topic Re: How to Publish my Web Server in Network Security

How to Publish my Web Server

David Aguirre — Tue, 12 Mar 2019 00:59:49 GMT

Hello!

I'm configuring a Cisco ASA 5505 ASA Version 8.3.1

I want to publish my web server is in the DMZ (10.30.30.1) and server address is 10.30.30.30 but it still fails.

I have only one public IP, and hope that when they call the Public IP, my web server appears, another problem I have is that when I assign the public IP to my interface OUTSIDE my LAN loses internet connection.

I have to do to publish my web server and the LAN computers have internet access?

Thank you very much for the help.

Re: How to Publish my Web Server

Jouni Forss — Tue, 12 Feb 2013 19:38:35 GMT

Hi,

Here is a configuration for NAT that should handle both the PAT translation for normal LAN user traffic to Internet and the allow HTTP connections to your Web server

Default PAT rule for Internet traffic

Where

DEFAULT-PAT-SOURCE = object-group under which all the local networks are defined which need PAT translation for normal Internet traffic
10.10.10.0 255.255.255.0 = Example LAN network
10.30.30.0 255.255.255.0 = Your DMZ network
"any" = Defines in the NAT configuration that source networks for NAT can be behind "any" interface
after-auto = Moves the NAT rule to the last section of NAT rules processed by the ASA (so it wont overrule any other rule)
"interface" = Specifies that the destination interfaces IP address is used for the PAT translation (in this case your "outside" interface public IP address)

object-group network DEFAULT-PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 10.30.30.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Port Forward or Static PAT for the Web server

Where

WEB-SERVER = Contains the Web Servers local IP address and NAT configuration under it
10.30.30.30 = Your DMZ server local IP address
nat = The NAT configuration that does Static NAT between "dmz" and "outside" interface. It uses the "outside" interface public IP address BUT only for TCP/80 port
access-list = The access-list below only allows TCP/80 to the Web server from "any" source address on the Internet. Notice that the traffic is allowed to the Real IP address of the server under the "object network". This is because of the new NAT/ACL format. Traffic is always opened towards the Real IP address of the host.
access-group = Attach the ACL to the "outside" interface

object network WEB-SERVER

host 10.30.30.30

nat (dmz,outside) static interface service tcp 80 80

access-list OUTSIDE-IN remark Allow Web access to Web server

access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 80

access-group OUTSIDE-IN in interface outside

Hopefully the above information has been helpfull

- Jouni

Re: How to Publish my Web Server

David Aguirre — Tue, 12 Feb 2013 20:49:34 GMT

Thank you very much for your quick response;

I followed your instructions exactly, I'm still no luck in either case, the LAN has no internet access and does not display the Web server

Only the LAN have internet access when the OUTSIDE interface obtains the address by DHCP

this is my setup.

ASA Version 8.3 (1)

hostname ciscoasa

enable password encrypted tna0ggcckiszs8HE

2KFQnbNIdI.2KYOU encrypted passwd

names

VLAN1 interface

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

interface VLAN2

nameif outside

security-level 0

ip address 186.151.161.26 255 255 255 252

VLAN3 interface

no forward interface vlan1

nameif DMZ

security-level 50

ip address 10.30.30.1 255.255.255.0

interface Ethernet0 / 0

switchport access vlan 2

interface Ethernet0 / 1

switchport access vlan 3

interface Ethernet0 / 2

interface Ethernet0 / 3

interface Ethernet0 / 4

interface Ethernet0 / 5

interface Ethernet0 / 6

interface Ethernet0 / 7

ftp passive mode

network object obj_any

subnet 0.0.0.0 0.0.0.0

Web-Server network object

host 10.30.30.30

object-group network DEFAULT-PAT-SOURCE

network-object 192.168.10.0 255.255.255.0

network-object 10.30.30.0 255.255.255.0

access-list OUTSIDE-IN remark Allow Web access to Web server

access-list OUTSIDE-IN extended permit tcp any object eq www WEB-SERVER

pager lines 24

asdm informational logging

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

network object obj_any

nat (inside, outside) dynamic interface

Web-Server network object

nat (DMZ, outside) static interface service tcp www www

nat (any, outside) after-auto source dynamic PAT-SOURCE-DEFAULT interface

access-group OUTSIDE-IN in interface outside

timeout xlate 3:00:00

timeout conn 0:10:00 half-closed 1:00:00 udp 0:02:00 icmp 0:00:02

0:10:00 timeout sunrpc 0:05:00 h323 1:00:00 mgcp 0:05:00 mgcp H225-pat 0:05:00

sip_media 0:30:00 timeout sip 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 0:05:00 absolute uauth

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkDown coldStart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

auto_config outside dhcpd

192.168.10.5-192.168.10.36 inside dhcpd address

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

WebVPN

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

inspection_default class

inspect dns preset_dns_map

inspect ftp

inspect h323 H225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy overall global_policy

prompt hostname context

Cryptochecksum: 41349d632bcea77042960f9993c68d46

: End

----

Re: How to Publish my Web Server

Jouni Forss — Tue, 12 Feb 2013 20:53:37 GMT

I dont know what is up with the above configuration. Have you edited it yourself and not copy/pasted it directly?

There are some configuration lines that are not possible on the ASA even.

