10-13-2018 02:52 PM - edited 02-21-2020 08:20 AM
We have a new 5506-X with following:
Our small office uses local isp with dynamic ip assigned to outside interface. Some dynamic ip service provides a constant url for access from internet.
I have now spent several hours using wizards for this simple setup. Anyconnect setup works well but have no idea how to get this internal web server published.
I would appreciate specific examples or config tips. I can provide the minor changes we have made to the factory config which set port 1 as outside dhcp client and bridges 7 ports as dhcp server for inside network.
Solved! Go to Solution.
10-15-2018 08:46 PM
10-13-2018 05:12 PM
10-13-2018 05:51 PM
The portal runs on a linux host on inside network. That does have a static IP. So somehow I need to route all browser requests from internet in the form https://some.ddns-service.com/ to https://internal.domain.com/ or https://192.168.1.15/ on inside. That host also does something that updates some.ddns-service.com to current ip issued by isp. That address changes randomly, specially if there is any power failure.
Salespeople use anyconnect to access all resources inside. So they are not affected by this.
10-13-2018 10:20 PM
Yes you can do a nat even if your firewall has only 1 DHCP IP. Just take in mind that if your server needs to be accessed from outside on port 443, you'll need to change anyconnect port.
Let's assume your server has IP 192.168.1.200 and need to be accessed on port tcp 443.
The Nat command will be:
object network SRV
nat (inside,outside) static interface service tcp 443 443
For changing anyconnect port, when you're in webvpn config, just do "port 8443" (any port you want, here it's just an example).
For anyconnect, you have 2 license by default and you can purchase others if needed or just go with standard ipsec vpn.
The config is standard and on client side you'll connect using dyndns fqdn.
To configure ssl vpn, take a look here:
For standard ipsec:
You can also configured ddns on your asa to update it:
I dropped all links because there are lot of commands. Follow the guides and if you have any issues, let us know.
10-15-2018 05:28 PM
Thank you for your help. After making the change, the server is still not responding from outside.
To make problem simple,
Here is the current config:
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.7(1)4 ! hostname ciscoasa enable password $sha512$5000$+ZENXGDeI6bSXYM2Zjftcw==$Zwaf1LtQvIA6v2VE9LEO5w== pbkdf2 names ! interface GigabitEthernet1/1 nameif outside security-level 0 ip address dhcp setroute ! interface GigabitEthernet1/2 bridge-group 1 nameif inside_1 security-level 100 ! interface GigabitEthernet1/3 bridge-group 1 nameif inside_2 security-level 100 ! interface GigabitEthernet1/4 bridge-group 1 nameif inside_3 security-level 100 ! interface GigabitEthernet1/5 bridge-group 1 nameif inside_4 security-level 100 ! interface GigabitEthernet1/6 bridge-group 1 nameif inside_5 security-level 100 ! interface GigabitEthernet1/7 bridge-group 1 nameif inside_6 security-level 100 ! interface GigabitEthernet1/8 bridge-group 1 nameif inside_7 security-level 100 ! interface Management1/1 management-only no nameif no security-level no ip address ! interface BVI1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! ftp mode passive same-security-traffic permit inter-interface object network obj_any1 subnet 0.0.0.0 0.0.0.0 object network obj_any2 subnet 0.0.0.0 0.0.0.0 object network obj_any3 subnet 0.0.0.0 0.0.0.0 object network obj_any4 subnet 0.0.0.0 0.0.0.0 object network obj_any5 subnet 0.0.0.0 0.0.0.0 object network obj_any6 subnet 0.0.0.0 0.0.0.0 object network obj_any7 subnet 0.0.0.0 0.0.0.0 object network inside-host-https host 192.168.1.15 description Public web server object-group network inside-any description Any physical ports on inside network-object object obj_any1 network-object object obj_any2 network-object object obj_any3 network-object object obj_any4 network-object object obj_any5 network-object object obj_any6 network-object object obj_any7 access-list outside-https extended permit tcp any eq https object inside-host-https pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside_1 1500 mtu inside_2 1500 mtu inside_3 1500 mtu inside_4 1500 mtu inside_5 1500 mtu inside_6 1500 mtu inside_7 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 ! object network obj_any1 nat (inside_1,outside) dynamic interface object network obj_any2 nat (inside_2,outside) dynamic interface object network obj_any3 nat (inside_3,outside) dynamic interface object network obj_any4 nat (inside_4,outside) dynamic interface object network obj_any5 nat (inside_5,outside) dynamic interface object network obj_any6 nat (inside_6,outside) dynamic interface object network obj_any7 nat (inside_7,outside) dynamic interface object network inside-host-https nat (inside_1,outside) static interface service tcp https https access-group outside-https in interface outside timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL http server enable 4433 http 192.168.1.0 255.255.255.0 inside_1 http 192.168.1.0 255.255.255.0 inside_2 http 192.168.1.0 255.255.255.0 inside_3 http 192.168.1.0 255.255.255.0 inside_4 http 192.168.1.0 255.255.255.0 inside_5 http 192.168.1.0 255.255.255.0 inside_6 http 192.168.1.0 255.255.255.0 inside_7 no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcp-client client-id interface outside dhcpd auto_config outside ! dhcpd address 192.168.1.51-192.168.1.100 inside dhcpd dns 192.168.1.15 188.8.131.52 interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:a9c621c36113260d2d193b5b413e49b0 : end no asdm history enable
Obviously I am missing something. But not sure how to track inbound https requests.
I appreciate your help.
