cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7071
Views
0
Helpful
9
Replies

Problem with nat / access rule for webserver in inside network asa 5505 7.2

Icharus83
Level 1
Level 1

Hello,

i have trouble setting up nat and access rule for webserver located in inside network.

I have asa 5505 version 7.2 and it has to active interfaces, inside 192.168.123.0 and outside x.x.x.213

Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.

I have created an static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.

What am i doing wrong?

1 Accepted Solution

Accepted Solutions

Hi,

Two problems, the packet tracer on the destination should have the public IP instead of the private, that in regards of the packet tracer  And the source port  on the acl configurationshould be blank, as TCP source port is whatever up from 1023 to 65535, so your access list should look like

access-list permit tcp any host x.x.x.213 eq 80

Hope it helps.

Mike.

Mike

View solution in original post

9 Replies 9

cadet alain
VIP Alumni
VIP Alumni

Hi,

in your ACL you must  use the outside interface IP not the inside IP.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

no help from changing outside ip to access rule.

If i try to browse to our public ip from local machine (behind asa, and webserver is in same subnet behind asa also), i can browse it with local ip but not with public (188.x.x.213), and i get error in syslog:

TCP access denied by ACL from 192.168.123.3/58499 to inside:188.x.x.213/80

Hi,

if you want to access the server with outside IP from inside , there are 2 ways:

-hairpinning

-dns doctoring

here is a link for the config:http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Regards.

Alain

Don't forget to rate helpful posts.

Major problem is that i cannot access webserver from outside network, syslog does not say anything when i try. VPN is working okay.

Hi,

can you do a packet-tracer for traffic going to the server and post output.

Regards.

Alain

Don't forget to rate helpful posts.

Command:

packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.123.0   255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x35418d8, priority=500, domain=permit, deny=true

    hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=188.x.x.213, mask=255.255.255.255, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Two problems, the packet tracer on the destination should have the public IP instead of the private, that in regards of the packet tracer  And the source port  on the acl configurationshould be blank, as TCP source port is whatever up from 1023 to 65535, so your access list should look like

access-list permit tcp any host x.x.x.213 eq 80

Hope it helps.

Mike.

Mike

Maykol Rojas,

Changing the access list did the trick, thanks problem solved.

Glad I was able to help

Cheers,

Mike

Mike
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: