Failed to access web server on inside through ASA5505

nathen121203
Level 1

Hello, I have a very simple issue and need your kind help! I need to access a web server (192.18.81.13) from outside through the ASA5505, and I used static NAT to map it to the interface outside IP, 198.18.81.232. Everything seemed OK, but I failed to access it through http://192.18.81.232; in the Real-time Log Viewer I found no problems. Please find my config attached. Any suggestions? Thank you!

Accepted Solutions

Ok,

Well according to the logs it seems to me that the clients have correct network configurations as they forward the connection to the ASA. The ASA also seems to have a correct configuration as it builds the connection through the ASA but the connection never fully forms between client and server.

I would suggest checking the network settings of the server to confirm that it has its default gateway set.

If that is fine then I would confirm that the service itself is running on the server and no software firewall is blocking the connection attempts. You could naturally test the connectivity with some other TCP based service through the ASA though you would have to configure the same type of Static PAT (Port Forward) and make the ACL rule addition.

- Jouni

5 Replies

Jouni Forss
VIP Alumni

Hi,

So are you saying that there is only the connected network behind the "outside" interface? I can only see a default route that is pointing towards "inside". Or is there an error on the default route, as in a typical setup you would have it towards "outside", or is this ASA somewhere else than the edge of the internal/external network?

As you can see from the logs, the connection is allowed through the ASA but it ends with SYN Timeout. It either means the server does not reply, or the server (and/or devices between it and the ASA) don't have a route towards the "outside" network of the ASA pointing towards the ASA, so the return traffic for the connection doesn't go where it needs to go.

- Jouni

My host is connected directly to ASA, and Web server is through a switch. The actual topology is as below,

firewall.jpg

Checking the gateway sounds very reasonable. I will check next week, no time this week. Thank you!

It was really the gateway to blame. I set the server's default gateway to the firewall's inside IP, then all was OK. To my knowledge there is no need to set a gateway since they are connected by a switch; it is strange to me. Anyway, it is OK now. Thank you very much!
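An added example, not part of the original thread and not Cisco tooling: a short Python script that scans ASA syslog text for 302014 teardown lines ending in "SYN Timeout", the symptom discussed above, and lists the servers that repeatedly never answered. The log lines, the client address 198.18.81.100 and the second server 192.18.81.14 are constructed samples; only 192.18.81.13 and 198.18.81.232 come from the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA 302013/302014 syslog format
# (not taken from the poster's logs).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 101 for outside:198.18.81.100/50001 (198.18.81.100/50001) to inside:192.18.81.13/80 (198.18.81.232/80)
%ASA-6-302014: Teardown TCP connection 101 for outside:198.18.81.100/50001 to inside:192.18.81.13/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 102 for outside:198.18.81.100/50002 (198.18.81.100/50002) to inside:192.18.81.13/80 (198.18.81.232/80)
%ASA-6-302014: Teardown TCP connection 102 for outside:198.18.81.100/50002 to inside:192.18.81.13/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 103 for outside:198.18.81.100/50003 to inside:192.18.81.14/443 duration 0:00:04 bytes 1532 TCP FINs
"""

TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\S+?):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\S+?):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def syn_timeouts(log_text):
    """Count SYN Timeout teardowns per (interface, server IP, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        # SYN Timeout: the ASA forwarded the SYN but the three-way
        # handshake never completed before the embryonic timer expired.
        if m and m["reason"].strip() == "SYN Timeout":
            hits[(m["dst_if"], m["dst"], int(m["dport"]))] += 1
    return hits


def unresponsive_servers(log_text, threshold=2):
    """Servers with at least `threshold` SYN timeouts: check that the
    service is listening, the host firewall, and the default gateway."""
    counts = syn_timeouts(log_text)
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for iface, ip, port in unresponsive_servers(SAMPLE_LOG):
        print(f"{iface}:{ip}/{port} never completed a handshake")
```

A server that shows up here while the ASA logs the connection as built is the pattern from this thread: the firewall side is working and the return path or the service on the server is not.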
