topic Re: Transparent mode and web server in Network Security

Transparent mode and web server

opsmaster — Mon, 11 Mar 2019 16:00:08 GMT

I am installing a ASA 5510 in transparent mode, it's behind a cisco 3745 router that has NAT translation in the configs.

After I set up the ASA 5510, I created access lists for web server access. All traffic inside passes thru fine however, when an outside user tries to access the web site, the page connection will not load.

Do I have to set a NAT rule for outside access? If not what other suggestions does anyone have.

Re: Transparent mode and web server

Collin Clark — Tue, 28 Jul 2009 19:40:49 GMT

It sounds like that you do need to create a NAT translation in the router.

Re: Transparent mode and web server

opsmaster — Tue, 28 Jul 2009 19:48:39 GMT

The router has a NAT translation already, when I remove the ASA everything is fine.

I just started the install with a functioning network in place already.

Re: Transparent mode and web server

Collin Clark — Tue, 28 Jul 2009 19:51:40 GMT

OK, are you getting hit counts on your ACL? Any messages in your log?

Re: Transparent mode and web server

opsmaster — Tue, 28 Jul 2009 19:54:52 GMT

I will check later, when I work on the firewall further.

Re: Transparent mode and web server

opsmaster — Tue, 28 Jul 2009 20:03:49 GMT

When I check would you have any suggestions for me to try.

Re: Transparent mode and web server

Collin Clark — Tue, 28 Jul 2009 20:05:51 GMT

Just check the ACL and turn on logging if it's not enabled. I would turn logging buffer to debugging (but don't debug anything).

Re: Transparent mode and web server

opsmaster — Wed, 29 Jul 2009 11:32:32 GMT

Here is my logging file I captured this morning. Any outside who tries to accept our website recieves the message:

"Connection to Server was reset while the page was loading, network linkwas interupted while negotiating a connection."

Also is a copy of my ASA configs:

ASA Version 8.0(4)

firewall transparent

hostname ciscoasa

enable password I3KXhN9OZMFiyurw encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

nameif outside

security-level 0

interface Ethernet0/1

nameif inside

security-level 100

interface Management0/0

shutdown

no nameif

no security-level

management-only

ftp mode passive

access-list outside_access_in extended permit ip any any

access-list permit extended permit eigrp any host 172.21.0.7

access-list permit extended permit eigrp any host 172.21.0.1

access-list inside extended permit eigrp any any

access-list inside_access_out extended permit ip any any

access-list 112 extended permit tcp any any eq 548

access-list 112 extended permit tcp any any eq domain

access-list 112 extended permit udp any any eq domain

access-list 101 extended permit tcp any any

access-list 120 extended permit tcp any host 172.21.0.78 eq domain

access-list 120 extended permit tcp any host 172.21.0.3 eq domain

access-list 120 extended permit tcp any host 172.21.0.2 eq domain

access-list 110 extended permit udp any any

access-list 110 extended permit udp any 172.21.4.0 255.255.252.0 range 3200 3300

access-list 110 extended permit udp any 172.21.8.0 255.255.252.0 range 3200 3300

access-list 110 extended permit udp any 172.21.12.0 255.255.252.0 range 3200 3300

access-list 111 extended permit udp any any

access-list 111 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.7

access-list 111 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.7

access-list 111 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.7

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp

access-list Outside_VPN extended permit tcp any host 172.21.0.14

access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp

access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500

access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 1701

pager lines 24

logging enable

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address 172.21.0.80 255.255.252.0

ip local pool heights 172.21.12.0 mask 255.255.252.0

ip local pool manito 172.21.4.0 mask 255.255.252.0

ip local pool dogwood 172.21.8.0 mask 255.255.252.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group Outside_VPN in interface outside

route outside 0.0.0.0 0.0.0.0 172.21.0.7 1

route inside 172.21.0.0 255.255.0.0 0.0.0.0 1

route inside 172.21.4.0 255.255.252.0 172.21.0.1 1

route inside 172.21.4.2 255.255.255.255 172.21.0.1 1

route inside 172.21.8.0 255.255.252.0 172.21.0.1 1

route inside 172.21.8.2 255.255.255.255 172.21.0.1 1

route inside 172.21.12.0 255.255.252.0 172.21.0.1 1

route inside 172.21.12.2 255.255.255.255 172.21.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

Re: Transparent mode and web server

Collin Clark — Wed, 29 Jul 2009 12:18:54 GMT

You don't have an ACL entry allowing HTTP traffic in. You have the following ACL applied to the outside interface-

access-group Outside_VPN in interface outside

And here are the rules that allow traffic in.

access-list Outside_VPN extended permit tcp any host 172.21.0.14

access-list Outside_VPN extended permit udp any host 172.21.0.14 eq isakmp

access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 4500

access-list Outside_VPN extended permit udp any host 172.21.0.14 eq 1701

Nothing for HTTP.

Re: Transparent mode and web server

netsec — Wed, 29 Jul 2009 13:44:44 GMT

I think:

access-list Outside_VPN extended permit tcp any host 172.21.0.14

will allow all TCP traffic, including HTTP. Am I wrong?

if i'm correct, it shouldn't be a good point to allow this, from a security Point of view.

