topic Cannot get access to web server in DMZ in Network Security

Cannot get access to web server in DMZ

Brad Hodgins — Tue, 12 Mar 2019 02:26:55 GMT

Once again I find myself struggling with NAT and ACLs on a 5505. I am unable to access our new webserver in the DMZ.

The server can ping the DMZ interface of the 5505, but that's it. I've tried allowing ICMP in to it from the outside to test, but I think I'm making a bigger mess of it each time. I've been reading and reading and trying different things, including following Cisco's example for 9.1 but nothing has worked.

ASA Version 8.4(1)

object network LOCALSQL

host 192.168.1.2

object network DMZ-Webserver-Public-IP

host 43.114.152.57

object network dmz-subnet

subnet 192.18.36.0 255.255.255.0

object network webserver

host 192.18.36.57

object-group network DM_INLINE_NETWORK_16

network-object object DMZ-Webserver-Public-IP

network-object object webserver

object-group network DM_INLINE_NETWORK_18

network-object object DMZ-Webserver-Public-IP

network-object object webserver

object-group network DM_INLINE_NETWORK_19

network-object object DMZ-Webserver-Public-IP

network-object object webserver

object-group network DM_INLINE_NETWORK_20

network-object object DMZ-Webserver-Public-IP

access-list outside_acl extended permit tcp any object webserver eq www

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 any object-group

DM_INLINE_NETWORK_19

access-list DMZ_access_in extended permit tcp any object-group DM_INLINE_NETWORK_20 object-group

Web_Services

access-list DMZ_access_in extended permit ip any object webserver

access-list dmz_acl extended permit ip any any

access-list dmz_acl extended deny ip any object Inside_LAN

access-list dmz_acl extended permit object SQL-Server any object LOCALSQL

access-list outside_in extended permit tcp object-group DM_INLINE_NETWORK_10 object-group

DM_INLINE_NETWORK_17 object-group DM_INLINE_TCP_2

access-list outside_in extended permit icmp any object DMZ-Webserver-Public-IP

access-list outside_in extended permit object-group DM_INLINE_SERVICE_3 any object-group

DM_INLINE_NETWORK_18

access-list outside_in extended permit tcp any object-group DM_INLINE_NETWORK_16 object-group

Web_Services

object network dmz-subnet

nat (DMZ,outside) dynamic interface

object network webserver

nat (DMZ,outside) static DMZ-Webserver-Public-IP service tcp www www

access-group outbound in interface inside

access-group outside_acl in interface outside

access-group DMZ_access_in in interface DMZ

Cannot get access to web server in DMZ

Jouni Forss — Fri, 16 Aug 2013 20:04:04 GMT

Hi,

You can try using the "packet-tracer" command to confirm that the ASA configurations are correct.

It might even be that its not matching the correct NAT rule.

packet-tracer input outside tcp 8.8.8.8 12345 43.114.152.57 80

Post the output of the command.

- Jouni

Cannot get access to web server in DMZ

Brad Hodgins — Fri, 16 Aug 2013 20:58:33 GMT

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network webserver

nat (DMZ,outside) static DMZ-Webserver-Public-IP service tcp www www

Additional Information:

NAT divert to egress interface DMZ

Untranslate 43.114.152.57/80 to 192.18.36.157/80

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_acl in interface outside

access-list outside_acl extended permit tcp any object webserver object-group DM_INLINE_TCP_3 log debugging

object-group service DM_INLINE_TCP_3 tcp

port-object eq www

port-object eq https

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network webserver

nat (DMZ,outside) static DMZ-Webserver-Public-IP service tcp www www

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 4953608, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

Everything here seems to check out, but I cannot access the website from the outside world, yet when I connect from (inside) 192.18.36.14 on VLAN10 to (DMZ) 192.18.36.157 on VLAN10, I can see the website with no problems, whereas 192.18.36.157 is the interal web server IP.

Cannot get access to web server in DMZ

Brad Hodgins — Sat, 17 Aug 2013 02:25:06 GMT

Jouni,

This came up in the log when I was attempting to connect:

2 Aug 16 2013 22:15:49 24.208.153.185 64024 43.114.152.57 443 Inbound TCP connection denied from 24.208.153.185/64024 to 43.114.152.57/443 flags SYN on interface outside

Cannot get access to web server in DMZ

Julio Carvajal — Sat, 17 Aug 2013 06:20:43 GMT

Hello Brad,

You are trying to connect to port 443 (Inbound TCP connection denied from 24.208.153.185/64024 to 43.114.152.57/443 flags SYN on interface outside).

Make sure you have the NAT statement for that as well on your ASA as on the configuration I can only see it for the WEB-Service HTTP TCP/80 and that you allowed on the ACL on the outside interface

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura