topic Server cannot browse to own websites in Network Security

Server cannot browse to own websites

KingPrawns — Mon, 11 Mar 2019 21:45:23 GMT

I've currently got a set of servers that all go through a switch and out via an asa firewall.

I know there isn't a problem with port 80 as the servers can navigate to external sites such as google.

Here is a result of a packet-trace:

bt(config)# packet-tracer input inside tcp 10.20.3.148 www 10.20.3.148 www detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca88f500, priority=13, domain=capture, deny=false
        hits=37877223, user_data=0xca88f400, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcabe35b8, priority=1, domain=permit, deny=false
        hits=18614673, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.20.3.0       255.255.255.0   inside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcabe4508, priority=111, domain=permit, deny=true
        hits=0, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=inside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I'm not 100% sure I got that trace correct, should it be inside ip to inside ip or inside ip to outside (or vice versa) ?

I've got the following access-lists in and tried to run a capture but got nothing with regards to serving internal/external ip

access-list cap extended permit ip any host 195.171.9.148
access-list cap extended permit ip host 195.171.9.148 any
access-list cap extended permit ip any host 10.20.3.148
access-list cap extended permit ip host 10.20.3.148 any

Am I missing a rule in the access lists?

Server cannot browse to own websites

varrao — Wed, 02 Nov 2011 11:13:00 GMT

Hi Wez,

what it looks like is you are trying to do u-turning on ASA, use this:

static (inside,inside) 10.20.3.148 10.20.3.148

nat (inside) 5 0.0.0.0 0.0.0.0

global (inside) 5 interface

same-security-traffic permit intra-interface

sysopt noproxyarp inside

If you want to access the server on public ip, then remove the above static and add this:

static (inside,inside) 195.171.9.148 10.20.3.148

Hope that helps.

Thanks,

Varun

Re: Server cannot browse to own websites

KingPrawns — Wed, 02 Nov 2011 11:25:08 GMT

Getting the following error:

bt(config)# nat (inside) 5 0.0.0.0 0.0.0.0

ERROR: This syntax of nat command has been deprecated.

We're on version 8.4, sorry should have said that before.

I think it's arguing with "5". Is that translated to "static/dynamic"?

Also, I tried adding it as a nat rule to "object network" and that overwrote my inside/outside nat. Do I need to add it somewhere different?

Example (post change):

object network Ras
nat (inside,outside) static Ras_Outside  (correct)
object network Dev1
nat (inside,inside) static Dev1   (no longer pointing outside?)

Server cannot browse to own websites

varrao — Wed, 02 Nov 2011 11:41:42 GMT

Hi Wez,

i guess you are using 8.3 or above code, if thats the case use this:

object network public_ip

host 195.171.9.148

object network private_ip

host 10.20.3.148

nat (inside,inside) source dynamic any interface source static public_ip private_ip

same-security-traffic permit intra-interface

sysopt noproxyarp inside

This should do.

Thanks,

Varun

Re: Server cannot browse to own websites

KingPrawns — Wed, 02 Nov 2011 11:59:09 GMT

Still having problems with the nat rule. where is the config hierarchy should I be putting it?

(config)# nat (inside,inside) source dynamic any interface source static Dev1_Outside Dev1
              ^

ERROR: % Invalid input detected at '^' marker.

Will I have to add this rule for every server? Just found another issue, it seems that the servers on this .3. subnet can't browse to any of the websites on servers in the same subnet (not just themselves). Is this now a routing issue?

Message was edited by: Wez Morris (formatting)

Server cannot browse to own websites

varrao — Wed, 02 Nov 2011 12:06:19 GMT

Could you please share your config.

Varun

Re: Server cannot browse to own websites

KingPrawns — Wed, 02 Nov 2011 12:20:39 GMT

Sent you a PM

Server cannot browse to own websites

KingPrawns — Mon, 07 Nov 2011 11:04:18 GMT

Still having trouble with this issue.

Can anybody recommend a way of debugging the problem?

I need a server to access websites that it hosts, but I can't work out the traceroute/packet-trace

Server cannot browse to own websites

KingPrawns — Mon, 07 Nov 2011 14:20:16 GMT

Sorry, last update.

Problem solved for one server using these lines:

nat (inside,inside) source dynamic any interface Destination static public_ip private_ip

same-security-traffic permit intra-interface

2 remaining questions:

1) Can I change Public_IP and Private_IP to object groups?

2) Do I need sysopt noproxyarp inside?

Server cannot browse to own websites

varrao — Mon, 07 Nov 2011 14:24:25 GMT

If the server are not in the directly connected subnet of the ASA, then you mght need to add the sysopt command.

Yes you can chnage the Private and Public to object-groups, no issues with it.

Thanks,

Varun