The URL's are not working for me. Says they either broken or that I do not have access

Can I get the text on here?

when I apply this config, system remains inaccessible from outside.The system does not get to the internet as well

below is my sho run

ciscoasa(config)# sho run

: Saved

:

ASA Version 8.4(4)5

!

firewall transparent

hostname ciscoasa

enable password msi14F/SlH4ZLjHH encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

!

interface Vlan2

nameif outside

bridge-group 1

security-level 0

!

interface BVI1

description --- For Management only ---

ip address x.x.x.x 255.255.255.252

!

ftp mode passive

object network WWW-SERVER-OBJ

host y.y.y.y

description --- The WEB server ----

object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp

description --- Serices published on WEB server ----

port-object eq www

port-object eq https

access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ

pager lines 24

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group OUTSIDE-IN-ACL in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:fdda72841b7b2d386dccbed6b996d2af

: end

You forgot this:

!

interface Vlan1

nameif inside

security-level 100

bridge-group 1

!

Thanks

When I do that, there is a big change but I still cannot access http/https

Also when I ping the station, no luck

I also tried RDP but no luck

Thanks indeed for all the help

Also, you don't have any interface in vlan1

If interface Ethernet0/2 wants to be inside interface (where server is connected) this should belongs to vlan1. (not valn 2)

Run:

     interface e0/2

     switchport access vlan 1

Connect the internet cable to Ethernet0/0

Also by default ICMP will not pass through, you have to allow it.

Also in this configuration only http and https is allowed, if you want to rdp in, you have to allow it.

Thank you

Samuel Petrescu

Thanks.

I made the change. System is plugged into Et0/1 and the internet cable is plugged into Et0/0

When I show Et0/0 I get and show vlan is as below

ciscoasa(config)# show int et0/1

Interface Ethernet0/1 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Input flow control is unsupported, output flow control is unsupported

        Available but not configured via nameif

        MAC address 5475.d0fc.ad1b, MTU not set

        IP address unassigned

        44852 packets input, 4149552 bytes, 0 no buffer

        Received 36135 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 pause input, 0 resume input

        0 L2 decode drops

        0 switch ingress policy drops

        6939 packets output, 1563776 bytes, 0 underruns

        0 pause output, 0 resume output

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 rate limit drops

        0 switch egress policy drops

        0 input reset drops, 0 output reset drops

ciscoasa(config)# show switch vlan

VLAN Name                             Status    Ports

---- -------------------------------- --------- -----------------------------

1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4

                                                Et0/5, Et0/6, Et0/7

2    outside                          up        Et0/0

ciscoasa(config)#

Now looks good.

To allow icmp from outside (the easy way):

access-list OUTSIDE-IN-ACL extended permit icmp any any

fixup protocol icmp

Thnak you

Sam

Thanks Samuel.

However, I am wondering if this solution is really possible.

I had spoken to many networking people around and they say its only sonicwall that supports that mode.

Strangely, its been more than a week and the nearest to it is your solution above.We had tried a paid approach but most the people simply did not get back because they say its only possible with NAT.

Http/https traffic is still not passing not sure why.

Is there a way to just allow everything without bypassing the firewall?

That way, we can get to know why its not allowing http/https traffic

Thanks indeed for all the help, its given us a ray of hope

From preview e-mails I understood the server has the public IP, and wanted to be in this way.
The solution for this, is transparent firewall, but this will not do NAT and you don’t need NAT in this situation.

To allow everything:
access-list OUTSIDE-IN-ACL extended permit ip any any
access-group OUTSIDE-IN-ACL in interface outside

I don’t know why you want server to have the public IP (maybe is a reason).

The professional solution is to use the firewall in routed mode, and the server to have a private IP.
Instead of server having the public IP, the firewall will have that public IP, and when a  http request is made to that public IP, the firewall will forward traffic inside to the server.
In this situation NAT is needed, and will work.

Or maybe server doesn't really have the public Ip?

Thank you
Sam

Thanks Samuel

You are correct

We have an application that can only work with a public IP address

It does not support NAT

So I deally what we need is where this firewall can protect on the webserver

We open the ports that we need including http and https

If there is a way to make the server see the internet in this configuration, that will do it

Even when we allow everything it still wont allow http traffic.

I strngly think your solution is very close to it.

Unfortunately, I cant seem to be able to open the URL posted in the first reply.

Thanks

Yes that can be done with the ASA. The procedere is specified in the config-guide. First go through the config of transparent firewall:

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/mode_fw.html

Then configure your access-control:

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/access_rules.html

Thanks Samuel.

It works. Strangely I did everything afresh but it allowed http and https, and rdp works. This I am not sure why RDP works.

Sorry, I keep asking. I intend to open some udp ports as well UDP/TCP 1812,1813, 1845,1846,3799, 10100,10200, 10300, 20235

Will let you know how that goes though I am yet to figure out how to block UDP ports.

See access list and see if you can see why RDP works

ciscoasa(config)# show access-list OUTSIDE-IN-ACL

access-list OUTSIDE-IN-ACL; 3 elements; name hash: 0x585e19e6

access-list OUTSIDE-IN-ACL line 1 extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ (hitcnt=16) 0x28efdb7f

  access-list OUTSIDE-IN-ACL line 1 extended permit tcp any host xxx.yy.zzz.mmm eq www (hitcnt=2) 0x6a290a4e

  access-list OUTSIDE-IN-ACL line 1 extended permit tcp any host xxx.yy.zzz.mmm eq https (hitcnt=14) 0x41cdf538

access-list OUTSIDE-IN-ACL line 2 extended permit ip any any (hitcnt=186) 0x74278021