Community Member

web access from inside

I'm trying to get www, https, svn (3690), and ssh from one of my inside networks to get outside access, but this isn't working for me yet. Can anyone provide some insight as to what I've got wrong on my 5510 configuration? I'm sure it's probably my statics, but I'm having trouble with those.

---

name 192.168.3.0 DEV_NET
name 199.199.xxx.14 MY_WAN_IP
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address MY_WAN_IP 255.255.255.0
interface Ethernet0/3
 nameif development
 security-level 80
 ip address 192.168.3.1 255.255.255.0
object-group service ALL_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
 port-object eq ssh
access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES
global (outside) 1 interface
nat (development) 1 DEV_NET 255.255.255.0
static (development,dmz) DEV_NET DEV_NET netmask 255.255.255.0
access-group ALL_ACCESS in interface outside
access-group ALL_ACCESS out interface outside
access-group ALL_ACCESS in interface development
access-group ALL_ACCESS out interface development
route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1

2 REPLIES
Community Member

Re: web access from inside

What is the IP address that you are trying to access through the ASA? I see that you are PATing DEV_NET to the outside interface when going to the outside, and you also have an access-group applied in/out on both interfaces. Can you remove the access-groups and see if you are able to access the web, ssh, etc.?

Since you have an access-group in/out, look at the traffic flow and define different ACLs accordingly. For example, when you initiate a TCP connection from inside, the source port would be a randomly generated port while the destination is 80, and the return traffic will have source port 80 and a destination of the port that you used. So I would remove the ACL and give it a shot.

Regards,

Lisa

Community Member

Re: web access from inside

I guess I'm not following here. I want to have the traffic of ALL_SERVICES accessible from the outside as well as use them from the inside, so that's why I put it on both interfaces in both directions.

I made a small change so the following is what I'm working with ...

name 192.168.3.0 DEV_NET
name 199.199.xxx.14 MY_WAN_IP
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address MY_WAN_IP 255.255.255.0
interface Ethernet0/3
 nameif development
 security-level 80
 ip address 192.168.3.1 255.255.255.0
object-group service ALL_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
 port-object eq ssh
access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES
nat-control
global (outside) 1 interface
nat (development) 1 DEV_NET 255.255.255.0
static (development,outside) DEV_NET DEV_NET netmask 255.255.255.0
access-group ALL_ACCESS in interface outside
access-group ALL_ACCESS out interface outside
access-group ALL_ACCESS in interface development
access-group ALL_ACCESS out interface development
route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1
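Added example, not part of either post above: how the second configuration would be rewritten on 8.2-style ASA code (the pre-8.3 nat/global/static syntax used in the thread) so that both directions work. It keeps the names, interfaces and the ALL_SERVICES group from the posts and assumes a single development server, 192.168.3.10 (hypothetical, named DEV_SRV here), is the host that should be reachable from outside. Two points drive the changes. First, on pre-8.3 code a static translation is matched before the dynamic nat/global pair, so `static (development,outside) DEV_NET DEV_NET` makes every outbound connection from 192.168.3.0/24 leave with its private source address instead of being PATed to MY_WAN_IP; with only one public address, inbound access has to be static PAT (port forwarding) to a specific host. Second, an ACL applied inbound on development replaces the implicit higher-to-lower permit with an implicit deny, and ALL_ACCESS carries no udp/53, so DNS from the development hosts is dropped. Return packets of an established connection are matched against the connection table, not the ACLs, so no outbound ACL is needed for the reply traffic.

```text
! Names and interfaces as in the posts; DEV_SRV is an assumed development server
name 192.168.3.0 DEV_NET
name 199.199.xxx.14 MY_WAN_IP
name 192.168.3.10 DEV_SRV

object-group service ALL_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
 port-object eq ssh

! Outbound: dynamic PAT of the whole dev network to the outside interface address.
! No identity static (development,outside) for DEV_NET: a static is matched before
! nat/global, so it would send the traffic out with unroutable private sources.
nat-control
global (outside) 1 interface
nat (development) 1 DEV_NET 255.255.255.0

! Inbound: one public address, so forward each service port on MY_WAN_IP to
! DEV_SRV (static PAT). Only add the ssh line if the ASA itself is not managed
! over ssh on the outside interface, because both would claim port 22 there.
static (development,outside) tcp interface www DEV_SRV www netmask 255.255.255.255
static (development,outside) tcp interface https DEV_SRV https netmask 255.255.255.255
static (development,outside) tcp interface 3690 DEV_SRV 3690 netmask 255.255.255.255
static (development,outside) tcp interface ssh DEV_SRV ssh netmask 255.255.255.255

! Pre-8.3 ACLs match the translated (public) destination. One ACL, inbound on
! outside only. Replace "any" with the source networks that actually need svn and
! ssh rather than exposing them to the whole Internet.
access-list OUTSIDE_IN extended permit tcp any host MY_WAN_IP object-group ALL_SERVICES
access-group OUTSIDE_IN in interface outside

! Nothing applied to development: level 80 to level 0 is permitted by default,
! and an inbound ACL here would deny everything not listed, including DNS.

route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1
```

To check the result from the CLI, `packet-tracer input development tcp 192.168.3.10 40000 203.0.113.50 80` should show the dev-to-Internet flow being translated to the outside interface address in the NAT phase and allowed, and `packet-tracer input outside tcp 198.51.100.7 40000 <outside address> 22` (substitute the real value of MY_WAN_IP) should show the inbound connection un-translated to DEV_SRV and permitted by OUTSIDE_IN; `show xlate` then lists the PAT entries and the four static port translations. The addresses 203.0.113.50 and 198.51.100.7 are documentation ranges chosen for the test, not hosts from the thread.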
