cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


212
Views
5
Helpful
13
Replies

dear friends i am facing an issue in the hosting of my server from ASA publicly

i have already assing a public ip addd to the outside interface of the ASA ,My requirement is to configure firewall to host my web server publicly using the public ip not assign to  the outside interface but different subnet,i make every configuration is i have done but i cant ping or connect my web server i can ping the web server from my ASA,but from outside i  cannot reach my webserver.Could anyone help me in this because i am facing problem.

Below is the configuration of the firewall

server ip add 10.10.10.4(local,reachable)

public ip add-78.72.232.66(default gateway)

sho run configuration of the firewall

:

ASA Version 8.2(5)

!

hostname TAD-FW

domain-name tadrees.com

enable password lpW.MGeEHg0ISQZq encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

description Connected to TAD-Router G0/1

nameif outside

security-level 0

ip address 78.72.29.174 255.255.255.252

!

interface Ethernet0/1

description Connected to Cisco SMB Switch G1

nameif inside

security-level 100

ip address 10.15.1.1 255.255.255.248

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

no ip address

management-only

!

banner login ********  TADREES FIREWALL ********

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 84.22.224.11

name-server 84.22.224.12

domain-name tadrees.com

access-list split-tunnel standard permit 10.10.0.0 255.255.0.0

access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.0.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.1.1.0 255.255.255.0

access-list Mename-Access extended permit tcp any host78.72.232.66 eq https

access-list Mename-Access extended permit tcp any host 78.72.232.66 eq www

pager lines 24

logging enable

logging buffered debugging

logging asdm debugging

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool sslvpnpool 10.1.1.1-10.1.1.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-702.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255

access-group Mename-Access in interface outside

!

router rip

network 10.0.0.0

version 2

!

route outside 0.0.0.0 0.0.0.0 78.72.29.173 1

route inside 10.10.10.4 255.255.255.255 10.15.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TAD-AD protocol nt

aaa-server TAD-AD (inside) host 10.10.10.1

aaa authentication ssh console LOCAL

http server enable 444

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 2

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 20

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

no anyconnect-essentials

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc enable

tunnel-group-list enable

internal-password enable

group-policy sslvpn internal

group-policy sslvpn attributes

wins-server none

dns-server none

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

default-domain value tadrees.com

group-policy DfltGrpPolicy attributes

webvpn

  svc ask enable default webvpn timeout 30

username asad password GxozRbsh8Rp9vCkf encrypted privilege 15

username cisco password HWFflA1bzYiq7Uut encrypted privilege 15

username naveed password d8KsovrcdE3to7qt encrypted privilege 15

tunnel-group TAD-SSLV type remote-access

tunnel-group TAD-SSLV general-attributes

address-pool sslvpnpool

authentication-server-group TAD-AD LOCAL

default-group-policy sslvpn

tunnel-group TAD-SSLV webvpn-attributes

group-alias ssl enable

group-url https://78.93.29.174/ssl enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect http

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:cec976b762f5e1d9d9856eeb4dea4019

: end

13 REPLIES 13
Hall of Fame Guru

Re: dear friends i am facing an issue in the hosting of my serve

From your config -

static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255

the second octet is 722 which is obviously not a valid octet. Should it be 72 instead ?

Jon

Rising star

dear friends i am facing an issue in the hosting of my server fr

Please check the subnet that you put on the outside interface of the ASA.

interface Ethernet0/0

description Connected to TAD-Router G0/1

nameif outside

security-level 0

ip address 78.72.29.174 255.255.255.252

The static is on another network scheme:

static (inside,outside) tcp 78.72..232.66 www 10.10.10.4 www netmask 255.255.255.255

Are you routing this network to the firewall external interface?

Value our effort and rate the assistance!
Rising star

dear friends i am facing an issue in the hosting of my server fr

You specified that the address for the static PAT is your gateway?????

Value our effort and rate the assistance!

dear friends i am facing an issue in the hosting of my server fr

dear jumora,john

THE ISSUE is that isp provided public ip as that i assign to the interface outside,(78.93.29.174),NOW when i requested for the new public ip for hosting one of my web server isp gave me this public ip (78.93.232.66),and ISP even say that they enabble routing between the 78.96.29.174 and 78.93.232.66,and mine connection adsl connection,so now coming to the issue i must assign the new public ip to outside interface where already i have the public existing or i can directly use the new public ip for hosting the web server.

please help in this regard i am confused to what to do.

Hall of Fame Guru

dear friends i am facing an issue in the hosting of my server fr

You do not need to assign the new public IP to an interface. As long as the ISP is routing that IP to your firewall then it should work with a simple static statment.

I haven't used ASAs for a while. Can you see my first post. Is 722 just a typo ie. i don't even know whether the ASA would let you enter this but if it would you need to change it.

Jon

Rising star

dear friends i am facing an issue in the hosting of my server fr

If they say that it is routing to the ASA all you can do is setup captures to see if traffic is getting to the ASA and review logs.

If you post your number we can talk.

Value our effort and rate the assistance!
Hall of Fame Guru

dear friends i am facing an issue in the hosting of my server fr

Jumora

It's been a while since i used the ASA. Would the ASA allow you to enter an invalid IP in the static statement as it appears in the original config posted or would it complain and not allow it ?

Jon

Highlighted
Rising star

dear friends i am facing an issue in the hosting of my server fr

No it would not, I saw the same thing thinking that he just put a typo

Value our effort and rate the assistance!

dear friends i am facing an issue in the hosting of my server fr

I am confused now I am nt getting what  to do

do someone hve solution friends for this issue

Hall of Fame Guru

dear friends i am facing an issue in the hosting of my server fr

From your config -

route inside 10.10.10.4 255.255.255.255 10.15.1.1 1

10.15.1.1 is the inside interface of the ASA which doesn't make sense especially as you say you can ping 10.10.10.4. Surely the next hop should a different 10.15.1.x address. I'm jus wondering if there is a routing issue within your internal network. When the packets arrive at the web server the source IP will be an internet address so what is the default gateway for the web server ie. a router or L3 switch and does that device know where to send the packets ?

If your'e not sure pick an internet IP and do a traceroute from the web server and see if it gets to the inside interface of the ASA.

Jon

Rising star

dear friends i am facing an issue in the hosting of my server fr

Solution, give me your number so we can talk about or setup captures on the ASA to confirm that traffic from the Internet is being routed correctly to the ASA and also review logs.

capture out interface outside match ip any host 78.93.232.66

capture in interface inside match ip any host  10.10.10.4

After you try to access the server via the public IP from an Internet client check the captures:

show capture

If you see packets in the capture, download them:

https://10.15.1.1/capture/in/pcap

https://10.15.1.1/capture/out/pcap

It will ask you for your credentials to be able to download the file.

Check logs via ASDM:

Log into ASDM > Monitoring > logging > Real Time log viewer

Type in the external IP address of the server and run another test, if you see logs post them

Value our effort and rate the assistance!
Rising star

dear friends i am facing an issue in the hosting of my server fr

Well he has RIP

router rip

network 10.0.0.0

version 2

He should be able to forward a show route to us to check and run this packet tracer.

packet-tracer input outside tcp 4.2.2.2 1025  78.93.232.66 80 detail

show route

Value our effort and rate the assistance!
Rising star

dear friends i am facing an issue in the hosting of my server fr

Just post your number or give me access to the device and I will tell you if it works or not.

Value our effort and rate the assistance!
CreatePlease to create content
Content for Community-Ad
FusionCharts will render here