cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7543
Views
5
Helpful
15
Replies

ASA 5506-X Web Server

Lost Packet
Level 1
Level 1

We have a new 5506-X with following:

ASA 9.7(1)4

ASDM 7.9(2)152

 

Our small office uses local isp with dynamic ip assigned to outside interface.  Some dynamic ip service provides a constant url for access from internet.  

Requirements:

  1. They have a customer portal / single webserver that needs to be accessible from internet with https.  
  2. We also need to be able to use anyconnect for remote support on inside hosts.
  3. It would be good if ASA can be maintained after anyconnect connection.
  4. I noticed 2 clientless vpn licenses.  I am not sure how complicated it is to do clientless vpn and regular https web server.  So 3&4 are optional if req 1&2 are satisfied.

I have now spent several hours using wizards for this simple setup.  Anyconnect setup works well but have no idea how to get this internal web server published. 

 

I would appreciate specific examples or config tips.  I can provide the minor changes we have made to the factory config which set port 1 as outside dhcp client and bridges 7 ports as dhcp server for inside network.

 

1 Accepted Solution

Accepted Solutions

Your acl is wrong:
access-list outside-https extended permit tcp any eq https object inside-host-https

You want to authorize any host outside to access your host on its https port then the acl would be:
access-list outside-https extended permit tcp any object inside-host-https eq https

Try again again changing the acl please.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

15 Replies 15

Alex Pfeil
Level 7
Level 7
Is the customer portal a website hosted on the internet or on a local server that needs to be accessible from the Internet?

The portal runs on a linux host on inside network. That does have a static IP.  So somehow I need to route all browser requests from internet in the form https://some.ddns-service.com/ to https://internal.domain.com/ or https://192.168.1.15/ on inside.  That host also does something that updates some.ddns-service.com to current ip issued by isp.  That address changes randomly, specially if there is any power failure.

 

Salespeople use anyconnect to access all resources inside.  So they are not affected by this.

 

Thx.

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

Yes you can do a nat even if your firewall has only 1 DHCP IP. Just take in mind that if your server needs to be accessed from outside on port 443, you'll need to change anyconnect port.

Let's assume your server has IP 192.168.1.200 and need to be accessed on port tcp 443.

The Nat command will be:

object network SRV

 host 192.168.1.200

 nat (inside,outside) static interface service tcp 443 443

 

 

For changing anyconnect port, when you're in webvpn config, just do "port 8443" (any port you want, here it's just an example).

For anyconnect, you have 2 license by default and you can purchase others if needed or just go with standard ipsec vpn.

The config is standard and on client side you'll connect using dyndns fqdn.

To configure ssl vpn, take a look here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-anyconnect.html#ID-2438-000000a3

For standard ipsec: 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-remote-access.html

 

You can also configured ddns on your asa to update it:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/basic_ddns.html

 

I dropped all links because there are lot of commands. Follow the guides and if you have any issues, let us know.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello Francesco,

Thank you for your help.  After making the change, the server is still not responding from outside.

To make problem simple,

  1. I reset the problematic config to factory setting.
  2. Added the nat.  Since this is 5506-X which uses 7 inside ports in bridged mode, it would not accept (inside, outside) but accepted (obj_any1, outside) where obj_any1 is any ip on port 2.
  3. Tried packet trace that showed dropped packet - may be priority issue?
  4. So added access list that on asdm is showing route to the server.

Here is the current config:

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)4 
!
hostname ciscoasa
enable password $sha512$5000$+ZENXGDeI6bSXYM2Zjftcw==$Zwaf1LtQvIA6v2VE9LEO5w== pbkdf2
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network inside-host-https
 host 192.168.1.15
 description Public web server
object-group network inside-any
 description Any physical ports on inside
 network-object object obj_any1
 network-object object obj_any2
 network-object object obj_any3
 network-object object obj_any4
 network-object object obj_any5
 network-object object obj_any6
 network-object object obj_any7
access-list outside-https extended permit tcp any eq https object inside-host-https 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network inside-host-https
 nat (inside_1,outside) static interface service tcp https https 
access-group outside-https in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable 4433
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.51-192.168.1.100 inside
dhcpd dns 192.168.1.15 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:a9c621c36113260d2d193b5b413e49b0
: end
no asdm history enable

 

Obviously I am missing something.  But not sure how to track inbound https requests.

 

I appreciate your help.

I guess I did not understand packet tracer well.  When looking at real time log output, I see this for my lab/test outside IP of 192.168.29.31:

 

4 Oct 15 2018 17:41:15 106023 192.168.29.31 63513 192.168.1.15 443 Deny tcp src outside:192.168.29.31/63513 dst inside_1:192.168.1.15/443 by access-group "outside-https" [0x0, 0x0]

 

So although user enters https, is ASA getting it as port 63513 which is causing the access to be denied?

Your acl is wrong:
access-list outside-https extended permit tcp any eq https object inside-host-https

You want to authorize any host outside to access your host on its https port then the acl would be:
access-list outside-https extended permit tcp any object inside-host-https eq https

Try again again changing the acl please.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Progress!  No response from web server but now the real time log shows

Teardown TCP connection 2002 for outside:192.168.29.31/64502 to inside_1:192.168.1.15/443 duration 0:00:30 bytes 0 SYN Timeout

SYN Timeout help says 30 seconds of three way handshake timed out.  Does that mean web server is not responding?  It does from inside.  Do I need to have server admin check apache logs?

