topic Can't access server from Outside in Network Security

Can't access server from Outside

Mohd Khairul Nizam — Tue, 12 Mar 2019 02:25:26 GMT

Hi all,

I couldn't access my server from Outside. Seem the setting is OK as i see it but please see if I missed out anything.

From Outside, I need to access http://60.x.x.50:8080. but failed to access. Please help. Thanks.

Below I attached part of the config.

-----------------------------------------------------

: Saved

ASA Version 8.0(4)

name 172.47.1.10 NarayaServer description Naraya Server

name 62.x.x.172 NarayaTelco1

name 62.x.x.178 NarayaTelco2

interface Ethernet0/0

nameif outside

security-level 0

ip address 60.x.x.50 255.255.255.252

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.27.17.100 255.255.0.0

access-list inside_access_in extended deny ip any Japan02 255.255.255.0

access-list inside_access_in extended deny tcp object-group PermitInternet any object-group torrent1

access-list inside_access_in extended permit ip object-group PermitInternet any

access-list inside_access_in extended permit ip host NAVNew any

access-list inside_access_in extended permit ip host NarayaServer any

access-list inside_access_in extended permit ip host IPVSSvr any

access-list inside_access_in extended permit ip host 172.17.100.30 any

access-list outside_access_in extended permit object-group NECareService object-group NECare any

access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host NarayaServer

access-list outside_1_cryptomap extended permit ip host NarayaServer object-group Nry_Png

access-list outsidein extended permit tcp any host 60.x.x.50 eq https

access-list outsidein extended permit tcp any host 60.x.x.50 eq 8080

access-list outsidein extended permit ip object-group DM_INLINE_NETWORK_3 host IPVSSvr

access-list outsidein extended permit object-group rdp any host 60.x.x.50

access-list inside_mpc extended permit object-group TCPUDP any any eq www

access-list inside_mpc extended permit tcp any any eq www

access-list inside_nat0_outbound extended permit ip host NarayaServer any

ip local pool lot10ippool 172.27.17.240-172.27.17.245 mask 255.255.255.0

ip verify reverse-path interface outside

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 8080 NarayaServer 8080 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 NAVNew 3389 netmask 255.255.255.255

access-group outsidein in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 60.54.140.49 1

route inside 0.0.0.0 255.255.255.255 60.54.140.49 1

route inside 172.17.100.20 255.255.255.255 172.27.17.100 1

route inside NAVNew 255.255.255.255 172.27.17.100 1

route inside 172.17.100.30 255.255.255.255 172.27.17.100 1

route inside NarayaServer 255.255.255.255 172.27.17.100 1

http server enable

http 172.17.100.30 255.255.255.255 inside

http NAVNew 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 outside

--------------------------------------------------------------------------------------------------------------------------

Can't access server from Outside

Julio Carvajal — Wed, 14 Aug 2013 03:33:47 GMT

Hello My friend,

Things to remove from configuration:

no route inside 0.0.0.0 255.255.255.255 60.54.140.49 1

no route inside 172.17.100.20 255.255.255.255 172.27.17.100 1

no oute inside NAVNew 255.255.255.255 172.27.17.100 1

no route inside 172.17.100.30 255.255.255.255 172.27.17.100 1

no route inside NarayaServer 255.255.255.255 172.27.17.100 1

Things to Add

route inside 172.16.0.0 255.240.0.0 IP_ADDRESS_OF_INSIDE_ROUTER

That inside router should be the one that connects to the server

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Can't access server from Outside

Mohd Khairul Nizam — Wed, 14 Aug 2013 03:43:49 GMT

Hi,

The route command is existing configuration, it shoudnt be deleted.

I confuse, why need to add "route inside 172.16.0.0 255.240.0.0 IP_ADDRESS_OF_INSIDE_ROUTER"

Can't access server from Outside

Julio Carvajal — Wed, 14 Aug 2013 03:48:23 GMT

Hello Mohd,

Because the route is pointing to the ASA itself.... So it's never going to be routed... Do you see what I mean?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Can't access server from Outside

Mohd Khairul Nizam — Wed, 14 Aug 2013 03:59:57 GMT

Hi jcarvaja,

Appreciate your help,

Question:

1. I'm still learning, but i dont see unable to access from Outside to Inside is related to routing? Sorry, I bit confuse on this.

2. If i remove above route as u mention, does the host (172.17.100.20, NAVNew, NarayaServer) able to Internet?

Hope to hear soonest

Thanks,

Can't access server from Outside

Julio Carvajal — Wed, 14 Aug 2013 04:08:35 GMT

Hello,

No worries,

1- Packet will reach the ASA from outside , the ASA will check the destination IP address which is the server and will look for a route . It will then say Okey to get to that IP address I need to send the packet to my self. It will never happen.....

2- Is the server at the moment with connectivity to the internet???

Can you share the show route?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Re: Can't access server from Outside

Mohd Khairul Nizam — Wed, 14 Aug 2013 05:32:59 GMT

Sorry, I click on the correct Answer instead of reply,

Anyway,

1. I attach the full config. Current configuration is working fine as of 2nd August 2013.

2. On 3rd Aug, i configured Site to Site VPN, working

3. During the process of troubleshooting site to site, I may or not deleted some line ( i forget which one already)

4. On 4th August, my colleague said that the server can't be access anymore.

5. Maybe the config line, i may deleted but I'm not sure which one could be related.

6. Before 2nd August, the server access from Outside able to do without the routing config you suggested.

See if you can help to identified the problem,

Thanks.

Re: Can't access server from Outside

Julio Carvajal — Wed, 14 Aug 2013 06:07:15 GMT

Hello Mohd,

Here are the facts:

I honestly think you need to change that route statement as it basically says if you want to contact the NARAYASERVER send the packet via the INSIDE interface to the IP address 172.27.17.100

route inside NarayaServer 255.255.255.255 172.27.17.100

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.27.17.100 255.255.0.0

So basically send the packet to yourself (Does not make any sense.. Try to read it so you can understand what I mean.

The NAT 0 is breaking the translation.

access-list inside_nat0_outbound extended permit ip host NarayaServer any

nat (inside) 0 access-list inside_nat0_outbound

Do the following :

access-list inside_nat0_outbound permit ip host NarayaServer OTHER_site_VPN_subnet

no access-list inside_nat0_outbound extended permit ip host NarayaServer any

Then u should be able to connect,

Let me know if you will follow my instructions, otherwise I think I am not helping here

Note: As you already mark the question as answered you could provide kudos (stars) on my next answers

Cheers,

Julio Carvajal Segura