topic Re: Application through our ASA in Network Security

Application through our ASA

stephenarbour — Mon, 11 Mar 2019 17:01:45 GMT

We have a Educational Application server within our LAN that students access via Web browser. We now want to make this internal Web site available to 15 students outside our network.

The internal server website is 192.168.2.15 and the application uses ports 80 and 1209.

We have a dedicated public address that we can assign to this purpose nnn.nnn.nnn.004

In spite of my (enough to be dangerous) knowledge, my access list entries and static entries have not worked to get this application traffic through our ASA5510.

Can someone help me place the appropriate commands?

hostnameASA(config)# show run
: Saved
:
ASA Version 7.2(3)
!
hostname hostnameASA
domain-name default.domain.invalid
enable password xxxxxxxxx encrypted
names
name 192.168.2.4 serverApps02
name 192.168.2.5 serverApps03
name 192.168.2.3 serverdom01
name 192.168.42.4 server1
name 192.168.42.6 server2
name 192.168.42.49 serverdom01
name 192.168.42.41 serverdom02
name 192.168.42.9 serverApps01
name 192.168.2.1 serverRouter
name 192.168.42.1 serverRouter
name 192.168.42.15 serverMail
name 192.168.42.7 serverVPN
!
interface Ethernet0/0
nameif outside
security-level 0
ip address nnn.nnn.nnn.151 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid

access-list outside extended permit tcp any host nnn.nnn.nnn.207 eq pptp
access-list outside extended permit tcp any host nnn.nnn.nnn.207 eq 47
access-list outside extended permit udp any host nnn.nnn.nnn.10 eq 1719
access-list outside extended permit udp any host nnn.nnn.nnn.10 range 2326 2373
access-list outside extended permit tcp any host nnn.nnn.nnn.10 range 5555 5565
access-list outside extended permit tcp any host nnn.nnn.nnn.206 eq https
access-list outside extended permit tcp any host nnn.nnn.nnn.206 eq www
access-list outside extended permit tcp any host nnn.nnn.nnn.220 eq www
access-list 101 extended permit ip 192.168.0.0 255.255.0.0 192.168.100.0 255.255.255.0
pager lines 24
logging timestamp
logging monitor debugging
logging trap debugging
logging asdm informational
logging host inside 192.168.42.39
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) nnn.nnn.nnn.213 serverApps03 netmask 255.255.255.255
static (inside,outside) nnn.nnn.nnn.214 serverdom01 netmask 255.255.255.255
static (inside,outside) nnn.nnn.nnn.216 serverRT1 netmask 255.255.255.255
static (inside,outside) nnn.nnn.nnn.218 serverdom01 netmask 255.255.255.255
static (inside,outside) nnn.nnn.nnn.219 serverdom02 netmask 255.255.255.255
static (inside,outside) nnn.nnn.nnn.220 serverApps01 netmask 255.255.255.255
static (inside,outside) nnn.nnn.nnn.221 serverRouter netmask 255.255.255.255
static (inside,outside) nnn.nnn.nnn.222 serverRouter netmask 255.255.255.255
static (inside,outside) nnn.nnn.nnn.217 serverRT2 netmask 255.255.255.255
static (inside,outside) nnn.nnn.nnn.207 serverVPN netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 nnn.nnn.nnn.152 1
route inside 192.168.0.0 255.255.0.0 192.168.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
url-server (inside) vendor websense host 192.168.42.17 timeout 30 protocol TCP v
ersion 1 connections 5
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect http
!
service-policy global_policy global
url-block url-mempool 1500
url-block url-size 4
url-block block 128
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
hostnameASA#

Re: Application through our ASA

Jon Marshall — Tue, 26 Jan 2010 17:37:17 GMT

stephenarbour wrote:
We have a Educational Application server within our LAN that students access via Web browser. We now want to make this internal Web site available to 15 students outside our network.
The internal server website is 192.168.2.15 and the application uses ports 80 and 1209.
We have a dedicated public address that we can assign to this purpose nnn.nnn.nnn.004
In spite of my (enough to be dangerous) knowledge, my access list entries and static entries have not worked to get this application traffic through our ASA5510.
Can someone help me place the appropriate commands?

hostnameASA#

static (inside,outside) xxx.xxx.xxx.4 192.168.2.15 netmask 255.255.255.255

access-list outside permit tcp any host xxx.xxx.xxx.4 eq 80

access-list outside permit tcp any host xxx.xxx.xxx.4 eq 1209

note i have used "any" in the access-list but if you know the 15 IPs of the external students it would be better to use them.

Jon

Re: Application through our ASA

stephenarbour — Wed, 27 Jan 2010 14:06:31 GMT

Hi Jon,

Thanks for the timely response. The students still aren't able to access the page. I had one of them ping the address nnn.nnn.nnn.4 and they don't get a reply.

The "outside" interface nnn.nnn.nnn.151 is responding to pings though. I wonder if I need to add a command so that the outside interface responds to requests for nnn.nnn.nnn.4?

Re: Application through our ASA

Kureli Sankar — Wed, 27 Jan 2010 14:19:14 GMT

You need this

access-list outside permit icmp any host xxx.xxx.xxx.4

in order to be able to ping.

They are unable to load the page? What do you see in the logs when it fails? Do you see the acl hit count increment? The server is not responding? Is the server working internally? Meaning when an inside computer in the 192.168.2.0/24 network opens a browser and goes to http://192.168.2.15 does it load the page?

-KS

Re: Application through our ASA

stephenarbour — Wed, 27 Jan 2010 15:41:21 GMT

The error is "Opps! This link appears to be broken. Page not found - connection failure."

Opening a browser and going to http://192.168.2.15 does yes open the page and the server responds perfectly.

The logging entries that you see are left over and inactive as the PC that was hosting is not anymore. I need to set this up again.

Re: Application through our ASA

Kureli Sankar — Wed, 27 Jan 2010 16:01:35 GMT

On the web server check the gateway and make sure it is 192.168.30.2 and check the router 192.168.30.2 and make sure its default gateway is pointing to this firewall.

Is this server able to go to the internet through this firewall? If so, when you go to http://ipchicken from this webserver does it show the ip address x.x.x.4 that it is supposed to look like when it goes to the internet?

-KS

Re: Application through our ASA

stephenarbour — Wed, 27 Jan 2010 17:43:01 GMT

The address shown by ipchicken is nnn.nnn.nnn.151 and not the correct address: nnn.nnn.nnn.4

The gateway for the server is the local 192.168.2.1

The router gateway is the firewall.

Re: Application through our ASA

Jon Marshall — Wed, 27 Jan 2010 18:54:33 GMT

stephenarbour wrote:

The address shown by ipchicken is nnn.nnn.nnn.151 and not the correct address: nnn.nnn.nnn.4

The gateway for the server is the local 192.168.2.1

The router gateway is the firewall.

When you added the config i posted did you clear the xlate table ? If not the ASA might still have the old entry although it should have timed out by now.

Note you should clear the individual entry for 192.168.2.15 and not the entire table as that will destroy all current connections on the firewall.

Jon

Re: Application through our ASA

Kureli Sankar — Wed, 27 Jan 2010 19:05:30 GMT

hmm...that is the problem. Do what Jon says "clear local 192.168.2.15" then have the server go to the internet and issue "sh xlate debug | i 192.168.2.15" and make sure it is going out as x.x.x.4

Once done you should be able to load the page from the otuside.

-KS

Re: Application through our ASA

stephenarbour — Thu, 28 Jan 2010 20:38:40 GMT

It worked! Thanks very much Jon and Kusankar.