 

Thx.

Wireshark shows the inside host (192.168.1.15) broadcasting ARP for original source IP (192.168.29.31 from outside interface) which never replies.  So looks like the current config is stuck since inside web server should be replying to natted ip as source.  Does that make sense?

Can you run a packet-tracer please first and then following the result, we will go with a packet capture.

 

Let's assume your public IP is 1.1.1.1

run the following command please:

packet-tracer input outside tcp 8.8.8.8 12345 1.1.1.1 443 detail

 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Attaching the packet trace for following:

 

packet-tracer input outside tcp 192.168.29.222 443 192.168.29.34 443 detail

 

In my test setup, 192.168.29.0 is outside network with 192.168.29.34 is outside ip simulating isp assigned address.

 

Also attaching the current config in case needed.

 

ps:

Random source port (following) also creates flow

packet-tracer input outside tcp 192.168.29.222 11443 192.168.29.34 443 detail

 

Sorry, missed that you were asking 1.1.1.1 to be replaced by asa's outside address...

 

Thank you for your help.

 

Packet-tracer shows that everything is ok and this traffic is forwarded to your server.
If you run a Wireshark on your server, you should see traffic coming in.
Does your server can access Internet? Try a ping to validate.
Share the wireshark please from the server.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

192.168.1.15 can access internet - just installed tshark.  But ping 8.8.8.8 from inside fails.  Also on the ASA, I notice route to 192.168.29.31(outside) from interface group inside also fails.  While wait, I will see if fixing that will make any difference.

 

Attaching the capture file (added .txt so it is accepted as attachment) until the browser shows error at source.

Packets show getting the request(tcp) but no http traffic established.

    1 0.000000000 192.168.29.31 → 192.168.1.15 TCP 66 58768 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=4 SACK_PERM=1
    2 0.000054386 IntelCor_cf:c7:53 → Broadcast    ARP 42 Who has 192.168.29.31? Tell 192.168.1.15
    3 0.246706330 192.168.29.31 → 192.168.1.15 TCP 66 58769 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=4 SACK_PERM=1
    4 0.384446021 192.168.1.15 → 192.168.1.255 BROWSER 271 Local Master Announcement UBUS1, Workstation, Server, Print Queue Server, Xenix Server, NT Workstation, NT Server, Master Browser, DFS server
    5 0.384470574 192.168.1.15 → 192.168.1.255 BROWSER 248 Domain/Workgroup Announcement WORKGROUP, NT Workstation, Domain Enum
    6 1.024676864 IntelCor_cf:c7:53 → Broadcast    ARP 42 Who has 192.168.29.31? Tell 192.168.1.15
    7 2.048675146 IntelCor_cf:c7:53 → Broadcast    ARP 42 Who has 192.168.29.31? Tell 192.168.1.15
    8 2.996776743 192.168.29.31 → 192.168.1.15 TCP 66 [TCP Retransmission] 58768 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=4 SACK_PERM=1
    9 3.246634517 192.168.29.31 → 192.168.1.15 TCP 66 [TCP Retransmission] 58769 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=4 SACK_PERM=1
   10 3.246655880 IntelCor_cf:c7:53 → Broadcast    ARP 42 Who has 192.168.29.31? Tell 192.168.1.15
   11 4.256679376 IntelCor_cf:c7:53 → Broadcast    ARP 42 Who has 192.168.29.31? Tell 192.168.1.15
   12 5.280676143 IntelCor_cf:c7:53 → Broadcast    ARP 42 Who has 192.168.29.31? Tell 192.168.1.15
   13 8.996895050 192.168.29.31 → 192.168.1.15 TCP 62 [TCP Retransmission] 58768 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 SACK_PERM=1
   14 8.996927059 IntelCor_cf:c7:53 → Broadcast    ARP 42 Who has 192.168.29.31? Tell 192.168.1.15
   15 9.246898417 192.168.29.31 → 192.168.1.15 TCP 62 [TCP Retransmission] 58769 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 SACK_PERM=1
   16 10.016677460 IntelCor_cf:c7:53 → Broadcast    ARP 42 Who has 192.168.29.31? Tell 192.168.1.15
   17 11.040677575 IntelCor_cf:c7:53 → Broadcast    ARP 42 Who has 192.168.29.31? Tell 192.168.1.15

 

 

Can you share a design of how everything is connected together?
We see syn packet from your asa outside to your server but never see your server replying to ASA.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

ASA2 is a backup we are testing config changes until the server can be published securely through ASA1.

192.168.1.15  <-> ASA2 <-> 192.168.29.0  <-> ASA1 <-> ISP

 

 

Thanks to your directions to diagnose the issue, I had the server admin show me network config on the server.  Turns out when she moved the server, they added 192.168.1.15 to original IP address 192.168.29.15 on same adapter.  We removed that and the SYN issue got resolved.

 

I accepted your earlier post since that should have been end of this week long saga.  I am still concerned about opening this server to cloud.  If you have any tips on hardening (apart from current limit on only 443 traffic), please let me know.

 

Thx again for your help and patience.

Review Cisco Networking for a $25 gift card