topic Re: Why can't I reach internal Web Server from outside asa 9.8(2)? in Network Security

Why can't I reach internal Web Server from outside asa 9.8(2)?

davidzw98 — Sat, 10 Sep 2022 03:53:02 GMT

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.3 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif dmz
security-level 50
ip address 192.168.101.225 255.255.255.0
!
ftp mode passive
object network WWW-EXT
host x.x.x.7
object network WWW-INT
host 192.168.101.225
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network WWW-INT
nat (dmz,outside) static WWW-EXT service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.8 1

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

Kasun Bandara — Sat, 10 Sep 2022 04:00:51 GMT

i guess there can be a missing ACLs. check below for sample

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

Asmat Sulaiman — Sat, 10 Sep 2022 06:12:40 GMT

Hi, you can use asa packet tracer tool to understand the packet flow, nat,acl, egress iface. also check "show xlate local 192.168.101.225" if that show correct translation.

if you use ssh, "packet-tracer outside input tcp 1.1.1.1 111 x.x.x.3 443 detail" will provide more info such as NAT, acl. hope this help.

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

MHM Cisco World — Sat, 10 Sep 2022 11:41:02 GMT

Sorry I now see it, You already have static NAT.

Just check the NAT order with

Show nat

I think static come after dynamic

If yes

Only add

1 in static nat to push it up.

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

Rob Ingram — Sat, 10 Sep 2022 11:20:50 GMT

@davidzw98 you've defined the IP address of the webserver host object WWW-INT used in the ACL and NAT, as the IP address of the DMZ interface IP address.....which would not work.

interface GigabitEthernet1/4
nameif dmz
security-level 50
ip address 192.168.101.225 255.255.255.0
!
object network WWW-INT
host 192.168.101.225

Change the WWW-INT object IP address to the real IP address of the webserver in the DMZ.

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

davidzw98 — Sat, 10 Sep 2022 14:23:06 GMT

Thank you for everyone, this is fix, but still not work.
(packet tracer going out from WEB SERVER to internet is ok.)

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.3 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif dmz
security-level 50
ip address 192.168.101.1 255.255.255.0
!
ftp mode passive
object network WWW-EXT
host x.x.x.7
object network WWW-INT
host 192.168.101.225
object network dns-server
host 192.168.1.53
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network WWW-INT
nat (dmz,outside) static WWW-EXT service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.8 1

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

MHM Cisco World — Sat, 10 Sep 2022 14:27:25 GMT

there are different between show nat and show run nat
can you share the output of both

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

davidzw98 — Sat, 10 Sep 2022 14:36:00 GMT

ciscoasa(config)#

ciscoasa(config)# sh nat

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static WWW-INT WWW-EXT service tcp www www

translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)

1 (inside) to (outside) source dynamic any interface

translate_hits = 726, untranslate_hits = 1

ciscoasa(config)#

ciscoasa(config)# show run nat

object network WWW-INT

nat (dmz,outside) static WWW-EXT service tcp www www

nat (inside,outside) after-auto source dynamic any interface

ciscoasa(config)#

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

Rob Ingram — Sat, 10 Sep 2022 15:13:19 GMT

@davidzw98 you've specified the wrong interface in packet-tracer, the source interface would be "OUTSIDE" not "DMZ" - hence the drop. The DMZ interface is the destination interface. Also use the NAT IP address (WWW-EXT) as the destination in packet-tracer not the real IP address.

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

davidzw98 — Sat, 10 Sep 2022 15:29:05 GMT

Ok, thank you for pointing my mistakes. Why can't I open 107.130.54.77 ? if it point to 192.168.101.225, it has APACHE running.

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

Rob Ingram — Sat, 10 Sep 2022 15:33:50 GMT

@davidzw98 well that output indicates the ASA configuration is ok, so perhaps check the actual server.

Does the server running apache have a default gateway of the ASA?

