Can't access internal web server from outside through ASA 5505
  • #1

    Hi everyone,
    Can anybody please help me out with my ASA 5505 configuration? I have made several attempts at getting VPN working for external users to access our internal web server, but none of my efforts seems to be giving a positive result. I resorted to this solution: leaving the server on the inside network and permitting only HTTP access to it from the internet, but this also does not seem to be working.

    I have created a static NAT that maps the private address of the server, 192.168.0.1, to the public address from our ISP (the same address assigned to the outside interface) and created an ACL entry for HTTP inflow to both the public and the private address of the server.

    Here is the sh run from the CLI:

    ASA Version 7.2(4)
    !
    hostname ASA
    domain-name asa.com
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.0.1 WEB_SERVER_private
    name 1.2.3.4 WEB_SERVER_public
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.21 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address WEB_SERVER_public 255.255.255.192
    !
    interface Vlan3
     shutdown
     no forward interface Vlan1
     nameif dmz
     security-level 50
     no ip address
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    !
    time-range 12noon-to-11pm
     periodic daily 12:00 to 23:00
    !
    time-range 4pm-to-11pm
     periodic daily 16:00 to 23:00
    !
    time-range 8am-to-4pm
     periodic daily 8:00 to 16:00
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
     domain-name ORG-gateway.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network ACCOUNT1-PCs
     network-object host 192.168.0.27
     network-object host 192.168.0.34
    object-group network ACCOUNT2-PCs
     network-object host 192.168.0.28
     network-object host 192.168.0.31
     network-object host 192.168.0.32
     network-object host 192.168.0.33
    object-group network ADIMN
     network-object host 192.168.0.48
    object-group network MARKETING-PCs
     description Collection of IP addresses asigned to marketing workstations
     network-object host 192.168.0.61
     network-object host 192.168.0.62
     network-object host 192.168.0.95
     network-object host 192.168.0.96
     network-object host 192.168.0.98
     network-object host 192.168.0.99
    object-group network WRITER1
     network-object host 192.168.0.36
     network-object host 192.168.0.37
    object-group network WRITER2
     network-object host 192.168.0.40
     network-object host 192.168.0.42
     network-object host 192.168.0.43
     network-object host 192.168.0.44
    object-group network DM_INLINE_NETWORK_1
     group-object ACCOUNT2-PCs
     group-object ADIMN
     group-object MARKETING-PCs
     group-object WRITER1
     group-object WRITER2
    access-list outside_access_in extended permit tcp any host WEB_SERVER_public eq www log disable
    access-list ORG-GROUP_splitTunnelAcl standard permit any
    access-list outside_access_out extended deny ip object-group ACCOUNT1-PCs any time-range 12noon-to-11pm
    access-list outside_access_out extended deny ip object-group DM_INLINE_NETWORK_1 any time-range 8am-to-4pm
    access-list outside_access_out extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface www WEB_SERVER_private www netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 41.75.199.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.0.100-192.168.0.130 inside
    dhcpd dns 217.117.0.35 217.117.15.106 interface inside
    dhcpd domain ORG.com interface inside
    dhcpd enable inside
    !

    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    username ORG password Q/zjZIOUziicgEHF encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:2c346952ea323d330a9a49ff8619b6ff
    : end
    asdm image disk0:/asdm-524.bin
    no asdm history enable



    I don't know what can be wrong here.
    Last edited by paulino; 12th July 2011, 18:36.

  • #2
    Re: Can't access internal web server from outside through ASA 5505

    From a configuration standpoint... I do not see anything wrong with the inside->outside or outside->inside traffic flow part of your configuration. This part of the configuration should be working. Are you sure the time-based ACLs are not "inactive" when you test?

    On the VPN side... the crypto-map configuration looks correct, but the associated group-policy, tunnel-group and NAT exclusion definitions are missing.

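An added example, not part of the thread and not Cisco tooling, that works through the two points made above in code: what the original post describes (a port-level static to the outside interface address plus an inbound ACE written against the public address) and scowles' question about whether the time-based ACEs are active at the moment of the test. The Python below parses a constructed excerpt of the posted sh run and walks a new connection the way an ASA 7.2 does: static translation first, then the interface ACL evaluated against the mapped (public) address, skipping any ACE whose time-range is inactive at the given clock time. The test addresses 203.0.113.5 and 198.51.100.10 and the clock times are assumptions; the parser only understands the ACE forms that appear in the post.

```python
from datetime import time
# Constructed excerpt of the posted 'sh run' (only the lines this check reads).
CONFIG = """
name 192.168.0.1 WEB_SERVER_private
name 1.2.3.4 WEB_SERVER_public
interface Vlan2
 nameif outside
 ip address WEB_SERVER_public 255.255.255.192
time-range 12noon-to-11pm
 periodic daily 12:00 to 23:00
object-group network ACCOUNT1-PCs
 network-object host 192.168.0.27
 network-object host 192.168.0.34
access-list outside_access_in extended permit tcp any host WEB_SERVER_public eq www log disable
access-list outside_access_out extended deny ip object-group ACCOUNT1-PCs any time-range 12noon-to-11pm
access-list outside_access_out extended permit ip any any
static (inside,outside) tcp interface www WEB_SERVER_private www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
"""

def port(tok):
    return 80 if tok == "www" else int(tok)     # 'www' is the only port keyword used in the post

def resolve(cfg, tok):
    return cfg["names"].get(tok, tok)           # 'name' alias -> address; literal addresses pass through

def parse_ace(w):
    """w = [permit|deny, proto, src, dst, options]; src/dst are 'any', 'host X' or 'object-group G'."""
    ace = {"action": w[0], "proto": w[1], "dport": None, "time_range": None}
    i = 2
    for side in ("src", "dst"):
        ace[side], i = (("any", None), i + 1) if w[i] == "any" else ((w[i], w[i + 1]), i + 2)
    while i < len(w):                           # trailing options: 'eq www', 'time-range N', 'log disable'
        if w[i] == "eq":
            ace["dport"] = port(w[i + 1])
        elif w[i] == "time-range":
            ace["time_range"] = w[i + 1]
        i += 1
    return ace

def parse_config(text):
    cfg = {"names": {}, "if_ip": {}, "time_ranges": {}, "groups": {}, "acls": {}, "statics": [], "access_groups": {}}
    block = ifname = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "name":                                  # name <ip> <alias>
            cfg["names"][w[2]] = w[1]
        elif w[0] == "nameif":
            ifname = w[1]
        elif w[:2] == ["ip", "address"] and ifname:
            cfg["if_ip"][ifname] = resolve(cfg, w[2])
        elif w[0] == "time-range":
            block = cfg["time_ranges"].setdefault(w[1], [])
        elif w[0] == "periodic":                            # periodic daily HH:MM to HH:MM
            block.append((time.fromisoformat(w[2].zfill(5)), time.fromisoformat(w[4].zfill(5))))
        elif w[:2] == ["object-group", "network"]:
            block = cfg["groups"].setdefault(w[2], [])
        elif w[0] == "network-object":                      # network-object host <ip>
            block.append(w[2])
        elif w[0] == "access-list" and w[2] == "extended":
            cfg["acls"].setdefault(w[1], []).append(parse_ace(w[3:]))
        elif w[0] == "static" and w[2] in ("tcp", "udp"):   # port-level static, i.e. a port forward
            cfg["statics"].append({"mapped_if": w[1].strip("()").split(",")[1], "proto": w[2],
                                   "mapped": w[3], "mport": port(w[4]), "real": w[5], "rport": port(w[6])})
        elif w[0] == "access-group":                        # access-group <acl> in|out interface <if>
            cfg["access_groups"][(w[4], w[2])] = w[1]
    return cfg

def match_addr(cfg, spec, ip):
    kind, val = spec
    if kind == "any":
        return True
    hosts = cfg["groups"][val] if kind == "object-group" else [val]
    return any(resolve(cfg, h) == ip for h in hosts)

def time_range_active(cfg, name, now):
    return any(start <= now <= end for start, end in cfg["time_ranges"][name])

def acl_decision(cfg, acl, proto, src, dst, dport, now):
    """First matching ACE wins; an ACE whose time-range is inactive is skipped; no match is the implicit deny."""
    for idx, ace in enumerate(cfg["acls"].get(acl, [])):
        if (ace["proto"] in ("ip", proto) and ace["dport"] in (None, dport)
                and match_addr(cfg, ace["src"], src) and match_addr(cfg, ace["dst"], dst)
                and (not ace["time_range"] or time_range_active(cfg, ace["time_range"], now))):
            return ace["action"], idx
    return "deny", None

def inbound_check(cfg, dst_ip, dport, now, src_ip="203.0.113.5"):
    """A new TCP connection arriving on 'outside': the static is consulted first, then the inbound ACL."""
    for s in cfg["statics"]:
        mapped_ip = cfg["if_ip"][s["mapped_if"]] if s["mapped"] == "interface" else resolve(cfg, s["mapped"])
        if s["proto"] == "tcp" and mapped_ip == dst_ip and s["mport"] == dport:
            break
    else:
        return None, "deny"                     # no static: dropped before any ACL is consulted
    acl = cfg["access_groups"][(s["mapped_if"], "in")]   # pre-8.3: ACL is matched on the public address
    action, _ = acl_decision(cfg, acl, "tcp", src_ip, dst_ip, dport, now)
    return (resolve(cfg, s["real"]), s["rport"]), action
```

With cfg = parse_config(CONFIG), inbound_check(cfg, "1.2.3.4", 80, time(13, 0)) returns (("192.168.0.1", 80), "permit"): the flow is translated by the static and permitted by outside_access_in, which is the result the configuration alone predicts. acl_decision(cfg, "outside_access_out", "tcp", "192.168.0.27", ...) flips between "deny" at 13:00 and "permit" at 09:00, while the same call for 192.168.0.1 is permitted at any hour: the time-range denies match only the listed inside hosts as source, so they do not touch a new inbound connection to the web server. On the ASA itself, packet-tracer input outside tcp 203.0.113.5 12345 1.2.3.4 80 performs this walk against the live tables, and show xlate confirms the static is installed. Two caveats: the mapped-address convention is pre-8.3 (from 8.3 onward an inbound ACL names the real address), and the posted transform set and ISAKMP policy use DES, which anything rebuilt for the VPN should replace with AES.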


    • #3
      Re: Can't access internal web server from outside through ASA 5505

      Thanks scowles,

      I gave up on the VPN after several attempts trying all possible permutations of the available options for the remote VPN connection, so I must have taken away some of the VPN entries while trying to resolve access to the web server.

      I have gone a step further and added a permit any any rule to the inflow and outflow of both the inside and the outside interface, but the result still remains the same. Could this be a problem with the IOS on the ASA?
