HOW TO Allow HTTPS through ASAv

Thien are Margo — Sun, 19 May 2024 03:28:01 GMT

Hi, i have topology and i want connect to google.com via browser (Https) . Although i can ping ICMP to google.com but my browser (Win7 VMware virtural machine) can't access. please help me !

ASA Version 9.9(2)
!
terminal width 511
hostname ASA1
domain-name thien.vn
enable password $sha512$5000$uDk98HhXLXO7G1C0xFYfjQ==$lZBdEx9gG70IhJ/aOWpBIw== pbkdf2
names

!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 4.0.0.254 255.0.0.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 8.0.0.254 255.0.0.0
!
interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 3.0.0.254 255.0.0.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
nameif inside1
security-level 100
ip address dhcp
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.27.2
name-server 8.8.8.8
domain-name thien.vn
object network OUT_REAL
host 3.0.0.2
object network DMZ
host 4.0.0.10
object network INSIDE
host 8.0.0.10
object network DMZ_REAL
host 4.0.0.1
object network OUT
host 3.0.0.10
object network INSIDE_REAL
host 8.0.0.1
access-list PING extended permit ip any any
access-list PING extended permit icmp any any
access-list PING extended permit tcp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list dmz extended permit tcp any any
pager lines 23
mtu DMZ 1500
mtu inside 1500
mtu outside 1500
mtu inside1 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (outside,DMZ) source static OUT_REAL DMZ
nat (outside,inside) source static OUT_REAL INSIDE
nat (DMZ,outside) source static DMZ_REAL OUT
nat (inside,outside) source static INSIDE_REAL OUT
access-group dmz in interface DMZ
access-group PING in interface outside
route outside 0.0.0.0 0.0.0.0 3.0.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside1
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside1
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
console serial
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username thien password $sha512$5000$jHVviBsVGJrW/16aaGLmjg==$91jqJnATDbeT3o1fDGefRA== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
inspect icmp error
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:61e1e0d10f4e47892b05dbcbb6c8b0b6
: end

Re: HOW TO Allow HTTPS through ASAv

Thien are Margo — Sun, 19 May 2024 03:30:26 GMT

I am 4 year student, i am newbie

Re: HOW TO Allow HTTPS through ASAv

balaji.bandi — Sun, 19 May 2024 08:57:37 GMT

First of all why you need PC to in DMZ ? any reason ? Always user PC should be inside ?

Do you have any ACL in the DMZ Router mentioned in the diagram ?

i do not see any ACL (high level in your config)

check below configuration to help you :

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html#anc7

Re: HOW TO Allow HTTPS through ASAv

MHM Cisco World — Sun, 19 May 2024 09:10:39 GMT

You need only dynamic NAT form DMZ to OUT

Also you need in user to specify DNS server 8.8.8.8

MHM

Re: HOW TO Allow HTTPS through ASAv

Thien are Margo — Sun, 19 May 2024 12:46:31 GMT

Sorry Balaji.Bandi, i forget show all my topology

So, you can see i want config PC in DMZ to server web local. it help client in LAN connect to DMZ website.

This topology is a graduation project applying network automation to system monitoring (ASA). But i don't have any idea. I want monitor packet http via Asa from PC in CLIENT. Do you think it possible?

Re: HOW TO Allow HTTPS through ASAv

Thien are Margo — Sun, 19 May 2024 12:57:56 GMT

I have static NAT from DMZ to OUT and opposite. I use Dns name-server 192.168.27.2 ( this is wins server of adapter net8 have NAT in VMware) and it pull off. Now i can access to internet. But i have some new question under post. I hope you could read it.

Thank MHM

Re: HOW TO Allow HTTPS through ASAv

balaji.bandi — Sun, 19 May 2024 18:59:34 GMT

Everything is possible in the technology, but doing right thing is always best practice.

But your Server in Inside, Generally we put services in DMZ for semi-trusted.

https://en.wikipedia.org/wiki/DMZ_(computing)

topic Re: HOW TO Allow HTTPS through ASAv in Web Security

HOW TO Allow HTTPS through ASAv

Re: HOW TO Allow HTTPS through ASAv

Re: HOW TO Allow HTTPS through ASAv

Re: HOW TO Allow HTTPS through ASAv

Re: HOW TO Allow HTTPS through ASAv

Re: HOW TO Allow HTTPS through ASAv

Re: HOW TO Allow HTTPS through ASAv