10-15-2018 06:01 PM
I guess I did not understand packet tracer well. When looking at real time log output, I see this for my lab/test outside IP of 192.168.29.31:
|4||Oct 15 2018||17:41:15||106023||192.168.29.31||63513||192.168.1.15||443||Deny tcp src outside:192.168.29.31/63513 dst inside_1:192.168.1.15/443 by access-group "outside-https" [0x0, 0x0]|
So although user enters https, is ASA getting it as port 63513 which is causing the access to be denied?
10-15-2018 08:46 PM
10-15-2018 09:53 PM
Progress! No response from web server but now the real time log shows
Teardown TCP connection 2002 for outside:192.168.29.31/64502 to inside_1:192.168.1.15/443 duration 0:00:30 bytes 0 SYN Timeout
SYN Timeout help says 30 seconds of three way handshake timed out. Does that mean web server is not responding? It does from inside. Do I need to have server admin check apache logs?
10-16-2018 03:23 PM
Wireshark shows the inside host (192.168.1.15) broadcasting ARP for original source IP (192.168.29.31 from outside interface) which never replies. So looks like the current config is stuck since inside web server should be replying to natted ip as source. Does that make sense?
10-17-2018 06:17 AM
Can you run a packet-tracer please first and then following the result, we will go with a packet capture.
Let's assume your public IP is 184.108.40.206
run the following command please:
packet-tracer input outside tcp 220.127.116.11 12345 18.104.22.168 443 detail
10-17-2018 01:27 PM - edited 10-17-2018 01:37 PM
Attaching the packet trace for following:
packet-tracer input outside tcp 192.168.29.222 443 192.168.29.34 443 detail
In my test setup, 192.168.29.0 is outside network with 192.168.29.34 is outside ip simulating isp assigned address.
Also attaching the current config in case needed.
Random source port (following) also creates flow
packet-tracer input outside tcp 192.168.29.222 11443 192.168.29.34 443 detail
Sorry, missed that you were asking 22.214.171.124 to be replaced by asa's outside address...
Thank you for your help.
10-17-2018 09:16 PM
10-18-2018 03:21 PM - edited 10-18-2018 05:02 PM
192.168.1.15 can access internet - just installed tshark. But ping 126.96.36.199 from inside fails. Also on the ASA, I notice route to 192.168.29.31(outside) from interface group inside also fails. While wait, I will see if fixing that will make any difference.
Attaching the capture file (added .txt so it is accepted as attachment) until the browser shows error at source.
Packets show getting the request(tcp) but no http traffic established.
1 0.000000000 192.168.29.31 → 192.168.1.15 TCP 66 58768 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=4 SACK_PERM=1 2 0.000054386 IntelCor_cf:c7:53 → Broadcast ARP 42 Who has 192.168.29.31? Tell 192.168.1.15 3 0.246706330 192.168.29.31 → 192.168.1.15 TCP 66 58769 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=4 SACK_PERM=1 4 0.384446021 192.168.1.15 → 192.168.1.255 BROWSER 271 Local Master Announcement UBUS1, Workstation, Server, Print Queue Server, Xenix Server, NT Workstation, NT Server, Master Browser, DFS server 5 0.384470574 192.168.1.15 → 192.168.1.255 BROWSER 248 Domain/Workgroup Announcement WORKGROUP, NT Workstation, Domain Enum 6 1.024676864 IntelCor_cf:c7:53 → Broadcast ARP 42 Who has 192.168.29.31? Tell 192.168.1.15 7 2.048675146 IntelCor_cf:c7:53 → Broadcast ARP 42 Who has 192.168.29.31? Tell 192.168.1.15 8 2.996776743 192.168.29.31 → 192.168.1.15 TCP 66 [TCP Retransmission] 58768 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=4 SACK_PERM=1 9 3.246634517 192.168.29.31 → 192.168.1.15 TCP 66 [TCP Retransmission] 58769 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 WS=4 SACK_PERM=1 10 3.246655880 IntelCor_cf:c7:53 → Broadcast ARP 42 Who has 192.168.29.31? Tell 192.168.1.15 11 4.256679376 IntelCor_cf:c7:53 → Broadcast ARP 42 Who has 192.168.29.31? Tell 192.168.1.15 12 5.280676143 IntelCor_cf:c7:53 → Broadcast ARP 42 Who has 192.168.29.31? Tell 192.168.1.15 13 8.996895050 192.168.29.31 → 192.168.1.15 TCP 62 [TCP Retransmission] 58768 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1380 SACK_PERM=1 14 8.996927059 IntelCor_cf:c7:53 → Broadcast ARP 42 Who has 192.168.29.31? Tell 192.168.1.15 15 9.246898417 192.168.29.31 → 192.168.1.15 TCP 62 [TCP Retransmission] 58769 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1380 SACK_PERM=1 16 10.016677460 IntelCor_cf:c7:53 → Broadcast ARP 42 Who has 192.168.29.31? Tell 192.168.1.15 17 11.040677575 IntelCor_cf:c7:53 → Broadcast ARP 42 Who has 192.168.29.31? Tell 192.168.1.15
10-19-2018 08:18 PM
10-21-2018 10:13 AM
ASA2 is a backup we are testing config changes until the server can be published securely through ASA1.
192.168.1.15 <-> ASA2 <-> 192.168.29.0 <-> ASA1 <-> ISP
Thanks to your directions to diagnose the issue, I had the server admin show me network config on the server. Turns out when she moved the server, they added 192.168.1.15 to original IP address 192.168.29.15 on same adapter. We removed that and the SYN issue got resolved.
I accepted your earlier post since that should have been end of this week long saga. I am still concerned about opening this server to cloud. If you have any tips on hardening (apart from current limit on only 443 traffic), please let me know.
Thx again for your help and patience.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: