Cisco Support Community
New Member

asa 5510 won't pass web traffic

I have a problem with my firewall. I've followed all the information on the Cisco site about how to allow a certain set of ports, but I still cannot get to my web server on my DMZ. I have even created an ACL that allows all, but I can't get by the implicit deny ACL. I have the correct static NAT and access-group according to the Cisco site, so I'm not sure anymore. I didn't originally build this box, and I'm not a security person, so I've become quite frustrated.

16 REPLIES
Hall of Fame Super Blue

Re: asa 5510 won't pass web traffic

Hi

Could you possibly post the config.

Assuming access is from outside as an example

Web server on DMZ = 192.168.5.10

Outside interface of ASA = 195.166.71.10

static (DMZ,outside) tcp interface 80 192.168.5.10 80

access-list from_outside permit tcp any host 195.166.71.10 eq http

access-group from_outside in interface outside

The above example assumes you are Natting the private address of the web server on the DMZ to the IP address of the pix outside interface.

HTH

Jon

New Member

Re: asa 5510 won't pass web traffic

Thank you Jon

Here is the static NAT I used:

static (DMZ,outside) 69.11.97.143 192.168.2.249 netmask 255.255.255.255

The only difference from yours, but it is like the Cisco config on the Cisco web site.

I will send you my latest config

thank again!

Gold

Re: asa 5510 won't pass web traffic

clear configure access-list DMZ_access_in

access-list outside_in permit tcp any host 69.11.97.143 eq 80

access-group outside_in in interface outside

New Member

Re: asa 5510 won't pass web traffic

Thanks for your help srue.

I am now getting SYN timeouts and "Deny tcp" from DMZ to outside,

then the ASA is tearing down the TCP connections. Here is the updated config.

Gold

Re: asa 5510 won't pass web traffic

nat (DMZ) 101 0 0

in your current setup, you cannot initiate traffic from your dmz to the inside, just fyi.

New Member

Re: asa 5510 won't pass web traffic

unfortunately changing the nat statement didn't work. I thank you for your help.

I had made the change from my static NAT to nat (DMZ) 101 0 0, but it got worse. Now I'm back to getting rejected by the implicit deny. Before I replaced the DMZ NAT, at the very least I was seeing TCP SYN timeouts.

I just wanted to get the outside interface to allow web.

New Member

Re: asa 5510 won't pass web traffic

Instead of using the interface IP address, can we try to use another public IP?

If not, try these commands:

access-list DMZ_access_in extended permit tcp any interface outside eq www

static (DMZ,outside) tcp interface 80 192.168.2.249 80

New Member

Re: asa 5510 won't pass web traffic

Hello and thanks for suggestions,

Unfortunately nothing suggested has worked properly. I have reached a point where I may just try a rebuild of the system. I will keep you all informed.

New Member

Re: asa 5510 won't pass web traffic

Hello

I have attempted a rebuild of the firewall, and here is the log I now get when trying to get to the DMZ server:

connection denied from 142.165.31.5/1248 to 69.11.97.143/80 flags SYN on interface Outside.

Thanks again for the help

Hall of Fame Super Blue

Re: asa 5510 won't pass web traffic

Hi

Can you post your updated config

Jon

New Member

Re: asa 5510 won't pass web traffic

Hi

Here are my 2 latest syslog events when trying to connect to the DMZ server:

302013 142.165.31.5 69.11.97.143 Built inbound TCP connection 6059 for Outside:142.165.31.5/1541 (142.165.31.5/1541) to DMZ:69.11.97.143/80 (69.11.97.143/80)

6 Dec 05 2007 10:25:26 110003 Routing failed to locate next hop for TCP from Outside:142.165.31.5/1541 to DMZ:69.11.97.143/80.

New Member

Re: asa 5510 won't pass web traffic

Here is updated config

thanks

Hall of Fame Super Blue

Re: asa 5510 won't pass web traffic

Hi

Change

"static (DMZ,Outside) interface 69.11.97.143 netmask 255.255.255.255"

to

static (DMZ,Outside) interface 192.168.2.x netmask 255.255.255.255

where 192.168.2.x is the address of the web server.

Jon
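The two syslog lines above already show the fault Jon's correction addresses: the 302013 "Built inbound TCP connection" event lists the DMZ-side (real, un-NATted) address as 69.11.97.143, a public address, and 110003 then reports that the ASA has no route to it, because the static mapped the outside interface to the public address instead of to the web server's 192.168.2.x address. As an added example (not part of this thread, not Cisco code, and not the poster's config), the following Python script encodes the checks behind Jon's first reply (static + access-list + access-group) and his final correction: it parses pre-8.3 `static` lines, verifies the real address actually lives on the DMZ subnet, verifies that the ACL bound inbound on the outside interface permits TCP/80 to the mapped (public) address, and reads the two syslog IDs posted above. The DMZ subnet (192.168.2.0/24) and the outside interface address (69.11.97.143) are assumptions; the sample config and syslog lines are constructed from what the thread shows. On ASA 8.3 and later the `nat` syntax changed and interface ACLs match the real address instead of the mapped one, so these checks only apply to the pre-8.3 syntax used in this thread.

```python
"""Sanity checks for a pre-8.3 ASA 'static' + access-list pair that publishes a
DMZ web server, plus a reader for the two syslog IDs posted in the thread.

Added example for this thread: not Cisco code and not the poster's config.
The DMZ subnet and the outside interface address below are assumptions.
"""
import ipaddress
import re

DMZ_SUBNET = ipaddress.ip_network("192.168.2.0/24")   # assumption
OUTSIDE_IF_IP = "69.11.97.143"                        # assumption
HTTP_PORTS = {"80", "http", "www"}

# Constructed sample config: the static the poster ended up with (broken),
# Jon's correction, and srue's ACL / access-group.
BROKEN_STATIC = "static (DMZ,Outside) interface 69.11.97.143 netmask 255.255.255.255"
FIXED_STATIC = "static (DMZ,Outside) interface 192.168.2.249 netmask 255.255.255.255"
ACL_CONFIG = [
    "access-list outside_in permit tcp any host 69.11.97.143 eq 80",
    "access-group outside_in in interface Outside",
]
# Constructed copies of the two syslog events posted in the thread.
SYSLOG = [
    "302013 142.165.31.5 69.11.97.143 Built inbound TCP connection 6059 for "
    "Outside:142.165.31.5/1541 (142.165.31.5/1541) to DMZ:69.11.97.143/80 (69.11.97.143/80)",
    "6 Dec 05 2007 10:25:26 110003 Routing failed to locate next hop for TCP from "
    "Outside:142.165.31.5/1541 to DMZ:69.11.97.143/80.",
]

ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended )?permit tcp any "
    r"(?:host (?P<host>\S+)|interface (?P<ifname>\w+)) eq (?P<port>\S+)$")
AG_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifname>\w+)$")
# 302013 prints 'iface:real/port (mapped/port)' for each side of the connection.
BUILT_RE = re.compile(
    r"302013 .*Built inbound TCP connection \d+ for \w+:[\d.]+/\d+ \([\d.]+/\d+\) "
    r"to (?P<iif>\w+):(?P<real>[\d.]+)/\d+ \((?P<mapped>[\d.]+)/\d+\)")


def parse_static(line):
    """Parse 'static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport]
    [netmask m]' into a dict (pre-8.3 syntax; the netmask is ignored)."""
    toks = line.split()
    if len(toks) < 4 or toks[0] != "static":
        raise ValueError(f"not a static statement: {line!r}")
    real_if, mapped_if = toks[1].strip("()").split(",")
    i, proto = 2, None
    if toks[i] in ("tcp", "udp"):
        proto, i = toks[i], i + 1
    mapped, i = toks[i], i + 1          # public address or the word 'interface'
    mapped_port = None
    if proto:
        mapped_port, i = toks[i], i + 1
    real, i = toks[i], i + 1            # address the packet is un-NATted to
    real_port = toks[i] if proto else None
    return {"real_if": real_if, "mapped_if": mapped_if, "proto": proto,
            "mapped": mapped, "mapped_port": mapped_port,
            "real": real, "real_port": real_port}


def check_static(line, real_subnet=DMZ_SUBNET, outside_ip=OUTSIDE_IF_IP):
    """Return (mapped_ip, findings). Empty findings means the static maps a
    public address onto a host that really lives on the real interface."""
    s = parse_static(line)
    real = ipaddress.ip_address(s["real"])
    mapped = ipaddress.ip_address(outside_ip if s["mapped"] == "interface" else s["mapped"])
    findings = []
    if real not in real_subnet:
        findings.append(
            f"real address {real} is not in {real_subnet}: inbound packets are "
            f"un-NATted to {real}, which the ASA cannot route out {s['real_if']} "
            "(this is what syslog 110003 reports)")
    if real == mapped:
        findings.append("real and mapped addresses are identical: nothing is translated")
    return str(mapped), findings


def check_acl(config_lines, mapped_ip, mapped_if, real_ip):
    """Check that an ACL bound inbound on mapped_if permits TCP/80 to the MAPPED
    address: pre-8.3 ASAs evaluate the outside ACL against the public address."""
    bound = {m["name"]: m["ifname"] for m in map(AG_RE.match, config_lines) if m}
    acl = next((n for n, i in bound.items() if i.lower() == mapped_if.lower()), None)
    if acl is None:
        return [f"no access-group bound inbound on {mapped_if}: the implicit deny drops everything"]
    findings, permitted = [], False
    for m in filter(None, map(ACE_RE.match, config_lines)):
        if m["name"] != acl or m["port"] not in HTTP_PORTS:
            continue
        if m["host"] == real_ip:
            findings.append(f"{acl} permits the real address {real_ip}; the ACL is "
                            f"matched against the mapped address {mapped_ip}")
        elif m["host"] == mapped_ip or (m["ifname"] or "").lower() == mapped_if.lower():
            permitted = True
    if not permitted:
        findings.append(f"{acl} has no 'permit tcp any host {mapped_ip} eq 80': "
                        "the implicit deny at the end applies")
    return findings


def explain_syslog(lines, real_subnet=DMZ_SUBNET):
    """Flag 302013 events whose un-NATted destination is not on the real
    interface's subnet, and pair them with 110003 routing failures."""
    out = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m and ipaddress.ip_address(m["real"]) not in real_subnet:
            out.append(f"302013: {m['mapped']} was un-NATted to {m['real']} on "
                       f"{m['iif']}, which is not in {real_subnet}: the static's real address is wrong")
        elif " 110003 " in line and "Routing failed to locate next hop" in line:
            out.append("110003: no route for the un-NATted packet; fix the static's "
                       "real address or the route to it")
    return out


if __name__ == "__main__":
    for label, static in (("broken", BROKEN_STATIC), ("fixed", FIXED_STATIC)):
        mapped, findings = check_static(static)
        print(label, static, "->", findings or "OK")
        print("  ACL:", check_acl(ACL_CONFIG, mapped, "Outside", "192.168.2.249") or "OK")
    for note in explain_syslog(SYSLOG):
        print(note)
```

Running it reports two findings for the broken static (the real address is off-subnet, and it equals the mapped address so nothing is translated), none for the corrected one, and pairs the 302013 and 110003 lines with the explanation above. The same functions accept Jon's first example (`static (DMZ,outside) tcp interface 80 192.168.5.10 80` with a 192.168.5.0/24 DMZ and outside address 195.166.71.10) and pass it.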

New Member

Re: asa 5510 won't pass web traffic

Hi Jon

I have made the change; still not working.

New Member

Re: asa 5510 won't pass web traffic

Found the problem. Not the firewall; routing is suspect.

Thanks everyone for your help.
