topic Re: Unable to access website from inside LAN - 5505 in Network Security

Unable to access website from inside LAN - 5505

Simon.peters1 — Mon, 08 Jul 2019 16:01:23 GMT

Hello,

We have a DMZ Vlan setup on a 5505 and any pc on the inside network is unable to access the website inside that is hosted on a webserver on the DMZ. They have to use the ip address to browse the site as www or https doesn't work. The log returns the below.

Failed to locate egress interface for protocol from src
interface:src IP/src port to dest IP/dest port

Any pointers would be gratefully received.

Thanks!

Re: Unable to access website from inside LAN - 5505

balaji.bandi — Mon, 08 Jul 2019 16:54:55 GMT

How is the WebServer configured in DMZ, is this Public IP address ? or Private Address.

From Lan are you able to resolve the IP to DNS REsoluton ? check DNS configuration on your side

nslookup is your tool to test.

Re: Unable to access website from inside LAN - 5505

Simon.peters1 — Mon, 08 Jul 2019 18:47:08 GMT

Hello,

Thanks for your reply.

The pc is able to resolve the DNS name to the correct IP but it doesn't reply like it does if I do it from a pc on the outside of the lan.

Thanks!

Re: Unable to access website from inside LAN - 5505

balaji.bandi — Mon, 08 Jul 2019 19:21:17 GMT

check the complete logs in ASA for that request from PC to DMZ, it would be nice if you can post the configuraiton to have look.

Re: Unable to access website from inside LAN - 5505

Simon.peters1 — Tue, 09 Jul 2019 07:54:25 GMT

Hello,

In the logs for just that one IP I can see a Teardown for UDP connection 1424951 for outside:8.8.8.8/53 to inside and also a teardown dynamic UDP translation form inside:192.168.xx to outside:81.144.xx.xx/54282 and then the failed to locate engress interface for TCP from inside 192.168.xx.xx to 81.144.xx.xx

Thanks!

Re: Unable to access website from inside LAN - 5505

balaji.bandi — Tue, 09 Jul 2019 15:57:35 GMT

suggest to post the configuration to have look.

Re: Unable to access website from inside LAN - 5505

Simon.peters1 — Fri, 12 Jul 2019 07:37:51 GMT

Re: Unable to access website from inside LAN - 5505

Simon.peters1 — Fri, 12 Jul 2019 07:06:56 GMT

Anyone have any suggestions? Thanks!

Re: Unable to access website from inside LAN - 5505

Simon.peters1 — Fri, 12 Jul 2019 07:38:25 GMT

Thanks

ASA Version 9.1(7)32
!
hostname ASA
enable password FhRoI.scdBbFcz15 encrypted
passwd FhRoI.scdBbFcz15 encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.168 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BTI
ip address 81.144.xx.xx 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 10
ip address 172.16.1.168 255.255.0.0
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside-NAT
subnet 192.168.1.0 255.255.255.0
object network Site1-IP
subnet 192.168.1.0 255.255.255.0
object network Branch
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.8_29
subnet 192.168.50.8 255.255.255.248
object network Branch1
subnet 192.168.4.0 255.255.255.0
object network ConSett
subnet 192.168.3.0 255.255.255.0
object network Branch2
subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network WebServices
host 192.168.1.140
description Server
object network dmz-hst-172.16.1.140
host 172.16.1.140
object network dmz-net
subnet 172.16.0.0 255.255.0.0
object network STATIC-TCP-1433
host 172.16.1.140
object network STATIC-TCP4018
host 172.16.1.140
object network STATIC-TCP8080
host 172.16.1.140
object network STATIC-TCP8090
host 172.16.1.140
object network STATIC-TCP8172
host 172.16.1.140
object network STATIC-TCP4343
object network STATIC-TCP8081
object network inside-net
object network inside-hst-192.168.1.140
host 192.168.1.140
description Server
object network HTTPS
host 172.16.1.140
object network WWW
host 172.16.1.140
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply
access-list incoming-outside extended permit tcp object dmz-hst-172.16.1.140 object inside-hst-192.168.1.140 eq 5555
access-list incoming-outside extended permit tcp host 84.92.198.2 object STATIC-TCP4018 eq 4018
access-list incoming-outside extended permit tcp any object WWW eq www
access-list incoming-outside extended permit tcp any object HTTPS eq https
access-list incoming-outside extended permit tcp any object WebServices eq 8081
access-list outside_cryptomap_65535.1 extended permit ip 192.168.1.0 255.255.255.0 object Branch
access-list outside_cryptomap_65535.2 extended permit ip 192.168.1.0 255.255.255.0 object Branch1
access-list outside_cryptomap_65535.3 extended permit ip 192.168.1.0 255.255.255.0 object ConSett
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Branch2
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list dmz_in extended permit tcp object inside-hst-192.168.1.140 object dmz-hst-172.16.1.140 eq 1433
access-list dmz_in extended permit tcp object dmz-hst-172.16.1.140 object inside-hst-192.168.1.140 eq 1434
access-list dmz_in extended permit tcp object dmz-hst-172.16.1.140 object inside-hst-192.168.1.140 eq 5555
access-list dmz_access_in extended permit ip object dmz-hst-172.16.1.140 any4
access-list dmz_access_in extended permit tcp object dmz-hst-172.16.1.140 object inside-hst-192.168.1.140 eq 5555
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-NAT Inside-NAT destination static Site1-IP Site1-IP no-proxy-arp route-lookup
nat (inside,outside) source static Inside-NAT Inside-NAT destination static Branch Branch no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.50.8_29 NETWORK_OBJ_192.168.50.8_29 no-proxy-arp route-lookup
nat (inside,outside) source static Inside-NAT Inside-NAT destination static Branch1 Branch1 no-proxy-arp route-lookup
nat (inside,outside) source static Inside-NAT Inside-NAT destination static ConSett ConSett no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Branch2 Brnach2 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Inside-NAT
nat (inside,outside) dynamic interface
object network WebServices
nat (inside,outside) static interface service tcp 8081 8081
object network dmz-net
nat (dmz,outside) dynamic interface
object network STATIC-TCP4018
nat (dmz,outside) static interface service tcp 4018 4018
object network STATIC-TCP8080
nat (dmz,outside) static interface service tcp 8080 8080
object network HTTPS
nat (dmz,outside) static interface service tcp https https
object network WWW
nat (dmz,outside) static interface service tcp www www
access-group incoming-outside in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 81.144.xx.xx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable 4433
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group BTI request dialout pppoe
vpdn group BTI localname D@.btclick.com
vpdn group BTI ppp authentication chap
vpdn username D@.btclick.com password ***** store-local

