
New Member

Problem configuration ASA 8.2 With HTTP access OUTDOOR

Hello

I have a problem: I want to access my HTTP server in my local network from the outside.

192.168.2.42: this is my HTTP server

195.X.X.X: this is my internet IP; it is connected on eth 0/4

static (DMZ,Orange) 195.X.X.X 192.168.2.42 netmask  255.255.255.255

access-list outside-acl permit tcp any host 195.X.X.X eq 80

access-group outside-acl in int orange

but it is not working. Why?

Thanks for your help

15 REPLIES
VIP Purple

Re: Problem configuration ASA 8.2 With HTTP access OUTDOOR

"Orange" is your interface with the default-route to the internet?

You can use packet-tracer to look at what the ASA would do with a packet:

packet-tracer input Orange tcp 1.2.3.4 1234 195.X.X.X 80


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Problem configuration ASA 8.2 With HTTP access OUTDOOR

Yes

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (DMZ,ORANGE) 195.X.X.X 192.168.2.42 netmask 255.255.255.255

nat-control

  match ip DMZ host 192.168.2.42 ORANGE any

    static translation to 195.X.X.X

    translate_hits = 26, untranslate_hits = 1

Additional Information:

NAT divert to egress interface DMZ

Untranslate 195.X.X.X/0 to 192.168.2.42/0 using netmask 255.255.255.255

VIP Purple

Problem configuration ASA 8.2 With HTTP access OUTDOOR

That looks good, but half of the packet-tracer output is missing ...


New Member

Problem configuration ASA 8.2 With HTTP access OUTDOOR

Sorry

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside-acl in interface ORANGE

access-list outside-acl extended permit tcp any host 195.x.x.x eq www

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (DMZ,ORANGE) 195.x.x.x 192.168.2.42 netmask 255.255.255.255

nat-control

  match ip DMZ host 192.168.2.42 ORANGE any

    static translation to 195.x.x.x

    translate_hits = 0, untranslate_hits = 1

Additional Information:

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (DMZ,DMZ) tcp interface www 192.168.2.42 www netmask 255.255.255.255

nat-control

  match tcp DMZ host 192.168.2.42 eq 80 DMZ any

    static translation to 192.168.2.1/80

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2838450, packet dispatched to next module

Result:

input-interface: ORANGE

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

VIP Purple

Problem configuration ASA 8.2 With HTTP access OUTDOOR

Your ASA says it would allow the connection to the Server. So it's likely that the problem is somewhere else.

A local firewall on the server, or other devices on the path that filter traffic?


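As an added example (not code from the thread or from Cisco), here is a Python parser for packet-tracer output that extracts the final action, the first DROP phase with its drop reason, and the UN-NAT "Untranslate" line, so the verdict Karsten read off the output above can be checked mechanically instead of by eye. The two sample traces are constructed: SAMPLE_ALLOW abbreviates the phases posted above with the placeholder addresses kept; SAMPLE_DROP is an invented ACL-denied trace in the same format. Function names are mine.

```python
"""Parse Cisco ASA `packet-tracer` output and pull out the verdict.

Added example, not from the thread or from Cisco. SAMPLE_ALLOW is constructed
from the phases posted in the thread (placeholder addresses kept); SAMPLE_DROP
is an invented ACL-denied trace in the same format.
"""
import re


def parse_packet_tracer(text):
    """Return (phases, final): the numbered phases and the trailing Result block."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"number": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Result" and not value:        # a bare "Result:" opens the summary block
            cur, section = None, "final"
        elif section == "final":
            final[key] = value                   # "Action: drop", "Drop-reason: (...) ..."
        elif cur is None:
            continue
        elif key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = value
        elif key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif section in ("config", "info"):
            cur[section].append(line)            # ACL/static lines, "Untranslate ...", etc.
    return phases, final


def diagnose(text):
    """Summarise what the ASA would do with the traced packet."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    untranslate = next((l for p in phases for l in p["info"]
                        if l.startswith("Untranslate")), None)
    return {
        "action": final.get("Action", "").lower(),
        "egress": final.get("output-interface"),
        "drop_phase": (f"{drop['number']} {drop['type']}/{drop['subtype']}".rstrip("/ ")
                       if drop else None),
        "drop_reason": final.get("Drop-reason"),
        "untranslate": untranslate,
    }


# Constructed from the thread's output (abbreviated, placeholder addresses kept).
SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ,ORANGE) 195.X.X.X 192.168.2.42 netmask 255.255.255.255
Additional Information:
NAT divert to egress interface DMZ
Untranslate 195.X.X.X/0 to 192.168.2.42/0 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-acl in interface ORANGE
access-list outside-acl extended permit tcp any host 195.X.X.X eq www
Additional Information:
Result:
input-interface: ORANGE
output-interface: DMZ
Action: allow
"""

# Invented trace of the same shape, denied by the implicit ACL rule.
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: ORANGE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Paste the full `packet-tracer` output into `diagnose()`; when `action` is `drop`, `drop_phase` names the phase (for example the ACL or NAT step) that rejected the packet, and `untranslate` confirms which static the packet matched.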
New Member

Problem configuration ASA 8.2 With HTTP access OUTDOOR

No, I have no other equipment that filters traffic, and my server is a Debian box with just Apache.

VIP Purple

Problem configuration ASA 8.2 With HTTP access OUTDOOR

Have you double-checked the IP config of the server? Default gateway pointing to the ASA? Webserver running?


New Member

Problem configuration ASA 8.2 With HTTP access OUTDOOR

Yes, I can access my webserver locally.

VIP Purple

Problem configuration ASA 8.2 With HTTP access OUTDOOR

Can the webserver reach the internet through the ASA?



Problem configuration ASA 8.2 With HTTP access OUTDOOR

Hello Pierre,

Adding to what Karsten has told you, can you create some captures:

capture capin interface dmz match tcp any host 192.168.2.42 eq 80

capture caporange interface orange match tcp any host 195.xx.xx.xx eq 80

capture asp type asp-drop all circular-buffer

Then try to connect from the outside world to 195.xx.xx.xx on port 80. After you have done that, please provide me the following information:

show cap caporange

show cap capin

show cap asp | inc 192.168.2.42

Regards,

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Problem configuration ASA 8.2 With HTTP access OUTDOOR

Hello, thanks for your help.

This capture didn't work:

capture capin interface dmz match tcp any host 192.168.2.42 eq 80

show cap asp | inc 192.168.2.42

This capture worked:

capture caporange interface orange match tcp any host 195.xx.xx.xx eq 80:

1: 09:13:01.401773 802.1Q vlan#5 P0 195.6.x.x.48991 > 195.X.X.X.80: S 3140373812:3140373812(0) win 8192

   2: 09:13:04.405038 802.1Q vlan#5 P0 195.6.x.x.48991 > 195.X.X.X.80: S 3140373812:3140373812(0) win 8192

   3: 09:13:10.398477 802.1Q vlan#5 P0 195.6.x.x.48991 > 195.X.X.X.80: S 3140373812:3140373812(0) win 8192

   4: 09:13:22.397547 802.1Q vlan#5 P0 195.6.x.x.59070 > 195.X.X.X.80: S 3721082928:3721082928(0) win 8192

   5: 09:13:25.405496 802.1Q vlan#5 P0 195.6.x.x.59070 > 195.X.X.X.80: S 3721082928:3721082928(0) win 8192

   6: 09:13:31.398920 802.1Q vlan#5 P0 195.6.x.x.59070 > 195.X.X.X.80: S 3721082928:3721082928(0) win 8192

but I think I have a problem between my ASA 5505 and my modem

195.6.x.x > 195.X.X.X.80:

VIP Purple

Re: Problem configuration ASA 8.2 With HTTP access OUTDOOR

The capture shows that the packets reach the ASA, but no traffic is coming back. If the problem were the modem-ASA connection, the packets couldn't reach the ASA.

What didn't work with the capture "capin"? And can your server reach the internet through the ASA?


New Member

Re: Problem configuration ASA 8.2 With HTTP access OUTDOOR

Yes, if I ping www.google.fr from my webserver it succeeds, and a ping from the ASA to my webserver succeeds.

Re: Problem configuration ASA 8.2 With HTTP access OUTDOOR

Hello Pierre,

Do the following:

show cap asp | inc 195.X.X.X and provide us the output you get.

Regards,

Julio

New Member

Re: Problem configuration ASA 8.2 With HTTP access OUTDOOR

show capture asp | inc 195.6.100.5

1: 10:04:36.360516 802.1Q vlan#5 P0 90.149.249.151 > 195.6.100.5: icmp: host 90.149.249.151 unreachable - admin prohibited filter

   2: 10:04:37.985300 802.1Q vlan#5 P0 90.149.249.151 > 195.6.100.5: icmp: host 90.149.249.151 unreachable - admin prohibited filter

   6: 10:04:39.363277 802.1Q vlan#5 P0 90.149.249.151 > 195.6.100.5: icmp: host 90.149.249.151 unreachable - admin prohibited filter

   7: 10:04:39.651043 802.1Q vlan#5 P0 208.82.7.77.443 > 195.6.100.5.50051: . ack 660554390 win 8

   8: 10:04:39.654293 802.1Q vlan#5 P0 208.82.7.77.443 > 195.6.100.5.50051: . ack 660554427 win 7

  10: 10:04:40.992304 802.1Q vlan#5 P0 90.149.249.151 > 195.6.100.5: icmp: host 90.149.249.151 unreachable - admin prohibited filter

  14: 10:04:45.362377 802.1Q vlan#5 P0 90.149.249.151 > 195.6.100.5: icmp: host 90.149.249.151 unreachable - admin prohibited filter

  16: 10:04:46.999856 802.1Q vlan#5 P0 90.149.249.151 > 195.6.100.5: icmp: host 90.149.249.151 unreachable - admin prohibited filter

245: 10:10:34.160636 802.1Q vlan#5 P0 173.37.144.208.443 > 195.6.100.5.65501: . ack 4235667661 win 32768

271: 10:11:00.442954 802.1Q vlan#5 P0 69.171.242.74.80 > 195.6.100.5.57997: R 280852662:280852662(0) ack 3134889716 win 0 Drop-reason: (acl-drop) Flow is denied by configured rule

289: 10:11:06.073665 802.1Q vlan#5 P0 69.171.242.74.80 > 195.6.100.5.48029: R 4181768410:4181768410(0) ack 4072373161 win 0 Drop-reason: (acl-drop) Flow is denied by configured rule
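The diagnostic logic of the posts above (SYNs arriving on the outside interface with nothing coming back, and drop reasons in the asp-drop capture), as an added example in Python; this is not code from the thread or from Cisco. It parses `show capture` lines, lists half-open client SYNs, tallies asp-drop reasons, and compares the outside and DMZ captures to say on which side of the ASA the handshake stalls. OUTSIDE_CAP and ASP_CAP are constructed from the lines posted in the thread (placeholder addresses kept); DMZ_CAP_NO_REPLY is an invented DMZ-side sample; the function and variable names are mine.

```python
"""Correlate ASA `show capture` output from two interfaces to locate where a
TCP handshake stalls.  Added example, not from the thread or from Cisco.
OUTSIDE_CAP and ASP_CAP are constructed from lines posted in the thread
(placeholder addresses kept); DMZ_CAP_NO_REPLY is an invented DMZ-side sample.
"""
import re
from collections import Counter, defaultdict

# "<n>: <time> [802.1Q vlan#N P0] <src.port> > <dst.port>: <flags ...>"
PKT_RE = re.compile(r"^\s*\d+:\s+(\S+)\s+.*?(\S+)\s+>\s+(\S+):\s+(.*)$")
DROP_RE = re.compile(r"Drop-reason:\s*\(([^)]+)\)")


def _endpoint(text):
    """'a.b.c.d.port' -> ('a.b.c.d', port); a bare host (ICMP) -> (host, None)."""
    parts = text.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return text, None


def parse_packet(line):
    m = PKT_RE.match(line)
    if not m:
        return None
    ts, src, dst, info = m.groups()
    sip, sport = _endpoint(src)
    dip, dport = _endpoint(dst)
    drop = DROP_RE.search(info)
    tcp = sport is not None and not info.startswith("icmp")
    flags = info.split()[0] if tcp else ""         # "S", "S.", ".", "R", "P." ...
    return {"ts": ts, "src": sip, "sport": sport, "dst": dip, "dport": dport,
            "tcp": tcp, "syn": "S" in flags, "rst": "R" in flags,
            "ack": " ack " in f" {info} ", "drop": drop.group(1) if drop else None}


def handshakes(capture_text):
    """Map (client, cport, server, sport) -> Counter of syn / synack / rst seen."""
    flows = defaultdict(Counter)
    for p in map(parse_packet, capture_text.splitlines()):
        if not p or not p["tcp"]:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["syn"] and not p["ack"]:
            flows[fwd]["syn"] += 1            # client SYN
        elif p["syn"]:
            flows[rev]["synack"] += 1         # server SYN-ACK, keyed on the client side
        elif p["rst"]:
            flows[rev if rev in flows else fwd]["rst"] += 1
    return flows


def half_open(capture_text):
    """Client SYNs that never got a SYN-ACK or RST: the one-way traffic in the thread."""
    return [k for k, c in handshakes(capture_text).items()
            if c["syn"] and not c["synack"] and not c["rst"]]


def drop_reasons(capture_text):
    """Tally of asp-drop reasons, e.g. {'acl-drop': 2}."""
    return Counter(p["drop"] for p in map(parse_packet, capture_text.splitlines())
                   if p and p["drop"])


def locate_fault(outside_cap, dmz_cap, public_ip, server_ip, port=80):
    """Decide on which side of the ASA the inbound handshake to the server stalls."""
    out, dmz = handshakes(outside_cap), handshakes(dmz_cap)
    out_syn = [k for k, c in out.items() if k[2:] == (public_ip, port) and c["syn"]]
    dmz_syn = [k for k, c in dmz.items() if k[2:] == (server_ip, port) and c["syn"]]
    if not out_syn:
        return "no inbound SYN on the outside interface: upstream (modem/ISP) problem"
    if not dmz_syn:
        return "SYN seen outside but never on DMZ: the ASA dropped it (check NAT/ACL and asp-drop)"
    if not any(dmz[k]["synack"] for k in dmz_syn):
        return "SYN delivered to DMZ but no SYN-ACK: server side (service, host firewall, gateway)"
    if not any(out[k]["synack"] for k in out_syn):
        return "server answered on DMZ but the reply never left outside: return-path NAT/routing"
    return "handshake completes on both interfaces"


OUTSIDE_CAP = """\
1: 09:13:01.401773 802.1Q vlan#5 P0 195.6.x.x.48991 > 195.X.X.X.80: S 3140373812:3140373812(0) win 8192
2: 09:13:04.405038 802.1Q vlan#5 P0 195.6.x.x.48991 > 195.X.X.X.80: S 3140373812:3140373812(0) win 8192
3: 09:13:22.397547 802.1Q vlan#5 P0 195.6.x.x.59070 > 195.X.X.X.80: S 3721082928:3721082928(0) win 8192
"""
DMZ_CAP_NO_REPLY = """\
1: 09:13:01.402001 195.6.x.x.48991 > 192.168.2.42.80: S 3140373812:3140373812(0) win 8192
"""
ASP_CAP = """\
1: 10:04:36.360516 802.1Q vlan#5 P0 90.149.249.151 > 195.6.100.5: icmp: host 90.149.249.151 unreachable - admin prohibited filter
271: 10:11:00.442954 802.1Q vlan#5 P0 69.171.242.74.80 > 195.6.100.5.57997: R 280852662:280852662(0) ack 3134889716 win 0 Drop-reason: (acl-drop) Flow is denied by configured rule
289: 10:11:06.073665 802.1Q vlan#5 P0 69.171.242.74.80 > 195.6.100.5.48029: R 4181768410:4181768410(0) ack 4072373161 win 0 Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Feed the text of `show capture caporange` and `show capture capin` to `locate_fault()`: with an empty DMZ capture, as in the thread, the verdict points at the ASA itself, and `drop_reasons()` over the asp-drop capture (filtered on the public address) is where the matching drop reason should show up.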

560
Views
0
Helpful
15
Replies
CreatePlease to create content