topic Sorry, I mixed up the order in Network Security

How do I allow access over port 80 to webserver in DMZ

alafever1 — Tue, 12 Mar 2019 05:04:42 GMT

Hello!

I am fairly new to this level of configuration and was hoping someone would grace me with their knowledge.

My current setup is that I have a webserver (10.1.10.5) in a DMZ with its SQL counterpart on the inside. Traffic is flowing correctly between the two as well as from the DMZ to the internet, however, I cannot access the website on the webserver from the public internet.

When I run canyouseeme.org on the webserver it shows that port 80 is not getting traffic. Any ideas on how to fix my config? I've been /headesk on this one.

Thanks!

You config looks fine. You

Karsten Iwen — Thu, 13 Nov 2014 21:54:00 GMT

You config looks fine. You have a translation for the server and the ACL allows it. You NAT-config seems to be overly complicated but is not the cause of the problem as I see it.

1) Is the Webserver active? Run a "ping tcp 10.1.10.5 80".

2) what is the output of "packet-tracer input outside tcp 1.2.3.4 1234 YOUR-OUTSIDE-IP 80".

Thanks for the reply Karsten.

alafever1 — Thu, 13 Nov 2014 22:31:57 GMT

Thanks for the reply Karsten.

1 - The ping test:

Sending 5 TCP SYN requests to 10.1.10.5 prot 80 from 10.1.10.1, timeout is 2 seconds:

Success rate is 100 percent (5/5)

2 - Attached

I think it really could be a

Karsten Iwen — Thu, 13 Nov 2014 23:06:00 GMT

I think it really could be a NAT-problem. Please change your NAT the following way:

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS route-lookup no-proxy-arp
no nat (outside,inside) source static VPN-HOSTS VPN-HOSTS
no nat (outside,outside) source dynamic INSIDE-HOSTS interface
no nat (inside,dmz) source static OBJ-10.0.10.0-24 OBJ-10.0.10.0-24

object network obj_any
 no nat (inside,outside) dynamic interface
object network DMZ_outside
 no nat (dmz,outside) dynamic interface

nat (dmz,outside) after-auto source dynamic any interface

These changes shouldn't remove any functionality, but many of the rules are probably not needed as they don't make any sense.

Good morning Karsten,I have

alafever1 — Fri, 14 Nov 2014 16:16:34 GMT

Good morning Karsten,

I have cleaned up the rules as you specified with the exception of below. Since I could not get that command to run I haven't removed the corresponding NAT (I assume your rule combines the two separate rules).

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static
VPN-HOSTS VPN-HOSTS route-lookup no-proxy-arp
^
ERROR: % Invalid input detected at '^' marker.

I'm attaching the updated running config.

I ran the packet sniffer again and attached results.

Thanks!

Sorry, I mixed up the order

Karsten Iwen — Fri, 14 Nov 2014 16:16:35 GMT

Sorry, I mixed up the order of the keywords in the first line. This should work now and the other lines are also not needed:

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS no-proxy-arp route-lookup
no nat (outside,inside) source static VPN-HOSTS VPN-HOSTS
no nat (outside,outside) source dynamic INSIDE-HOSTS interface

I've applied that - thank you

alafever1 — Fri, 14 Nov 2014 18:53:19 GMT

I've applied that - thank you. The new running config attached.

The webserver is still not playing nice with the outside world. Since the error message on the tracer isn't giving me specifics is it possible I've gotten interfaces mixed up somewhere?

I tried the following but it was unsuccessful:

ciscoasa(config)# no access-group dmz_acl in interface dmz
ciscoasa(config)# access-group dmz_acl in interface outside

After looking at this I think the correct form is actually:

access-group outside_acl in interface outside

The outside_acl is what contains the rules for the WEBSERVER-TCP80. I removed the dmz_acl. I think it may have been from a prior attempt to get this working.

My latest config is attached.

alafever1 — Fri, 14 Nov 2014 21:25:15 GMT

My latest config is attached...I've been trying various things but have not had any luck thus far. I'm probably going to end up with a lot of junk in there I do not need.

