topic Re: web server behind 5505 in Network Security

web server behind 5505

Richard Langly — Tue, 12 Mar 2019 01:11:58 GMT

I have a web server behind my 5505 that I'd like to access from the outside of the 5505 (still within my home network though). Its running on port 3000. I made the changes but I have been unable to access my server from the outside. I do have an Airport Extreme in from of the 5505 and the 5505 is getting its address via dhcp from the airport. So I'm trying to hit 192.168.2.57:3000 from my wireless airport network.

Any help much appreciated.

[code]

genesis# sh running-config

: Saved

ASA Version 8.4(4)1

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

switchport access vlan 3

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

description Wired Network

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

description Outside to Airport Extreme

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan3

description Currently Not in Use

shutdown

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.3.1 255.255.255.0

banner motd

boot system disk0:/asa844-1-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server xx.xx.xx.xx

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network WEBSERVER

host 192.168.1.11

access-list ACL_IN extended permit ip any any

access-list WAN_IN extended permit udp any eq domain any

access-list outside_access_in extended permit tcp any object WEBSERVER eq

3000

pager lines 24

logging enable

logging timestamp

logging trap errors

logging asdm informational

logging host inside 192.168.1.11

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

nat (dmz,outside) source dynamic any interface

object network obj_any

nat (inside,outside) dynamic interface

object network WEBSERVER

nat (inside,outside) static interface service tcp 3000 3000

access-group ACL_IN out interface inside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat

0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect

0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd dns xx.xx.xx.xx xx.xx.xx.xx

dhcpd lease 43200

dhcpd address 192.168.1.100-192.168.1.131 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400

average-rate 200

ntp server 24.56.178.140 source inside

webvpn

username me password QHdasgr35fa2Dvc7c encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:ad9282b0e2f32e0dad23cc8b2341d5c8

: end

[/code]

Re: web server behind 5505

Jouni Forss — Sat, 09 Mar 2013 20:01:19 GMT

Hi,

You dont atleast have an ACL on the "outside" interface permitting the traffic

You have created the ACL but not attached the ACL to an interface

access-group outside_access_in in interface outside

Othen than that the configuration seems fine regarding this servers firewall rules.

- Jouni

Re: web server behind 5505

Richard Langly — Sat, 09 Mar 2013 20:12:59 GMT

I added that access-group line, but I still seem to be unable to reach it. My browser just hangs when trying to access http://192.168.2.53:3000/ ... 2.53 is the outside ip on the 5505 and the machine I'm trying to get to it with is 192.168.2.77.

internet --->airport(192.168.2.1) ---> (192.168.2.53)5505(192.168.1.1) --> 192.168.1.11 (web server)

`--->192.168.2.77 (browser)

web server behind 5505

Jouni Forss — Sat, 09 Mar 2013 20:19:24 GMT

Have you tried to see whats happening on the ASA when your trying to access the server?

Either through the CLI or the ASDM (graphical user interface).

They should tell you if the connections is coming to the ASA, if its getting past the ASA and if the connection is being formed.

You can also use the "packet-tracer" comnand on the CLI to test the functionality of the ASAs rule regarding the server.

For example

packet-tracer input outside tcp 192.168.2.77 12345 192.168.2.53 3000

- Jouni

web server behind 5505

Richard Langly — Sat, 09 Mar 2013 21:06:02 GMT

I ran that and here's what I see. I'm guessing the result is not correct?

genesis(config)# packet-tracer input outside tcp 192.168.2.77 12345 192.168.2.$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.2.53 255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

web server behind 5505

Jouni Forss — Sat, 09 Mar 2013 21:16:47 GMT

Hi,

Just to be sure can you copy/paste

The current config
Output of "show ip add"
Output of "show route"
Output of "show arp"

- Jouni

Re: web server behind 5505

Richard Langly — Sat, 09 Mar 2013 21:24:52 GMT

Here it all is. Btw, the 2.52 in the "sh arp" below is the new 2.77 (after a reboot).

genesis# sh running-config

: Saved

ASA Version 8.4(4)1

hostname genesis

enable password 6SEadfadfasdfasfJIA encrypted

passwd 6SEsadfasdfafasdfJIA encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

switchport access vlan 3

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

description Wired Network

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

description Outside to Airport Extreme

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan3

description Currently Not in Use

shutdown

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.3.1 255.255.255.0

banner motd

boot system disk0:/asa844-1-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server xx.xx.xx.xx

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network WEBSERVER

host 192.168.1.11

access-list ACL_IN extended permit ip any any

access-list WAN_IN extended permit udp any eq domain any

access-list outside_access_in extended permit tcp any object WEBSERVER eq 3000

pager lines 24

logging enable

logging timestamp

logging trap errors

logging asdm informational

logging host inside 192.168.1.11

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

nat (dmz,outside) source dynamic any interface

object network obj_any

nat (inside,outside) dynamic interface

object network WEBSERVER

nat (inside,outside) static interface service tcp 3000 3000

access-group ACL_IN out interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd dns xx.xx.xx.xx xx.xx.xx.xx

dhcpd lease 43200

dhcpd address 192.168.1.100-192.168.1.131 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 24.56.178.140 source inside

webvpn

username me password QHdgfasdfasfdasdfasfdaYc encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:6274aaab23efb4f275c28298a2dd490f

: end

---------------------

genesis# sh ip add

System IP Addresses:

Interface Name IP address Subnet mask Method

Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG

Vlan2 outside 192.168.2.53 255.255.255.0 DHCP

Vlan3 dmz 192.168.3.1 255.255.255.0 CONFIG

Current IP Addresses:

Interface Name IP address Subnet mask Method

Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG

Vlan2 outside 192.168.2.53 255.255.255.0 DHCP

Vlan3 dmz 192.168.3.1 255.255.255.0 CONFIG

---------------------

genesis# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

C 192.168.1.0 255.255.255.0 is directly connected, inside

C 192.168.2.0 255.255.255.0 is directly connected, outside

d* 0.0.0.0 0.0.0.0 [1/0] via 192.168.2.1, outside

---------------------

genesis# sh arp

inside 192.168.1.11 0000.0000.0001 56

outside 192.168.2.52 58b0.3566.4c6f 302

outside 192.168.2.1 78ca.39fd.1094 630

Re: web server behind 5505

Jouni Forss — Sat, 09 Mar 2013 21:47:31 GMT

Hi,

I did some testing on my own ASA and cant really understand what exactly is happening with the NAT. It seems to me that your connection attempts are probably being blocked by another NAT configuration.

Can you remove these NAT configurations

no nat (dmz,outside) source dynamic any interface

no object network obj_any

Then

clear xlate

Which will clear any translation active. Will also clear connections through the ASA

Then reconfigure the above NATs in different way

nat (inside,outside) after-auto source dynamic any interface

nat (dmz,outside) after-auto source dynamic any interface

And then try again connections to the server

EDIT: On a sidenote, I cant see the connection attempting host on the "show arp", all others show.

- Jouni

web server behind 5505

Richard Langly — Sat, 09 Mar 2013 21:57:30 GMT

Jouni,

Though it takes a bit longer than 10 seconds, that actually made it work.In fact, all pages on this site take about that long to load. Thank you for getting me this far.