topic Re: web access from inside in Network Security

web access from inside

a.e.wiggin — Mon, 11 Mar 2019 11:54:03 GMT

I'm trying to get www, https, svn(3690), and ssh from one of my inside networks to get outside access, but this isn't working for me yet. Can anyone provide some insight as to what I've got wrong on my 5510 configuration? I'm sure it's probably my static's, but I'm having trouble with those.

---

name 192.168.3.0 DEV_NET

name 199.199.xxx.14 MY_WAN_IP

interface Ethernet0/0

nameif outside

security-level 0

ip address MY_WAN_IP 255.255.255.0

interface Ethernet0/3

nameif development

security-level 80

ip address 192.168.3.1 255.255.255.0

object-group service ALL_SERVICES tcp

port-object eq www

port-object eq https

port-object eq 3690

port-object eq ssh

access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES

global (outside) 1 interface

nat (development) 1 DEV_NET 255.255.255.0

static (development,dmz) DEV_NET DEV_NET netmask 255.255.255.0

access-group ALL_ACCESS in interface outside

access-group ALL_ACCESS out interface outside

access-group ALL_ACCESS in interface development

access-group ALL_ACCESS out interface development

route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1

Re: web access from inside

lisajoseph1970 — Sat, 26 Jan 2008 22:58:00 GMT

What is the IP Address that you are trying to access through the ASA. I see that you have PATTing to the outside interface for DEV_NET when going to the outside interface and also have access-group applied in/out on both the interfaces. Can you remove the access-group and see if you are able to access the web, ssh, etc.

Since, you have Access-Group in/out, look at the traffic flow and define different ACL's accordingly. For example, when you initiate a TCP Connection from inside, the source port would be a randomly generated port while the detination is 80 and the return traffic will have source port 80 and destination of the port that you used. So, I would remove the ACL and give it a shot.

Regards,

Lisa