Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Server Access Via ASA

Hi,

I have inherited a Cisco 5515 ASA, which is up and running on the company network. As a complete Noob to ASA’s I have the following problem.

Users require accessing an internal server via an external web address. The DNS map of the web address points to one of my Public IP addresses. I configured the ASA using the public servers wizard on the ASDM, everything seems to be fine.

I just can’t access the server from the web address. Below is my config. Any help would be most appreciated.

interface GigabitEthernet0/0

description WAN side to Router

nameif outside

security-level 0

ip address xx.xxx.xxx.xxx 255.255.255.248

!

interface GigabitEthernet0/1

description Link to Data Network

nameif data

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface GigabitEthernet0/2

description Link to Accounts VLAN

nameif Accounts

security-level 90

ip address 192.168.16.1 255.255.255.0

!

interface GigabitEthernet0/3

nameif VOICE

security-level 2

ip address 192.168.14.1 255.255.255.0

!

interface GigabitEthernet0/4

nameif switchmanagement

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/5

no nameif

security-level 1

no ip address

!

interface GigabitEthernet0/5.11

vlan 11

nameif guestwireless

security-level 1

ip address 192.168.11.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

no ip address

management-only

!

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network DATA_OBJ

subnet 192.168.2.0 255.255.255.0

object network VOICE_OBJ

subnet 192.168.14.0 255.255.255.0

object network ACCOUNTS_OBJ

subnet 192.168.16.0 255.255.255.0

object network GUEST_OBJ

subnet 192.168.11.0 255.255.255.0

object network PPTP_SERVER

host 192.168.2.234

object service TCP_PPTP

service tcp destination eq pptp

object network HOST_PPTP_TCP

host 192.168.2.234

object service GRE_PPTP

service gre

object network HOST_PPTP_GRE

host 192.168.2.234

object network ESAT_Host

host 192.168.2.145

object service ESAT_TCP1

service tcp destination range 2221 2225

object service ESAT_TCP2

service tcp destination eq 2846

object service ESAT_UDP1

service udp destination range netbios-ns 139

object service ESAT_TCP3

service tcp destination eq 445

object network NETWORK_OBJ_192.168.20.0_24

subnet 192.168.20.0 255.255.255.0

object network NETWORK_OBJ_192.168.16.0_24

subnet 192.168.16.0 255.255.255.0

object network NETWORK_OBJ_192.168.20.0_23

subnet 192.168.20.0 255.255.254.0

object network Video-Conferencing

host 192.168.2.147

object service http

service tcp source eq www destination eq www

object network DEV_SERV

host 192.168.2.32

object-group service PPTP_PROTS

service-object tcp destination eq pptp

service-object gre

object-group service ESAT_TCP tcp

port-object range 2221 2225

port-object eq 2846

port-object eq 445

object-group service ESAT_UDP udp

port-object range netbios-ns 139

object-group service Video_Conf_Group

service-object object Video

service-object object Video_Conf_1

service-object object Video_Conf_2

service-object object Video_Extra

service-object tcp destination eq h323

service-object tcp destination eq https

object-group network azure-networks

network-object 192.168.20.0 255.255.255.0

network-object 192.168.21.0 255.255.255.0

object-group network onprem-networks

network-object 192.168.16.0 255.255.255.0

object-group network DEV-SERV

network-object host 192.168.2.32

access-list OUTSIDE_IN extended permit object http any object DEV_SERV

access-list OUTSIDE_IN extended permit object-group PPTP_PROTS any object PPTP_SERVER

access-list OUTSIDE_IN extended permit tcp any object ESAT_Host object-group ESAT_TCP

access-list OUTSIDE_IN extended permit udp any object ESAT_Host object-group ESAT_UDP

access-list OUTSIDE_IN remark Inbound Video Conferencing

access-list OUTSIDE_IN extended permit object-group Video_Conf_Group host xx.xx.xxx.xx object Video-Conferencing

access-list outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 192.168.40.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu data 1500

mtu Accounts 1500

mtu VOICE 1500

mtu switchmanagement 1500

mtu guestwireless 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

nat (data,outside) source static ESAT_Host interface service ESAT_TCP1 ESAT_TCP1

nat (data,outside) source static ESAT_Host interface service ESAT_TCP2 ESAT_TCP2

nat (data,outside) source static ESAT_Host interface service ESAT_TCP3 ESAT_TCP3

nat (data,outside) source static ESAT_Host interface service ESAT_UDP1 ESAT_UDP1

nat (outside,data) source static any any destination static interface Video-Conferencing service Video-TCP Video-TCP

nat (Accounts,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_172.27.16.0_20 NETWORK_OBJ_172.27.16.0_20 no-proxy-arp route-lookup

nat (outside,data) source static any any destination static interface Video-Conferencing service Video_Conf_1 Video_Conf_1

nat (outside,data) source static any any destination static interface Video-Conferencing service Video_Conf_2 Video_Conf_2

!

object network DATA_OBJ

nat (data,outside) dynamic interface

object network VOICE_OBJ

nat (VOICE,outside) dynamic interface

object network GUEST_OBJ

nat (guestwireless,outside) dynamic interface

object network DEV_SERV

nat (data,outside) static xx.xx.xxx.xx service tcp www www

!

