11-20-2013 12:31 PM - edited 03-11-2019 08:07 PM
I have already assigned a public IP address to the outside interface of the ASA. My requirement is to configure the firewall to host my web server publicly using a public IP that is not assigned to the outside interface but is from a different subnet. I have made every configuration I can, but I cannot ping or connect to my web server. I can ping the web server from my ASA, but from outside I cannot reach my web server. Could anyone help me with this, because I am facing a problem.
Below is the configuration of the firewall
Server IP address: 10.10.10.4 (local, reachable)
Public IP address: 78.72.232.66 (default gateway)
show run configuration of the firewall
:
ASA Version 8.2(5)
!
hostname TAD-FW
domain-name tadrees.com
enable password lpW.MGeEHg0ISQZq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Connected to TAD-Router G0/1
nameif outside
security-level 0
ip address 78.72.29.174 255.255.255.252
!
interface Ethernet0/1
description Connected to Cisco SMB Switch G1
nameif inside
security-level 100
ip address 10.15.1.1 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
banner login ******** TADREES FIREWALL ********
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 84.22.224.11
name-server 84.22.224.12
domain-name tadrees.com
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list Mename-Access extended permit tcp any host78.72.232.66 eq https
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool sslvpnpool 10.1.1.1-10.1.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255
access-group Mename-Access in interface outside
!
router rip
network 10.0.0.0
version 2
!
route outside 0.0.0.0 0.0.0.0 78.72.29.173 1
route inside 10.10.10.4 255.255.255.255 10.15.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TAD-AD protocol nt
aaa-server TAD-AD (inside) host 10.10.10.1
aaa authentication ssh console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 2
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
no anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
internal-password enable
group-policy sslvpn internal
group-policy sslvpn attributes
wins-server none
dns-server none
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value tadrees.com
group-policy DfltGrpPolicy attributes
webvpn
svc ask enable default webvpn timeout 30
username asad password GxozRbsh8Rp9vCkf encrypted privilege 15
username cisco password HWFflA1bzYiq7Uut encrypted privilege 15
username naveed password d8KsovrcdE3to7qt encrypted privilege 15
tunnel-group TAD-SSLV type remote-access
tunnel-group TAD-SSLV general-attributes
address-pool sslvpnpool
authentication-server-group TAD-AD LOCAL
default-group-policy sslvpn
tunnel-group TAD-SSLV webvpn-attributes
group-alias ssl enable
group-url https://78.93.29.174/ssl enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cec976b762f5e1d9d9856eeb4dea4019
: end
11-20-2013 12:45 PM
From your config -
static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255
the second octet is 722, which is obviously not a valid octet. Should it be 72 instead?
Jon
11-20-2013 12:47 PM
Please check the subnet that you put on the outside interface of the ASA.
interface Ethernet0/0
description Connected to TAD-Router G0/1
nameif outside
security-level 0
ip address 78.72.29.174 255.255.255.252
The static is on another network scheme:
static (inside,outside) tcp 78.72..232.66 www 10.10.10.4 www netmask 255.255.255.255
Are you routing this network to the firewall external interface?
11-20-2013 12:48 PM
You specified that the address for the static PAT is your gateway?????
11-20-2013 01:03 PM
Dear jumora, John,
The issue is that the ISP provided the public IP that I assigned to the outside interface (78.93.29.174). Now, when I requested a new public IP for hosting one of my web servers, the ISP gave me this public IP (78.93.232.66), and the ISP even says that they enabled routing between 78.96.29.174 and 78.93.232.66, and my connection is an ADSL connection. So, coming to the issue: must I assign the new public IP to the outside interface, where I already have the existing public IP, or can I directly use the new public IP for hosting the web server?
Please help me in this regard; I am confused about what to do.
11-20-2013 01:34 PM
You do not need to assign the new public IP to an interface. As long as the ISP is routing that IP to your firewall, then it should work with a simple static statement.
I haven't used ASAs for a while. Can you see my first post? Is 722 just a typo? I don't even know whether the ASA would let you enter this, but if it would, you need to change it.
Jon
11-20-2013 01:33 PM
If they say that it is routing to the ASA all you can do is setup captures to see if traffic is getting to the ASA and review logs.
If you post your number we can talk.
11-20-2013 01:39 PM
Jumora
It's been a while since I used the ASA. Would the ASA allow you to enter an invalid IP in the static statement as it appears in the original config posted, or would it complain and not allow it?
Jon
11-20-2013 01:47 PM
No, it would not. I saw the same thing, thinking that he just put a typo.
11-20-2013 01:59 PM
I am confused now; I am not getting what to do.
Does someone have a solution for this issue, friends?
11-20-2013 02:08 PM
From your config -
route inside 10.10.10.4 255.255.255.255 10.15.1.1 1
10.15.1.1 is the inside interface of the ASA, which doesn't make sense, especially as you say you can ping 10.10.10.4. Surely the next hop should be a different 10.15.1.x address. I'm just wondering if there is a routing issue within your internal network. When the packets arrive at the web server the source IP will be an internet address, so what is the default gateway for the web server, i.e. a router or L3 switch, and does that device know where to send the packets?
If you're not sure, pick an internet IP and do a traceroute from the web server and see if it gets to the inside interface of the ASA.
Jon
11-20-2013 02:13 PM
Solution, give me your number so we can talk about or setup captures on the ASA to confirm that traffic from the Internet is being routed correctly to the ASA and also review logs.
capture out interface outside match ip any host 78.93.232.66
capture in interface inside match ip any host 10.10.10.4
After you try to access the server via the public IP from an Internet client check the captures:
show capture
If you see packets in the capture, download them:
https://10.15.1.1/capture/in/pcap
https://10.15.1.1/capture/out/pcap
It will ask you for your credentials to be able to download the file.
Check logs via ASDM:
Log into ASDM > Monitoring > logging > Real Time log viewer
Type in the external IP address of the server and run another test, if you see logs post them
11-20-2013 02:15 PM
Well, he has RIP:
router rip
network 10.0.0.0
version 2
He should be able to forward a show route to us to check and run this packet tracer.
packet-tracer input outside tcp 4.2.2.2 1025 78.93.232.66 80 detail
show route
11-20-2013 02:16 PM
Just post your number or give me access to the device and I will tell you if it works or not.
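The replies above point at defects a reader can spot in the posted config by eye: the invalid 722 octet in the static, a static global address that is not in the outside interface's /30 (so it only works if the ISP really routes that address to the ASA, as the OP says it does), and an inside route whose next hop is the ASA's own inside address. The following Python script is an added example, not part of the thread and not Cisco tooling; it re-checks those points (plus the "host78.72.232.66" spacing on the ACL line and the https permit that no static translates) against an excerpt of the posted config, then against the same excerpt with the suggested fixes applied. The 10.15.1.2 next hop in the fixed copy is an assumption; the thread only says it must not be 10.15.1.1.

```python
"""Lint an ASA 8.2-style config excerpt for the static-PAT pitfalls raised in this thread.

Added example, not a Cisco tool. Reports: IPv4 addresses that do not parse, a static
global address outside the outside-interface subnet (needs ISP routing), access-list
permits with no matching static, and routes whose next hop is the ASA's own address.
"""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25}

# Excerpt of the config posted in the thread, typos included.
CONFIG_POSTED = """\
interface Ethernet0/0
 nameif outside
 ip address 78.72.29.174 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 ip address 10.15.1.1 255.255.255.248
!
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list Mename-Access extended permit tcp any host78.72.232.66 eq https
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255
access-group Mename-Access in interface outside
route outside 0.0.0.0 0.0.0.0 78.72.29.173 1
route inside 10.10.10.4 255.255.255.255 10.15.1.1 1
"""

# Same excerpt with the fixes the replies suggest. 10.15.1.2 is an assumed next hop:
# the thread only says it must be a 10.15.1.x address other than the ASA's own 10.15.1.1.
CONFIG_FIXED = (CONFIG_POSTED
                .replace("78.722..232.66", "78.72.232.66")
                .replace("host78.72", "host 78.72")
                .replace("255.255.255.255 10.15.1.1 1", "255.255.255.255 10.15.1.2 1"))


def parse_ip(tok):
    """IPv4Address for a dotted quad, or None when it does not parse (e.g. octet 722)."""
    try:
        return ipaddress.IPv4Address(tok)
    except ValueError:
        return None


def port_number(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok, -1)


def parse_interfaces(lines):
    """Map nameif -> IPv4Interface for every interface block that has a name and an address."""
    ifaces, name, addr = {}, None, None
    for ln in lines:
        t = ln.split()
        if not t:
            continue
        if t[0] == "interface":
            name, addr = None, None
        elif t[0] == "nameif" and len(t) > 1:
            name = t[1]
        elif t[:2] == ["ip", "address"] and len(t) >= 4:
            addr = f"{t[2]}/{t[3]}"
        if name and addr and name not in ifaces:
            ifaces[name] = ipaddress.IPv4Interface(addr)
    return ifaces


def parse_statics(lines, findings):
    """Collect (outside_if, proto, global_ip, global_port, local_ip, local_port) per static."""
    statics = []
    for ln in lines:
        t = ln.split()
        if len(t) < 4 or t[0] != "static":
            continue
        out_if = t[1].strip("()").split(",")[-1]
        if t[2] in ("tcp", "udp") and len(t) >= 7:     # static PAT form
            proto, gip, gport, lip, lport = t[2], t[3], port_number(t[4]), t[5], port_number(t[6])
        else:                                            # one-to-one static NAT form
            proto, gip, gport, lip, lport = None, t[2], None, t[3], None
        bad = [x for x in (gip, lip) if parse_ip(x) is None]
        if bad:
            findings.append(f"invalid IPv4 address {bad[0]!r} in: {ln.strip()}")
            continue
        statics.append((out_if, proto, parse_ip(gip), gport, parse_ip(lip), lport))
    return statics


def parse_acl_entries(lines, findings):
    """Return (acl, proto, dst, port) for 'access-list X extended permit ...' lines."""
    entries = []
    for ln in lines:
        t = ln.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended" or t[3] != "permit":
            continue
        proto, rest = t[4], t[5:]

        def take(i):
            """Consume one address spec starting at rest[i]; tolerate 'hostA.B.C.D'."""
            if rest[i] == "any":
                return "any", i + 1
            if rest[i] == "host":
                return rest[i + 1], i + 2
            if rest[i].startswith("host") and parse_ip(rest[i][4:]):
                findings.append(f"malformed token {rest[i]!r} (missing space after 'host') in: {ln.strip()}")
                return rest[i][4:], i + 1
            return f"{rest[i]} {rest[i + 1]}", i + 2

        try:
            _, i = take(0)
            dst, i = take(i)
        except IndexError:
            findings.append(f"could not parse: {ln.strip()}")
            continue
        port = port_number(rest[i + 1]) if i + 1 < len(rest) and rest[i] == "eq" else None
        entries.append((t[1], proto, dst, port))
    return entries


def lint(text):
    """Return human-readable findings for one config text, in a fixed order."""
    lines = text.splitlines()
    findings = []
    ifaces = parse_interfaces(lines)
    statics = parse_statics(lines, findings)
    # Each permit to host X port P needs a static that owns X (any proto) or X:P.
    for acl, proto, dst, port in parse_acl_entries(lines, findings):
        dst_ip = parse_ip(dst)
        if dst_ip is None or port is None:
            continue
        covered = any(gip == dst_ip and (sp is None or (sp == proto and gport == port))
                      for _, sp, gip, gport, _, _ in statics)
        if not covered:
            findings.append(f"access-list {acl} permits {proto}/{port} to {dst_ip} but no static translates it")
    # A global address off the outside subnet depends on the ISP routing it to the ASA.
    for out_if, _, gip, _, _, _ in statics:
        outside = ifaces.get(out_if)
        if outside and gip != outside.ip and gip not in outside.network:
            findings.append(f"note: {gip} is not in {outside.network}; this works only if the ISP "
                            f"routes {gip} to {outside.ip} (confirm with a capture on the outside interface)")
    # A route's next hop must be another device on that subnet, never the ASA itself.
    for ln in lines:
        t = ln.split()
        if len(t) < 5 or t[0] != "route":
            continue
        iface, nexthop = ifaces.get(t[1]), parse_ip(t[4])
        if iface is None or nexthop is None:
            continue
        if nexthop == iface.ip:
            findings.append(f"route via {t[1]} uses the ASA's own address {nexthop} as next hop: {ln.strip()}")
        elif nexthop not in iface.network:
            findings.append(f"next hop {nexthop} is not on {t[1]} ({iface.network}): {ln.strip()}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_POSTED), ("after fixes", CONFIG_FIXED)):
        print(f"== {label} ==")
        for f in lint(cfg):
            print(" -", f)
```

Run it with python3 and it lists five findings for the posted excerpt and two for the fixed one. The remaining "note" is not an error: it is exactly the condition the replies say to confirm with the outside capture and packet-tracer, since a static cannot make the ISP deliver packets for an address it never routed to the ASA. The leftover https finding is also real: the ACL permits 443 to the new address, but the only static forwards port 80.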