dhcpd auto_config outside
!
dhcpd address 192.168.1.220-192.168.1.230 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
port 4433
enable outside
dtls port 4433
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a6f2ab49c2ef12d8d5d669871856928a
: end
no asdm history enable

Re: Unable to access website from inside LAN - 5505

Richard Burts — Sat, 13 Jul 2019 17:40:07 GMT

Does this 5505 have the Base license or the Plus license?

HTH

Rick

Re: Unable to access website from inside LAN - 5505

Simon.peters1 — Sat, 13 Jul 2019 17:43:51 GMT

Hello,

Plus.

Regards,
Simon

Re: Unable to access website from inside LAN - 5505

Simon.peters1 — Sat, 13 Jul 2019 17:45:23 GMT

Hello,

It has the plus license.

Thanks

Re: Unable to access website from inside LAN - 5505

Richard Burts — Sat, 13 Jul 2019 19:21:52 GMT

Thanks for the information. Knowing that the 5505 has the Plus license does eliminate one potential problem. The error message says that the ASA is not able to identify which interface to use to send this traffic. It might help us understand the issue better if you could post the actual text of one of the error messages so that we can see exactly what it is trying to do. It might also help if you would post the output of show route from the ASA.

HTH

Rick

Re: Unable to access website from inside LAN - 5505

Simon.peters1 — Mon, 15 Jul 2019 15:54:28 GMT

Hi Rick,

Thanks for the reply.

The exact error is attached.

Regards,
S

Re: Unable to access website from inside LAN - 5505

Marvin Rhoads — Mon, 15 Jul 2019 17:38:09 GMT

You didn't answer how the server is actually configured - if it's using the private address then we would not expect clients to try to connect using the NATted address of 81.144.xxx.xxx.

You might try telling the ASA to translate DNS replies (i.e. use the "dns" parameter in your relevant NAT rule)

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html#pgfId-1778544

Re: Unable to access website from inside LAN - 5505

Richard Burts — Tue, 16 Jul 2019 00:20:06 GMT

I am a bit puzzled. The original post mentions an error message about being unable to identify the egress interface. We have asked for details and the recent post shows messages about tearing down translation table entries. How did the discussion change focus? The translation table entries show that the duration was zero, which sort of confirms that there was a problem but does not shed any light on what the problem was. So are we looking for issues about translation table entries or are we looking for issues about egress interface? Some clarification would be appreciated.

HTH

Rick

Re: Unable to access website from inside LAN - 5505

Simon.peters1 — Tue, 16 Jul 2019 07:09:35 GMT

Hi Rick,

Sorry for the confusion. The engress errors appear to have stopped. The issue is when any IP on the inside interface tries to access www. which is hosted behind the DMZ on 172.16.1.xx they are unable to and when looking through the live logging the errors in my screen shot are what's being logged.

Thanks!