This is again the initial

Karsten Iwen — Fri, 14 Nov 2014 22:29:10 GMT

This is again the initial config that will cause NAT-problems.

Here is a cleaned up NAT- and (outside) ACL config which you need for the server and the VPN-communication:

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS no-proxy-arp route-lookup
!
object network WEBSERVER-TCP80
 nat (dmz,outside) static interface service tcp www www
!
nat (any,outside) after-auto source dynamic any interface
!
access-list outside_acl extended permit tcp any object WEBSERVER-TCP80 eq www
access-group outside_acl in interface outside

I removed that extraneous VPN

alafever1 — Fri, 14 Nov 2014 23:19:28 GMT

I removed that extraneous VPN rule as instructed and matched up my config with yours. How else might I track down the point of failure?

Appreciate your time sir!

What is the result of the

Karsten Iwen — Sat, 15 Nov 2014 11:19:35 GMT

What is the result of the packet-tracer with that config?

The new packet sniff results

alafever1 — Sun, 16 Nov 2014 22:10:17 GMT

The new packet sniff results are attached. Still being dropped somewhere. =\

Additional bit of information

alafever1 — Mon, 17 Nov 2014 14:33:33 GMT

Additional bit of information. I was watching the ASDM log as I attempted to hit the webserver. I got the following message:

TCP access denied by ACL from xx.xx.xx.xx/60382 to outside: xx.xx.xx.xx/80

It shows the destination as the correct IP and the port as the correct port.

So I was finally able to get

alafever1 — Mon, 17 Nov 2014 15:09:58 GMT

So I was finally able to get it to pass traffic. I had the NAT interfaces backwards.

My rule should have read:

object network WEBSERVER-TCP80

host 10.1.10.5

nat (DMZ,outside) static interface service tcp www www

My new issue is figuring out why it will not accept the domain address. It only seems to go through if I enter the IP address.

Where do you want to use a

Karsten Iwen — Mon, 17 Nov 2014 18:54:40 GMT

Where do you want to use a domain-name? In this setup with traffic coming from outside, it will probably not work. If you use an object for your server with a fqdn in the ACL, it has to resolve to the internal IP in the DMZ.

I'd like users on the Inside

alafever1 — Mon, 17 Nov 2014 18:57:37 GMT

I'd like users on the Inside interface to be able to enter the web address of the webserver application and access it without having to use the internal IP. I may have to accomplish this using an actual DNS server.

Can you use a dedicated

Karsten Iwen — Mon, 17 Nov 2014 20:07:38 GMT

Can you use a dedicated public IP for the webserver? Then you can tweak the DNS-replys in a form that the ASA changes the public address in a DNS-reply to the actual IP of the server. But that doesn't work if only a port is forwarded. If you can, the translation looks like the following:

object network WEBSERVER-TCP80
 nat (dmz,outside) static a.b.c.d dns

Other ways are to configure the FQDN in your internal DNS with the private IP, or use destination NAT for the public IP. But that again makes your config more complex and harder to troubleshoot.

Unfortunately I only have the

alafever1 — Mon, 17 Nov 2014 21:24:43 GMT

Unfortunately I only have the 1 static IP address.

Would something like this work?

object network internal
 range 192.168.0.1 192.168.0.254
object network external
 host [IP address of your WAN interface]
object network server-internal
 host [server internal IP address]
object network server-external
 host [server external (NATted) IP address]
nat (internal, internal) source static internal external destination static server-external server-internal

That goes into the right

Karsten Iwen — Mon, 17 Nov 2014 21:41:47 GMT

That goes into the right direction (if you really want to go that way):

The destination is changed statically from server-external to server-internal. But you don't have to change the source address. These addresses can be dynamically identity-natted. And if I remember right, the interfaces are (inside,dmz) in this scenario, but I don't remember exactly:

nat (inside, dmz) source dynamic internal internal destination static server-external server-internal

This worked :) I had to

alafever1 — Tue, 18 Nov 2014 20:47:32 GMT

This worked 🙂 I had to create another rule above it to allow my SQL server to still communicate with the webserver using internal IPs. I'm good with everything else being outside.

Thanks so much for all of your insight. You've been a great help!