Cisco Support Community
New Member

How do I allow access over port 80 to webserver in DMZ

Hello!

I am fairly new to this level of configuration and was hoping someone would grace me with their knowledge.  

My current setup is that I have a webserver (10.1.10.5) in a DMZ with its SQL counterpart on the inside.  Traffic is flowing correctly between the two as well as from the DMZ to the internet, however, I cannot access the website on the webserver from the public internet.  

When I run canyouseeme.org on the webserver it shows that port 80 is not getting traffic.  Any ideas on how to fix my config?  I've been /headdesk on this one. 

Thanks!

20 REPLIES
VIP Purple

Your config looks fine. You have a translation for the server and the ACL allows it. Your NAT config seems to be overly complicated but is not the cause of the problem as I see it.

1) Is the Webserver active? Run a "ping tcp 10.1.10.5 80".

2) what is the output of "packet-tracer input outside tcp 1.2.3.4 1234 YOUR-OUTSIDE-IP 80".


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Thanks for the reply Karsten.

 

1 - The ping test:

Sending 5 TCP SYN requests to 10.1.10.5 prot 80 from 10.1.10.1, timeout is 2 seconds:

Success rate is 100 percent (5/5)

2 - Attached

VIP Purple

I think it really could be a NAT-problem. Please change your NAT the following way:

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS route-lookup no-proxy-arp
no nat (outside,inside) source static VPN-HOSTS VPN-HOSTS
no nat (outside,outside) source dynamic INSIDE-HOSTS interface
no nat (inside,dmz) source static OBJ-10.0.10.0-24 OBJ-10.0.10.0-24

object network obj_any
 no nat (inside,outside) dynamic interface
object network DMZ_outside
 no nat (dmz,outside) dynamic interface

nat (dmz,outside) after-auto source dynamic any interface

These changes shouldn't remove any functionality, but many of the rules are probably not needed as they don't make any sense.


New Member

Good morning Karsten,

I have cleaned up the rules as you specified with the exception of below.  Since I could not get that command to run I haven't removed the corresponding NAT (I assume your rule combines the two separate rules).


nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static
VPN-HOSTS VPN-HOSTS route-lookup no-proxy-arp
                                                                 ^
ERROR: % Invalid input detected at '^' marker.

I'm attaching the updated running config. 

I ran the packet sniffer again and attached results.

Thanks!

 

VIP Purple

Sorry, I mixed up the order of the keywords in the first line. This should work now and the other lines are also not needed:

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS no-proxy-arp route-lookup
no nat (outside,inside) source static VPN-HOSTS VPN-HOSTS
no nat (outside,outside) source dynamic INSIDE-HOSTS interface

 


New Member

I've applied that - thank you.  The new running config attached.  

The webserver is still not playing nice with the outside world.  Since the error message on the tracer isn't giving me specifics is it possible I've gotten interfaces mixed up somewhere?

 

I tried the following but it was unsuccessful:

ciscoasa(config)# no access-group dmz_acl in interface dmz
ciscoasa(config)# access-group dmz_acl in interface outside

After looking at this I think the correct form is actually:

access-group outside_acl in interface outside

The outside_acl is what contains the rules for the WEBSERVER-TCP80.  I removed the dmz_acl.  I think it may have been from a prior attempt to get this working.

 

 

New Member

My latest config is attached...I've been trying various things but have not had any luck thus far.  I'm probably going to end up with a lot of junk in there I do not need.

VIP Purple

This is again the initial config that will cause NAT-problems.

Here is a cleaned up NAT- and (outside) ACL config which you need for the server and the VPN-communication:

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS no-proxy-arp route-lookup
!
object network WEBSERVER-TCP80
 nat (dmz,outside) static interface service tcp www www
!
nat (any,outside) after-auto source dynamic any interface
!
access-list outside_acl extended permit tcp any object WEBSERVER-TCP80 eq www
access-group outside_acl in interface outside

  


New Member

I removed that extraneous VPN rule as instructed and matched up my config with yours.  How else might I track down the point of failure?

 

Appreciate your time sir!

VIP Purple

What is the result of the packet-tracer with that config?


New Member

The new packet sniff results are attached.  Still being dropped somewhere.  =\

New Member

So I was finally able to get it to pass traffic.  I had the NAT interfaces backwards. 

My rule should have read:

object network WEBSERVER-TCP80
 host 10.1.10.5
 nat (DMZ,outside) static interface service tcp www www

My new issue is figuring out why it will not accept the domain address.  It only seems to go through if I enter the IP address.

New Member

Additional bit of information.  I was watching the ASDM log as I attempted to hit the webserver.  I got the following message:

TCP access denied by ACL from xx.xx.xx.xx/60382 to outside: xx.xx.xx.xx/80

It shows the destination as the correct IP and the port as the correct port.

VIP Purple

Where do you want to use a domain name? In this setup with traffic coming from outside, it will probably not work. If you use an object for your server with an FQDN in the ACL, it has to resolve to the internal IP in the DMZ.


New Member

I'd like users on the Inside interface to be able to enter the web address of the webserver application and access it without having to use the internal IP.  I may have to accomplish this using an actual DNS server.

VIP Purple

Can you use a dedicated public IP for the webserver? Then you can tweak the DNS replies so that the ASA changes the public address in a DNS reply to the actual IP of the server. But that doesn't work if only a port is forwarded. If you can, the translation looks like the following:

object network WEBSERVER-TCP80
 nat (dmz,outside) static a.b.c.d dns

 

Other ways are to configure the FQDN in your internal DNS with the private IP, or use destination NAT for the public IP. But that again makes your config more complex and harder to troubleshoot.

 

 


New Member

Unfortunately I only have the 1 static IP address.  

 

Would something like this work?

object network internal
 range 192.168.0.1 192.168.0.254
object network external
 host [IP address of your WAN interface]
object network server-internal
 host [server internal IP address]
object network server-external
 host [server external (NATted) IP address]
nat (internal, internal) source static internal external destination static server-external server-internal
VIP Purple

That goes into the right direction (if you really want to go that way):

The destination is changed statically from server-external to server-internal. But you don't have to change the source address. These addresses can be dynamically identity-natted. And if I remember right, the interfaces are (inside,dmz) in this scenario, but I don't remember exactly:

nat (inside, dmz) source dynamic internal internal destination static server-external server-internal

 


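Both fixes in this thread, the reversed interface pair in the webserver's object NAT ("I had the NAT interfaces backwards") and the twice-NAT rule just above for inside users, come down to one question: does the real-side object actually sit behind the interface the rule names? The script below is an added example, not Cisco code and not any of the attached configs. It parses a constructed config fragment (the interface addresses 203.0.113.10 and 192.168.0.1 are assumptions; 10.1.10.5 and 10.1.10.1 appear in the thread) and reports every NAT rule whose real source, or real destination in a twice-NAT rule, is not on the connected subnet of the interface named for it.

```python
"""Check ASA NAT statements against the interface subnets in a config.
Added example for this thread (not Cisco's code); interface addresses
other than 10.1.10.x are constructed."""
import ipaddress
import re
from collections import namedtuple

NatRule = namedtuple("NatRule", "real_if mapped_if real_src real_dst text")
NAT_PAIR = re.compile(r"nat\s*\(\s*([\w-]+)\s*,\s*([\w-]+)\s*\)")

# Constructed: the webserver object NAT with the interface pair reversed.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 10.1.10.1 255.255.255.0
object network WEBSERVER-TCP80
 host 10.1.10.5
 nat (inside,outside) static interface service tcp www www
"""

# The same config with the pair corrected, as in the thread's resolution.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "nat (inside,outside) static", "nat (dmz,outside) static")

# Corrected config plus the twice-NAT rule from the accepted answer, so
# inside users reach the server through the public address.
HAIRPIN_CONFIG = FIXED_CONFIG + """\
object network internal
 range 192.168.0.1 192.168.0.254
object network server-external
 host 203.0.113.10
object network server-internal
 host 10.1.10.5
nat (inside,dmz) source dynamic internal internal destination static server-external server-internal
"""


def _parse_twice_nat(line):
    """nat (REAL_IF,MAPPED_IF) source {static|dynamic} REAL MAPPED
    [destination static MAPPED_DST REAL_DST] ... -> NatRule or None."""
    m = NAT_PAIR.search(line)
    tokens = line.split()
    if not m or "source" not in tokens:
        return None
    real_src = tokens[tokens.index("source") + 2]
    real_dst = None
    if "destination" in tokens:
        real_dst = tokens[tokens.index("destination") + 3]
    return NatRule(m.group(1), m.group(2), real_src, real_dst, line.strip())


def parse_config(text):
    """Return (interfaces, objects, nat_rules): nameif -> ip_network,
    object name -> (first, last) address, and the list of NatRule."""
    interfaces, objects, rules = {}, {}, []
    nameif = obj = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if not raw.startswith(" "):              # top-level command
            nameif = obj = None
            if tokens[:2] == ["object", "network"]:
                obj = tokens[2]
            elif tokens[0] == "nat":
                rule = _parse_twice_nat(raw)
                if rule:
                    rules.append(rule)
            continue
        if tokens[0] == "nameif":
            nameif = tokens[1]
        elif tokens[:2] == ["ip", "address"] and nameif:
            interfaces[nameif] = ipaddress.ip_network(
                f"{tokens[2]}/{tokens[3]}", strict=False)
        elif obj and tokens[0] == "host":
            a = ipaddress.ip_address(tokens[1])
            objects[obj] = (a, a)
        elif obj and tokens[0] == "range":
            objects[obj] = (ipaddress.ip_address(tokens[1]),
                            ipaddress.ip_address(tokens[2]))
        elif obj and tokens[0] == "subnet":
            n = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
            objects[obj] = (n.network_address, n.broadcast_address)
        elif obj and tokens[0] == "nat":         # object NAT: the object is the real source
            m = NAT_PAIR.search(raw)
            rules.append(NatRule(m.group(1), m.group(2), obj, None, raw.strip()))
    return interfaces, objects, rules


def check_nat(text):
    """Return findings; an empty list means every real-side object sits
    behind the interface its rule names (connected subnets only)."""
    interfaces, objects, rules = parse_config(text)
    findings = []
    for r in rules:
        missing = [i for i in (r.real_if, r.mapped_if) if i not in interfaces]
        if missing:
            findings.append(f"{r.text}: interface {missing[0]!r} is not defined")
            continue
        # Real source lives behind the real interface; the real destination
        # (last object of "destination static MAPPED REAL") behind the mapped one.
        for role, ifname, name in (("real source", r.real_if, r.real_src),
                                   ("real destination", r.mapped_if, r.real_dst)):
            if name not in objects:              # "any", "interface", undefined
                continue
            lo, hi = objects[name]
            if lo in interfaces[ifname] and hi in interfaces[ifname]:
                continue
            homes = [n for n, s in interfaces.items() if lo in s and hi in s]
            hint = f"; it is behind {homes[0]!r}" if homes else ""
            findings.append(f"{r.text}: {role} {name} ({lo}) is not behind {ifname!r}{hint}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("hairpin", HAIRPIN_CONFIG)):
        print(label, check_nat(cfg) or "OK")
```

The check only knows directly connected subnets (it does not read route statements), so objects behind a routed hop, such as VPN peers reached through outside, would be reported unless their networks are added to the interface table. Its value is the mechanical question packet-tracer answers only with a generic drop: the reversed `(inside,outside)` pair is flagged with the interface that actually owns 10.1.10.5, and the OP's `nat (internal, internal)` draft is rejected because no such interface exists.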
New Member

This worked :)  I had to create another rule above it to allow my SQL server to still communicate with the webserver using internal IPs.  I'm good with everything else being outside.  


Thanks so much for all of your insight.  You've been a great help!

VIP Purple

Fine that it works. And now don't forget to go to

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html

for even more NAT-knowledge ... ;-)