nat (Accounts,outside) after-auto source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_192.168.40.0_24 NETWORK_OBJ_192.168.40.0_24 no-proxy-arp

nat (Accounts,outside) after-auto source static NETWORK_OBJ_192.168.16.0_24 interface no-proxy-arp

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.2.0 255.255.255.0 data

http 2.221.5.51 255.255.255.255 outside

http 213.249.189.232 255.255.255.248 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sysopt connection tcpmss 1350

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal SHA1

protocol esp encryption aes-256

protocol esp integrity sha-1

crypto ipsec security-association lifetime seconds 3600

crypto ipsec security-association lifetime kilobytes 102400000

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set ikev2 ipsec-proposal SHA1 DES 3DES AES AES192 AES256

crypto map outside_map0 1 match address outside_cryptomap_1

crypto map outside_map0 1 set peer xxx.xxx.xxx.xx

crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map0 2 match address outside_cryptomap_2

crypto map outside_map0 2 set peer 138.91.41.237

crypto map outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map0 interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=Rhead-Firewall.null,O=Rhead Group,C=UK

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

subject-name CN=Rhead-Firewall

crl configure

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800

telnet timeout 5

ssh xxx.xxx.xxx.xxx 255.255.255.248 outside

ssh xxx.xxx.xxx.xxx 255.255.255.0 data

ssh timeout 60

ssh version 2

console timeout 0

management-access data

dhcpd dns 194.72.6.57 194.73.82.242

dhcpd lease 43200

!

dhcpd address 192.168.2.50-192.168.2.254 data

dhcpd ping_timeout 1000 interface data

dhcpd option 3 ip 192.168.2.1 interface data

dhcpd enable data

!

dhcpd address 192.168.16.100-192.168.16.120 Accounts

dhcpd dns 192.168.16.11 interface Accounts

dhcpd option 3 ip 192.168.16.1 interface Accounts

dhcpd enable Accounts

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1

webvpn

enable outside

group-policy GroupPolicy_xxx.xxx.128.78 internal

group-policy GroupPolicy_xxx.xxx.128.78 attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy_xxx.xx.41.237 internal

group-policy GroupPolicy_xxx.xx.41.237 attributes

vpn-tunnel-protocol ikev1

username admin password 2AUxfp8R5OBMFa5Y encrypted

username cisco password t6qc0eqEa2iqtcfC encrypted

tunnel-group xxx.xxx.xxx.78 type ipsec-l2l

tunnel-group xxx.xxx.xxx.78 general-attributes

default-group-policy GroupPolicy_xxxx.xxx.xxx.78

tunnel-group xxx.xxx.xxx.xxx ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 138.91.41.237 type ipsec-l2l

tunnel-group 138.91.41.237 general-attributes

default-group-policy GroupPolicy_138.91.41.237

tunnel-group 138.91.41.237 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group Rhead_Group type remote-access

!

class-map inspection_d

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect pptp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

hpm topN enable

Cryptochecksum:9cb5eac49e7de6564e1f6712d13d66e6

: end

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Server Access Via ASA

Hi,

I presume that this is the ACL rule that you have created

object service http

service tcp source eq www destination eq www

access-list OUTSIDE_IN extended permit object http any object DEV_SERV

And I presume that this is the Static PAT (Port Forward) configuration for the server you require access to.

object network DEV_SERV

host 192.168.2.32

nat (data,outside) static xx.xx.xxx.xx service tcp www www

While the NAT configuration seems fine if you want to do Static PAT and dont have a spare public IP address to do Static NAT, it does seem that your ACL rule is wrong.

Notice that you define the service to be sourced from port TCP/80 and also destined to port TCP/80. The source port of a clients web server connection will probably never be TCP/80. It will be some random number above 1024 usually. You should only limit the connectivity on the basis of the destination port.

So you could add this ACL configuration rather

access-list OUTSIDE_IN permit tcp any object DEV_SERV eq www

Let me know how it goes

Hope this helps

- Jouni

2 REPLIES
Super Bronze

Server Access Via ASA

Hi,

I presume that this is the ACL rule that you have created

object service http

service tcp source eq www destination eq www

access-list OUTSIDE_IN extended permit object http any object DEV_SERV

And I presume that this is the Static PAT (Port Forward) configuration for the server you require access to.

object network DEV_SERV

host 192.168.2.32

nat (data,outside) static xx.xx.xxx.xx service tcp www www

While the NAT configuration seems fine if you want to do Static PAT and dont have a spare public IP address to do Static NAT, it does seem that your ACL rule is wrong.

Notice that you define the service to be sourced from port TCP/80 and also destined to port TCP/80. The source port of a clients web server connection will probably never be TCP/80. It will be some random number above 1024 usually. You should only limit the connectivity on the basis of the destination port.

So you could add this ACL configuration rather

access-list OUTSIDE_IN permit tcp any object DEV_SERV eq www

Let me know how it goes

Hope this helps

- Jouni

New Member

Server Access Via ASA

Jouni,

Many thanks. It was my access list. Soon as I amended it, it all dropped in.

120
Views
0
Helpful
2
Replies
CreatePlease login to create content