topic Re: Need help configuring http port on Cisco ASA 5510 in Network Security

Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Fri, 21 Feb 2020 09:13:38 GMT

Hi All,

I have a Cisco ASA 5510.

I have a NT Server hosting a web server setup to use the http port 10300.

How can I configure my pix to allow traffic to this application from other machines in the network?

My NT Server private IP is 10.0.1.25 and I'm able to access it from the other machines in the network, but when I connect to the web application through the url: http:\\<server name>.<domain name>:10300\xxxx

then I receive a "Server Not found error".

I tried multiple config of the access list / nat but could not get it to work.

Here is an extract of my current configuration:

ASA Version 7.0(4)

[...]

interface Ethernet0/0

nameif outside

security-level 0

ip address 67.104.112.162 255.255.255.240

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.0.1.1 255.255.255.0

interface Ethernet0/2

shutdown

nameif DMZ

security-level 50

ip address 172.16.1.1 255.255.255.0

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

access-list outside-in extended permit icmp any any

access-list outside-in extended permit tcp any eq www host 67.104.112.163 eq 10300

access-list SPLIT-TUNNEL extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0

access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit ip any any

[...]

global (outside) 1 interface

nat (outside) 1 192.168.24.0 255.255.255.0

nat (inside) 0 access-list NONAT

nat (inside) 1 10.0.1.0 255.255.255.0

static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255

static (inside,outside) 67.104.112.164 10.0.1.26 netmask 255.255.255.255

access-group outside-in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 67.104.112.161 1

[...]

http server enable

http 167.1.162.143 255.255.255.255 outside

http 10.0.1.0 255.255.255.0 inside

http 10.0.1.25 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 management

[...]

I would really appreciate if you can help me!

Thanks in advance.

Re: Need help configuring http port on Cisco ASA 5510

mmorris11 — Tue, 10 Oct 2006 17:36:46 GMT

change this:

static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255

to:

static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255 dns

HTH pls rate!

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Tue, 10 Oct 2006 18:24:30 GMT

Thanks a lot for your help.

I tried that. I'm wondering if I'm not missing something in the acl because from inside the network (where I am right now), I'm not able to connect to the application on this server (10.0.1.25).

Do you think the acl are correctly defined?

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Tue, 10 Oct 2006 18:34:39 GMT

I also tried adding:

access-list inside_access_in extended permit tcp any eq www host 67.104.112.163 eq 10300

but this doesn't seem to improve anything...

Re: Need help configuring http port on Cisco ASA 5510

jwjohansen — Tue, 10 Oct 2006 22:43:49 GMT

Maybe I am missing something here...but isn't this NAT on your outside interface?

Thus the ACE you would need to add would need to be on your outside ACL. Also the source port isn't going to be 80 it is going to be random I believe. The destination port is going to be in this case 10300...for normal www traffic it would be 80 of course. Thus I think that eq www statement is blocking this. Are you seeing the deny on the syslog when you test?

So thus it would be something like:

access-list outside-acl(whatever your acl is) permit tcp any host 67.104.112.163 eq 10300

Re: Need help configuring http port on Cisco ASA 5510

a.kiprawih — Tue, 10 Oct 2006 23:33:46 GMT

Try this, hopefully it helps.

Q: How can I configure my pix to allow traffic to this application from other machines in the network?

My NT Server private IP is 10.0.1.25 and I'm able to access it from the other machines in the network, but when I connect to the

web application through the url: http:\\.:10300\xxxx , then I receive a "Server Not found error".

A: Disabled the proxyarp on your inside interface,

command: sysopt noproxyarp , hostname(config)# sysopt noproxyarp inside

To enable it, use "no sysopt noproxyarp interface_name"

In rare circumstances, you might want to disable proxy ARP for global addresses.

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface. The only way traffic can reach the hosts is if the security appliance uses proxy ARP to claim that the security appliance MAC address is assigned to destination global addresses.

Before that, pls ensure that your HTTP service via port 10300 is working fine. Otherwise, this could be the primary issue.

Q: How to allow outside/internet clients access your web server via 10300 (TC)

A: Since you're not using standard port 80-www, this might require port redirection.

Change your current static map from :

static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255

static (inside,outside) tcp 67.104.112.163 www 10.0.1.25 10300 netmask 255.255.255.255

Changed the ACL as well to:

access-list outside-in extended permit tcp any host 67.104.112.163 eq www

The above will allow outsiders to access your server without having to specify "10300" in their web browser. PIX/ASA will do the redirection automatically to port 10300.

Cheers!

Re: Need help configuring http port on Cisco ASA 5510

mmorris11 — Wed, 11 Oct 2006 12:25:49 GMT

If you are behind the pix, using a web browser on a host 10.0.1.x and you cannot connect to your web server on your nonstandard port which you specified, check your web server config. You certainly need to get this working before anyone can be expected to access it through the firewall.

HTH

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Wed, 11 Oct 2006 21:11:42 GMT

Hi, Thanks for your answer.

I ran "sysopt noproxyarp inside" but still wasn't able to connect to http:\.:10300\ from behind the pix. Connecting to http:\\10.0.1.25 is fine though.

How can I make sure that my HTTP service is working fine for port 10300?

I also ran:

access-list outside-in extended permit tcp any host 67.104.112.163 eq www

static (inside,outside) tcp 67.104.112.163 www 10.0.1.25 10300 netmask 255.255.255.255 dns

I'm not able to check immediately if access from outside is possible since I'm behind the pix, but will do later tonight.