Re: Transparent mode and web server

Collin Clark — Wed, 29 Jul 2009 13:49:29 GMT

You are correct, that would allow all TCP traffic to host 172.21.0.14. You can restrict to just HTTP with this ACL-

access-list Outside_VPN ext permit tcp any host 172.21.0.14 eq 80

You are right again about that first ACL not being very secure. The second should be fine. If you can/want you can further restict by filtering the source IP's.

access-list Outside_VPN ext permit tcp 10.0.0.0 255.0.0.0 host 172.21.0.14 eq 80

This would only allow people with a source address of 10.x.x.x to connect.

Re: Transparent mode and web server

netsec — Wed, 29 Jul 2009 13:53:04 GMT

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp

where did you apply this ACL?

it shouldn't be applied in outside.

Re: Transparent mode and web server

Collin Clark — Wed, 29 Jul 2009 13:55:08 GMT

It's not applied to any interface.

Re: Transparent mode and web server

opsmaster — Wed, 29 Jul 2009 14:44:59 GMT

The VPN access list is for VPN Server.

The WWW access list is for the WWW and Mail server. They are 2 different servers on a NAT scheme.

I need to apply the Access-list for WWW to the outside interface for HTTP traffic to our web server.

Re: Transparent mode and web server

opsmaster — Wed, 29 Jul 2009 16:36:13 GMT

Thanks for your suggestion, also

Is there a global command to allow all subnets behind the router to communicate with each other regardless of protocols?

I want unrestricted traffic in the network,

however the gateway is on the WAN side of the ASA. Remember the ASA is in transparent mode.

Thanks.

Re: Transparent mode and web server

Collin Clark — Wed, 29 Jul 2009 17:57:56 GMT

You will have to create an entry in the ACL. You can do it with an object group which will make it cleaner. Let's say you have 3 internal subnets; 192.168.5.0 /24, 192.168.6.0 /24, and 10.10.0.0 /16.

Create an object-group-

object-group network INTERNAL_NETWORKS

network-object 192.168.5.0 255.255.255.0

network-object 192.168.6.0 255.255.255.0

network-object 10.10.0.0 255.255.0.0

The use the object-group in the ACL.

access-list Outside_VPN extended permit ip object-group INTERNAL_NETWORKS object-group INTERNAL_NETWORKS

This will allow internal network to communicate.

Re: Transparent mode and web server

opsmaster — Wed, 29 Jul 2009 18:58:22 GMT

Thanks, your suggestions have worked.

Now I need to clean up the configs and fine tune the box.

Thanks again.

Re: Transparent mode and web server

opsmaster — Thu, 30 Jul 2009 16:26:56 GMT

everything worked except dhcp clients cannot access web or mail in house.

The ranges for each subnet are:

172.21.7.1-172.21.7.254 gw:172.21.4.1

172.21.9.1-172.21.9.254 gw:172.21.8.1

172.21.13.1-172.21.13.254 gw: 172.21.12.1

The static ip clients can:

172.21.4.0, 172.21.8.0 and 172.21.12.0

any suggestions?

Re: Transparent mode and web server

Collin Clark — Thu, 30 Jul 2009 17:28:56 GMT

Can you post the ACL?

Re: Transparent mode and web server

opsmaster — Thu, 30 Jul 2009 17:44:06 GMT

Here it is:

object-group network internal_group

network-object 172.21.4.0 255.255.252.0

network-object 172.21.8.0 255.255.252.0

network-object 172.21.12.0 255.255.252.0

network-object 172.21.0.0 255.255.252.0

access-list outside_access_in extended permit ip any any

access-list permit extended permit eigrp any host 172.21.0.7

access-list permit extended permit eigrp any host 172.21.0.1

access-list inside extended permit eigrp any any

access-list inside_access_out extended permit ip any any

access-list 112 extended permit tcp any any eq 548

access-list 112 extended permit tcp any any eq domain

access-list 112 extended permit udp any any eq domain

access-list 112 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.78 eq domain

access-list 112 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.78 eq domain

access-list 112 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.78 eq domain

access-list 101 extended permit tcp any any

access-list 120 extended permit tcp any host 172.21.0.78 eq domain

access-list 120 extended permit tcp any host 172.21.0.3 eq domain

access-list 120 extended permit tcp any host 172.21.0.2 eq domain

access-list 125 extended permit tcp any host 172.21.0.9

access-list 125 extended permit tcp any host 172.21.0.11

access-list 125 extended permit tcp any host 172.21.0.5

access-list 110 extended permit udp any any

access-list 111 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.7

access-list 111 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.7

access-list 111 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.7

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp

access-list Outside_WWW extended permit udp any host 172.21.0.14 eq isakmp

access-list Outside_WWW extended permit udp any host 172.21.0.14 eq 4500

access-list Outside_WWW extended permit udp any host 172.21.0.14 eq 1701

access-list Outside_WWW extended permit tcp any 172.21.0.0 255.255.255.0 eq nntp

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq https

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp-data

access-list Outside_WWW extended permit udp any any eq domain

access-list Outside_WWW extended permit tcp any host 172.21.0.8 eq smtp

access-list Outside_WWW extended permit tcp any host 172.21.0.8 eq pop3

access-list Outside_WWW extended permit ip object-group internal_group object-group internal_group

pager lines 24

logging enable

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address 172.21.0.80 255.255.252.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group Outside_WWW in interface outside

route outside 0.0.0.0 0.0.0.0 172.21.0.7 1

route inside 172.21.4.0 255.255.252.0 172.21.0.1 1

route inside 172.21.8.0 255.255.252.0 172.21.0.1 1

route inside 172.21.12.0 255.255.252.0 172.21.0.1 1