10-11-2014 05:16 AM - edited 03-11-2019 09:54 PM
I'm hosting internal webserver (ports 80 and 443).
I;m having problems with my Cisco ASA config:
--------------CONFIG BEGIN -----------
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
names
name 192.168.1.254 ciscoasa
name 192.168.1.0 LAN-Home
name 192.168.1.3 SERVER
name 192.168.1.2 DNS_IP
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address ciscoasa 255.255.255.0
!
interface Vlan2
mac-address 04c0.6f3e.a1dc
nameif outside
security-level 0
ip address dhcp setroute
ipv6 enable
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server DNS_IP
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list external extended deny icmp any any echo-reply
access-list external extended permit tcp any host SERVER eq www
access-list external extended permit tcp any host SERVER eq https
access-list dhcp extended permit ip any any
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-715.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
access-group external in interface outside
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AuthInbound protocol radius
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http LAN-Home 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt No Unauthorised Access. Please enter your User Credentials.
auth-prompt accept Welcome! or are you...
auth-prompt reject Access has been denied.
telnet LAN-Home 255.255.255.0 inside
telnet timeout 20
ssh LAN-Home 255.255.255.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcp-client broadcast-flag
dhcp-client client-id interface outside
dhcpd dns DNS_IP
!
dhcpd address 192.168.1.220-192.168.1.250 inside
dhcpd option 3 ip ciscoasa interface inside
dhcpd enable inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun duration 900000
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ils
inspect icmp
!
service-policy global_policy global
prompt hostname context
asdm image disk0:/asdm-715.bin
asdm history enable
------- END CONFIG ---------
I ran:
packet-tracer input outside tcp 0.0.0.0 80 192.168.1.60 80
and i'm getting:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in LAN-Home 255.255.255.0 inside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
For the life of me I don't know how to fix this.
Any help would be appreciated.
Thanks
Paul
Solved! Go to Solution.
10-11-2014 05:27 AM
Hi,
The actual Static PAT (Port Forward) configuration seems fine. Though since you mention HTTPS also you should add
static (inside,outside) tcp interface 443 192.168.1.3 443 netmask 255.255.255.255
Notice though by doing a Static PAT for port TCP/443 you will prevent using ASDM or SSL VPN from the external network unless you change their ports or use a different port for the Static PAT. Then again, it seems you are not using either from the external network so should not be a problem.
I think the only problem with the actual configuration is the ACL. You are allowing the traffic to the real IP address of the server. Now this would be correct if you were running a newer software that is 8.3 (or above) but since you are in the older software levels 8.2 (and below) you should still allow the connections to the public/mapped IP address of the host.
So you could try this
access-list external permit tcp any interface outside eq 80
access-list external permit tcp any interface outside eq 443
You can remove the previous rules for your server on the "external" ACL.
Hope this helps :)
- Jouni
10-11-2014 05:27 AM
Hi,
The actual Static PAT (Port Forward) configuration seems fine. Though since you mention HTTPS also you should add
static (inside,outside) tcp interface 443 192.168.1.3 443 netmask 255.255.255.255
Notice though by doing a Static PAT for port TCP/443 you will prevent using ASDM or SSL VPN from the external network unless you change their ports or use a different port for the Static PAT. Then again, it seems you are not using either from the external network so should not be a problem.
I think the only problem with the actual configuration is the ACL. You are allowing the traffic to the real IP address of the server. Now this would be correct if you were running a newer software that is 8.3 (or above) but since you are in the older software levels 8.2 (and below) you should still allow the connections to the public/mapped IP address of the host.
So you could try this
access-list external permit tcp any interface outside eq 80
access-list external permit tcp any interface outside eq 443
You can remove the previous rules for your server on the "external" ACL.
Hope this helps :)
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide