427 Views | 5 Helpful | 13 Replies

Dear friends, I am facing an issue with hosting my server publicly from the ASA.

I have already assigned a public IP address to the outside interface of the ASA. My requirement is to configure the firewall to host my web server publicly using a public IP that is not the one assigned to the outside interface but is from a different subnet. I have made every configuration I could, but I can't ping or connect to my web server. I can ping the web server from my ASA, but from outside I cannot reach my web server. Could anyone help me with this, because I am facing a problem.

Below is the configuration of the firewall:

Server IP address: 10.10.10.4 (local, reachable)

Public IP address: 78.72.232.66 (default gateway)

show run configuration of the firewall:

:
ASA Version 8.2(5)
!
hostname TAD-FW
domain-name tadrees.com
enable password lpW.MGeEHg0ISQZq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Connected to TAD-Router G0/1
 nameif outside
 security-level 0
 ip address 78.72.29.174 255.255.255.252
!
interface Ethernet0/1
 description Connected to Cisco SMB Switch G1
 nameif inside
 security-level 100
 ip address 10.15.1.1 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
banner login ********  TADREES FIREWALL ********
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 84.22.224.11
 name-server 84.22.224.12
 domain-name tadrees.com
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq https
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool sslvpnpool 10.1.1.1-10.1.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255
access-group Mename-Access in interface outside
!
router rip
 network 10.0.0.0
 version 2
!
route outside 0.0.0.0 0.0.0.0 78.72.29.173 1
route inside 10.10.10.4 255.255.255.255 10.15.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TAD-AD protocol nt
aaa-server TAD-AD (inside) host 10.10.10.1
aaa authentication ssh console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 2
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 no anyconnect-essentials
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy sslvpn internal
group-policy sslvpn attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value tadrees.com
group-policy DfltGrpPolicy attributes
 webvpn
  svc ask enable default webvpn timeout 30
username asad password GxozRbsh8Rp9vCkf encrypted privilege 15
username cisco password HWFflA1bzYiq7Uut encrypted privilege 15
username naveed password d8KsovrcdE3to7qt encrypted privilege 15
tunnel-group TAD-SSLV type remote-access
tunnel-group TAD-SSLV general-attributes
 address-pool sslvpnpool
 authentication-server-group TAD-AD LOCAL
 default-group-policy sslvpn
tunnel-group TAD-SSLV webvpn-attributes
 group-alias ssl enable
 group-url https://78.93.29.174/ssl enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cec976b762f5e1d9d9856eeb4dea4019
: end

13 Replies

Jon Marshall (Hall of Fame)

From your config -

static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255

The second octet is 722, which is obviously not a valid octet. Should it be 72 instead?

Jon

jumora (Level 7)

Please check the subnet that you put on the outside interface of the ASA.

interface Ethernet0/0
 description Connected to TAD-Router G0/1
 nameif outside
 security-level 0
 ip address 78.72.29.174 255.255.255.252

The static is on another network scheme:

static (inside,outside) tcp 78.72..232.66 www 10.10.10.4 www netmask 255.255.255.255

Are you routing this network to the firewall external interface?

Value our effort and rate the assistance!

You specified that the address for the static PAT is your gateway?????

Value our effort and rate the assistance!

Dear jumora, John,

THE ISSUE is that the ISP provided the public IP that I assigned to the outside interface (78.93.29.174). Now, when I requested a new public IP for hosting one of my web servers, the ISP gave me this public IP (78.93.232.66), and the ISP even says that they enabled routing between 78.96.29.174 and 78.93.232.66, and my connection is an ADSL connection. So, coming to the issue: must I assign the new public IP to the outside interface, where I already have the existing public IP, or can I directly use the new public IP for hosting the web server?

Please help me in this regard; I am confused about what to do.

You do not need to assign the new public IP to an interface. As long as the ISP is routing that IP to your firewall, it should work with a simple static statement.

I haven't used ASAs for a while. Can you see my first post? Is 722 just a typo? I don't even know whether the ASA would let you enter this, but if it would, you need to change it.

Jon

If they say that it is routing to the ASA, all you can do is set up captures to see if traffic is getting to the ASA and review the logs.

If you post your number we can talk.

Value our effort and rate the assistance!

Jumora

It's been a while since I used the ASA. Would the ASA allow you to enter an invalid IP in the static statement, as it appears in the original config posted, or would it complain and not allow it?

Jon

No, it would not. I saw the same thing and thought that he had just made a typo.

Value our effort and rate the assistance!

I am confused now; I am not getting what to do.

Does someone have a solution for this issue, friends?

From your config -

route inside 10.10.10.4 255.255.255.255 10.15.1.1 1

10.15.1.1 is the inside interface of the ASA, which doesn't make sense, especially as you say you can ping 10.10.10.4. Surely the next hop should be a different 10.15.1.x address. I'm just wondering if there is a routing issue within your internal network. When the packets arrive at the web server the source IP will be an internet address, so what is the default gateway for the web server, i.e. a router or L3 switch, and does that device know where to send the packets?

If you're not sure, pick an internet IP and do a traceroute from the web server and see if it gets to the inside interface of the ASA.

Jon
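The three things the replies spot by eye (Jon's invalid "722" octet in the static, jumora's point that the static's public address is not on the outside interface's subnet, and Jon's observation that the inside route's next hop is the ASA's own interface address) can be checked mechanically before pasting a config into a box. The script below is an added example, not something posted in this thread or shipped by Cisco; the config excerpt inside it is a constructed, trimmed copy of the poster's configuration with the typo left in so the checks have something to flag. The check names and the `lint_config` function are this example's own.

```python
"""Sanity checks for a Cisco ASA 8.2 static NAT / ACL / route excerpt.

Added example (not from the thread): it codifies the checks the replies
make by eye. The sample below is a constructed excerpt of the poster's
config with the '78.722..232.66' typo kept so there is something to flag.
"""
import ipaddress
import re

# Constructed sample: a trimmed copy of the thread's config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 78.72.29.174 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.15.1.1 255.255.255.248
!
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq https
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq www
static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 78.72.29.173 1
route inside 10.10.10.4 255.255.255.255 10.15.1.1 1
"""

# 8.2-style static PAT: static (real_if,mapped_if) tcp mapped_ip port real_ip port netmask ...
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (?:tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
# ACL entry permitting traffic to a single host: ... permit <proto> <src> host <ip> ...
ACL_HOST_RE = re.compile(r"^access-list \S+ extended permit \S+ \S+ host (\S+)")


def valid_ipv4(text):
    """True if text parses as a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface that carries an address."""
    ifaces, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and name:
            _, _, ip, mask = s.split()
            ifaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces


def lint_config(config):
    """Return a list of finding strings; an empty list means nothing looked wrong."""
    ifaces = parse_interfaces(config)
    findings, mapped_ips, acl_hosts = [], set(), set()
    for line in config.splitlines():
        s = line.strip()
        m = STATIC_RE.match(s)
        if m:
            _real_if, mapped_if, mapped_ip, _mport, real_ip, _rport = m.groups()
            bad = [ip for ip in (mapped_ip, real_ip) if not valid_ipv4(ip)]
            if bad:
                findings.append(f"static: '{bad[0]}' is not a valid IPv4 address")
                continue
            mapped_ips.add(mapped_ip)
            iface = ifaces.get(mapped_if)
            if iface and ipaddress.IPv4Address(mapped_ip) not in iface.network:
                # Not a fault by itself, but it only works if the ISP routes that
                # address to the ASA's outside interface.
                findings.append(f"static: {mapped_ip} is not in the {mapped_if} subnet "
                                f"{iface.network}; the ISP must route it to {iface.ip}")
        elif ACL_HOST_RE.match(s):
            acl_hosts.add(ACL_HOST_RE.match(s).group(1))
        elif s.startswith("route "):
            _, ifname, _dest, _mask, nexthop = s.split()[:5]
            iface = ifaces.get(ifname)
            if iface and ipaddress.IPv4Address(nexthop) == iface.ip:
                findings.append(f"route {ifname}: next hop {nexthop} is the ASA's own "
                                f"{ifname} interface address")
    # An inbound permit for a public host that no valid static translates is dead config.
    for host in sorted(acl_hosts - mapped_ips):
        findings.append(f"access-list: permits traffic to {host} but no valid static "
                        f"translates it")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports the bad octet, the inside route whose next hop is 10.15.1.1, and the ACL entry for 78.72.232.66 that no valid static backs. Fix the octet and the next hop and the only thing left is the informational note that 78.72.232.66 lies outside the 78.72.29.172/30 link, which is exactly the "is the ISP routing it to you?" question the replies keep asking.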

Solution: give me your number so we can talk about it, or set up captures on the ASA to confirm that traffic from the Internet is being routed correctly to the ASA, and also review the logs.

capture out interface outside match ip any host 78.93.232.66

capture in interface inside match ip any host 10.10.10.4

After you try to access the server via the public IP from an Internet client check the captures:

show capture

If you see packets in the capture, download them:

https://10.15.1.1/capture/in/pcap

https://10.15.1.1/capture/out/pcap

It will ask you for your credentials to be able to download the file.

Check logs via ASDM:

Log into ASDM > Monitoring > Logging > Real-Time Log Viewer

Type in the external IP address of the server and run another test; if you see logs, post them.

Value our effort and rate the assistance!

Well, he has RIP:

router rip
 network 10.0.0.0
 version 2

He should be able to forward a show route to us to check, and run this packet-tracer:

packet-tracer input outside tcp 4.2.2.2 1025  78.93.232.66 80 detail

show route

Value our effort and rate the assistance!

Just post your number or give me access to the device and I will tell you if it works or not.

Value our effort and rate the assistance!