New Member

Problem with nat / access rule for webserver in inside network asa 5505 7.2

Hello,

I have trouble setting up NAT and an access rule for a webserver located in the inside network.

I have an ASA 5505 version 7.2 and it has two active interfaces, inside 192.168.123.0 and outside x.x.x.213.

The webserver has IP 192.168.123.11 and it needs to be accessed from outside, IP x.x.x.213.

I have created a static NAT rule with PAT (as an appendix) and access rules from the outside network to the inside interface IP 192.168.123.11 (tcp 80), but no luck.

What am I doing wrong?

ACCEPTED SOLUTION
Cisco Employee

Problem with nat / access rule for webserver in inside network a

Hi,

Two problems. In the packet tracer, the destination should have the public IP instead of the private one (that is in regards to the packet tracer). And the source port on the ACL configuration should be blank, as the TCP source port is whatever from 1023 up to 65535, so your access list should look like:

access-list <acl-name> extended permit tcp any host x.x.x.213 eq 80

Hope it helps.

Mike.

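To make the accepted answer concrete, here is an added example (my code, not from the thread or from Cisco) that implements a minimal matcher for ASA-style extended ACEs and runs two constructed ACLs against a client's web request: one that pins the source port to 80, as the original rule did, and the corrected "any host <public-ip> eq 80" form. It also checks the earlier reply's point that the ACE must name the outside (public) address rather than 192.168.123.11. The grammar is deliberately limited to what the thread uses (any, host A.B.C.D, A.B.C.D MASK, and an optional "eq <port|www>" per side); 192.0.2.213 stands in for the redacted x.x.x.213, 203.0.113.5 is a constructed Internet client, and OUTSIDE_IN is a placeholder ACL name.

```python
# Added example (not from the thread): minimal ASA-style extended ACE matcher.
# Shows why an ACE that pins the *source* port to 80 never matches a browser's
# request, while "any host <public-ip> eq 80" does. Addresses are documentation
# ranges (192.0.2.213 stands in for x.x.x.213), the ACL name is a placeholder.
import ipaddress

WEB_PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK" form; ip_network accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return WEB_PORT_NAMES.get(name) or int(name), i + 2
    return None, i


def parse_ace(line):
    """access-list NAME [extended] permit|deny PROTO SRC [eq P] DST [eq P]"""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    i = 2  # skip "access-list" and the ACL name
    if tokens[i] == "extended":
        i += 1
    action, proto = tokens[i], tokens[i + 1]
    i += 2
    src, i = _parse_addr(tokens, i)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"name": tokens[1], "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, flow):
    """True if the 5-tuple flow is covered by the ACE (ports checked only if the ACE sets them)."""
    if ace["proto"] not in ("ip", flow["proto"]):
        return False
    if ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != flow["sport"]:
        return False
    if ace["dport"] is not None and ace["dport"] != flow["dport"]:
        return False
    return True


def evaluate(acl_lines, flow):
    """First matching ACE wins; no match is the ASA's implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace["action"], line
    return "deny", "implicit deny (no ACE matched)"


# Constructed ACLs: the broken form pins the source port; the fixed form is
# the shape the accepted answer gives.
ACL_WITH_SOURCE_PORT = [
    "access-list OUTSIDE_IN extended permit tcp any eq 80 host 192.0.2.213 eq 80",
]
ACL_FIXED = [
    "access-list OUTSIDE_IN extended permit tcp any host 192.0.2.213 eq 80",
]

# A browser picks an ephemeral source port (58499 is the one in the thread's
# syslog line); only the destination port is 80.
CLIENT_FLOW = {"proto": "tcp", "src": "203.0.113.5", "sport": 58499,
               "dst": "192.0.2.213", "dport": 80}
# Same client addressed to the server's private IP: the replies say the ACL on
# the outside interface must name the outside (public) address, so an ACE on
# the public host never covers this flow.
FLOW_TO_PRIVATE = dict(CLIENT_FLOW, dst="192.168.123.11")

if __name__ == "__main__":
    for label, acl in (("source port pinned", ACL_WITH_SOURCE_PORT), ("fixed", ACL_FIXED)):
        print(f"{label:20s} -> {evaluate(acl, CLIENT_FLOW)}")
    print(f"{'fixed, private dst':20s} -> {evaluate(ACL_FIXED, FLOW_TO_PRIVATE)}")
```

Running it shows the pinned-source-port ACL falling through to the implicit deny, which is exactly the "acl-drop" result in the packet-tracer output later in the thread, while the corrected ACE permits the same flow.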
9 REPLIES
Purple

Re: Problem with nat / access rule for webserver in inside netwo

Hi,

In your ACL you must use the outside interface IP, not the inside IP.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: Problem with nat / access rule for webserver in inside netwo

Hi,

No help from changing the access rule to the outside IP.

If I try to browse to our public IP from a local machine (behind the ASA; the webserver is in the same subnet behind the ASA as well), I can browse it with the local IP but not with the public one (188.x.x.213), and I get this error in syslog:

TCP access denied by ACL from 192.168.123.3/58499 to inside:188.x.x.213/80

Purple

Problem with nat / access rule for webserver in inside network a

Hi,

If you want to access the server with the outside IP from inside, there are 2 ways:

- hairpinning

- DNS doctoring

Here is a link for the config: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Problem with nat / access rule for webserver in inside network a

The major problem is that I cannot access the webserver from the outside network; syslog does not say anything when I try. VPN is working okay.

Purple

Problem with nat / access rule for webserver in inside network a

Hi,

Can you do a packet-tracer for traffic going to the server and post the output?

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: Problem with nat / access rule for webserver in inside netwo

Command:

packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.123.0   255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x35418d8, priority=500, domain=permit, deny=true
    hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=188.x.x.213, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
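When triaging output like the above, the useful facts are the first phase that returned DROP, the rule it matched, and the final Drop-reason. The following added example (my code, not from the thread or from Cisco) parses "packet-tracer ... detailed" output into per-phase records and extracts exactly that. The sample trace is the one posted above with the extraction blank lines removed, except that 192.0.2.213 stands in for the redacted 188.x.x.213; it is embedded as constructed input so the script runs offline.

```python
# Added example (not from the thread): parser for ASA "packet-tracer ... detailed"
# output that returns the phases, the first DROP phase with its matched rule,
# and the final summary block (Action / Drop-reason). SAMPLE_TRACE is the
# thread's output with blank lines removed; 192.0.2.213 replaces 188.x.x.213.
import re

SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.123.0   255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x35418d8, priority=500, domain=permit, deny=true
    hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=192.0.2.213, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_FIELDS = ("Type", "Subtype", "Result")


def parse_packet_tracer(text):
    """Return (phases, summary): phases is a list of dicts, summary the final block."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "Type": "", "Subtype": "",
                       "Result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":  # a bare "Result:" opens the final summary block
            current, section = None, "summary"
            continue
        if current is not None:
            key, sep, value = line.partition(":")
            if key in PHASE_FIELDS and sep:
                current[key] = value.strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section:
                current[section].append(line)  # rule dump, route, or config text
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return phases, summary


def first_drop(phases):
    """The first phase whose Result is DROP, or None if the packet was allowed."""
    return next((p for p in phases if p["Result"] == "DROP"), None)


def matched_rule(phase):
    """Pull id= and deny= out of the rule dump under Additional Information."""
    blob = " ".join(phase["info"])
    rule_id = re.search(r"\bid=(0x[0-9a-fA-F]+)", blob)  # \b keeps cs_id= from matching
    deny = re.search(r"\bdeny=(true|false)", blob)
    return {"id": rule_id.group(1) if rule_id else None,
            "deny": deny.group(1) == "true" if deny else None}


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE_TRACE)
    drop = first_drop(phases)
    if drop:
        print(f"dropped in phase {drop['phase']} ({drop['Type']}), "
              f"config={drop['config']}, rule={matched_rule(drop)}")
    print(summary.get("Drop-reason", "no drop"))
```

On the sample it reports the drop in phase 3 (ACCESS-LIST) against "Implicit Rule" with deny=true, i.e. no configured ACE matched the flow. Note that the command itself targets 192.168.123.11; as the accepted answer says, the destination in the packet-tracer should be the public address, so the trace should be re-run that way once the ACL is corrected.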

New Member

Re: Problem with nat / access rule for webserver in inside netwo

Maykol Rojas,

Changing the access list did the trick, thanks; problem solved.

Cisco Employee

Problem with nat / access rule for webserver in inside network a

Glad I was able to help

Cheers,

Mike
