  • Problem with setting ASA 5505 to allow port response

    Hi

    My situation is this. I have a server with SBS 2003 which I want to host a website. My ISP provided me with:
    external IP A.A.A.A
    gateway IP B.B.B.B
    network mask 255.255.255.240
    dns1 85.255.114.52
    dns2 85.255.112.12

    When I connected it without the Cisco ASA 5505 in the way, configuring the server network card with the above parameters (not very wise, but for reference material), everything worked fine (that is, I was able to get to the website under the external IP). With the Cisco ASA 5505 in the way, however, it doesn't work anymore. I believe it is due to the default port blocking, thus I was trying to resolve that issue, allowing for example only port 80 to be visible for a start.
    Following the discussion here, I adjusted my settings as much as I could to resolve the problem, with no success however.
    This is my running config

    Code:
    : Saved
    :
    ASA Version 7.2(3) 
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password **************** encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address A.A.A.A 255.255.255.240 
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd **************** encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    access-list outside_access_in extended permit tcp any any eq www 
    access-list outside_access_in_1 extended permit tcp any eq www host A.A.A.A eq www 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 B.B.B.B 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd dns 85.255.114.52 85.255.112.12 interface inside
    dhcpd update dns both override interface inside
    dhcpd enable inside
    !
    
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny 
      inspect sunrpc 
      inspect xdmcp 
      inspect sip 
      inspect netbios 
      inspect tftp 
    !
    service-policy global_policy global
    prompt hostname context 
    Cryptochecksum:94756fabf0a9b60163b2320ebc756664
    : end
    asdm image disk0:/asdm-523.bin
    no asdm history enable

    Under this configuration I have a website connection and I can browse the internet freely, but port 80 is still not responding. Also, 192.168.1.2 is my server address. I have also checked whether port 80 is open on the server, and it is open and listening.

    If you could point out what is wrong in this config or give me any advice at all I would be most grateful. Of course, if anything is unclear in this description don't hesitate to ask for more info.

    Thanks
    Last edited by kruczer; 29th April 2009, 10:50.

  • #2
    Re: Problem with setting ASA 5505 to allow port response

    Hi kruczer,

    Looking at your config you have the access-list:
    access-list outside_access_in_1 extended permit tcp any eq www host A.A.A.A eq www

    First re-write the access list as:
    access-list outside_access_in_1 extended permit tcp any host 192.168.1.2 eq www

    Make sure that the access-list is applied to the outside interface (when removing the last rule in an ACL it removes it from the interface).

    Seeing that you have a /28 you should be able to use an extra IP, so I would try to simplify your static NAT statement:

    try static (inside,outside) C.C.C.C 192.168.1.2 netmask 255.255.255.255


    or

    You can do the following:

    nat (inside) 2 192.168.1.2 192.168.1.2
    global (outside) 2 C.C.C.C


    That way you can just use ACLs to control what traffic is allowed to the server.

    Try those things and let us know what the results are. Also if you are using ASDM there is a feature called packet tracer to simulate the traffic you are trying to allow. You can use that to figure out where exactly the packet would drop as if it was live packets crossing the ASA.
    Last edited by ryansmitty; 29th April 2009, 18:49. Reason: typo

    • #3
      Re: Problem with setting ASA 5505 to allow port response

      There are two access-lists shown in your config but only one is actually doing anything.

      Code:
      access-list outside_access_in extended permit tcp any any eq www 
      access-list outside_access_in_1 extended permit tcp any eq www host A.A.A.A eq www 
      access-group outside_access_in_1 in interface outside

      The access-group command binds the access-list to an interface, so since the access-group command here references the "outside_access_in_1" ACL, the other isn't being used.

      The "outside_access_in_1" ACL is actually saying:
      allow source WWW to destination WWW, which isn't how web server access works for this scenario. You need to allow source any (well, actually random high ports) to destination WWW. So try this one instead:

      Code:
      access-list outside_access_in permit tcp any host A.A.A.A eq www
      access-group outside_access_in in interface outside

      Your static command is already set up correctly for this to work.

      Also I can see your DHCP is set to give out the 1.2 address which you may want to set statically on the host? If this is also a windows domain you may have internal DNS servers too.

      Code:
      dhcpd address 192.168.1.2-192.168.1.129 inside
      dhcpd dns 85.255.114.52 85.255.112.12 interface inside

      cheers
      Andy

      Quis custodiet ipsos custodes?
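      The two mistakes Andy points out (an ACL that is defined but never bound with access-group, and an ACE that restricts the source port) are easy to check mechanically. The following is an added example, not code from this thread or from Cisco: a small Python lint that parses access-list and access-group lines in ASA 7.x syntax and reports both problems. The sample configs are constructed from the lines of the original post (the A.A.A.A placeholder is kept); everything else is assumed for illustration.

```python
"""Lint an ASA 7.x style running-config for the two ACL mistakes raised in this
thread: an access-list that is defined but never bound with access-group, and an
ACE that restricts the *source* port, which a browser's random high port never
matches.  Added example; it is not the forum's or Cisco's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample reproducing the relevant lines of the original post.
BROKEN_CONFIG = """\
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in_1 extended permit tcp any eq www host A.A.A.A eq www
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
"""

# Constructed sample with the suggested ACL and binding applied.
FIXED_CONFIG = """\
access-list outside_access_in permit tcp any host A.A.A.A eq www
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src_port: Optional[str]   # e.g. "eq www"; None when unrestricted
    dst_port: Optional[str]
    text: str


def _skip_addr(tokens: List[str], i: int) -> int:
    """Advance past one address spec: 'any', 'host X', or 'X MASK'."""
    if tokens[i].startswith("any"):
        return i + 1
    return i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port operator ('eq www', 'range 1 100')."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        width = 3 if tokens[i] == "range" else 2
        return " ".join(tokens[i:i + width]), i + width
    return None, i


def _parse_ace(tokens: List[str]) -> Optional[Ace]:
    """Parse one 'access-list NAME [extended] ACTION PROTO SRC [PORT] DST [PORT]' line."""
    name, i = tokens[1], 2
    if tokens[i] in ("remark", "standard"):
        return None                 # comments and standard ACLs carry no ports
    if tokens[i] == "extended":
        i += 1                      # the ASA adds this keyword automatically
    action, proto, i = tokens[i], tokens[i + 1], i + 2
    i = _skip_addr(tokens, i)
    src_port, i = _take_port(tokens, i)
    i = _skip_addr(tokens, i)
    dst_port, _ = _take_port(tokens, i)
    return Ace(name, action, proto, src_port, dst_port, " ".join(tokens))


def parse_config(text: str) -> Tuple[List[Ace], Dict[str, str]]:
    """Return all ACEs and a map of ACL name -> interface it is bound to."""
    aces, bound = [], {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 2 and t[0] == "access-list":
            ace = _parse_ace(t)
            if ace:
                aces.append(ace)
        elif len(t) >= 5 and t[0] == "access-group":
            bound[t[1]] = t[4]      # access-group NAME in interface IFACE
    return aces, bound


def lint(text: str) -> List[str]:
    """Findings, one string each; an empty list means the config passes."""
    aces, bound = parse_config(text)
    findings = []
    for name in sorted({a.acl for a in aces} - set(bound)):
        findings.append(f"acl {name} is defined but not applied with access-group")
    for a in aces:
        if a.src_port is not None:
            findings.append(f"acl {a.acl} restricts the source port ({a.src_port}); "
                            "clients connect from random high ports: " + a.text)
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["no findings"])
```

      Run against the poster's lines it reports both issues; against the corrected lines it reports nothing. The lint deliberately checks only the two problems discussed here and does not try to evaluate NAT order or address translation.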

      • #4
        Re: Problem with setting ASA 5505 to allow port response

        It's alive at last!

        Thanks for the effort and the additional info. It will surely help me in further ASA adventures. And yes, the DHCP is now off, it was for 'training purposes'.

        Cheers and once again thanks

        • #5
          Re: Problem with setting ASA 5505 to allow port response

          Hi kruczer,

          I am glad that it is now working. What was your fix to get it going?

          Ryan
