topic ASA 5510 - outside and inside can not access web server in DMZ in Network Security

ASA 5510 - outside and inside can not access web server in DMZ

cole xu — Mon, 11 Mar 2019 18:45:32 GMT

Hello, there may be some problems with the ASA's config, but I can find where are the problems.

Below is the basic config for this ASA:

Inside ip address :　192.168.10.1/24

Outside ip address: 120.195.153.151/26

DMZ ip address: 192.168.30.1/24

Web server ip address: 192.168.30.5/24

I wanna complete the tasks , the status of which are as below:

1. Inside ping Web server successfully

2. Inside ping www.cisco.com successfully

3. DMZ ping www.cisco.com successfully

4. Inside access web sites in web server through http://192.168.30.5 failed

5. Outside access web sites in web server through http://120.195.153.151 failed

Please get the detailed config in the attached file, and kindly help have a check to find where are the problems.thanks!

Re: ASA 5510 - outside and inside can not access web server in D

Jennifer Halim — Mon, 27 Sep 2010 09:18:02 GMT

You would need to remove the following line as follows:

no static (inside,DMZ) 192.168.30.0 192.168.10.0 netmask 255.255.255.0

Replace with the following:

static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

Then you would need to "clear xlate" to clear existing translation.

The above will fix issue# 4.

The following will fix issue# 5:

static (DMZ,outside) tcp interface 80 192.168.30.5 80 netmask 255.255.255.255

Then you would need to "clear xlate" to clear existing translation.

Hope that helps.

Re: ASA 5510 - outside and inside can not access web server in D

cole xu — Mon, 27 Sep 2010 09:57:15 GMT

Hi, Jennifer

Thanks for your helps, now the issue #4 was fixed, but issue #5 still exists. need your kindly help to check again. thanks!

1. Inside ping Web server successfully

2. Inside ping www.cisco.com successfully

3. DMZ ping www.cisco.com successfully

4. Inside access web sites in web server through http://192.168.30.5 successfully

5. Outside access web sites in web server through http://120.195.153.151 failed

Re: ASA 5510 - outside and inside can not access web server in D

Jennifer Halim — Mon, 27 Sep 2010 10:06:16 GMT

Can you try using a different public ip address (public ip address that has not been used elsewhere) instead?

Remove the existing translation first:

no static (dmz,outside) tcp interface www 192.168.30.5 www netmask 255.255.255.255

Then add the following line with the spare public ip address:

static (dmz,outside) 120.195.153.x 192.168.30.5 netmask 255.255.255.255

Then "clear xlate". You might also want to "clear arp" on both the ASA, and the upstream router.

Re: ASA 5510 - outside and inside can not access web server in D

cole xu — Mon, 27 Sep 2010 10:22:00 GMT

I'm sorry to say that ISP only assigned one public ip address for me, I can not use any other address.

Re: ASA 5510 - outside and inside can not access web server in D

Jennifer Halim — Mon, 27 Sep 2010 10:34:34 GMT

Really? your outside subnet is /26, doesn't that mean you have the whole /26 subnet to use?

Anyway, in that case, let's continue to use the ASA interface ip address.

To troubleshoot further, please configure the following ACL line:

access-list 102 line 1 extended permit tcp any host 120.195.153.151 eq www

Then try to access it from the outside again, and then issue "show access-list 102", and check if you have any hitcount on the first line.

Re: ASA 5510 - outside and inside can not access web server in D

cole xu — Mon, 27 Sep 2010 12:37:24 GMT

Sorry for the late reply, I've tried to add the command as you advised, but still no luck.

Below is the output of 'sh access-list 102', quantity of hit count is no zero.

ciscoasa# sh access-list 102
access-list 102; 4 elements
access-list 102 line 1 extended permit tcp any host 120.195.153.151 eq www (hitc
nt=4)
access-list 102 line 2 extended permit icmp any any (hitcnt=682)
access-list 102 line 3 extended permit ip any any (hitcnt=145)
access-list 102 line 4 extended permit tcp any any eq www (hitcnt=0)

Re: ASA 5510 - outside and inside can not access web server in D

Jennifer Halim — Mon, 27 Sep 2010 13:39:57 GMT

Can you share the output of "sh conn | i 192.168.30.5" as soon as you tried to access it from the outside.

