12-20-2022 09:51 AM - edited 12-20-2022 10:23 AM
Hello Cisco Community,
I am trying to allow port 80 through an ASA 5506 firewall from my DMZ to an INTERNAL zone for an HTTP server. I am having a problem with the access list, and have encountered a strange problem.
The IP address of my HTTP server is 192.168.2.1. When I use the access list command:
access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any gt www
It works fine, however when I use the command equal to www:
access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www
It drops the HTTP packets, and doesn't allow it through the firewall. Does anyone know why?
I'm applying the access list to the DMZ 'in' interface.
access-group WEB-INSIDE in interface DMZ
I have attached two packet tracer files to demonstrate a working and non-working configuration. I may be doing something wrong. Thank you.
12-20-2022 10:31 AM - edited 12-20-2022 10:32 AM
Hi Rob, thank you for your reply.
From what you're describing it sounds like I have it set up correctly. (I think).
I have added the access list to the DMZ in interface with this command.
access-group WEB-INSIDE in interface DMZ
and I'm using the 'eq www' in the access list.
access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www
12-20-2022 12:26 PM
@Tom101 are you actually trying to allow traffic from the INSIDE network to the HTTP server (192.168.2.1) on port tcp/80 in the DMZ? If so, remove the access-group from the DMZ - "no access-group WEB-INSIDE in interface DMZ"
Your question reads the other way around (traffic initiated from DMZ to INSIDE) and your ACL implies communication is initiated from DMZ to INSIDE.
12-20-2022 12:30 PM
Oh I see, ok thank you Rob. I'm trying to allow my PC from the INSIDE network to access the HTTP website on the server in the DMZ.
12-20-2022 12:34 PM
@Tom101 then your ACL is incorrect, you don't need to apply the ACL to the DMZ interface. Remove it.
no access-group WEB-INSIDE in interface DMZ
no access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www
Traffic will be permitted from INSIDE to DMZ as default as the INSIDE interface has a higher security-level than the DMZ interface.
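The two observations in this thread (the DMZ-inbound ACE with `eq www` not matching while `gt www` does, and traffic from INSIDE to DMZ being permitted with no ACL bound) both follow from how an ASA evaluates an inbound interface ACL: a port operator placed after the destination address matches the destination port, every ACL ends in an implicit deny, and when no access-group is bound to the ingress interface the interface security levels decide. The following is an added example, not code from the thread or from Cisco, that models those rules in Python. The parser accepts only the `host`/`any` address forms used in the thread; the inside client 192.168.1.10, its ephemeral source port 50000, and the security levels (100 for INSIDE, 50 for DMZ) are constructed assumptions.

```python
"""Minimal model of ASA inbound interface-ACL evaluation (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Service-name keywords the ASA accepts in place of a port number (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str                              # "any" or the address given with "host"
    sport: Optional[Tuple[str, int]]      # (operator, port) placed after the source address
    dst: str
    dport: Optional[Tuple[str, int]]      # (operator, port) placed after the destination address


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, i):
    """Consume 'any' or 'host X' at tokens[i]; return (address, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def _port_op(tokens, i):
    """Consume an optional 'eq|gt|lt|neq PORT' at tokens[i]."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return (tokens[i], _port(tokens[i + 1])), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC [op port] DST [op port]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE")
    action, proto = t[3], t[4]
    src, i = _addr(t, 5)
    sport, i = _port_op(t, i)          # an operator right after the source is a SOURCE port
    dst, i = _addr(t, i)
    dport, i = _port_op(t, i)          # an operator after the destination is a DESTINATION port
    return Ace(action, proto, src, sport, dst, dport)


def _port_matches(spec, value: int) -> bool:
    if spec is None:
        return True
    op, p = spec
    return {"eq": value == p, "gt": value > p, "lt": value < p, "neq": value != p}[op]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and _port_matches(ace.sport, pkt.sport)
            and _port_matches(ace.dport, pkt.dport))


def acl_decision(aces, pkt: Packet) -> str:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def ingress_decision(bound_acl, ingress_level: int, egress_level: int, pkt: Packet) -> str:
    """With no access-group on the ingress interface, a higher security level may
    initiate to a lower one; once an ACL is bound, the ACL (and its implicit deny) decides."""
    if bound_acl is None:
        return "permit" if ingress_level > egress_level else "deny"
    return acl_decision(bound_acl, pkt)


if __name__ == "__main__":
    eq_acl = [parse_ace("access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www")]
    gt_acl = [parse_ace("access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any gt www")]
    # Constructed: the server's reply leaves the DMZ with source port 80 and an ephemeral destination port.
    server_reply = Packet("tcp", "192.168.2.1", 80, "192.168.1.10", 50000)
    print("eq www:", acl_decision(eq_acl, server_reply))   # deny: dest port 50000 != 80
    print("gt www:", acl_decision(gt_acl, server_reply))   # permit: dest port 50000 > 80
    client_request = Packet("tcp", "192.168.1.10", 50000, "192.168.2.1", 80)
    print("no ACL, INSIDE(100) -> DMZ(50):", ingress_decision(None, 100, 50, client_request))
```

Run as a script it prints the decisions for each packet. The model shows why the `eq www` ACE never matches a packet the server itself originates: in `permit tcp host 192.168.2.1 any eq www` the `eq www` constrains the destination port, and a web server sends with source port 80, so only `gt www` (which happens to cover the client's ephemeral port) lets it through in a packet-by-packet simulation. For the real flow the thread ends up describing (INSIDE client to DMZ server), the packet enters on INSIDE, never consults an ACL bound to DMZ, and is permitted by the security-level rule when no ACL is bound on INSIDE.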
12-20-2022 01:20 PM
Hi Rob, am I right in saying that the default security-level rule will only work when there is no other access list bound to an interface? So if I was to extend the network and add additional access list rules, would that stop working? What access-list rule would I need if that was the case?
Also, I deleted the access-group and access-list and I still cannot get it to work. The ICMP ping will reach the HTTP web server, but the firewall will not allow it back into the inside network.