Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2464
Views
0
Helpful
1
Replies

Cisco ASA 5505 setup external access to internal webserver

Go to solution
Paul Grates
Level 1
Level 1

‎10-11-2014 05:16 AM - edited ‎03-11-2019 09:54 PM

I'm hosting internal webserver (ports 80 and 443).
I;m having problems with my Cisco ASA config:

--------------CONFIG BEGIN -----------

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa

names
name 192.168.1.254 ciscoasa
name 192.168.1.0 LAN-Home
name 192.168.1.3 SERVER
name 192.168.1.2 DNS_IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address ciscoasa 255.255.255.0
!
interface Vlan2
 mac-address 04c0.6f3e.a1dc
 nameif outside
 security-level 0
 ip address dhcp setroute
 ipv6 enable
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server DNS_IP
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list external extended deny icmp any any echo-reply
access-list external extended permit tcp any host SERVER eq www
access-list external extended permit tcp any host SERVER eq https
access-list dhcp extended permit ip any any
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside
icmp permit any time-exceeded outside
asdm image disk0:/asdm-715.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
access-group external in interface outside
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AuthInbound protocol radius
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http LAN-Home 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt No Unauthorised Access. Please enter your User Credentials.
auth-prompt accept Welcome! or are you...
auth-prompt reject Access has been denied.

telnet LAN-Home 255.255.255.0 inside
telnet timeout 20
ssh LAN-Home 255.255.255.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcp-client broadcast-flag
dhcp-client client-id interface outside
dhcpd dns DNS_IP
!
dhcpd address 192.168.1.220-192.168.1.250 inside
dhcpd option 3 ip ciscoasa interface inside
dhcpd enable inside
!
dhcprelay timeout 60

threat-detection basic-threat
threat-detection scanning-threat shun duration 900000
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ils
  inspect icmp
!
service-policy global_policy global
prompt hostname context

asdm image disk0:/asdm-715.bin
asdm history enable

------- END CONFIG ---------

I ran:
packet-tracer input outside tcp 0.0.0.0 80 192.168.1.60 80

and i'm getting:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   LAN-Home        255.255.255.0   inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

For the life of me I don't know how to fix this.
Any help would be appreciated.

Thanks
Paul

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-11-2014 05:27 AM

Hi,

 

The actual Static PAT (Port Forward) configuration seems fine. Though since you mention HTTPS also you should add

 

static (inside,outside) tcp interface 443 192.168.1.3 443 netmask 255.255.255.255

 

Notice though by doing a Static PAT for port TCP/443 you will prevent using ASDM or SSL VPN from the external network unless you change their ports or use a different port for the Static PAT. Then again, it seems you are not using either from the external network so should not be a problem.

 

I think the only problem with the actual configuration is the ACL. You are allowing the traffic to the real IP address of the server. Now this would be correct if you were running a newer software that is 8.3 (or above) but since you are in the older software levels 8.2 (and below) you should still allow the connections to the public/mapped IP address of the host.

 

So you could try this

 

access-list external permit tcp any interface outside eq 80
access-list external permit tcp any interface outside eq 443

 

You can remove the previous rules for your server on the "external" ACL.


Hope this helps :)

 

- Jouni

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-11-2014 05:27 AM

Hi,

 

The actual Static PAT (Port Forward) configuration seems fine. Though since you mention HTTPS also you should add

 

static (inside,outside) tcp interface 443 192.168.1.3 443 netmask 255.255.255.255

 

Notice though by doing a Static PAT for port TCP/443 you will prevent using ASDM or SSL VPN from the external network unless you change their ports or use a different port for the Static PAT. Then again, it seems you are not using either from the external network so should not be a problem.

 

I think the only problem with the actual configuration is the ACL. You are allowing the traffic to the real IP address of the server. Now this would be correct if you were running a newer software that is 8.3 (or above) but since you are in the older software levels 8.2 (and below) you should still allow the connections to the public/mapped IP address of the host.

 

So you could try this

 

access-list external permit tcp any interface outside eq 80
access-list external permit tcp any interface outside eq 443

 

You can remove the previous rules for your server on the "external" ACL.


Hope this helps :)

 

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card