Solved: CISCO asa 5510 inside interface cannot access webserver

hmongstrong · ‎10-14-2013

The above is a drawing of the network. I want a PC on 10.50.1.0 to access the webserver at 10.10.10.70. The PC and webserver are on default vlans of their switches.

I believe I need a static NAT of some sort but all i've tried doesnt work.

Here's config:

interface Ethernet0/0

nameif outside

security-level 0

ip address EDIT

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.50.1.1 255.255.255.0

!

interface Ethernet0/2

nameif S2

security-level 100

ip address 10.10.1.99 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.50.0.1 255.255.255.0

management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

pager lines 24

logging enable

logging asdm debugging

logging mail warnings

logging class auth mail debugging

mtu outside 1500

mtu inside 1500

mtu S2 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (S2,S2) 10.10.10.70 10.10.10.70 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 EDIT

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.50.0.0 255.255.255.0 management

http 10.50.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 management

telnet timeout 5

ssh timeout 5

console timeout 10

management-access inside

dhcpd dns EDIT

!

dhcpd address 10.50.1.50-10.50.1.250 inside

dhcpd enable inside

!

dhcpd address 10.50.0.2-10.50.0.10 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

username admin password HEU0LnYme.ESFRyI encrypted privilege 15

prompt hostname context

Cryptochecksum:c3f0d8a8f3f62e32c6fc86b4736d8a18

: end

asdm image disk0:/asdm-602.bin

no asdm history enable

Jouni Forss · ‎10-14-2013

Hi,

The IP address 10.10.1.99 is from a different network than IP address 10.10.10.70

The interface IP address could be 10.10.10.99 then the server and ASA interface would be from same network.

No connection wont work naturally if your interface is from different than the actual server.

In addition to the IP address change in the interface you would need to change these in the above configuration

no static (S2,S2) 10.10.10.70 10.10.10.70 netmask 255.255.255.255

static (S2,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

You will naturally also have to make sure that the default gateway of the server is the IP address that is configured in the ASA "S2" interface.

And then try the connection to the server 10.10.10.70

- Jouni

View solution in original post

rizwanr74 · ‎10-14-2013

Hi Bee Yang,

Please do this change shown below.

no static (S2,S2) 10.10.10.70 10.10.10.70 netmask 255.255.255.255

static (inside,S2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Please let me know, if this helps.

Thanks

Rizwan Rafeek.

View solution in original post

Jouni Forss · ‎10-14-2013

Hi,

Where is the network 10.10.10.0/24 located from the perspective of the ASA?

There is no mention of network 10.10.10.0/24 there. The "S2" interface is 10.10.1.0/24 network and there is no static route for the network 10.10.10.0/24

- Jouni

hmongstrong · ‎10-14-2013

The 10.10.10.0 network is connected as diagramed, the interface IP of 10.10.1.99 is what I gave the interface. That is another point of confusion is - what IP address do I give the interface?

Jouni Forss · ‎10-14-2013

Hi,

The IP address 10.10.1.99 is from a different network than IP address 10.10.10.70

The interface IP address could be 10.10.10.99 then the server and ASA interface would be from same network.

No connection wont work naturally if your interface is from different than the actual server.

In addition to the IP address change in the interface you would need to change these in the above configuration

no static (S2,S2) 10.10.10.70 10.10.10.70 netmask 255.255.255.255

static (S2,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

You will naturally also have to make sure that the default gateway of the server is the IP address that is configured in the ASA "S2" interface.

And then try the connection to the server 10.10.10.70

- Jouni

hmongstrong · ‎10-15-2013

yes, i needed the correct interface ip thanks!

rizwanr74 · ‎10-14-2013

Hi Bee Yang,

Please do this change shown below.

no static (S2,S2) 10.10.10.70 10.10.10.70 netmask 255.255.255.255

static (inside,S2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

Please let me know, if this helps.

Thanks

Rizwan Rafeek.

hmongstrong · ‎10-15-2013

wow, that works now! with last statement