Re: ASA 5510 - outside and inside can not access web server in D

cole xu — Mon, 27 Sep 2010 13:48:33 GMT

Ok, please refer to the following output:

ciscoasa# sh conn | i 192.168.30.5
UDP out 117.85.147.201:1316 in 192.168.30.5:2792 idle 0:00:00 bytes 1014585 flag
s -
TCP out 114.243.120.255:5938 in 192.168.30.5:2790 idle 0:00:40 bytes 458 flags U
IO
TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB

Re: ASA 5510 - outside and inside can not access web server in D

Jennifer Halim — Tue, 28 Sep 2010 04:47:13 GMT

OK, looking at this line:

TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB

Flags of aB means that ASA is receiving SYN packet from outside host towards the DMZ server, however, it never receives the SYN-ACK back.

Can you check what is the default gateway on the DMZ server (pls make sure that it's the ASA DMZ interface ip address).

Re: ASA 5510 - outside and inside can not access web server in D

cole xu — Tue, 28 Sep 2010 05:03:18 GMT

The default gateway of DMZ server is 192.168.30.1 , which is the ip address of DMZ interface.

Re: ASA 5510 - outside and inside can not access web server in D

Jennifer Halim — Tue, 28 Sep 2010 05:24:56 GMT

Can you please run a packet capture on the outside and dmz interface of the ASA to see where the traffic breaks.

Also, if you can run the packet tracer on the ASA from the outside towards the dmz server public ip address and make sure that it passes through OK.

Re: ASA 5510 - outside and inside can not access web server in D

rjpselguera — Tue, 28 Sep 2010 06:26:06 GMT

Hi Jennifer,

Sorry for butting in but I'm curious. Do the following configuration mentioned above also applicable for ASA5510 with IOS version of 8.0 or 8.2?

Thanks.

Re: ASA 5510 - outside and inside can not access web server in D

cole xu — Tue, 28 Sep 2010 06:38:24 GMT

I've runned the following commands:

1. capture outside inter outside

2. capture dmz inter dmz

and get the below output, seems no traffic breaks

capture outside type raw-data interface outside [Capturing - 330602 bytes]
capture dmz type raw-data interface dmz [Capturing - 465476 bytes]

Re: ASA 5510 - outside and inside can not access web server in D

Jennifer Halim — Tue, 28 Sep 2010 10:23:04 GMT

Please remove the existing capture first:

no capture outside type raw-data interface outside
no capture dmz type raw-data interface dmz

Please make it more specific so we can capture only the specific information:

(NB: assuming that you are testing from ip address: 117.85.147.201)

access-list cap-out permit tcp host 117.85.147.201 host 120.195.153.151

access-list cap-out permit tcp host 120.195.153.151 host 117.85.147.201

access-list cap-dmz permit tcp host 117.85.147.201 host 192.168.30.5

access-list cap-dmz permit tcp host 192.168.30.5 host 117.85.147.201

capture cap-out access-list cap-out interface outside

capture cap-dmz access-list cap-dmz interface dmz

Then test accessing the website from 117.85.147.201.

Then gather the output:

show cap cap-out

show cap cap-dmz

Re: ASA 5510 - outside and inside can not access web server in D

cole xu — Thu, 30 Sep 2010 04:39:51 GMT

Hi, jennifer

Thanks a lot for your help . I think I have found where is the problem , just got reply from telecom company, the port 80 is blocked by them.

Re: ASA 5510 - outside and inside can not access web server in D

Jennifer Halim — Thu, 30 Sep 2010 04:42:29 GMT

Great, and thanks for the update.

Pls kindly mark the post as answered.

Re: ASA 5510 - outside and inside can not access web server in D

Jennifer Halim — Thu, 30 Sep 2010 04:49:38 GMT

Thank you..