topic I have included part of my in Network Security

ASA 5516 to allow http connection from outside

ptoumbas2011 — Tue, 12 Mar 2019 06:21:24 GMT

Hi,

I am trying to allow http/80 connection on my new asa 5516 to access a web server. I am using static nat with port translation to redirect the traffic to the web server.

There are 2 problems:

1) Http traffic is blocked as soon as it arrives at outside interface (Block by ACL implicit rule)

2) I only have 1 public ip for my outside interface. Is it fine to use it to access the web server (static nat)?

I am also using AnyConnect (working fine) on https://my-firewall

> 1) Http traffic is blocked

Karsten Iwen — Thu, 30 Jul 2015 08:50:45 GMT

> 1) Http traffic is blocked as soon as it arrives at outside interface (Block by ACL implicit rule)

Have you used the real (internal) IP as the destination in the ACL?

> 2) I only have 1 public ip for my outside interface. Is it fine to use it to access the web server (static nat)?

Why not? At least it's all you can do without additional addresses. Only when you want to deploy TLS on your server you'll have to decide which system gets TCP/443: The ASA for VPN or the server.

Yes, I have added an inbound

ptoumbas2011 — Thu, 30 Jul 2015 09:04:22 GMT

Yes,

I have added an inbound rule on the outside interface to allow traffic destined for the server (private ip) and it did not work. This is what i get on the log:

source_ip 53804 destination_ip 80 TCP access denied by ACL from source_ip/53804 to outside:destination_ip/80

* Destination IP is the real public ip of the asa

Have you assigned the right

Karsten Iwen — Thu, 30 Jul 2015 09:20:27 GMT

Have you assigned the right ACL to the interface? Are there other ACEs in the ACL above your rule that deny access?

This is my configuration,

ptoumbas2011 — Thu, 30 Jul 2015 09:55:20 GMT

This is my configuration,

(config)#object network out_to_in_server
(config-network-object)#host 10.0.0.11
(config-network-object)#nat (services_Lan,outside) static interface service tcp 80 80
(config-network-object)#access-list OutsideToServer permit tcp any host 10.0.0.11 eq www
(config)# access-group OutsideToServer in interface outside

And this is what the ASA says

The ASA denied an attempt to connect to the interface service. For example, the ASA received an SNMP request from an unauthorized SNMP management station

That part of the config looks

Karsten Iwen — Thu, 30 Jul 2015 10:24:45 GMT

That part of the config looks good. The problem is probably located in the rest of the config. If you can share your complete config, that could help.

I have included part of my

ptoumbas2011 — Thu, 30 Jul 2015 11:22:20 GMT

I have included part of my config, just ips are changed from real. Hope it helps.

Do i have to do something with my policy map?

> I have included part of my

Karsten Iwen — Thu, 30 Jul 2015 12:31:56 GMT

> I have included part of my config, just ips are changed from real. Hope it helps.

at least it shows one mistake in NAT, your dynamic rule has to be the last in the order:

no nat (any,outside) source dynamic any interface
nat (any,outside) after-auto source dynamic any interface

We have fixed the issue by

ptoumbas2011 — Tue, 04 Aug 2015 07:15:41 GMT

We have fixed the issue by correcting the NAT statements and by applying the correct global rules

Object service obj_http

Service tcp source eq 80

Nat (Services_Lan,outside) source static SRV interface service obj_http obj_http

Access-list global_access permit tcp any host 10.0.0.11 eq 80

Thank you for your quick and helpful responses