Cisco Support Community

New Member

Webservice calls

Hello,

This has been eating at me all day and I am sure I am probably overlooking something right in front of me.

I have a dmz2 and my inside LANs. I am adding ACLs to the firewall to allow a dmz2 machine to reach my inside machine on port 8080. They are unable to talk.

The inside machine is listening on port 8080 and I can ping the inside from the dmz2 machine, but I am unable to hit the web browser URL used to make the call.

Here is a snippet:

access-list dmz2_acl line 37 extended permit tcp host 192.168.2.11 host 10.1.1.22 eq www (hitcnt=0) 0x68af75b4

access-list dmz2_acl line 38 extended permit tcp host 192.168.2.11 host 10.1.1.22 eq telnet (hitcnt=0) 0xaa10742f

access-list dmz2_acl line 39 extended permit udp host 192.168.2.11 host 10.1.1.22 eq 8080 (hitcnt=0) 0x4c181596

access-list dmz2_acl line 40 extended permit tcp host 10.1.1.22 host 192.168.2.11 eq 8080 (hitcnt=0) 0x25c68faa

As you can see I have gone as far as adding the reverse ACL. 

Any help or thoughts would be appreciated!

Thanks

Accepted Solution
Super Bronze

Re: Webservice calls

Hi,

It's this configuration line:

access-list dmz2_acl extended deny ip any object-group og_ip_nat_dmz2

If you want to allow the traffic then you can use these commands:

access-list dmz2_acl line 1 remark Allow traffic from DMZ2 to internal server

access-list dmz2_acl line 2 permit tcp host <dmz2 host ip> host <inside server ip> eq 8080

This should allow the connection without removing anything from the ACL.

Notice that we enter the ACL rules with line numbers 1 and 2. This means they are at the top of the ACL.

Hope this helps

- Jouni
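As an added illustration (not part of the thread and not Cisco's code), the following Python models ASA first-match ACL evaluation with "line N" insertion, using the ACEs visible in this thread. The object-group contents and the position of the deny ahead of the OP's permits are assumptions taken from the packet-tracer output; ASA syntax beyond host/any/object-group, ip/tcp/udp and "eq" is not modelled.

```python
import ipaddress

# Constructed from the thread: og_ip_nat_dmz2 covers the inside network 10.1.0.0/16.
OBJECT_GROUPS = {"og_ip_nat_dmz2": [ipaddress.ip_network("10.1.0.0/16")]}

def parse_addr(tok, i):
    # 'host X', 'any' or 'object-group NAME' -> (list of networks, index after the clause)
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    nets = OBJECT_GROUPS[tok[i + 1]] if tok[i] == "object-group" else [ipaddress.ip_network(tok[i + 1])]
    return nets, i + 2

def parse_ace(text):
    # Subset of ASA syntax: access-list NAME [line N] [extended] {remark ... | ACTION PROTO SRC DST [eq PORT]}
    tok = [t for t in text.split() if t != "extended"]
    line = int(tok[3]) if tok[2] == "line" else None
    i = 2 if line is None else 4
    ace = {"line": line, "action": tok[i], "proto": tok[i + 1] if tok[i] != "remark" else None}
    if ace["action"] == "remark":
        return ace                                     # remarks never match traffic
    ace["src"], i = parse_addr(tok, i + 2)
    ace["dst"], i = parse_addr(tok, i)
    ace["port"] = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return ace

def add(acl, text):
    ace = parse_ace(text)
    pos = len(acl) if ace["line"] is None else ace["line"] - 1  # 'line N' inserts ahead of current line N
    acl.insert(pos, ace)

def lookup(acl, proto, src, dst, dport):
    # First match wins; nothing matched means the ASA's implicit deny at the end of the ACL.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if (any(s in net for net in ace["src"]) and any(d in net for net in ace["dst"])
                and ace["port"] in (None, dport)):
            return ace["action"], n
    return "deny", None

def thread_acl(with_fix=False):
    # The OP's ACL as reconstructed from the thread (assumed order: deny ahead of his permits).
    acl = []
    add(acl, "access-list dmz2_acl extended deny ip any object-group og_ip_nat_dmz2")
    add(acl, "access-list dmz2_acl extended permit udp host 192.168.2.11 host 10.1.1.22 eq 8080")
    if with_fix:  # Jouni's fix: remark at line 1 and permit at line 2, both ahead of the deny
        add(acl, "access-list dmz2_acl line 1 remark Allow traffic from DMZ2 to internal server")
        add(acl, "access-list dmz2_acl line 2 permit tcp host 192.168.2.11 host 10.1.1.22 eq 8080")
    return acl
```

Without the fix, lookup(thread_acl(), "tcp", "192.168.2.11", "10.1.1.22", 8080) returns ("deny", 1), the same first-match drop packet-tracer reports; with with_fix=True it returns ("permit", 2) while other ports to the inside server still hit the deny.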

5 REPLIES
Super Bronze

Webservice calls

Hi,

There are no hitcounts on the ACL you copy/pasted? Is there a previous line in the ACL that blocks the traffic?

Use the "packet-tracer" command to test the ASA configuration:

packet-tracer input dmz2 tcp <source ip> 12345 <destination ip> 8080

Share the output.

- Jouni

New Member

Webservice calls

Looks as though I have it denied somewhere:

packet-tracer input dmz2 tcp 192.168.2.11 12345 10.1.1.22 8080

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.1.0.0        255.255.0.0     inside

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network obj-10.1.0.0

nat (inside,dmz2) static 10.1.0.0 no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface inside

Untranslate 10.1.1.22/8080 to 10.1.1.22/8080

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group dmz2_acl in interface dmz2

access-list dmz2_acl extended deny ip any object-group og_ip_nat_dmz2

object-group network og_ip_nat_dmz2

network-object 10.1.0.0 255.255.0.0

Additional Information:

Result:

input-interface: dmz2

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

harrgasa#

Super Bronze

Re: Webservice calls

Hi,

Let me know if adding the rule helped or if there are any more problems with connectivity.

Otherwise please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

New Member

Re: Webservice calls

It seems as though my firewall skills need a lot of brushing up!

Thank you for the quick help!
