny tcp object-group PermitInternet any object-group torrent1
access-list inside_access_in extended permit ip object-group PermitInternet any
access-list inside_access_in extended permit ip host NAVNew any
access-list inside_access_in extended permit ip host NarayaServer any
access-list inside_access_in extended permit ip host IPVSSvr any
access-list inside_access_in extended permit ip host 172.17.100.30 any
access-list outside_access_in extended permit object-group NECareService object-group NECare any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host NarayaServer
access-list outside_1_cryptomap extended permit ip host NarayaServer object-group Nry_Png
access-list outsidein extended permit tcp any host 60.x.x.50 eq https
access-list outsidein extended permit tcp any host 60.x.x.50 eq 8080
access-list outsidein extended permit ip object-group DM_INLINE_NETWORK_3 host IPVSSvr
access-list outsidein extended permit object-group rdp any host 60.x.x.50
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_mpc extended permit tcp any any eq www
access-list inside_nat0_outbound extended permit ip host NarayaServer any
ip local pool lot10ippool 172.27.17.240-172.27.17.245 mask 255.255.255.0
ip verify reverse-path interface outside
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 NAVNew 3389 netmask 255.255.255.255
access-group outsidein in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 60.54.140.49 1
route inside 0.0.0.0 255.255.255.255 60.54.140.49 1
route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
route inside NAVNew 255.255.255.255 172.27.17.100 1
route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
route inside NarayaServer 255.255.255.255 172.27.17.100 1
http server enable
http 172.17.100.30 255.255.255.255 inside
http NAVNew 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
--------------------------------------------------------------------------------------------------------------------------
08-13-2013 08:33 PM
Hello My friend,
Things to remove from configuration:
no route inside 0.0.0.0 255.255.255.255 60.54.140.49 1
no route inside 172.17.100.20 255.255.255.255 172.27.17.100 1
no route inside NAVNew 255.255.255.255 172.27.17.100 1
no route inside 172.17.100.30 255.255.255.255 172.27.17.100 1
no route inside NarayaServer 255.255.255.255 172.27.17.100 1
Things to Add
route inside 172.16.0.0 255.240.0.0 IP_ADDRESS_OF_INSIDE_ROUTER
That inside router should be the one that connects to the server.
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-13-2013 08:43 PM
Hi,
The route commands are existing configuration; they shouldn't be deleted.
I'm confused: why do I need to add "route inside 172.16.0.0 255.240.0.0 IP_ADDRESS_OF_INSIDE_ROUTER"?
08-13-2013 08:48 PM
Hello Mohd,
Because the route is pointing to the ASA itself.... So it's never going to be routed... Do you see what I mean?
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-13-2013 08:59 PM
Hi jcarvaja,
Appreciate your help,
Question:
1. I'm still learning, but I don't see how being unable to access from outside to inside is related to routing? Sorry, I'm a bit confused on this.
2. If I remove the above routes as you mentioned, will the hosts (172.17.100.20, NAVNew, NarayaServer) still be able to reach the Internet?
Hope to hear from you soonest.
Thanks,
08-13-2013 09:08 PM
Hello,
No worries,
1- The packet will reach the ASA from outside; the ASA will check the destination IP address, which is the server, and will look for a route. It will then say: OK, to get to that IP address I need to send the packet to myself. It will never happen.....
2- Does the server currently have connectivity to the internet???
Can you share the show route?
Check my blog at http:laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
08-13-2013 10:32 PM
Sorry, I clicked on Correct Answer instead of Reply.
Anyway,
1. I attached the full config. The current configuration is working fine as of 2nd August 2013.
2. On 3rd Aug, I configured a site-to-site VPN; it is working.
3. During the process of troubleshooting the site-to-site VPN, I may or may not have deleted some lines (I already forget which ones).
4. On 4th August, my colleague said that the server can't be accessed anymore.
5. Maybe it was a config line I deleted, but I'm not sure which one could be related.
6. Before 2nd August, access to the server from outside worked without the routing config you suggested.
See if you can help to identify the problem.
Thanks.
08-13-2013 11:07 PM
Hello Mohd,
Here are the facts:
route inside NarayaServer 255.255.255.255 172.27.17.100
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.27.17.100 255.255.0.0
So basically: send the packet to yourself (does not make any sense). Try to read it so you can understand what I mean.
access-list inside_nat0_outbound extended permit ip host NarayaServer any
nat (inside) 0 access-list inside_nat0_outbound
Do the following :
access-list inside_nat0_outbound permit ip host NarayaServer OTHER_site_VPN_subnet
no access-list inside_nat0_outbound extended permit ip host NarayaServer any
Then you should be able to connect.
Let me know if you will follow my instructions; otherwise I think I am not helping here.
Note: As you already mark the question as answered you could provide kudos (stars) on my next answers
Cheers,
Julio Carvajal Segura
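As an added check (not part of the thread or of any Cisco tool), the following Python lint reads an ASA 8.x-style config excerpt and flags the two conditions Julio points at: a "route" whose next hop is one of the ASA's own interface addresses, and a "nat 0" exemption ACL that permits a statically translated host towards "any". The sample config is constructed from the names and addresses as they appear in this thread; nothing else is assumed.

```python
# Constructed excerpt using names and addresses as they appear in the thread.
SAMPLE_CONFIG = """
name 172.47.1.10 NarayaServer description Naraya Server
ip address 60.x.x.50 255.255.255.252
ip address 172.27.17.100 255.255.0.0
access-list inside_nat0_outbound extended permit ip host NarayaServer any
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 60.54.140.49 1
route inside NarayaServer 255.255.255.255 172.27.17.100 1
"""

def parse_asa(config):
    # Collect only what the checks need: name aliases, the ASA's own interface
    # IPs, routes, ACL entries, nat 0 ACL names and the real hosts of statics.
    p = {"names": {}, "self_ips": set(), "routes": [], "acls": {},
         "nat0_acls": set(), "static_hosts": set()}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                    # name <ip> <alias> ...
            p["names"][t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:      # an interface's own address
            p["self_ips"].add(t[2])
        elif t[0] == "route":                 # route <if> <dest> <mask> <nexthop> [metric]
            p["routes"].append((t[1], t[2], t[3], t[4]))
        elif t[0] == "access-list":
            p["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            p["nat0_acls"].add(t[4])
        elif t[0] == "static":                # real host: t[5] for port statics, t[3] otherwise
            p["static_hosts"].add(t[5] if t[2] in ("tcp", "udp") else t[3])
    return p

def self_pointing_routes(p):
    # A next hop that is one of the ASA's own addresses can never forward the packet.
    return [r for r in p["routes"] if p["names"].get(r[3], r[3]) in p["self_ips"]]

def overbroad_nat_exemptions(p):
    # nat 0 entries that exempt a statically translated host towards "any", so the
    # exemption also covers the Internet traffic that was meant to use the static.
    hits = []
    for acl in sorted(p["nat0_acls"]):
        for entry in p["acls"].get(acl, []):
            if entry[-1] == "any" and "host" in entry:
                host = entry[entry.index("host") + 1]
                if host in p["static_hosts"]:
                    hits.append((acl, host))
    return hits
```

Run parse_asa on the sample and pass the result to the two check functions; each returns exactly one finding, and after narrowing the nat 0 entry to the remote VPN subnet as Julio suggests, the second check returns nothing.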