annuler
Affichage des résultats de 
Rechercher plutôt 
Vouliez-vous dire : 
cancel
710
Visites
0
Compliment
3
Réponses

Cisco ASA 5505 Allow inside host to reach web server with public IP

hichamgreen1
Level 1
Level 1

Hello,

I have a local network 192.168.1.0/24 and Cisco ASA as Firewall.

Hosts in local network can't reach web server using public IP, However simple ping to public IP works and users from outside network can reach web server perfectly.

Bellow my ASA configuration:

 

 

 

 

 

 

 

ASA Version 8.2(5)
!
hostname asa-sh
domain-name dom.intra
names
name 192.168.1.13 server
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.12
 name-server 8.8.8.8
 domain-name dom.intra
object-group network Machines-SMTP
 description Machines qui ont le droit d'envoyer du trafic SMTP
 network-object 192.168.1.0 255.255.255.0
object-group network Machines-POP
 description Machines qui ont le droit de recevoir du trafic POP
 network-object 192.168.1.0 255.255.255.0
object-group network Serveurs-DNS
 description Serveurs qui ont le droit d'envoyer du trafic DNS
 network-object host 192.168.1.12
object-group network Machines-Web
 description Machines qui ont le droit de naviguer sur le web.
 network-object 192.168.1.0 255.255.255.0
object-group network Machines-ALL
 description Machines qui ont le droit sur tous les protocoles
 network-object 192.168.1.0 255.255.255.0
object-group network Machine-ALL
 network-object 192.168.1.0 255.255.255.0
object-group network LocalNetwork
 network-object 192.168.1.0 255.255.255.0
object-group network Serveur-SAP
 network-object host server
access-list acl-in extended permit tcp object-group Machines-SMTP any eq smtp
access-list acl-in extended permit tcp object-group Machines-Web any eq https
access-list acl-in extended permit udp object-group Serveurs-DNS any eq domain
access-list acl-in extended permit tcp object-group Serveurs-DNS any eq domain
access-list acl-in extended permit icmp any any
access-list acl-in extended permit tcp object-group Machines-POP any eq pop3
access-list acl-in extended permit tcp object-group Machines-Web any eq www
access-list acl-in extended permit ip object-group Machines-ALL any
access-list acl-in extended permit tcp object-group Serveurs-DNS any eq www
access-list acl-in extended permit tcp object-group Serveurs-DNS any eq https
access-list acl-in extended permit tcp object-group Machines-POP any eq 995
access-list acl-in extended permit tcp object-group Machines-POP any eq 993
access-list acl-in extended permit tcp object-group Machines-POP any eq imap4
access-list acl-in extended permit udp object-group Machines-Web any eq domain
access-list acl-in extended permit tcp object-group Machines-Web any eq domain
access-list acl-in extended permit tcp object-group Machines-SMTP any eq domain
access-list acl-in extended permit udp object-group Machines-SMTP any eq domain
access-list acl-in extended permit tcp object-group Machines-SMTP any eq 465
access-list acl-in extended permit ip object-group Machine-ALL any
access-list acl-out extended permit tcp any host 172.16.1.2 eq smtp
access-list acl-out extended permit tcp any host 172.16.1.2 eq pop3
access-list acl-out extended permit icmp any any echo-reply
access-list acl-out extended permit tcp any host 172.16.1.2 eq 995
access-list acl-out extended permit tcp any host 172.16.1.2 eq 993
access-list acl-out extended permit tcp any host 172.16.1.2 eq imap4
access-list acl-out extended permit tcp any host 172.16.1.2 eq 3389
access-list acl-out extended permit tcp any host 172.16.1.2 eq 8080
access-list acl-out extended permit tcp any host 172.16.1.2 eq 8443
access-list acl-out extended permit tcp any host 172.16.1.2 eq 4370
access-list acl-out extended permit udp any host 172.16.1.2 eq 4370
access-list acl-out extended permit tcp any host 172.16.1.2 eq 9540
access-list acl-out extended permit udp any host 172.16.1.2 eq 9540
access-list acl-out extended permit tcp any host 172.16.1.2 eq 70000
access-list acl-out extended permit udp any host 172.16.1.2 eq 70000
access-list acl-out extended permit tcp any host 172.16.1.2 eq 70020
access-list acl-out extended permit udp any host 172.16.1.2 eq 70020
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 4370 192.168.1.201 4370 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 server 9540 netmask 255.255.255.255
static (inside,outside) tcp interface 40000 server 70000 netmask 255.255.255.255
static (inside,outside) udp interface 8100 server 9540 netmask 255.255.255.255
static (inside,outside) udp interface 40000 server 70000 netmask 255.255.255.255
static (inside,outside) tcp interface 40020 server 70020 netmask 255.255.255.255
static (inside,outside) udp interface 40020 server 70020 netmask 255.255.255.255

access-group acl-in in interface inside
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.210 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd dns 192.168.1.12 8.8.8.8 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
asa-sh#

 

 

 

 

 

 

 

3 RÉPONSES 3

balaji.bandi
Hall of Fame
Hall of Fame

You need to tell us what is the internal Web Server IP and what port web Server Listening - 80 and 443

bare in mind ASA listening for managmenet on 443, so you may need to use other port or move the manangement port to different port to work as expected.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/nat-reference.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Internal Web Server is 192.168.1.13 (server) and listening port in web server is 8100

https://community.cisco.com/t5/network-security/hairpin-nat-asa5506-x-version-9-8/td-p/3756235

you need hairpin NATing for INside hosts to access Server using it Public IP