Community Member

Server cannot browse to own websites

I've currently got a set of servers that all go through a switch and out via an asa firewall.

I know there isn't a problem with port 80 as the servers can navigate to external sites such as google.

Here is a result of a packet-trace:

bt(config)# packet-tracer input inside tcp 10.20.3.148 www 10.20.3.148 www detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca88f500, priority=13, domain=capture, deny=false
        hits=37877223, user_data=0xca88f400, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcabe35b8, priority=1, domain=permit, deny=false
        hits=18614673, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.20.3.0       255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcabe4508, priority=111, domain=permit, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


I'm not 100% sure I got that trace correct; should it be inside IP to inside IP, or inside IP to outside (or vice versa)?

I've got the following access-lists in and tried to run a capture, but got nothing with regard to serving the internal/external IP:

access-list cap extended permit ip any host 195.171.9.148
access-list cap extended permit ip host 195.171.9.148 any
access-list cap extended permit ip any host 10.20.3.148
access-list cap extended permit ip host 10.20.3.148 any

Am I missing a rule in the access lists?
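When reading a long packet-tracer output like the one above, the useful facts are buried in the phase list: which phase dropped the flow, which rule matched, and which interfaces it was evaluated between. The script below is an added example, not something from the original post or from Cisco; it parses the packet-tracer text into one record per phase, reports the first DROP phase together with the Drop-reason, and flags the case where the dropping rule has the same input and output interface (an intra-interface, or u-turn, flow, which the ASA refuses unless `same-security-traffic permit intra-interface` is configured). The sample trace is a constructed, abridged copy of the output posted above; the field names it keys on (`input_ifc`, `output_ifc`, `Drop-reason`) are exactly as they appear in that output.

```python
"""Parse Cisco ASA packet-tracer output and report which phase dropped the flow."""
import re

# Constructed sample: the packet-tracer output from the post, abridged to the
# lines the parser needs (phase headers, Type/Result, rule lines, final summary).
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Forward Flow based lookup yields rule:
in  id=0xca88f500, priority=13, domain=capture, deny=false
        input_ifc=inside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   10.20.3.0       255.255.255.0   inside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Forward Flow based lookup yields rule:
in  id=0xcabe4508, priority=111, domain=permit, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=inside
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
# key=value pairs on rule lines; the lookbehind keeps "src ip/id=" from
# overwriting the real rule "id=" field.
FIELD_RE = re.compile(r"(?<![\w/])(\w+)=([^,\s]+)")


def parse_trace(text):
    """Return (phases, summary): one dict per 'Phase:' block, plus the final 'Result:' section."""
    phases, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "rule": {}}
            phases.append(current)
            continue
        if line == "Result:":            # bare 'Result:' opens the trailing summary
            current = None
            continue
        m = KV_RE.match(line)
        if current is None:
            if m:
                summary[m.group(1)] = m.group(2)
            continue
        if m and m.group(1) in ("Type", "Subtype", "Result"):
            current[m.group(1).lower()] = m.group(2)
        elif "=" in line:                # 'in  id=..., priority=..., deny=...' and its continuation lines
            current["rule"].update(FIELD_RE.findall(line))
    return phases, summary


def first_drop(phases):
    return next((p for p in phases if p.get("result") == "DROP"), None)


def is_intra_interface_drop(phase):
    """True when the dropping rule was evaluated with the same input and output interface,
    i.e. the flow hairpins on one interface (needs 'same-security-traffic permit intra-interface')."""
    rule = phase["rule"]
    return rule.get("input_ifc") is not None and rule["input_ifc"] == rule.get("output_ifc")


def explain(text):
    phases, summary = parse_trace(text)
    drop = first_drop(phases)
    if drop is None:
        return "flow allowed (Action: %s)" % summary.get("Action", "?")
    msg = "dropped in phase %d (%s): %s" % (drop["phase"], drop["type"], summary.get("Drop-reason", ""))
    if is_intra_interface_drop(drop):
        msg += " [intra-interface flow %s -> %s]" % (drop["rule"]["input_ifc"], drop["rule"]["output_ifc"])
    return msg


if __name__ == "__main__":
    print(explain(SAMPLE_TRACE))
```

Paste any `packet-tracer ... detailed` output into `SAMPLE_TRACE` (or read it from a file) and `explain()` gives a one-line verdict; the intra-interface flag is the quickest pointer to a missing `same-security-traffic` statement when a server on the inside is being tested against its own public address.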

1 ACCEPTED SOLUTION
Red

Server cannot browse to own websites

Hi Wez,

I guess you are using 8.3 or above code; if that's the case, use this:

object network public_ip
 host 195.171.9.148
object network private_ip
 host 10.20.3.148
nat (inside,inside) source dynamic any interface destination static public_ip private_ip
same-security-traffic permit intra-interface
sysopt noproxyarp inside

This should do.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
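The part of this rule people most often leave out is `source dynamic any interface`, and it is the part that makes a hairpin work when client and server sit on the same subnet: without it the server's reply is switched straight back to the client, never passes the ASA, and arrives from the private address while the client's TCP stack is waiting for a reply from the public one. The model below is an added example, not ASA code and not from the thread; it applies the twice-NAT rule (in the form the original poster later reports working, with the `destination` keyword) to a request from a hypothetical second host on the 10.20.3.0/24 subnet and shows what the client receives with and without the source PAT. The ASA inside-interface address and the PAT port are assumptions; the server addresses are the ones used in the thread.

```python
"""Model of ASA hairpin (u-turn) NAT: why the rule needs 'source dynamic any interface'."""
from dataclasses import dataclass, replace
import ipaddress

PUBLIC_IP = "195.171.9.148"     # server's mapped (public) address, from the thread
PRIVATE_IP = "10.20.3.148"      # server's real address, from the thread
ASA_INSIDE_IP = "10.20.3.1"     # assumption: the ASA's inside interface address
CLIENT_IP = "10.20.3.150"       # hypothetical client on the same subnet as the server
INSIDE_SUBNET = ipaddress.ip_network("10.20.3.0/24")
PAT_PORT = 50000                # assumption: source port the ASA allocates for the PAT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def hairpin_nat(pkt, source_pat):
    """Apply 'nat (inside,inside) source dynamic any interface destination static
    public_ip private_ip' to a packet arriving on inside: the destination is
    un-translated from the mapped to the real address; the source is PAT'd to
    the inside interface address only when source_pat is True."""
    if pkt.dst != PUBLIC_IP:
        return pkt
    out = replace(pkt, dst=PRIVATE_IP)
    if source_pat:
        out = replace(out, src=ASA_INSIDE_IP, sport=PAT_PORT)
    return out


def server_reply(req):
    """The server answers the 4-tuple it actually received."""
    return Packet(src=req.dst, dst=req.src, sport=req.dport, dport=req.sport)


def reply_path(reply):
    """A reply to a host on the server's own subnet is switched directly and never
    reaches the ASA; only a reply addressed to the ASA (or off-subnet) comes back."""
    if reply.dst == ASA_INSIDE_IP or ipaddress.ip_address(reply.dst) not in INSIDE_SUBNET:
        return "via-asa"
    return "direct"


def simulate(source_pat):
    sent = Packet(CLIENT_IP, PUBLIC_IP, 40000, 80)
    reply = server_reply(hairpin_nat(sent, source_pat))
    path = reply_path(reply)
    if path == "via-asa":
        # The ASA matches its connection entry and reverses both translations.
        reply = Packet(src=PUBLIC_IP, dst=sent.src, sport=80, dport=sent.sport)
    # The client's TCP stack only accepts a segment matching the 4-tuple it sent.
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)
    return {"path": path, "reply_src": reply.src, "accepted": accepted}


if __name__ == "__main__":
    for pat in (True, False):
        print("source PAT" if pat else "no source PAT", simulate(pat))
```

`simulate(True)` returns the reply via the ASA with the public source address, so the client's connection completes; `simulate(False)` shows the direct, untranslated reply the client discards. The same reasoning explains why `same-security-traffic permit intra-interface` is required: the request and the translated reply both enter and leave on the inside interface.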
9 REPLIES
Red

Server cannot browse to own websites

Hi Wez,

what it looks like is you are trying to do u-turning on ASA, use this:

static (inside,inside) 10.20.3.148 10.20.3.148
nat (inside) 5 0.0.0.0 0.0.0.0
global (inside) 5 interface
same-security-traffic permit intra-interface
sysopt noproxyarp inside

If you want to access the server on public ip, then remove the above static and add this:

static (inside,inside) 195.171.9.148 10.20.3.148

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Community Member

Re: Server cannot browse to own websites

Getting the following error:

bt(config)# nat (inside) 5 0.0.0.0 0.0.0.0

ERROR: This syntax of nat command has been deprecated.

We're on version 8.4; sorry, I should have said that before.

I think it's arguing with "5". Is that translated to "static/dynamic"?

Also, I tried adding it as a nat rule to "object network" and that overwrote my inside/outside nat. Do I need to add it somewhere different?

Example (post change):

object network Ras
nat (inside,outside) static Ras_Outside  (correct)
object network Dev1
nat (inside,inside) static Dev1   (no longer pointing outside?)
Community Member

Re: Server cannot browse to own websites

Still having problems with the NAT rule. Where in the config hierarchy should I be putting it?

(config)# nat (inside,inside) source dynamic any interface source static Dev1_Outside Dev1
              ^

ERROR: % Invalid input detected at '^' marker.

Will I have to add this rule for every server? Just found another issue: it seems that the servers on this .3. subnet can't browse to any of the websites on servers in the same subnet (not just themselves). Is this now a routing issue?

Red

Server cannot browse to own websites

Could you please share your config.

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Community Member

Re: Server cannot browse to own websites

Sent you a PM

Community Member

Server cannot browse to own websites

Still having trouble with this issue.

Can anybody recommend a way of debugging the problem?

I need a server to access websites that it hosts, but I can't work out the traceroute/packet-trace.

Community Member

Server cannot browse to own websites

Sorry, last update.

Problem solved for one server using these lines:

nat (inside,inside) source dynamic any interface Destination static public_ip private_ip

same-security-traffic permit intra-interface

2 remaining questions:

1) Can I change Public_IP and Private_IP to object groups?

2) Do I need sysopt noproxyarp inside?

Red

Server cannot browse to own websites

If the servers are not in the directly connected subnet of the ASA, then you might need to add the sysopt command.

Yes, you can change the Private and Public to object-groups, no issues with it.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC