Cisco Support Community
New Member

Transparent mode and web server

I am installing an ASA 5510 in transparent mode; it's behind a Cisco 3745 router that has NAT translation in the configs.

After I set up the ASA 5510, I created access lists for web server access. All traffic inside passes through fine; however, when an outside user tries to access the web site, the page connection will not load.

Do I have to set a NAT rule for outside access? If not, what other suggestions does anyone have?

1 ACCEPTED SOLUTION

Re: Transparent mode and web server

You need to allow it with an extended access-list-

access-list Outside_WWW extended permit eigrp host 1.1.1.1 host 2.2.2.2

A helpful link as well-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

38 REPLIES

Re: Transparent mode and web server

It sounds like you do need to create a NAT translation in the router.

New Member

Re: Transparent mode and web server

The router has a NAT translation already, when I remove the ASA everything is fine.

I just started the install with a functioning network in place already.

Re: Transparent mode and web server

OK, are you getting hit counts on your ACL? Any messages in your log?

New Member

Re: Transparent mode and web server

I will check later, when I work on the firewall further.

New Member

Re: Transparent mode and web server

When I check, would you have any suggestions for me to try?

Re: Transparent mode and web server

Just check the ACL and turn on logging if it's not enabled. I would set the logging buffer to debugging (but don't debug anything).

New Member

Re: Transparent mode and web server

Here is the logging file I captured this morning. Any outside user who tries to access our website receives the message:

"Connection to server was reset while the page was loading, network link was interrupted while negotiating a connection."

Also here is a copy of my ASA configs:

ASA Version 8.0(4)
!
firewall transparent
hostname ciscoasa
enable password I3KXhN9OZMFiyurw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
ftp mode passive
access-list outside_access_in extended permit ip any any
access-list permit extended permit eigrp any host 172.21.0.7
access-list permit extended permit eigrp any host 172.21.0.1
access-list inside extended permit eigrp any any
access-list inside_access_out extended permit ip any any
access-list 112 extended permit tcp any any eq 548
access-list 112 extended permit tcp any any eq domain
access-list 112 extended permit udp any any eq domain
access-list 101 extended permit tcp any any
access-list 120 extended permit tcp any host 172.21.0.78 eq domain
access-list 120 extended permit tcp any host 172.21.0.3 eq domain
access-list 120 extended permit tcp any host 172.21.0.2 eq domain
access-list 110 extended permit udp any any
access-list 110 extended permit udp any 172.21.4.0 255.255.252.0 range 3200 3300
access-list 110 extended permit udp any 172.21.8.0 255.255.252.0 range 3200 3300
access-list 110 extended permit udp any 172.21.12.0 255.255.252.0 range 3200 3300
access-list 111 extended permit udp any any
access-list 111 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.7
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp
access-list Outside_VPN extended permit tcp any host 172.21.0.14
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 1701
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address 172.21.0.80 255.255.252.0
ip local pool heights 172.21.12.0 mask 255.255.252.0
ip local pool manito 172.21.4.0 mask 255.255.252.0
ip local pool dogwood 172.21.8.0 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_VPN in interface outside
route outside 0.0.0.0 0.0.0.0 172.21.0.7 1
route inside 172.21.0.0 255.255.0.0 0.0.0.0 1
route inside 172.21.0.0 255.255.0.0 0.0.0.0 1
route inside 172.21.0.0 255.255.0.0 0.0.0.0 1
route inside 172.21.4.0 255.255.252.0 172.21.0.1 1
route inside 172.21.4.2 255.255.255.255 172.21.0.1 1
route inside 172.21.8.0 255.255.252.0 172.21.0.1 1
route inside 172.21.8.2 255.255.255.255 172.21.0.1 1
route inside 172.21.12.0 255.255.252.0 172.21.0.1 1
route inside 172.21.12.2 255.255.255.255 172.21.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
!

Re: Transparent mode and web server

You don't have an ACL entry allowing HTTP traffic in. You have the following ACL applied to the outside interface-

access-group Outside_VPN in interface outside

And here are the rules that allow traffic in.

access-list Outside_VPN extended permit tcp any host 172.21.0.14
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 1701

Nothing for HTTP.

New Member

Re: Transparent mode and web server

I think:

access-list Outside_VPN extended permit tcp any host 172.21.0.14

will allow all TCP traffic, including HTTP. Am I wrong?

If I'm correct, it's not a good idea to allow this, from a security point of view.

Re: Transparent mode and web server

You are correct, that would allow all TCP traffic to host 172.21.0.14. You can restrict to just HTTP with this ACL-

access-list Outside_VPN ext permit tcp any host 172.21.0.14 eq 80

You are right again about that first ACL not being very secure. The second should be fine. If you can/want, you can further restrict by filtering the source IPs.

access-list Outside_VPN ext permit tcp 10.0.0.0 255.0.0.0 host 172.21.0.14 eq 80

This would only allow people with a source address of 10.x.x.x to connect.

New Member

Re: Transparent mode and web server

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp

Where did you apply this ACL?

It shouldn't be applied on outside.

Re: Transparent mode and web server

It's not applied to any interface.

New Member

Re: Transparent mode and web server

Thanks for your suggestion. Also, is there a global command to allow all subnets behind the router to communicate with each other regardless of protocol?

I want unrestricted traffic in the network; however, the gateway is on the WAN side of the ASA. Remember the ASA is in transparent mode.

Thanks.

Re: Transparent mode and web server

You will have to create an entry in the ACL. You can do it with an object group which will make it cleaner. Let's say you have 3 internal subnets; 192.168.5.0 /24, 192.168.6.0 /24, and 10.10.0.0 /16.

Create an object-group-

object-group network INTERNAL_NETWORKS
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 10.10.0.0 255.255.0.0

Then use the object-group in the ACL.

access-list Outside_VPN extended permit ip object-group INTERNAL_NETWORKS object-group INTERNAL_NETWORKS

This will allow the internal networks to communicate.
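The Outside_VPN discussion earlier in this thread (an entry that permits any TCP to 172.21.0.14 versus one that is limited to eq 80 and to a 10.0.0.0/8 source) and the object-group answer above both come down to the same mechanics: the ASA walks an extended ACL top to bottom, the first matching entry decides, and anything that matches nothing is dropped by the implicit deny at the end. The following Python script is an added example, not code from this thread or from Cisco. It parses a constructed sample config made of the object-group above, the Outside_VPN entries posted earlier and the responder's eq 80 variant, expands the object-group, and evaluates a flow against a named ACL so you can confirm what a given entry really lets in before applying it with access-group.

```python
import ipaddress

# Service names used in the ACLs above, mapped to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21,
              "ftp-data": 20, "domain": 53, "isakmp": 500, "nntp": 119}

# Constructed sample config: the object-group from the answer above, the
# Outside_VPN entries posted earlier, and the source-restricted "eq 80" variant.
SAMPLE_CONFIG = """
object-group network INTERNAL_NETWORKS
 network-object 192.168.5.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
 network-object 10.10.0.0 255.255.0.0
access-list Outside_VPN extended permit tcp any host 172.21.0.14
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500
access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 1701
access-list Outside_VPN extended permit ip object-group INTERNAL_NETWORKS object-group INTERNAL_NETWORKS
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp 10.0.0.0 255.0.0.0 host 172.21.0.14 eq 80
"""


def port_number(token):
    """Accept either a service name the ASA knows or a plain port number."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def take_address(tokens, i, groups):
    """Consume one address spec at tokens[i]: any | host X | object-group G | X MASK."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        return groups[tokens[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def take_port(tokens, i):
    """Consume an optional 'eq P' or 'range LO HI'; return ((lo, hi) or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = port_number(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (port_number(tokens[i + 1]), port_number(tokens[i + 2])), i + 3
    return None, i


def parse_rule(tokens, groups):
    """tokens = [permit|deny, proto, <src> [port], <dst> [port], ...]; trailing keywords are ignored."""
    action, proto = tokens[0], tokens[1]
    src, i = take_address(tokens, 2, groups)
    sport, i = take_port(tokens, i)
    dst, i = take_address(tokens, i, groups)
    dport, i = take_port(tokens, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": " ".join(tokens)}


def parse_config(text):
    """Return ({group name: [networks]}, {acl name: [rules in config order]})."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["object-group", "network"]:
            current = groups.setdefault(tokens[2], [])
        elif tokens[0] == "network-object" and current is not None:
            current.extend(take_address(tokens, 1, groups)[0])
        elif tokens[0] == "access-list" and tokens[2] == "extended":
            acls.setdefault(tokens[1], []).append(parse_rule(tokens[3:], groups))
    return groups, acls


def matches(rule, proto, src, sport, dst, dport):
    """'ip' entries match every protocol; port conditions apply only when the entry has them."""
    if rule["proto"] not in ("ip", proto):
        return False
    if not any(src in n for n in rule["src"]) or not any(dst in n for n in rule["dst"]):
        return False
    for cond, port in ((rule["sport"], sport), (rule["dport"], dport)):
        if cond is not None and not cond[0] <= port <= cond[1]:
            return False
    return True


def evaluate(acls, name, proto, src_ip, sport, dst_ip, dport):
    """First-match lookup in ACL `name`; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acls.get(name, []):
        if matches(rule, proto, src, sport, dst, dport):
            return rule["action"], rule["text"]
    return "deny", "implicit deny at end of ACL"


GROUPS, ACLS = parse_config(SAMPLE_CONFIG)


def check(acl, proto, src_ip, sport, dst_ip, dport):
    """Convenience wrapper over the sample config; returns 'permit' or 'deny'."""
    return evaluate(ACLS, acl, proto, src_ip, sport, dst_ip, dport)[0]


if __name__ == "__main__":
    flows = [
        ("Outside_VPN", "tcp", "203.0.113.5", 51000, "172.21.0.2", 80),   # HTTP to the web server
        ("Outside_VPN", "tcp", "203.0.113.5", 51000, "172.21.0.14", 22),  # any TCP to .14 is open
        ("Outside_WWW", "tcp", "203.0.113.5", 51000, "172.21.0.14", 80),  # source outside 10/8
        ("Outside_WWW", "tcp", "10.1.2.3", 51000, "172.21.0.14", 80),
        ("Outside_VPN", "udp", "192.168.5.10", 5000, "10.10.3.4", 9999),  # matched via object-group
    ]
    for f in flows:
        action, text = evaluate(ACLS, *f)
        print(f"{f[0]:12} {f[1]} {f[2]}:{f[3]} -> {f[4]}:{f[5]}  {action:6} ({text})")
```

Running it shows the point the thread arrives at: with Outside_VPN applied on outside, HTTP to 172.21.0.2 falls through to the implicit deny while every TCP port on 172.21.0.14 is open, and the eq 80 entry with a 10.0.0.0 255.0.0.0 source permits only port 80 from that range.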

New Member

Re: Transparent mode and web server

Thanks, your suggestions have worked.

Now I need to clean up the configs and fine tune the box.

Thanks again.

New Member

Re: Transparent mode and web server

Everything worked except DHCP clients cannot access web or mail in house.

The ranges for each subnet are:

172.21.7.1-172.21.7.254 gw: 172.21.4.1
172.21.9.1-172.21.9.254 gw: 172.21.8.1
172.21.13.1-172.21.13.254 gw: 172.21.12.1

The static IP clients can:

172.21.4.0, 172.21.8.0 and 172.21.12.0

Any suggestions?

Re: Transparent mode and web server

Can you post the ACL?

New Member

Re: Transparent mode and web server

Here it is:

object-group network internal_group
network-object 172.21.4.0 255.255.252.0
network-object 172.21.8.0 255.255.252.0
network-object 172.21.12.0 255.255.252.0
network-object 172.21.0.0 255.255.252.0
access-list outside_access_in extended permit ip any any
access-list permit extended permit eigrp any host 172.21.0.7
access-list permit extended permit eigrp any host 172.21.0.1
access-list inside extended permit eigrp any any
access-list inside_access_out extended permit ip any any
access-list 112 extended permit tcp any any eq 548
access-list 112 extended permit tcp any any eq domain
access-list 112 extended permit udp any any eq domain
access-list 112 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.78 eq domain
access-list 112 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.78 eq domain
access-list 112 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.78 eq domain
access-list 101 extended permit tcp any any
access-list 120 extended permit tcp any host 172.21.0.78 eq domain
access-list 120 extended permit tcp any host 172.21.0.3 eq domain
access-list 120 extended permit tcp any host 172.21.0.2 eq domain
access-list 125 extended permit tcp any host 172.21.0.9
access-list 125 extended permit tcp any host 172.21.0.11
access-list 125 extended permit tcp any host 172.21.0.5
access-list 110 extended permit udp any any
access-list 111 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.7
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp
access-list Outside_WWW extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_WWW extended permit udp any host 172.21.0.14 eq 4500
access-list Outside_WWW extended permit udp any host 172.21.0.14 eq 1701
access-list Outside_WWW extended permit tcp any 172.21.0.0 255.255.255.0 eq nntp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq https
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp-data
access-list Outside_WWW extended permit udp any any eq domain
access-list Outside_WWW extended permit tcp any host 172.21.0.8 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.8 eq pop3
access-list Outside_WWW extended permit ip object-group internal_group object-group internal_group
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address 172.21.0.80 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_WWW in interface outside
route outside 0.0.0.0 0.0.0.0 172.21.0.7 1
route inside 172.21.4.0 255.255.252.0 172.21.0.1 1
route inside 172.21.8.0 255.255.252.0 172.21.0.1 1
route inside 172.21.12.0 255.255.252.0 172.21.0.1 1

Re: Transparent mode and web server

That looks good (nice job on the object-group). When you do a traceroute, where does it stop? Does the router have routes for the subnets that are not working?

New Member

Re: Transparent mode and web server

I did a traceroute and the trace seems to stop right before the server I trace.

Ping from 172.21.9.173 (DHCP client)

I have traced 172.21.0.2 (webserver); it proceeds to 172.21.8.1, then 192.168.1.1 (inside interface to internal router), and stops as it enters the next hop, which would go to 172.21.0.2.

When I take the ASA offline, the traceroute makes it to 172.21.0.2.

It is strange that the DHCP clients can go to the web but not access the local web server or access mail.

Do I need to create an access group for the DHCP addresses?

Re: Transparent mode and web server

I originally thought the ACL was blocking, but it covers them. Can you take a look at the log when you try and hit the web server? You can filter by the source IP.

show log | i 172.21.9.173

New Member

Re: Transparent mode and web server

I'm at a loss. I did the show log with the IP, and nothing with that IP showed up.

I did show log | ip address. Nothing.

It will not allow access to the web server from DHCP clients or file servers on other subnets, but static clients are OK. Go figure.

I played with NAT and access-lists; is it a routing issue?

Re: Transparent mode and web server

If you're not seeing any packets hit the outside ACL, then it is most likely a routing issue. Does your router have all the internal subnets?

New Member

Re: Transparent mode and web server

Yes it does, and it works great without the ASA in line.

Re: Transparent mode and web server

Can you put this entry in?

access-list Outside_WWW extended deny ip any any log

This will replace the explicit deny at the end and log denied connections. Hopefully we'll see something.

New Member

Re: Transparent mode and web server

Nothing seen. Here is the config of the router with all networks connected; this is before the ASA. The ASA is connected to the external router with the 172.21.0.7 gateway.

The traceroutes stop at this router with the ASA in line.

New Member

Re: Transparent mode and web server

Here is the show log list.

Re: Transparent mode and web server

I see the following error-

%ASA-3-305005: No translation group found for udp src outside:172.21.0.75/3283 dst inside:172.21.9.172/3283

I thought the firewall was running in transparent mode?
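The show log | i <ip> filter suggested earlier and the %ASA-3-305005 line quoted here are the two things worth automating once the buffered log is too long to read by eye. The following Python script is an added example, not code from this thread or from Cisco. It runs over a constructed sample log (the 305005 message above plus made-up 106023 deny and 302013/302014 connection entries in the standard ASA syslog format), filters by address the way the show log pipe does, counts message IDs, pulls out ACL denies, and flags messages from the NAT family. That last check is the clue the responder is pointing at: a unit with no nat or static configuration has no translation groups to look up, so a 305005 from a supposedly transparent firewall is worth chasing before anything else.

```python
import re
from collections import Counter

# Constructed sample log. The first line is the message quoted in this thread;
# the others are made-up entries in the same ASA syslog format (message IDs
# 106023 = ACL deny, 302013/302014 = TCP connection built/torn down).
SAMPLE_LOG = """\
%ASA-3-305005: No translation group found for udp src outside:172.21.0.75/3283 dst inside:172.21.9.172/3283
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51000 dst inside:172.21.0.2/80 by access-group "Outside_VPN" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1042 for outside:203.0.113.9/52100 (203.0.113.9/52100) to inside:172.21.0.2/80 (172.21.0.2/80)
%ASA-6-302014: Teardown TCP connection 1042 for outside:203.0.113.9/52100 to inside:172.21.0.2/80 duration 0:00:03 bytes 5120 TCP FINs
"""

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d+): (?P<body>.*)")
ENDPOINTS = re.compile(
    r"(?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")

# Messages about translation (xlate) lookups. A firewall with no nat or static
# configuration has nothing to look up, so these should not appear at all.
NAT_FAMILY = {"305005", "305006"}


def parse_line(line):
    """Split an ASA syslog line into severity, message ID and, where present, the 5-tuple."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"], "body": m["body"]}
    e = ENDPOINTS.search(m["body"])
    if e:
        rec.update(proto=e["proto"].lower(), src_if=e["src_if"], src=e["src"],
                   sport=int(e["sport"]), dst_if=e["dst_if"], dst=e["dst"],
                   dport=int(e["dport"]))
    return rec


def grep_ip(log, ip):
    """Offline equivalent of 'show log | i <ip>', anchored so 172.21.0.2 does not also match 172.21.0.20."""
    pat = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [line for line in log.splitlines() if pat.search(line)]


def triage(log):
    """Count message IDs, pull out ACL denies, and flag NAT-family messages."""
    records = [r for r in map(parse_line, log.splitlines()) if r]
    return {
        "counts": Counter(r["id"] for r in records),
        "denies": [r for r in records if r["id"] == "106023"],
        "nat_hits": [r for r in records if r["id"] in NAT_FAMILY],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("message counts:", dict(result["counts"]))
    for r in result["denies"]:
        print(f"ACL deny: {r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}")
    for r in result["nat_hits"]:
        print(f"NAT-family message {r['id']} on a transparent firewall: {r['body']}")
    print("lines mentioning 172.21.9.172:", len(grep_ip(SAMPLE_LOG, "172.21.9.172")))
```

To use it on a real capture, paste the output of show log into SAMPLE_LOG or read it from a file; the parser ignores any line that does not start with the %ASA header, so timestamps and prompt residue do not need to be stripped first.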

New Member

Re: Transparent mode and web server

I set it for transparent mode.
