10-04-2017 10:18 AM - edited 02-21-2020 06:25 AM
I’m trying to finish an ASA install in our office and am having some difficulty getting my Web Server in the DMZ available to the outside world.
The web server is listening on Port 8888, and can be reached from a computer on the inside network, but not from the outside. If I config the web server to listen and the ASA to connect via port 80, all clients work as expected (both connecting from the inside and connecting from the outside). So I can make it work, and fail… but not work the way I need it to.
Attached is a (what should be a cleaned up) config of both the working and non-working configs, and pdf showing physical traffic flow.
When in the non-working config, I’m able to capture an error on the ASA when a machine on the outside tries to connect. Same repeating error. Any help would be greatly appreciated.
——————
Goal:
- Connect to web server on port 8888 in DMZ from both inside and from outside (customer access) networks.
Data flow Required from Inside pc:
- client pc web browser port 80 -> 3560 SW -> 2911 router -> asa 5505 -> DMZ -> Web Server port 8888 -> Back to client
Data flow Required from Outside pc:
- client pc web browser port 80 -> asa 5505 -> DMZ -> Web Server port 8888 -> Back to client
ASA Log Error:
3|Oct 03 2017|14:51:31|710003|<Client IPAddress>|23397|< aaa.bbb.ccc.ddd >|80|TCP access denied by ACL from <Client IPAddress>/23397 to outside:< aaa.bbb.ccc.ddd >
thank you
10-04-2017 11:07 AM
I think I might have gotten this to work, but brings up another basic question..
Resolution (so far): updating the ACL from port 80 -> 8888
Additional question (Basic question) I thought the flow thru the ASA in my setup was :
- ACL
- NAT
- To Destination
But it seems that it's NAT -> ACL -> Destination...
Is that correct?
thank you
10-04-2017 11:06 PM
Hi,
Please find the config for the web server object on the outside:
object network web_server
nat (DMZ,Outside) static interface no-proxy-arp service tcp 8888 8888
object-group service web8888
service-object tcp destination eq 8888
access-list Outside_access_in extended permit object-group web8888 any object web_server
As you are saying "The web server is listening on Port 8888, and can be reached from a computer on the inside network, but not from the outside." I don't think any config is required for the inside network.
Best Regards,
Kias
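As an added illustration (not part of either post above), the same object NAT written with the port translation the original poster described (outside clients browse to port 80, the DMZ host listens on 8888), with the inbound ACL referencing the real port, which is what the ASA 8.3+ order of operations (un-NAT first, then ACL) requires. The host address, the client address and the interface names are placeholders.

```cisco
! Assumed addressing (placeholders, not from the thread):
!   DMZ web server real address 192.0.2.10, listening on tcp/8888
!   the outside interface address is used as the mapped (public) address
!   nameif values must match your own (the log shows "outside")
object network web_server
 host 192.0.2.10
 ! real port 8888 on the DMZ host is published as port 80 on the outside interface
 nat (DMZ,outside) static interface service tcp 8888 80

! ASA 8.3+ evaluates the inbound ACL AFTER un-NAT, so the rule is matched
! against the real destination (object web_server, real port 8888), never
! against the mapped port 80. This line therefore never matches and the
! connection is denied:
!   access-list Outside_access_in extended permit tcp any object web_server eq 80
! Correct version, permitting the real port:
access-list Outside_access_in extended permit tcp any object web_server eq 8888
access-group Outside_access_in in interface outside

! Note on the logged message: %ASA-3-710003 is raised for traffic addressed to
! the ASA itself. If the mapped port in the nat line does not match the port
! the client uses (e.g. "service tcp 8888 8888" while clients connect to 80),
! the packet is not un-NATed at all, is treated as to-the-box traffic, and is
! denied exactly as shown in the original log line.

! Verification from exec mode: simulate an outside client hitting public port 80.
! The NAT phase should show the untranslate to 192.0.2.10/8888 and the
! ACCESS-LIST phase should show ALLOW; a DROP there points back at the ACL port.
!   packet-tracer input outside tcp 203.0.113.10 23397 <outside-interface-ip> 80
!   show nat detail
!   show access-list Outside_access_in
```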