03-27-2019 09:18 AM
I have been trying for a week to publish a web server, but until now it is not accessible from the internet.
My internal network has 2 gateways: 10.0.0.0/16 GW 10.0.0.1 (another route), 10.0.0.0/16 GW 10.0.19.50 (inside interface of the ASA).
Web server in the DMZ: 172.16.0.2/24, GW 172.16.0.1.
How can I do this?
The config:
ASA Version 9.8(2)
!
hostname CiscoASA
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 82.144.x.x 255.255.255.224
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.0.19.50 255.255.0.0
!
interface GigabitEthernet1/3
shutdown
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn-object
subnet 10.0.19.0 255.255.255.0
description vpn-acl-nat
object network obj-inside
subnet 10.0.0.0 255.255.0.0
object network obj-anyconn
subnet 10.0.19.0 255.255.255.0
object network NETWORK_OBJ_10.0.19.0_25
subnet 10.0.19.0 255.255.255.128
object network inside-net
host 10.0.0.10
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.255.0.0
network-object object vpn-object
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list testacl extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 any inactive
access-list ipsec_splitTunnelAcl standard permit any4
access-list iOS-acl standard permit 172.16.112.0 255.255.255.0
access-list DMZ_access_in_1 extended deny ip any any inactive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static vpn-object vpn-object no-proxy-arp route-lookup
nat (any,outside) source static any interface unidirectional
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.19.0_25 NETWORK_OBJ_10.0.19.0_25 no-proxy-arp route-lookup
!
object network obj-inside
nat (any,outside) dynamic interface
object network obj-anyconn
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group DMZ_access_in_1 in interface DMZ
route outside 0.0.0.0 0.0.0.0 82.144.X.X 1
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa local authentication attempts max-fail 10
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
default-idle-timeout 21600
anyconnect image disk0:/anyconnect-win-4.5.02036-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
keepout "Service out temporarily."
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-clientless
group-policy GroupPolicyTunnelAll internal
group-policy GroupPolicyTunnelAll attributes
wins-server value 10.0.0.10
dns-server value 10.0.0.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value imc-tm.de
address-pools value testpool
group-policy iOS-Policy internal
group-policy iOS-Policy attributes
dns-server value 10.0.0.10
vpn-access-hours none
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
password-storage enable
re-xauth disable
group-lock value iOS-tunnel
pfs enable
split-tunnel-policy tunnelall
default-domain value imc-tm.de
user-authentication-idle-timeout none
ip-phone-bypass enable
address-pools value iOS-Pool
dynamic-access-policy-record DfltAccessPolicy
username OliverAbendschön password $sha512$5000$D8fgjjINEG4BKiy7ppaQgw==$tf6fDTSwuL+iei5byWjqmw== pbkdf2
username OliverAbendschön attributes
service-type remote-access
username ArneHillenbrand password $sha512$5000$dFTeqI6/zO7yr+eTadtTpg==$xugn/DjqGnJKc031ZsW8Ew== pbkdf2 privilege 15
username ArneHillenbrand attributes
service-type remote-access
username admin password $sha512$5000$HgLLie0rID0FSE/ylKowZQ==$vh5H0Qlr9X3uRLCqUSVg0w== pbkdf2 privilege 15
username NilsBarka password $sha512$5000$dIp1bF1xVKdXYN2005zwJw==$dYYeN4U0yiiZo8mjFWlYwg== pbkdf2
username NilsBarka attributes
service-type remote-access
username MarkusSteinwachs password $sha512$5000$WdiCaKRiANlw1W0z3Z/gjQ==$TnkOgA6tgWKhTyAwbQzZvw== pbkdf2
username MarkusSteinwachs attributes
service-type remote-access
username MaamonAlbattah password $sha512$5000$ZpsC1Lpt4qk7y/Pr6Bp+EA==$L/f0+FftkCMGv37CAy1boA== pbkdf2 privilege 15
tunnel-group TunnelAll type remote-access
tunnel-group TunnelAll general-attributes
address-pool testpool
default-group-policy GroupPolicyTunnelAll
tunnel-group TunnelAll webvpn-attributes
authentication certificate
group-alias IT-IMC enable
tunnel-group iOS-tunnel type remote-access
tunnel-group iOS-tunnel general-attributes
address-pool iOS-Pool
default-group-policy iOS-Policy
tunnel-group iOS-tunnel ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 3
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map glopal_policy
class inspection_default
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c337fbc76e340446cc827f9dd6b266c7
Result of the command: "show run nat"
nat (inside,outside) source static any any destination static vpn-object vpn-object no-proxy-arp route-lookup
nat (any,outside) source static any interface unidirectional
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.19.0_25 NETWORK_OBJ_10.0.19.0_25 no-proxy-arp route-lookup
nat (DMZ,inside) source dynamic any interface
nat (inside,DMZ) source dynamic any interface
!
object network obj-inside
nat (any,outside) dynamic interface
object network obj-anyconn
nat (any,outside) dynamic interface
object network web
nat (outside,DMZ) static ext-ip service tcp 8080 www
Result of the command: "show run object"
object network vpn-object
subnet 10.0.19.0 255.255.255.0
description vpn-acl-nat
object network obj-inside
subnet 10.0.0.0 255.255.0.0
object network obj-anyconn
subnet 10.0.19.0 255.255.255.0
object network NETWORK_OBJ_10.0.19.0_25
subnet 10.0.19.0 255.255.255.128
object network inside-net
host 10.0.0.10
object network ext-ip
host 82.144.33.101
object network web
host 172.16.0.2
Result of the command: "show run access-list"
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list testacl extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 any inactive
access-list ipsec_splitTunnelAcl standard permit any4
access-list iOS-acl standard permit 172.16.112.0 255.255.255.0
access-list DMZ_access_in_1 extended permit ip any any
access-list outserv extended permit tcp any host 10.0.19.59 eq https
access-list global_access extended permit ip any any
access-list dmz-ping extended permit icmp 10.0.0.0 255.255.0.0 172.16.0.0 255.255.255.0 echo
access-list dmz-ping extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.0.0 echo
access-list dmz-ping extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list dmz-ping extended permit ip 172.16.0.0 255.255.255.0 any
access-list outin extended permit tcp any host 10.0.19.55 eq www
access-list web extended permit tcp any any eq www
access-list dmzout extended permit tcp any object web
03-27-2019 10:01 AM
access-group inside_access_in in interface inside
access-group DMZ_access_in_1 in interface DMZ
No access group for the outside interface. I am guessing the below is the ACL you wanted to apply.
Also, your NAT is confusing. Change it to the following:
object network web
nat (DMZ,outside) static ext-ip service tcp www 8080
Reference:
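A way to catch the mistake the reply points out, as an added Python check that is not from the thread or from Cisco: given the interface subnets and the objects from the posts, it reports when a static object NAT line names the real and mapped interfaces, or the two service ports, in the wrong order. The outside /27 is assumed to be 82.144.33.96/27 because the post masks it.

```python
import ipaddress
import re

# Interface subnets as posted in the thread. The outside /27 is masked in the
# post, so 82.144.33.96/27 (containing the ext-ip object) is an assumption.
INTERFACES = {
    "outside": ipaddress.ip_network("82.144.33.96/27"),
    "inside": ipaddress.ip_network("10.0.0.0/16"),
    "DMZ": ipaddress.ip_network("172.16.0.0/24"),
}
OBJECTS = {"web": "172.16.0.2", "ext-ip": "82.144.33.101"}  # from "show run object"
PORT_NAMES = {"www": 80, "http": 80, "https": 443}
NAT_RE = re.compile(
    r"nat \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) static (?P<mapped>\S+)"
    r"(?: service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+))?"
)

def port_number(token):
    return PORT_NAMES.get(token.lower()) or int(token)

def interface_of(ip):
    return next((n for n, net in INTERFACES.items() if ip in net), "no interface")

def check_object_nat(real_obj, nat_line, listen_port):
    """Return the problems in a static object NAT line; [] means it looks right.
    real_obj: object the 'nat' line belongs to (the real, private host).
    listen_port: port the server really listens on. In 'service <proto> <real>
    <mapped>' the real port comes FIRST, the public one second."""
    m = NAT_RE.fullmatch(nat_line.strip())
    if not m:
        return ["unparsed NAT line: " + nat_line]
    real_ip = ipaddress.ip_address(OBJECTS[real_obj])
    mapped_ip = ipaddress.ip_address(OBJECTS[m["mapped"]])
    problems = []
    # (real,mapped): first interface is the one the real host sits behind ...
    if real_ip not in INTERFACES[m["real_ifc"]]:
        problems.append(f"real interface {m['real_ifc']} does not contain {real_ip}"
                        f" (it is on {interface_of(real_ip)})")
    # ... second interface is where the mapped (public) address is reachable.
    if mapped_ip not in INTERFACES[m["mapped_ifc"]]:
        problems.append(f"mapped interface {m['mapped_ifc']} does not contain "
                        f"{mapped_ip} (it is on {interface_of(mapped_ip)})")
    if m["proto"] and port_number(m["real_port"]) != listen_port:
        problems.append(f"real port {m['real_port']} != listening port {listen_port};"
                        " the two service ports look reversed")
    return problems
```

Run against the original `nat (outside,DMZ) static ext-ip service tcp 8080 www` it reports all three problems; the corrected `nat (DMZ,outside) static ext-ip service tcp www 8080` passes.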
03-28-2019 02:02 AM
Thank you for your feedback,
but it does not work. I did what you wrote to me.
Here are the new configurations.
PS: I also use this server for the VPN connection.
Now the web server is accessible from internal but not yet from external,
and I cannot ping the external IP.
Result of the command: "show run access-list"
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list testacl extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 any inactive
access-list ipsec_splitTunnelAcl standard permit any4
access-list iOS-acl standard permit 172.16.112.0 255.255.255.0
access-list DMZ_access_in_1 extended deny ip any any inactive
access-list DMZ_access_in_1 extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outdmz extended permit tcp any object Web eq www
Result of the command: "show run access-group"
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in_1 in interface DMZ
Result of the command: "show run nat"
nat (inside,outside) source static any any destination static vpn-object vpn-object no-proxy-arp route-lookup
nat (any,outside) source static any interface unidirectional
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.19.0_25 NETWORK_OBJ_10.0.19.0_25 no-proxy-arp route-lookup
nat (DMZ,inside) source dynamic any interface
nat (inside,DMZ) source dynamic any interface
!
object network obj-inside
nat (any,outside) dynamic interface
object network obj-anyconn
nat (any,outside) dynamic interface
object network Web
nat (DMZ,outside) static ext-ip service tcp www 8080
03-28-2019 08:32 AM
Run the following packet tracer:
packet-tracer input outside tcp 1.1.1.1 12345 <public-ip-of-server> 8080 detailed
Also why do you have this NAT statement?
nat (any,outside) source static any interface unidirectional
03-28-2019 08:57 AM
This NAT was for the DMZ to get internet access.
I deleted it and used this as an alternative:
object network dmz-net
subnet 172.16.0.0 255.255.255.0
nat (dmz,outside) dynamic interface
Output from packet-tracer:
Result of the command: "packet-tracer input outside tcp 1.1.1.1 12345 82.X.X.X 8080 detailed"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f0030b6afc0, priority=1, domain=permit, deny=false
hits=231432, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Web
nat (DMZ,outside) static ext-ip service tcp www 8080
Additional Information:
NAT divert to egress interface DMZ
Untranslate 82.144.33.101/8080 to 172.16.0.2/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f0030c4df20, priority=13, domain=permit, deny=false
hits=585, user_data=0x7f002a53b8c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f002fed9fb0, priority=0, domain=nat-per-session, deny=false
hits=8744, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f0030b73480, priority=0, domain=inspect-ip-options, deny=true
hits=3781, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f0030340350, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=737, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Web
nat (DMZ,outside) static ext-ip service tcp www 8080
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f00343b8920, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7f002fae0150, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=172.16.0.2, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=DMZ
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f002fed9fb0, priority=0, domain=nat-per-session, deny=false
hits=8746, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f0030c27380, priority=0, domain=inspect-ip-options, deny=true
hits=7173, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=DMZ, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8053, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
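As an added check that is not from the thread, a small Python reader for the packet-tracer output above: it pulls out the un-NAT mapping, the egress interface, the final action and the first dropping phase (with its Drop-reason line when the ASA prints one), and compares them with what the static NAT is meant to do. SAMPLE is a constructed cut-down of the trace above.

```python
import re
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
UNTRANSLATE_RE = re.compile(r"Untranslate (\S+) to (\S+)")

def parse_packet_tracer(text):
    """Reduce 'packet-tracer ... detailed' output to the few facts worth checking."""
    out, cur = {"untranslate": None, "egress": None, "action": None, "first_drop": None}, None
    for line in (l.strip() for l in text.splitlines()):
        if (m := PHASE_RE.match(line)):
            cur = {"phase": int(m.group(1)), "type": "?", "reason": None}
        elif cur is None:
            continue  # nothing before the first phase matters
        elif line.startswith("Type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:") and "DROP" in line and not out["first_drop"]:
            out["first_drop"] = cur  # the reason is filled in by the next lines
        elif line.startswith("Drop-reason:") and out["first_drop"] is cur:
            cur["reason"] = line.split(":", 1)[1].strip()
        elif (u := UNTRANSLATE_RE.search(line)):
            out["untranslate"] = (u.group(1), u.group(2))  # (mapped, real) as ip/port
        elif line.startswith("output-interface:"):
            out["egress"] = line.split(":", 1)[1].strip()
        elif line.startswith("Action:"):
            out["action"] = line.split(":", 1)[1].strip()
    return out

def verify_publication(text, real_ip, real_port, egress):
    """Mismatches between the trace and what the static NAT is meant to do."""
    s, want, issues = parse_packet_tracer(text), f"{real_ip}/{real_port}", []
    if s["action"] != "allow":
        issues.append(f"final action {s['action']}, first drop: {s['first_drop']}")
    if not s["untranslate"] or s["untranslate"][1] != want:
        issues.append(f"un-NAT did not land on {want}: {s['untranslate']}")
    if s["egress"] != egress:
        issues.append(f"egress is {s['egress']}, expected {egress}")
    return issues

# Constructed sample: the thread's trace cut down to the decisive lines.
SAMPLE = """Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 2
Type: UN-NAT
Result: ALLOW
Untranslate 82.144.33.101/8080 to 172.16.0.2/80
Result:
output-interface: DMZ
Action: allow
"""
```

For the trace above all three checks pass, so the simulated packet is not stopped by the ASA's NAT or ACL path; that is the point at which to look beyond the firewall (the server's own default route and listener, or the ISP side).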