Connect to Web Server in DMZ on non-standard port

aaron-saz
Level 1

I’m trying to finish an ASA install in our office and am having some difficulty getting my Web Server in the DMZ available to the outside world.

The web server is listening on Port 8888, and can be reached from a computer on the inside network, but not from the outside. If I config the web server to listen and the ASA to connect via port 80, all clients work as expected (both connecting from the inside and connecting from the outside). So I can make it work, and fail… but not work the way I need it to.

Attached is (what should be) a cleaned-up config of both the working and non-working configs, and a PDF showing physical traffic flow.

When in the non-working config, I’m able to capture an error on the ASA when a machine on the outside tries to connect. Same repeating error. Any help would be greatly appreciated.

——————

Goal:
- Connect to web server on port 8888 in DMZ from both inside and from outside (customer access) networks.

Data flow required from inside PC:
- client PC web browser port 80 -> 3560 SW -> 2911 router -> ASA 5505 -> DMZ -> Web Server port 8888 -> back to client

Data flow required from outside PC:
- client PC web browser port 80 -> ASA 5505 -> DMZ -> Web Server port 8888 -> back to client

ASA Log Error:
3|Oct 03 2017|14:51:31|710003|<Client IPAddress>|23397|< aaa.bbb.ccc.ddd >|80|TCP access denied by ACL from <Client IPAddress>/23397 to outside:< aaa.bbb.ccc.ddd >

thank you
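As an added example that is not part of this thread, here is a Python check that parses ASDM-style pipe-delimited ASA syslog records like the one above and flags 710003 denials whose destination port is not a port the static NAT publishes on the outside interface (710003 is the ASA's to-the-box denial: the packet was addressed to the interface IP and matched no NAT rule, so it never reached the DMZ server). The sample records, addresses and the published-port set are constructed.

```python
from dataclasses import dataclass

# Constructed sample records in the ASDM pipe-delimited format seen in the thread.
# Addresses are documentation ranges, not the poster's real hosts.
SAMPLE_LOG = """\
3|Oct 03 2017|14:51:31|710003|203.0.113.10|23397|198.51.100.5|80|TCP access denied by ACL from 203.0.113.10/23397 to outside:198.51.100.5/80
6|Oct 03 2017|14:52:02|302013|203.0.113.10|23401|198.51.100.5|8888|Built inbound TCP connection 12345 for outside:203.0.113.10/23401 to DMZ:10.10.10.5/8888
3|Oct 03 2017|14:53:17|710003|203.0.113.11|40001|198.51.100.5|443|TCP access denied by ACL from 203.0.113.11/40001 to outside:198.51.100.5/443
"""

# Port(s) the static NAT publishes on the outside interface (8888 in the reply's config).
PUBLISHED_PORTS = {8888}


@dataclass
class Denial:
    src: str
    dst: str
    dst_port: int
    reason: str


def parse_line(line):
    """Split one pipe-delimited ASDM record into its fields; None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 9:
        return None
    sev, date, time, msg_id, src, src_port, dst, dst_port, text = parts[:9]
    return {"msg_id": msg_id, "src": src, "src_port": int(src_port),
            "dst": dst, "dst_port": int(dst_port), "text": text}


def find_misdirected_denials(log_text, published_ports=PUBLISHED_PORTS):
    """Return 710003 (to-the-box) denials and classify each by destination port.

    A client hitting the interface IP on a port with no static NAT (port 80 here,
    when only 8888 is published) lands in 710003 instead of reaching the DMZ server.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msg_id"] != "710003":
            continue
        if rec["dst_port"] in published_ports:
            reason = "published port denied: check the outside ACL"
        else:
            reason = (f"no NAT publishes port {rec['dst_port']}; client should use "
                      f"{sorted(published_ports)} or the NAT should map it")
        findings.append(Denial(rec["src"], rec["dst"], rec["dst_port"], reason))
    return findings


if __name__ == "__main__":
    for finding in find_misdirected_denials(SAMPLE_LOG):
        print(finding)
```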


aaron-saz
Level 1

I think I might have gotten this to work, but it brings up another basic question.

Resolution (so far): updating the ACL from port 80 -> 8888

Additional question (basic question): I thought the flow through the ASA in my setup was:

 - ACL
 - NAT
 - To Destination

But it seems that it's NAT -> ACL -> Destination...

Is that correct?

thank you


Kias
Level 1

Hi,

Please find the config for the web server object on the outside:

object network web_server
 ! placeholder: the object needs the server's real DMZ address (not shown in the original post)
 host <DMZ_WEB_SERVER_IP>
 nat (DMZ,Outside) static interface service tcp 8888 8888 no-proxy-arp

object-group service web8888
 service-object tcp destination eq 8888

access-list Outside_access_in extended permit object-group web8888 any object web_server

As you are saying "The web server is listening on Port 8888, and can be reached from a computer on the inside network, but not from the outside." I don't think any config is required for the inside network.

Best Regards,

Kias