ASA 5516 to allow http connection from outside

ptoumbas2011
Level 1

Hi,

I am trying to allow HTTP/80 connections on my new ASA 5516 to access a web server. I am using static NAT with port translation to redirect the traffic to the web server.

There are 2 problems:

1) HTTP traffic is blocked as soon as it arrives at the outside interface (blocked by the ACL implicit rule)

2) I only have 1 public IP for my outside interface. Is it fine to use it to access the web server (static NAT)?

I am also using AnyConnect (working fine) on https://my-firewall


> 1) HTTP traffic is blocked as soon as it arrives at the outside interface (blocked by the ACL implicit rule)

Have you used the real (internal) IP as the destination in the ACL?

> 2) I only have 1 public IP for my outside interface. Is it fine to use it to access the web server (static NAT)?

Why not? At least it's all you can do without additional addresses. Only when you want to deploy TLS on your server will you have to decide which system gets TCP/443: the ASA for VPN or the server.

Yes,

I have added an inbound rule on the outside interface to allow traffic destined for the server (private IP) and it did not work. This is what I get in the log:

source_ip 53804 destination_ip 80 TCP access denied by ACL from source_ip/53804 to outside:destination_ip/80

* Destination IP is the real public IP of the ASA

Have you assigned the right ACL to the interface? Are there other ACEs in the ACL above your rule that deny access?

This is my configuration:

(config)# object network out_to_in_server
(config-network-object)# host 10.0.0.11
(config-network-object)# nat (services_Lan,outside) static interface service tcp 80 80
(config-network-object)# access-list OutsideToServer permit tcp any host 10.0.0.11 eq www
(config)# access-group OutsideToServer in interface outside

And this is what the ASA says:

The ASA denied an attempt to connect to the interface service. For example, the ASA received an SNMP request from an unauthorized SNMP management station

 

That part of the config looks good. The problem is probably located in the rest of the config. If you can share your complete config, that could help.

I have included part of my config; just the IPs are changed from the real ones. Hope it helps.

Do I have to do something with my policy map?

> I have included part of my config; just the IPs are changed from the real ones. Hope it helps.

At least it shows one mistake in NAT: your dynamic rule has to be the last in the order:

no nat (any,outside) source dynamic any interface
nat (any,outside) after-auto source dynamic any interface

We have fixed the issue by correcting the NAT statements and by applying the correct global rules:

object service obj_http
 service tcp source eq 80

nat (Services_Lan,outside) source static SRV interface service obj_http obj_http

access-list global_access permit tcp any host 10.0.0.11 eq 80

Thank you for your quick and helpful responses.
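A consolidated version of a working port-forward on a single outside address, added here as an example and not taken from any post in the thread. Interface names, object names and the documentation addresses 203.0.113.10 (client) and 198.51.100.1 (the ASA's outside IP) are assumptions; the server address 10.0.0.11 is the one used in the thread. It applies the two points the replies settle on: the outbound dynamic PAT goes into the after-auto section so it is evaluated after the static object NAT, and the interface ACL permits the real (untranslated) server address, because on ASA 8.3 and later ACLs match the pre-NAT destination. The closing packet-tracer command is the check to run: if the SYN is un-NATed to 10.0.0.11 and permitted, the output ends in ALLOW; if NAT does not rewrite the destination, the packet is treated as a connection to the firewall itself, which is exactly what the "access denied by ACL ... to outside:..." message quoted above reports.

```text
! Added example, not the thread's configuration. Assumed: inside-facing
! interface "services_Lan", server 10.0.0.11, outside IP 198.51.100.1.

! 1. Object (auto) NAT, NAT table section 2: outside-IP:80 -> 10.0.0.11:80.
object network WEB_SRV
 host 10.0.0.11
 nat (services_Lan,outside) static interface service tcp 80 80

! 2. Outbound PAT on the same interface address. Written without
!    "after-auto" this manual rule lands in section 1 and is evaluated
!    before the static rule above; "after-auto" moves it to section 3.
nat (any,outside) after-auto source dynamic any interface

! 3. Interface ACL on the real (pre-NAT) destination. Permitting the
!    outside address here does not match; the implicit deny still
!    covers everything not listed.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.11 eq www
access-group OUTSIDE_IN in interface outside

! Leave tcp/443 alone: the AnyConnect/WebVPN listener already uses it
! on the outside interface, so a 443 forward to the server would collide.

! Checks: confirm the section order, then replay the inbound SYN.
show nat
packet-tracer input outside tcp 203.0.113.10 53804 198.51.100.1 80 detailed
```

In the packet-tracer output the UN-NAT phase should show the destination rewritten to 10.0.0.11 before the ACCESS-LIST phase; if the ACL phase runs against 198.51.100.1 instead, the NAT ordering is still wrong.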
