01-07-2010 12:00 PM - edited 03-11-2019 09:54 AM
I have an Outlook Web Access front end server setup in our internal network. I can connect to it successfully from all internal addresses including our DMZ.
I need to publish OWA to the Internet and I have an external IP address set aside specifically for this purpose. I have set up the Access Rules and NAT rules identical to what is already set up for the external IP addresses of our web server, but I can't get this new address to work. Here are the commands I have set:
access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq www
access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq https
static (inside,outside) tcp 66.xxx.xxx.235 www 10.xxx.xxx.35 www netmask 255.255.255.255
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
From what I've read these are the only commands I need to forward those ports from our external IP address to one of our internal addresses.
Are these commands correct?
Any help would be greatly appreciated.
01-07-2010 12:28 PM
Usually that is enough. Here are a few things to check:
1. Is the ACL getting hits on the new entries you created?
show access-list outside_acl | i 66.xxx.xxx.235
2. Does the internal server have a good route to the Internet address? netstat -nr
3. If there are multiple nics on the server be sure it is using the correct one to reply on.
4. Try using the packet-tracer command to test the policy to make sure nothing else could be causing a problem:
packet-tracer input outside tcp 4.2.2.1 1024 66.xxx.xxx.235 80 detailed
This will run the flow against the FW policy and will tell you if the flow can be created or not and why.
Also, how are you testing to the NAT'd IP? From the Internet or internally? When you try to make the connection, what happens? Browser error?
01-07-2010 12:50 PM
1. Yes, I'm trying to connect to the external address from outside our firewall and I'm getting hits.
2. Not sure what you are looking for here. The netstat -nr shows the routes out to the Internet, yes. But can I ping that external address from the internal server? No.
3. One NIC.
The browser gets a "Connection has timed out" error.
4. That looks good:
Result of the command: "packet-tracer input outside tcp 4.2.2.1 1024 66.xxx.xxx.235 443 detailed"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
nat-control
match tcp inside host 10.xxx.xxx.35 eq 443 outside any
static translation to 66.xxx.xxx.235/443
translate_hits = 1, untranslate_hits = 6
Additional Information:
NAT divert to egress interface inside
Untranslate 66.xxx.xxx.235/443 to 10.xxx.xxx.35/443 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_acl in interface outside
access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq https
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7f31c58, priority=12, domain=permit, deny=false
hits=3, user_data=0xd7f34328, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=66.xxx.xxx.235, mask=255.255.255.255, port=443, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd56a0f70, priority=0, domain=permit-ip-option, deny=true
hits=184693197, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5fd7ad8, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=26378541, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
nat-control
match tcp inside host 10.xxx.xxx.35 eq 443 outside any
static translation to 66.xxx.xxx.235/443
translate_hits = 1, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd76b22b0, priority=5, domain=nat-reverse, deny=false
hits=5, user_data=0xd708ab78, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.xxx.xxx.35, mask=255.255.255.255, port=443, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
nat-control
match tcp inside host 10.xxx.xxx.35 eq 443 outside any
static translation to 66.xxx.xxx.235/443
translate_hits = 1, untranslate_hits = 6
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd76c2558, priority=5, domain=host, deny=false
hits=269, user_data=0xd708ab78, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.xxx.xxx.35, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd574da28, priority=0, domain=permit-ip-option, deny=true
hits=128806934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 272290424, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.95.1.1 using egress ifc inside
adjacency Active
next-hop mac address 001b.0c9f.c5ff hits 254045
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Also, I'm testing both internally and from the Internet. Internally works fine, externally, no.
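The trace above is ten phases long and every phase ends in ALLOW, so the useful signal when a flow is blocked is the first phase whose Result is DROP, the Config line it matched, and the Drop-reason in the final block. The following script, added here as an example and not part of the original thread, parses `packet-tracer ... detailed` output into that summary. The trace embedded in it is constructed for the example (RFC 5737 addresses, the same phase layout as the real output) and is not the poster's trace; it models the port-80 flow hitting the implicit deny at the end of outside_acl.

```python
"""Summarise Cisco ASA `packet-tracer ... detailed` output: per-phase results,
the first DROP with the config it matched, and the final Action/Drop-reason.
Added example; the sample trace below is constructed, not a real capture."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list = field(default_factory=list)
    action: Optional[str] = None       # "allow" / "drop" from the final Result block
    drop_reason: Optional[str] = None  # only printed by the ASA when action is drop


def parse_packet_tracer(text: str) -> Trace:
    trace = Trace()
    current = None   # Phase being filled; None once the final summary block starts
    section = None   # "config" or "info" within the current phase
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            trace.phases.append(current)
            section = None
            continue
        if line == "Result:":          # a bare "Result:" opens the final summary block
            current = None
            continue
        if current is None:
            if line.startswith("Action:"):
                trace.action = line.split(":", 1)[1].strip()
            elif line.startswith("Drop-reason:"):
                trace.drop_reason = line.split(":", 1)[1].strip()
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if section is None and key == "Type":
            current.type = value
        elif section is None and key == "Subtype":
            current.subtype = value
        elif section is None and key == "Result":
            current.result = value
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return trace


def first_drop(trace: Trace) -> Optional[Phase]:
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)


def summarize(text: str) -> str:
    trace = parse_packet_tracer(text)
    out = [f"{p.number:>2}  {p.type:<12} {p.subtype:<10} {p.result}" for p in trace.phases]
    drop = first_drop(trace)
    if drop is not None:
        matched = drop.config[0] if drop.config else "none"
        out.append(f"dropped in phase {drop.number} ({drop.type}); matched config: {matched}")
    tail = f" {trace.drop_reason}" if trace.drop_reason else ""
    out.append(f"final action: {trace.action}{tail}")
    return "\n".join(out)


# Constructed sample: port 80 is translated but has no ACL entry, so the flow
# hits the implicit deny. Abridged to two phases; addresses are documentation ranges.
SAMPLE_DROP = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 198.51.100.10 www 192.0.2.35 www netmask 255.255.255.255
Additional Information:
Untranslate 198.51.100.10/80 to 192.0.2.35/80 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7f2a9b8, priority=11, domain=permit, deny=true
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_DROP))
```

Paste a real trace in place of the sample (or read it from stdin) and the first DROP line tells you which module rejected the flow; "Implicit Rule" under ACCESS-LIST means no entry in the bound ACL matched, while a DROP in a NAT phase with "rpf-check" points at an asymmetric translation rather than the ACL.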
01-07-2010 01:05 PM
When I try to go to https://66.xxx.xxx.235 it works. I get an "Under Construction" message. http just times out. So it seems it works with https and not http. I would check the server. I changed the public IP to protect it from being exposed.
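The test in the post above (HTTPS to the public address answers, HTTP times out) is the decisive one, because a timeout and a refused connection point at different places. The script below, added here as an example and not part of the original thread, automates that probe from an outside host and separates the three outcomes: "open" means NAT, ACL and server all answered; "refused" means a host replied with an RST, so the packet arrived but nothing listens on that port; "timeout" means the SYN was dropped or the reply never made it back out (a wrong default route on the server, or a host firewall that drops silently, both look like this). The target address and the loopback self-check ports are assumptions for the example.

```python
"""Probe a published service from the outside and classify the result per port.
Added example; target address and ports are supplied on the command line.
Usage: python probe.py 203.0.113.10 80 443   (address is an example)"""
import errno
import socket
import sys


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """One TCP connect attempt, reduced to open / refused / timeout / unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # handshake completed: firewall and server both answered
        except socket.timeout:
            return "timeout"         # no SYN-ACK and no RST: dropped somewhere, or reply lost
        except ConnectionRefusedError:
            return "refused"         # RST came back: a host was reached, port is closed
        except OSError as exc:
            if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable"  # routing problem on the probing side, not the ASA
            return f"error:{exc.errno}"


def probe_services(host: str, ports=(80, 443), timeout: float = 3.0) -> dict:
    return {port: probe_port(host, port, timeout) for port in ports}


def diagnose(results: dict) -> str:
    """Map a per-port result table to the next place to look."""
    states = set(results.values())
    if states == {"open"}:
        return "all ports answer: firewall and server are fine for these ports"
    if "open" in states and "timeout" in states:
        # Same public address and same translated host: the NAT, the route back
        # and the server's reply path are proven by the open port, so the silent
        # ports are most likely a missing listener or host firewall, then the ACL.
        return ("host reachable on some ports: check the server listener and host "
                "firewall for the timing-out ports, then the ACL hit counters")
    if "refused" in states:
        return "host reached but port closed: nothing is listening on the translated port"
    if states <= {"timeout", "unreachable"}:
        return "nothing answers: check ACL hits, the static translation, and the server's default route"
    return "mixed results: " + ", ".join(f"{p}={r}" for p, r in sorted(results.items()))


def local_listener():
    """Open a listening socket on an ephemeral loopback port (for self-checks)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Reserve and release an ephemeral loopback port so it is closed when probed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1]
    ports = tuple(int(p) for p in sys.argv[2:]) or (80, 443)
    res = probe_services(target, ports)
    for port, state in sorted(res.items()):
        print(f"{target}:{port} {state}")
    print(diagnose(res))
```

Run it from a host outside the firewall, since an internal client reaching the public address does not traverse the outside ACL or the static translation the same way; a per-port "open"/"timeout" split on the same public IP is the pattern that shifts suspicion from the ASA to the server, which is the conclusion the thread reaches.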
01-07-2010 01:09 PM
Strange. OK, thanks for your help. I guess maybe it's not the ASA causing my problems.
01-07-2010 01:25 PM
No problem. Glad I could help.
Thanks,
Joe