You are also missing the default route command

"route outside 0.0.0.0 0.0.0.0 "

- Jouni

Re: How to Publish my Web Server

David Aguirre — Tue, 12 Feb 2013 21:08:10 GMT

thanks for replying

I added this line and I have internet connection from LAN

"route 0.0.0.0 0.0.0.0 186.151.161.25" (Gateway ISP Router)

The other lines that add were these:

object-group network DEFAULT-PAT-SOURCE

network-object 192.168.10.0 255.255.255.0

network-object 10.30.30.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

object network WEB-SERVER

host 10.30.30.30

nat (dmz,outside) static interface service tcp 80 80

access-list OUTSIDE-IN remark Allow Web access to Web server

access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 80

access-group OUTSIDE-IN in interface outside

---

How to Publish my Web Server

Jouni Forss — Tue, 12 Feb 2013 21:27:57 GMT

Hi,

The following configuration wont be needed since you have the Default PAT configuration that I mentioned above

network object obj_any

subnet 0.0.0.0 0.0.0.0

nat (inside, outside) dynamic interface

Is the Web server working now also?

- Jouni

Re: How to Publish my Web Server

David Aguirre — Tue, 12 Feb 2013 22:47:19 GMT

No, not yet visible my web server, where is the problem.

Thank you very much for your help.

How to Publish my Web Server

Jouni Forss — Wed, 13 Feb 2013 00:18:41 GMT

Hi,

Well that is strange. Would imagine it should work already

Next I guess we could take the "packet-tracer" command output and see what it tells us.

You could use the command

packet-tracer input outside tcp 1.2.3.4 1234 80

Then copy/paste the output here on the forums

- Jouni

Re: How to Publish my Web Server

David Aguirre — Wed, 13 Feb 2013 14:53:18 GMT

Hello!!

This is the result;

ciscoasa(config)# packet-tracer input outside tcp 1.2.3.4 1234 186.151.161.26 $

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network WEB-SERVER

nat (DMZ,outside) static interface service tcp www www

Additional Information:

NAT divert to egress interface DMZ

Untranslate 186.151.161.26/80 to 10.30.30.30/80

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OUTSIDE-IN in interface outside

access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network WEB-SERVER

nat (DMZ,outside) static interface service tcp www www

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1466, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

How to Publish my Web Server

Jouni Forss — Wed, 13 Feb 2013 16:16:27 GMT

Hi,

According to that output it would seem to me that everything is fine with the firewall configurations.

I would suggest going through the Web servers network settings and the servers firewall software

Seem to me that IF the connection from Internet are getting through to your firewall they should reach the Web server just fine if the server itself isnt preventing it.

You can always open the ASDM and from there go to the real time log monitoring. Then test the website connection from the Internet and see what the logs say. If the server doesnt respond to the HTTP connection the connection should be removed by the firewall after 30 seconds with a "Teardown" message that states a reason "SYN Timeout"

- Jouni

Re: How to Publish my Web Server

David Aguirre — Wed, 13 Feb 2013 16:43:23 GMT

Hi !

I took some screenshots of ASDM.

And I disconnected the web server but not shown me any message.

Re: How to Publish my Web Server

Jouni Forss — Wed, 13 Feb 2013 16:55:15 GMT

Hi,

Looking at the Log Window in the above post I can see the following things

Denied ICMP traffic from the "outside" interface but the source IP addresses are private IP addresses?
The "red" log messages would lead me to believe that you are trying to connect to the Web server from the "inside" using the Public IP address of the server? Do notice that this is not possible. If you want to connect to the server from behind the "inside" interface, you will have to use the actual IP address of the server on the DMZ (10.30.30.30)

Have you tried to connect to the server from the Internet? Atleast someone has since we can see in one of the pictures that there is hits on the ACL rule you configured.

If you have so far only tested the Web server connection by using the public IP address and from your own LAN then the ASA is blocking it. The ASA wont let you connect to the using the public IP address from the LAN. And this would be normal operation from the ASA.

EDIT: There might be a possibility to configure some NAT that would permit the use of the Public IP address even from behind the "inside" interface BUT it would be better to get this working from the Internet first before even trying something like that.

- Jouni

Re: How to Publish my Web Server

David Aguirre — Wed, 13 Feb 2013 17:27:31 GMT

Hello!

you're right, I've tried to do with the public IP, when I put the IP 10.30.30.30 if it works! Now what will happen when the staff in my organization, (which are on the LAN) wish to consult the website? Can view the website?

I tried also accessed from a location outside of my LAN to Public IP, but I can not. And this is what I need most. That outsiders can see if Web site

thank you!

How to Publish my Web Server

Jouni Forss — Wed, 13 Feb 2013 17:45:27 GMT

Hi,

At the moment users on the LAN should be able to use the IP 10.30.30.30 to connect to the web server. But as you said we should try to get the site working from the Internet before trying to possibly making some changes to the LAN users.

Can you once more copy/paste the whole configuration in CLI format here so I can go through it. Looking at the old configuration there should be no reason that a user with a public IP address from the Internet shouldnt be able to connect to the Web server unless the web server is blocking the connections.

- Jouni

Re: How to Publish my Web Server

David Aguirre — Tue, 19 Feb 2013 19:50:31 GMT

Hello JouniForss

Thank you very much for all the help.

Everything is running fine, the problem was with the ISP, and the settings you made for me is correct.

My web server is published, and LAN internet access, all I ask is that you help me to achieve that when people want to see the website from the LAN will be allowed.

Again thank you very much.

How to Publish my Web Server

Jouni Forss — Wed, 20 Feb 2013 16:53:03 GMT

Hi,

If you want to try a Static NAT configuration to be able to reach the Web server with public IP address from the "inside" you could try this configuration

object network WEB-SERVER-TO-INSIDE

host 10.30.30.30

nat (dmz,inside) static

Note that after the above command the Web server should be visible to the "inside" with only the public IP address, not the private IP address.

See if this works

- Jouni

Re: How to Publish my Web Server

David Aguirre — Fri, 22 Feb 2013 18:38:34 GMT

Hi JouniForss!

The above mentioned

It was the right thing and works perfectamentte

Thank you very much for all the help.