Again, thanks a lot for taking the time to reply. Unfortunately at this point, I am still not able to access to this url...

sylvain

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Wed, 11 Oct 2006 21:13:22 GMT

Hi,

thanks for your answer.

I'm able to connect to http:\\10.0.1.25 from a laptop behind the pix, but not to http:\\.:10300\...

Anything else I should be checking?

Sylvain

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Wed, 11 Oct 2006 21:20:44 GMT

Hi,

Thanks for your answer. I agree I had it backward.

I tried this:

access-list outside-in extended permit tcp any host 67.104.112.163 eq 10300

and it did not make any changes.

Thanks

Sylvain

Re: Need help configuring http port on Cisco ASA 5510

a.kiprawih — Thu, 12 Oct 2006 06:09:36 GMT

To verify your http via port 10300 is working:

a. check your http port setup on the www server or application.

b. run http test from the server itself using web browser. Try any of these:

http://10.0.1.25:10300

http://:10300

http://127.0.0.1:10300

c. from any pc in the same segment, telnet to the server's IP:

telnet 10.0.1.25 10300

OR telnet from outside firewall to the public IP natted to 10.0.1.25 (which is 67.104.112.163)

telnet 67.104.112.163 10300

Make sure you got some kindly of successful telnet reply, with http keyword...

Hope this helps.

Re: Need help configuring http port on Cisco ASA 5510

a.kiprawih — Thu, 12 Oct 2006 06:19:50 GMT

Or from Outside/internet, you can do port scan to the public IP of 67.104.112.163. Make sure the port is open or visible from outside.

YOu can download lots of free port scanning tool, i.e yaps..

Cheers!

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Fri, 13 Oct 2006 03:11:35 GMT

Hi,

Thanks. I tried Yaps which gave me the following results from outside:

67.104.112.163:80 -> www-http (World Wide Web HTTP) -> HTTP/1.1 404 Not Found..

getting this resutls for port 10300 and 10500 was kind of expected, but not for port 80.

when running it for ports 10300 to 10500, it wasn't even giving me any results.

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Fri, 13 Oct 2006 03:14:56 GMT

Hi,

all tests gave me an error 404 Not Found.

I wasn't able to telnet using 10.0.1.25 from my laptop which was 10.0.1.6.

I received the following results from outside:

C:\>telnet 67.104.112.163 10300

Connecting To 67.104.112.163...Could not open connection to the host, on port 10300: Connect failed

C:\>telnet 67.104.112.163

Connecting To 67.104.112.163...Could not open connection to the host, on port 23: Connect failed

same thing after launching the VPN Client.

Re: Need help configuring http port on Cisco ASA 5510

a.kiprawih — Fri, 13 Oct 2006 03:42:17 GMT

If you telnet from local subnet or from a PC in same subnet with the server, and if the server port 10300 is up & running, you should be able to get some kind of reply with 'http' keyword, not the "..could not open connection to..". The error indicates service port not running/opened.

Do port scanning from local LAN and outside firewall, and compare the results.

From internal LAN, you should see port 10300 opened. Indirectly, this will also verify that the service port is running fine.

If you can't see this port, check the server itself & verify the port is really working fine.

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Fri, 13 Oct 2006 21:25:20 GMT

Hi,

From inside the LAN I ran Yaps which gave me the following results:

Started scan

10.0.1.25:10300

Stopping scan

I assume it means 10300 is configured properly on the server. But in this case, why wouldn't I be able to access it when I type in the url http?

I tried something different with Yaps. I entered the name of the server in the IP address and it returned 10.0.1.6 which is a dynamic IP used by the same server but on a different ethernet card (this server has 3 cards). Could that be the problem?

Thanks

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Fri, 13 Oct 2006 21:29:40 GMT

For example, the results of Yaps while resolving name are:

Started scan

10.0.1.6:10300 ->

10.0.1.25:10300

Stopping scan

Re: Need help configuring http port on Cisco ASA 5510

a.kiprawih — Sat, 14 Oct 2006 18:03:04 GMT

Interesting additional info. So, your server actually has 3 NICs, in which 2 of it bearing 10.0.1.6 and 10.0.1.25.

What's the gateway for each IPs:

ip: 10.0.1.6, gw: ??

ip: 10.0.1.25, gw: ??

Do you point both to inside interface IP (10.0.1.1) as gateway, or only one?

Also, can you run "http://10.0.1.6:10300/" and check what's the result looks like? IF this is ok, try to eliminate/isolate the problem by disabling/disconnect the card with 10.0.1.6 IP, and let it run on the 10.0.1.25.

The port scan result show the http using tcp 10300 was running fine.

Re: Need help configuring http port on Cisco ASA 5510

sylvainnguyen — Mon, 16 Oct 2006 16:50:01 GMT

Hi,

Thanks for your reply.

So I disabled all cards but the one configured as a static IP 10.0.1.25.

I ran:

C:\>ping

Ping request could not find host . Please check the name and try again.

C:\>ping 10.0.1.25

Pinging 10.0.1.25 with 32 bytes of data:

Reply from 10.0.1.25: bytes=32 time<1ms TTL=128

The weird thing is that after disabling the 2 NICs on the server, I am not able to connect to the web application from the server itself (which I'm able to do when the NICS are enabled).

So the server name is recognized only for the IP 10.0.1.6. Not sure how this could be changed...

FYI: both IP use the same default gateway 10.0.1.1

Thanks