03-08-2020 01:54 AM
Hello all,
New to the forums and the Cisco ASA 5506-X.
I have tried to create a Public Server using
ASDM --> Configuration --> Firewall --> Public Server
I had no errors in the creation phase.
I then tried to test using the command:
packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed
but I get the following error:
(acl-drop) Flow is denied by configured rule
In detail, the answer was the following:
Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed"

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f10bb004df0, priority=13, domain=punt, deny=false
hits=6744, user_data=0x7f10bb51ea40, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f10ba9e6ab0, priority=1, domain=permit, deny=false
hits=6654, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any4 object dmz_in eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f10ba5c9f70, priority=13, domain=permit, deny=false
hits=10, user_data=0x7f10b30c64c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f10b9a5d360, priority=0, domain=nat-per-session, deny=false
hits=4080, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f10bb516e50, priority=0, domain=inspect-ip-options, deny=true
hits=3042, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any4 object dmz_in eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f10ba5c9f70, priority=13, domain=permit, deny=false
hits=11, user_data=0x7f10b30c64c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f10b9a5d360, priority=0, domain=nat-per-session, deny=false
hits=4081, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f10bb516e50, priority=0, domain=inspect-ip-options, deny=true
hits=3043, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dmz_in
 nat (inside_1,outside) static dmz_out
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f10bb65a2a0, priority=6, domain=nat-reverse, deny=false
hits=6, user_data=0x7f10ba46f9a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside_1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The ASA configuration is as follows:
Result of the command: "sh run" : Saved : : Serial Number: JAD23491DFL : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.8(2) ! hostname ciscoasa enable password $sha512$5000$YF7WGccVhZL32TZ5JIVyzw==$Ce6xmlZRIG/9w+0h+1LTtg== pbkdf2 names ! interface GigabitEthernet1/1 nameif outside security-level 0 ip address dhcp setroute ! interface GigabitEthernet1/2 bridge-group 1 nameif inside_1 security-level 100 ! interface GigabitEthernet1/3 bridge-group 1 nameif inside_2 security-level 100 ! interface GigabitEthernet1/4 bridge-group 1 nameif inside_3 security-level 100 ! interface GigabitEthernet1/5 bridge-group 1 nameif inside_4 security-level 100 ! interface GigabitEthernet1/6 bridge-group 1 nameif inside_5 security-level 100 ! interface GigabitEthernet1/7 bridge-group 1 nameif inside_6 security-level 100 ! interface GigabitEthernet1/8 bridge-group 1 nameif inside_7 security-level 100 ! interface Management1/1 management-only no nameif no security-level no ip address ! interface BVI1 nameif inside security-level 100 ip address 10.0.0.1 255.255.255.0 ! 
ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 same-security-traffic permit inter-interface object network obj_any1 subnet 0.0.0.0 0.0.0.0 object network obj_any2 subnet 0.0.0.0 0.0.0.0 object network obj_any3 subnet 0.0.0.0 0.0.0.0 object network obj_any4 subnet 0.0.0.0 0.0.0.0 object network obj_any5 subnet 0.0.0.0 0.0.0.0 object network obj_any6 subnet 0.0.0.0 0.0.0.0 object network obj_any7 subnet 0.0.0.0 0.0.0.0 object network dmz_in host 10.0.0.12 description dmz_in object network dmz_out host 192.168.1.40 description dmz_out access-list outside_access extended permit tcp any4 object dmz_in eq www pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside_1 1500 mtu inside_2 1500 mtu inside_3 1500 mtu inside_4 1500 mtu inside_5 1500 mtu inside_6 1500 mtu inside_7 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 ! 
object network obj_any1 nat (inside_1,outside) dynamic interface object network obj_any2 nat (inside_2,outside) dynamic interface object network obj_any3 nat (inside_3,outside) dynamic interface object network obj_any4 nat (inside_4,outside) dynamic interface object network obj_any5 nat (inside_5,outside) dynamic interface object network obj_any6 nat (inside_6,outside) dynamic interface object network obj_any7 nat (inside_7,outside) dynamic interface object network dmz_in nat (inside_1,outside) static dmz_out access-group outside_access in interface outside timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL aaa authentication login-history http server enable http 10.0.0.0 255.255.255.0 inside_1 http 10.0.0.0 255.255.255.0 inside_2 http 10.0.0.0 255.255.255.0 inside_3 http 10.0.0.0 255.255.255.0 inside_4 http 10.0.0.0 255.255.255.0 inside_5 http 10.0.0.0 255.255.255.0 inside_6 http 10.0.0.0 255.255.255.0 inside_7 no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpoint _SmartCallHome_ServerCA no validation-usage crl configure crypto ca trustpool policy crypto ca certificate chain _SmartCallHome_ServerCA certificate ca ......... quit telnet timeout 5 ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd auto_config outside ! dhcpd address 10.0.0.5-10.0.0.254 inside dhcpd enable inside ! 
threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context service call-home call-home reporting anonymous call-home contact-email-addr aferrara.avvisi@gmail.com profile CiscoTAC-1 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:b11b3962c3121dc7612713d95c49d0af : end
can you help me?
Thanks.
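When a packet-tracer result arrives pasted as one long line, as above, it helps to split it back into phases and pull out the phase that dropped the packet together with its Config line. The parser below is an added example, not from the original post; the SAMPLE string is a constructed, trimmed copy of the trace above.

```python
import re

# Constructed sample: the "packet-tracer ... detailed" output from the post above,
# as it arrives from a forum paste (one long line), trimmed to three phases.
SAMPLE = (
    'Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed" '
    'Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: '
    'Additional Information: found next-hop 10.0.0.12 using egress ifc inside '
    'Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: '
    'access-group outside_access in interface outside '
    'access-list outside_access extended permit tcp any4 object dmz_in eq www '
    'Additional Information: Forward Flow based lookup yields rule: '
    'in id=0x7f10ba5c9f70, priority=13, domain=permit, deny=false '
    'Phase: 3 Type: NAT Subtype: rpf-check Result: DROP Config: '
    'object network dmz_in nat (inside_1,outside) static dmz_out '
    'Additional Information: Forward Flow based lookup yields rule: '
    'out id=0x7f10bb65a2a0, priority=6, domain=nat-reverse, deny=false '
    'Result: input-interface: outside input-status: up input-line-status: up '
    'output-interface: inside output-status: up output-line-status: up '
    'Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule'
)

# One phase block. The lookahead stops "Additional Information" at the next phase
# or at the final "Result: input-interface" summary.
PHASE_RE = re.compile(
    r'Phase:\s*(?P<num>\d+)\s+Type:\s*(?P<type>\S+)\s+Subtype:\s*(?P<subtype>.*?)\s*'
    r'Result:\s*(?P<result>ALLOW|DROP)\s+Config:\s*(?P<config>.*?)\s*'
    r'Additional Information:\s*(?P<info>.*?)'
    r'(?=\s+Phase:\s*\d+\s+Type:|\s+Result:\s*input-interface|\s*$)',
    re.S,
)

# The trailer: interfaces, verdict and, on a drop, the "(code) reason" pair.
SUMMARY_RE = re.compile(
    r'input-interface:\s*(?P<in_ifc>\S+).*?output-interface:\s*(?P<out_ifc>\S+).*?'
    r'Action:\s*(?P<action>\w+)'
    r'(?:\s+Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<reason>.*?))?\s*$',
    re.S,
)


def parse_trace(text: str) -> dict:
    """Split a flattened packet-tracer output into phases plus the final verdict."""
    phases = []
    for m in PHASE_RE.finditer(text):
        d = m.groupdict()
        d["num"] = int(d["num"])
        phases.append(d)
    result = {"phases": phases, "action": None, "in_ifc": None, "out_ifc": None,
              "drop_code": None, "drop_reason": None, "drop_phase": None}
    s = SUMMARY_RE.search(text)
    if s:
        result.update(action=s["action"], in_ifc=s["in_ifc"], out_ifc=s["out_ifc"],
                      drop_code=s["code"], drop_reason=s["reason"])
    # The phase that actually dropped the packet is the first one whose Result is DROP;
    # its Config text names the ACL or NAT rule to look at.
    result["drop_phase"] = next((p for p in phases if p["result"] == "DROP"), None)
    return result


def summarize(text: str) -> list:
    """One line per phase, then the verdict with the dropping phase and its Config."""
    t = parse_trace(text)
    lines = [f'{p["num"]:>2} {p["type"]:<12} {p["subtype"] or "-":<24} {p["result"]}'
             for p in t["phases"]]
    verdict = f'{t["in_ifc"]} -> {t["out_ifc"]}: {t["action"]}'
    if t["drop_phase"]:
        verdict += (f' at phase {t["drop_phase"]["num"]} ({t["drop_code"]}): '
                    f'{t["drop_phase"]["config"]}')
    lines.append(verdict)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```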
03-08-2020 03:19 AM
Try this and change it according to your needs.
object network SERVER
host 10.0.0.12
nat (inside,outside) static interface
!
access-list OUT_IN ext permit tcp any host 10.0.0.12 eq https
access-group OUT_IN in interface outside
!
03-08-2020 08:03 AM
Hi,
First of all, thank you for your answer.
I have tried your suggestion.
But now I have the following error:
Drop-reason: (no-adjacency) No valid adjacency
the complete answer is as follows:
Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop a
while the new configuration is this:
Result of the command: "sh run" : Saved : : Serial Number: JAD23491DFL : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.8(2) ! hostname ciscoasa enable password $sha512$5000$YF7WGccVhZL32TZ5JIVyzw==$Ce6xmlZRIG/9w+0h+1LTtg== pbkdf2 names ! interface GigabitEthernet1/1 nameif outside security-level 0 ip address dhcp setroute ! interface GigabitEthernet1/2 bridge-group 1 nameif inside_1 security-level 100 ! interface GigabitEthernet1/3 bridge-group 1 nameif inside_2 security-level 100 ! interface GigabitEthernet1/4 bridge-group 1 nameif inside_3 security-level 100 ! interface GigabitEthernet1/5 bridge-group 1 nameif inside_4 security-level 100 ! interface GigabitEthernet1/6 bridge-group 1 nameif inside_5 security-level 100 ! interface GigabitEthernet1/7 bridge-group 1 nameif inside_6 security-level 100 ! interface GigabitEthernet1/8 bridge-group 1 nameif inside_7 security-level 100 ! interface Management1/1 management-only no nameif no security-level no ip address ! interface BVI1 nameif inside security-level 100 ip address 10.0.0.1 255.255.255.0 ! 
ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 same-security-traffic permit inter-interface object network obj_any1 subnet 0.0.0.0 0.0.0.0 object network obj_any2 subnet 0.0.0.0 0.0.0.0 object network obj_any3 subnet 0.0.0.0 0.0.0.0 object network obj_any4 subnet 0.0.0.0 0.0.0.0 object network obj_any5 subnet 0.0.0.0 0.0.0.0 object network obj_any6 subnet 0.0.0.0 0.0.0.0 object network obj_any7 subnet 0.0.0.0 0.0.0.0 object network dmz_in host 10.0.0.12 description dmz_in object network dmz_out host 192.168.1.40 description dmz_out object network SERVER host 10.0.0.12 access-list outside_access extended permit tcp any4 object dmz_in eq www access-list OUT_IN extended permit tcp any host 10.0.0.12 eq https access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside_1 1500 mtu inside_2 1500 mtu inside_3 1500 mtu inside_4 1500 mtu inside_5 1500 mtu inside_6 1500 mtu inside_7 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 ! 
object network obj_any1 nat (inside_1,outside) dynamic interface object network obj_any2 nat (inside_2,outside) dynamic interface object network obj_any3 nat (inside_3,outside) dynamic interface object network obj_any4 nat (inside_4,outside) dynamic interface object network obj_any5 nat (inside_5,outside) dynamic interface object network obj_any6 nat (inside_6,outside) dynamic interface object network obj_any7 nat (inside_7,outside) dynamic interface object network dmz_in nat (inside_1,outside) static dmz_out object network SERVER nat (inside_1,outside) static interface access-group OUT_IN in interface outside timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 timeout conn-holddown 0:00:15 timeout igp stale-route 0:01:10 user-identity default-domain LOCAL aaa authentication login-history http server enable http 10.0.0.0 255.255.255.0 inside_1 http 10.0.0.0 255.255.255.0 inside_2 http 10.0.0.0 255.255.255.0 inside_3 http 10.0.0.0 255.255.255.0 inside_4 http 10.0.0.0 255.255.255.0 inside_5 http 10.0.0.0 255.255.255.0 inside_6 http 10.0.0.0 255.255.255.0 inside_7 no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpoint _SmartCallHome_ServerCA no validation-usage crl configure crypto ca trustpool policy crypto ca certificate chain _SmartCallHome_ServerCA certificate ca .... quit telnet timeout 5 ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd auto_config outside ! dhcpd address 10.0.0.5-10.0.0.254 inside dhcpd enable inside ! 
threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 no tcp-inspection policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context service call-home call-home reporting anonymous call-home contact-email-addr aferrara.avvisi@gmail.com profile CiscoTAC-1 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:4eb28e5b47bb87948fa7074c886788f1 : end
03-08-2020 08:34 AM
Run the packet-tracer command again and display the output.
packet-tracer input outside tcp 8.8.8.8 http 192.168.1.16 https detailed
***192.168.1.16 double check your outside firewall ip address and put next to start(*)
03-08-2020 10:00 AM
This is the output of the command
packet-tracer input outside tcp 8.8.8.8 http 192.168.1.16 https detailed
Result of the command: "packet-tracer input outside tcp 8.8.8.8 http 192.168.1.16 https detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.16 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f10ba850210, priority=111, domain=permit, deny=true
hits=11, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Sorry but I didn't understand what you mean by:
***192.168.1.16 double check your outside firewall ip address and put next to start(*)
Thanks.
03-08-2020 10:41 AM
Hi,
Your config is now good; however, I see you're getting the public IP address from DHCP, which means that if you don't get the same IP address, you'll run into issues if the public service is reachable via FQDN (DNS has to be constantly updated with the new record), while if you access it via IP address and it changes, users would need to be aware. Just ask your ISP to lease you the same IP address.
As for the errors you're getting in packet-tracer:
packet-tracer input outside tcp 8.8.8.8 http 192.168.1.16 https detailed
Drop-reason: (acl-drop) Flow is denied by configured rule
The above is because your packets are coming in on the outside and need to be routed out on the outside, and the ASA disallows this by default; while you could fix it, you should not, unless you have VPN users connecting on the outside interface which need Internet access through the VPN.
Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed"
Drop-reason: (no-adjacency) No valid adjacency
The above is because the ASA failed to resolve, through ARP, the MAC address of 10.0.0.12, which means the host is not reachable via layer 2. Most probably you're testing the configuration without the host being present?
Regards,
Cristian Matei.
03-08-2020 11:05 AM - edited 03-08-2020 11:08 AM
Cristian made a good point, but I guess you are using this network for testing, or is this a production network?
Your outside interface is set up with DHCP, which is not ideal for HTTP/HTTPS if you are hosting services or need access from the outside world to your network resources behind the firewall. Ideally you need to get a public IP address for your outside interface.
Now, to test the existing configuration, run this command:
show ip address | i outside
The result will be like this:
GigabitEthernet1/1 outside 192.168.1.32
and my configuration on the outside is like this:
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
Now run packet-tracer:
packet-tracer input outside tcp 8.8.8.8 http 192.168.1.32 https detailed
Remember, in my packet-tracer I get the IP address from the DHCP server (outside interface IP 192.168.1.32), so you have to match what you noted in your configuration. As your configuration is in the right order, it will work.
03-08-2020 12:19 PM
Sharaz is right, I am using a test network and I am not in production.
Now I have put a static IP (192.168.1.27) to the outside interface.
The situation of my test network is now as follows:
I ran the command
show ip address | i outside
and I have:
Result of the command: "show ip address | i outside"
GigabitEthernet1/1 outside 192.168.1.27 255.255.255.0 CONFIG
GigabitEthernet1/1 outside 192.168.1.27 255.255.255.0 CONFIG
the configuration on outside is:
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.1.27 255.255.255.0
!
and
packet-tracer input outside tcp 8.8.8.8 http 192.168.1.27 https detailed
gives me
Result of the command: "packet-tracer input outside tcp 8.8.8.8 http 192.168.1.27 https detailed" Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x7fac41083290, priority=1, domain=permit, deny=false hits=75, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=outside, output_ifc=any Phase: 2 Type: UN-NAT Subtype: static Result: ALLOW Config: object network SERVER nat (inside_1,outside) static interface Additional Information: NAT divert to egress interface inside_1 Untranslate 192.168.1.27/443 to 10.0.0.12/443 Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group OUT_IN in interface outside access-list OUT_IN extended permit tcp any host 10.0.0.12 eq https Additional Information: Forward Flow based lookup yields rule: in id=0x7fac4106a2a0, priority=13, domain=permit, deny=false hits=0, user_data=0x7fac39ac6500, cs_id=0x0, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=10.0.0.12, mask=255.255.255.255, port=443, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 4 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false hits=168, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 5 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fac4108b750, priority=0, domain=inspect-ip-options, deny=true hits=38, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, 
dscp=0x0 input_ifc=outside, output_ifc=any Phase: 6 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group OUT_IN in interface outside access-list OUT_IN extended permit tcp any host 10.0.0.12 eq https Additional Information: Forward Flow based lookup yields rule: in id=0x7fac4106a2a0, priority=13, domain=permit, deny=false hits=1, user_data=0x7fac39ac6500, cs_id=0x0, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=10.0.0.12, mask=255.255.255.255, port=443, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false hits=169, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7fac4108b750, priority=0, domain=inspect-ip-options, deny=true hits=39, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 9 Type: NAT Subtype: rpf-check Result: ALLOW Config: object network SERVER nat (inside_1,outside) static interface Additional Information: Forward Flow based lookup yields rule: out id=0x7fac413d7720, priority=6, domain=nat-reverse, deny=false hits=16, user_data=0x7fac413d62f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=inside_1 Phase: 10 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields 
rule: in id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false hits=171, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 11 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7fac41389490, priority=0, domain=inspect-ip-options, deny=true hits=19, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any Phase: 12 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false hits=172, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 13 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7fac410edbc0, priority=0, domain=inspect-ip-options, deny=true hits=283, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside_1, output_ifc=any Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 568, packet dispatched to next module Module information for forward flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_tcp_normalizer snp_fp_translate snp_fp_adjacency snp_fp_fragment snp_ifc_stat Module information for reverse flow ... 
snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_translate snp_fp_tcp_normalizer snp_fp_adjacency snp_fp_fragment snp_ifc_stat Result: input-interface: outside input-status: up input-line-status: up output-interface: inside_1 output-status: up output-line-status: up Action: allow
but
packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed
gives me
Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fac413d93d0, priority=13, domain=permit, deny=false
hits=30, user_data=0x7fac39ac6380, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false
hits=180, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fac4108b750, priority=0, domain=inspect-ip-options, deny=true
hits=40, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fac413d93d0, priority=13, domain=permit, deny=false
hits=31, user_data=0x7fac39ac6380, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fac4045d2e0, priority=0, domain=nat-per-session, deny=false
hits=181, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fac4108b750, priority=0, domain=inspect-ip-options, deny=true
hits=41, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network SERVER
 nat (inside_1,outside) static interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fac413d7720, priority=6, domain=nat-reverse, deny=false
hits=17, user_data=0x7fac413d62f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside_1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I have still:
Flow is denied by configured rule
03-08-2020 02:02 PM
The configuration is working as you wanted it to work.
!
The command below is not going to work. The reason: let's assume you are a packet :) You landed on the outside interface. The ASA, as a security guard, checks who you are. Now, according to our access list, if you are TCP and have any (random) IP address you are good to come in, but the only condition is your source must be https, right. Now the ASA engine will check the NAT configuration, which we did and told the ASA (inside,outside) static interface. Now, where is the catch? "interface" means the ASA outside interface IP address.
The command below is never going to work. As told earlier, you are coming from the outside with a random IP address, but you need to put the destination as the IP address of the outside interface, not the inside IP address.
packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed
Now your configuration is working, so I hope you can mark this as the solution.
03-08-2020 03:08 PM
Hi Salim,
I thank you for your patience and availability, however I have not solved my problem.
In fact I tried to open a website at http://192.168.1.40 but it doesn't open.
I also tried from the public network, doing a "port-mapping" of port 80 from the public address to 192.168.1.40, but that doesn't work either.
What am I still missing?
Is the approach wrong? Do I have to follow a different path?
I hope you are willing to continue helping me, because your suggestions have been precious to me.
Thank you.
03-08-2020 04:14 PM
Do this config please
!
object network WEB_SERVER
host 192.168.1.40
nat (inside_1,outside) static 192.168.1.40
!
access-list OUT_IN extended permit tcp any object WEB_SERVER eq http
access-group OUT_IN in interface outside
!
packet-tracer input outside tcp 8.8.8.8 http 192.168.1.40 http detailed
03-09-2020 10:48 AM
Hi Salim,
I ran the commands you indicated to me:
!
object network WEB_SERVER
 host 192.168.1.40
 nat (inside_1,outside) static 192.168.1.40
!
access-list OUT_IN extended permit tcp any object WEB_SERVER eq http
access-group OUT_IN in interface outside
!
I then ran:
packet-tracer input outside tcp 8.8.8.8 http 192.168.1.40 http detailed
this is the result:
Result of the command: "packet-tracer input outside tcp 8.8.8.8 http 192.168.1.40 http detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dmz_in
 nat (inside_1,outside) static dmz_out
Additional Information:
NAT divert to egress interface inside_1
Untranslate 192.168.1.40/80 to 10.0.0.12/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3e43dd6b20, priority=13, domain=permit, deny=false
hits=162, user_data=0x7f3e3c4c63c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3e42e5d310, priority=0, domain=nat-per-session, deny=false
hits=417, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3e439d39b0, priority=0, domain=inspect-ip-options, deny=true
hits=164, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT_IN in interface outside
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3e43dd6b20, priority=13, domain=permit, deny=false
hits=163, user_data=0x7f3e3c4c63c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3e42e5d310, priority=0, domain=nat-per-session, deny=false
hits=418, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3e439d39b0, priority=0, domain=inspect-ip-options, deny=true
hits=165, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SERVER
 nat (inside_1,outside) static interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f3e43dd4e70, priority=6, domain=nat-reverse, deny=false
hits=82, user_data=0x7f3e43dd3a40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside_1

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f3e42e5d310, priority=0, domain=nat-per-session, deny=false
hits=420, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f3e43d86c20, priority=0, domain=inspect-ip-options, deny=true
hits=82, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f3e42e5d310, priority=0, domain=nat-per-session, deny=false
hits=421, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f3e43aa8560, priority=0, domain=inspect-ip-options, deny=true
hits=679, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_1, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1396, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside_1
output-status: up
output-line-status: up
Action: allow
However, I still cannot open the web page of my web server in the DMZ zone.
I have tried both from 192.168.1.16 and from the public IP after making a port mapping on my modem/router.
I refer you to my current configuration of the ASA5506-X:
Result of the command: "sh run"

: Saved
:
: Serial Number: JAD23491DFL
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password $sha512$5000$YF7WGccVhZL32TZ5JIVyzw==$Ce6xmlZRIG/9w+0h+1LTtg== pbkdf2
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.1.27 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8 outside
 name-server 4.4.4.4 outside
 name-server 192.168.1.1 outside
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network dmz_in
 host 10.0.0.12
 description dmz_in
object network dmz_out
 host 192.168.1.40
 description dmz_out
object network SERVER
 host 10.0.0.12
object network WEB_SERVER
 host 192.168.1.40
access-list outside_access extended permit tcp any4 object dmz_in eq www
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq https
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www
access-list OUT_IN extended permit tcp any object WEB_SERVER eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network dmz_in
 nat (inside_1,outside) static dmz_out
object network SERVER
 nat (inside_1,outside) static interface
object network WEB_SERVER
 nat (inside_1,outside) static 192.168.1.40
access-group OUT_IN in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.255.255.0 inside_1
http 10.0.0.0 255.255.255.0 inside_2
http 10.0.0.0 255.255.255.0 inside_3
http 10.0.0.0 255.255.255.0 inside_4
http 10.0.0.0 255.255.255.0 inside_5
http 10.0.0.0 255.255.255.0 inside_6
http 10.0.0.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca
  .....
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.5-10.0.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
service call-home
call-home
 reporting anonymous
 contact-email-addr aferrara.avvisi@gmail.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a1948c1568a74d350f44c09eab3a1b46
: end
Thanks.
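An added example, not posted by anyone in this thread, that reduces the running config above to a single static NAT for the DMZ host and lists the checks to run before testing again from 192.168.1.16. It keeps the thread's own object names (dmz_in, dmz_out) and ACL name (OUT_IN). The one assumption is that the web server is cabled to GigabitEthernet1/2 (inside_1): on this platform NAT is bound to the bridge-group member interface rather than to BVI1, which is why the posted config carries a separate obj_any1..obj_any7 rule per port, so a server on another port needs that port's nameif in the nat line. Two caveats a practitioner would check first: the posted config has three static NATs for the same server (dmz_in, SERVER and WEB_SERVER), and WEB_SERVER declares the mapped address 192.168.1.40 as if it were a real host, so the example removes those two; and because 192.168.1.16, the outside interface (192.168.1.27) and 192.168.1.40 all sit on one layer-2 segment, the ASA must answer ARP for 192.168.1.40, which a static NAT does by default (proxy ARP) as long as no-proxy-arp is not added.

```text
! Added example, not from the thread. One static NAT for the DMZ web server;
! the two overlapping statics from the posted running config are removed.
! Assumption: the server is on GigabitEthernet1/2 (inside_1).
!
object network SERVER
 no nat (inside_1,outside) static interface
object network WEB_SERVER
 no nat (inside_1,outside) static 192.168.1.40
!
! Real address 10.0.0.12 (dmz_in) is what the server owns; mapped address
! 192.168.1.40 (dmz_out) is what hosts on the outside segment connect to.
object network dmz_in
 host 10.0.0.12
 nat (inside_1,outside) static dmz_out
!
! ASA 8.3 and later evaluate ACLs against the real (untranslated) address,
! so the rule names 10.0.0.12, not 192.168.1.40. Port 80 only.
access-list OUT_IN extended permit tcp any host 10.0.0.12 eq www
access-group OUT_IN in interface outside
!
! Checks, in order:
! 1. exactly one static xlate for the server (10.0.0.12 <-> 192.168.1.40)
show nat detail
show xlate | include 10.0.0.12
! 2. on the client 192.168.1.16, "arp -a" must list 192.168.1.40 with the
!    MAC of the ASA outside interface (proxy ARP for the static; do not
!    add no-proxy-arp to the nat line above)
! 3. simulate the real client: phase 1 must be UN-NAT 192.168.1.40/80 to
!    10.0.0.12/80 and the last line "Action: allow"
packet-tracer input outside tcp 192.168.1.16 40000 192.168.1.40 80 detailed
! 4. if the browser still fails, buffer syslogs and look for denies or
!    resets while reloading the page from 192.168.1.16
logging buffered informational
show logging | include 192.168.1.16
```

If packet-tracer reports Action: allow but the browser still fails, the ASA is not the one dropping the flow: confirm the server's default gateway is 10.0.0.1 (the BVI1 address) so its replies come back through the ASA, and confirm the ARP entry on the client as in step 2. Note also that the earlier trace used the real address 10.0.0.12 as the destination; a packet arriving on outside has to be traced against the mapped address, which is what the trace in step 3 does.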
03-09-2020 11:32 AM
I thought it was a test network. Now you are saying you want to access this server from the internet and you have done the port mapping on your router.
Anyway, if you try to access the server from the internet then you had better stick with the ASA outside interface IP address, as your router does not know how to forward the packet to 192.168.1.40. Having said that, the configurations we provided with
nat (inside_1,outside) static interface
and
nat (inside_1,outside) static 192.168.1.40
are both correct, but in your network the best configuration is to use
nat (inside_1,outside) static interface
!
If you can't access the page from the internet then you have to figure out the router/modem configuration. As we tested, the ASA is doing its job properly.
03-09-2020 11:50 AM
Probably because of my English I didn't explain myself well.
I am using a test environment.
I am trying to open a web server page (192.168.1.40) starting from a host on the test network at the address 192.168.1.16 (see the network drawing that I posted). The page does not open.
As a further test I configured my modem/router by port-mapping the public address to the private address 192.168.1.40. Obviously in this second test I used the public IP to open the web page, and even this second test was not successful.
This was however just another attempt.
What I want to achieve is what I have indicated in the diagram that I refer you to (see below).
I want to open the web page starting from the host 192.168.1.16 by typing the ip 192.168.1.40.
Sorry for the inconvenience I am causing you, but as you may have guessed I am a beginner with firewalls.
Thanks again for everything.
03-09-2020 12:38 PM
I want to open the web page starting from the host 192.168.1.16 by typing the ip 192.168.1.40.
From IP address 192.168.1.16 you should be able to open the page at the ASA IP address 192.168.1.40.