Is there a local firewall on the server running apache that could be blocking external access? If so reconfigure it or disable it.

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

davidzw98 — Sat, 10 Sep 2022 16:27:53 GMT

It is in 101 zone, so I use 192.168.101.1 as defaultrouter.

do you means use ASA's 192.168.1.1 or ISP's gateway?

I can open Apache from inside zone 192.168.1.* by opening 192.168.101.225

Thank you!

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

Rob Ingram — Sat, 10 Sep 2022 16:39:06 GMT

@davidzw98 that sounds fine then, just checking the DMZ interface of 192.168.101.1 would need to be configured as the default gateway of the server.

Why open it from the inside zone/network? You said you want to allow access from the outside.

TCP/80 needs to be open on the server firewall from any IP address if you want to connect to the apache server from the internet.

For testing disable the firewall on the server and test connectivity from the internet to prove the ASA is working.

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

davidzw98 — Sat, 10 Sep 2022 16:43:31 GMT

>Why open it from the inside zone/network?

just to check if apache24 is running.

I think server firewall is not an issue, it can host PDF file on internet without ASA.

Thank you!

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

Rob Ingram — Sat, 10 Sep 2022 17:01:45 GMT

@davidzw98 The packet-tracer confirms it should work now, so what else do you have in your environment that could be causing an issue?

Regardless if you don't think disabling the local server firewall will be an issue, test it to confirm.

Take a packet capture on the server to confirm whether packets even reach the server from the internet.

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

davidzw98 — Sat, 10 Sep 2022 17:09:46 GMT

This is what I got:

ciscoasa#

ciscoasa# packet-tracer input outside tcp 204.79.197.212 12345 107.130.54.77 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network WWW-INT

nat (dmz,outside) static WWW-EXT service tcp www www

Additional Information:

NAT divert to egress interface dmz

Untranslate 107.130.54.77/80 to 192.168.101.225/80

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OUTSIDE in interface outside

access-list OUTSIDE extended permit tcp any object WWW-INT eq www

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network WWW-INT

nat (dmz,outside) static WWW-EXT service tcp www www

Additional Information:

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 3637, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: allow

ciscoasa# packet-tracer input outside tcp 204.79.197.212 12345 192.168.101.225 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 192.168.101.225 using egress ifc dmz

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OUTSIDE in interface outside

access-list OUTSIDE extended permit tcp any object WWW-INT eq www

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network WWW-INT

nat (dmz,outside) static WWW-EXT service tcp www www

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

Rob Ingram — Sat, 10 Sep 2022 17:21:00 GMT

@davidzw98 thats a packet tracer output not the requested packet capture. Regardless, the first packet-tracer you using the correct destination IP address and therefore the result is allow, but the second packet-tracer you are using incorrect destination IP address. In packet-tracer you don't specify the destination as the real IP address if using NAT.

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

davidzw98 — Sat, 10 Sep 2022 17:26:28 GMT

OK. Thank you! I will try to see if I can figure out.

At mean time, just let you know ,

I bought this ASA5508 from ebay brand new. Is it something internally not allow me to use it?

Haven't registered PAK and PIN, don't know how to do it.

eBay item number:193807253089

New message from: cnedirect
Hello

Unfortunately this is not something we could help with,
I will mention we have sold roughly 500 of these and never had any issues
with the buyers having problems with this. Unfortunately we do not have
any Cisco experts on staff and don't specialize in Cisco,
we get Cisco overstock product from time to time.

Thank You

Re: Why can't I reach internal Web Server from outside asa 9.8(2)?

MHM Cisco World — Sat, 10 Sep 2022 18:49:13 GMT

ciscoasa(config)# sh nat

Auto NAT Policies (Section 2)

1 (dmz) to (outside) source static WWW-INT WWW-EXT service tcp www www

translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)

1 (inside) to (outside) source dynamic any interface

translate_hits = 726, untranslate_hits = 1

the hit is zero for both direction