topic Re: How can we allow Internal network to access external web? in Network Security

How can we allow Internal network to access external web?

Beginnerrr — Tue, 12 Dec 2023 16:32:13 GMT

Hi All,

I am configuring the Cisco ASA to allow the Internal network to access external web which is run by the router at Cisco B as shown in the diagram below. I run the web server from the router using ip http server.
interface g0/0

ip address 192.168.50.1 255.255.255.0

nameif inside

security-level 100

interface g0/1

ip address 192.168.20.1 255.255.255.252

nameif outside

security-level 0

ip route outside 0.0.0.0 0.0.0.0 192.168.20.2

object-group internal-network

subnet 192.168.50.0 255.255.255.0

nat (inside,outside) static interface

object-group external

subnet 209.170.200.224 255.255.255.252

access-list inside_external extended permit tcp object-group internal-network object-group external eq http

access-group inside_external in interface inside

Router B

ip http server

access-list 12 permit any

ip http access-class 12
ip http authentication local

username cisco privilege 15 secret cisco

I tried running the external IP, 209.170.200.225 on the web browser and it is not showing the web server.
Please kindly assist.

Re: How can we allow Internal network to access external web?

Rob Ingram — Tue, 12 Dec 2023 16:27:29 GMT

@Beginnerrr ACL 12 on router B is incorrect, traffic will be natted behind the ASA outside interface (192.168.20.1), so traffic will not come from the internal network. For testing remove the ACL and try again, then apply the ACL with the correct network/host.

Also is routing setup on the routers and ASA, so they know how to communicate with each other? Make sure the ASA can ping 209.170.200.225.

Re: How can we allow Internal network to access external web?

Beginnerrr — Tue, 12 Dec 2023 16:33:56 GMT

@Rob Ingram ,

I have recorrect-ed access-list 12 and allow any host to access.

Yes routing is set up on the routers and ASA. They are configured as 0.0.0.0 0.0.0.0 to the next hop interface.
ASA can ping 209.170.200.225.
Is the NAT configuration wrong?

Re: How can we allow Internal network to access external web?

Rob Ingram — Tue, 12 Dec 2023 18:24:57 GMT

@Beginnerrr tweak the NAT as below

object network internal-network
 subnet 192.168.50.0 255.255.255.0
 nat (inside,outside) dynamic interface

If that doesn't work run packet-tracer from the CLI of the ASA to simulate the traffic flow, example:

packet-tacer input inside tcp 192.168.50.5 3000 209.170.200.225 80

Re: How can we allow Internal network to access external web?

Beginnerrr — Tue, 12 Dec 2023 18:12:29 GMT

@Rob Ingram ,

It did not work when I accessed the web ip from the browser. 209.170.200.225

the command you provide is not applicable for the NAT

I typed this command, nat (inside,outside) after-auto source dynamic any interface

the output of the packet-tracer is down below.

packet-tacer input inside tcp 192.168.50.5 3000 209.170.200.225 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.20.2 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_external in interface inside
access-list inside_external extended permit tcp object-group internal-network object-group external eq www
object-group network internal-network
network-object 192.168.50.0 255.255.255.0
object-group network external
network-object 209.170.200.224 255.255.255.252
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:
Dynamic translate 192.168.50.5/3000 to 192.168.20.1/3000

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Re: How can we allow Internal network to access external web?

Rob Ingram — Tue, 12 Dec 2023 18:31:39 GMT

@Beginnerrr I've amended the command above, regardless the packet-tracer output confirms that traffic should work.

Does the internal PC have the correct default gateway of the ASA?

Run a packet capture on the ASA to confirm the traffic is sent and run a packet capture on the web server to confirm the traffic is received.

Allow ping - run the command fixup protocol icmp on the ASA and ping the web server from the PC to confirm connectivity.

Re: How can we allow Internal network to access external web?

Beginnerrr — Tue, 12 Dec 2023 18:49:34 GMT

@Rob Ingram ,

the access worked. there is some issue in the asa. i have resetted the ASA device and redo the configuration.

it is working.

For the NAT configuration, is there a difference between your and mine?

nat (inside,outside) after-auto source dynamic any interface

Re: How can we allow Internal network to access external web?

Rob Ingram — Tue, 12 Dec 2023 18:55:49 GMT

@Beginnerrr using the after-auto will process those NAT rules last, after the other NAT rules. If you apply both NAT rules, then run "show nat detail" you will see the order of the rules being processed.