Cannot access internal webserver from outside network

rahulpandit
Level 1

Hi,

I am using an ASA 5520 with 8.2.4 IOS. I'm new to ASA/firewalls. I'm sorry if I'm not clear about the things that I mention here.

I need to access the webserver from the outside network.

From the laptop (192.168.2.51), if I connect to https://192.168.2.50, it should open the page from 10.10.10.50.

I also need to ssh to the webserver from the laptop. If I ssh to 192.168.2.50 from the laptop, it should connect to 10.10.10.50.

Laptop: 192.168.2.51

ASA Outside: 192.168.2.50

Outside router: 192.168.2.1

ASA Inside: 10.10.10.50

Webserver: 10.10.10.51

I can't get to the webserver from the outside network, so for now I have connected the laptop directly to the ASA 5520 outside port with a crossover cable.

The ASA inside port connects to an L3 switch. The webserver also connects to the L3 switch. But it still doesn't work.

Please see my attached ASA config file.

I don't know what I am doing wrong. Please help me.

9 Replies

Maykol Rojas
Cisco Employee

Hello,

Let's start with some basics: you cannot do a static one-to-one with the interface IP... If you don't have an available IP to use for the webserver and you only have the interface IP, you need to do port forwarding. Now, the regular NAT to go out to the internet is messed up as well. So here are some configuration changes that I propose:

For accessing the webserver from the outside world...

no static (inside,outside) interface 10.10.10.51 netmask 255.255.255.255

static (inside,outside) tcp interface 80 10.10.10.51 80 netmask 255.255.255.255

You will access the webserver using the IP address 192.168.2.50 on port 80, not the real IP.

In order to go out to the internet, if your default gateway does not know how to get to your internal network, you will need to do dynamic NAT to use the IP address of the interface, similar to what you are doing here...

global (inside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

But with the following change:

no global (inside) 1 interface

global (outside) 1 interface

If right now, without doing those changes, you are able to ping the internet from the ASA just by doing ping 4.2.2.2, and if your Internet router is properly configured, then after these changes everything should come up right...

Let me know if you have any troubles.

Mike

Hi Mike,

Thanks for the reply.

Can you explain the lines below to me in detail? Sorry, I didn't get it.

"Let's start with some basics: you cannot do a static one-to-one with the interface IP... If you don't have an available IP to use for the webserver and you only have the interface IP, you need to do port forwarding."

I suppose I have to use the firewall IP from outside to get to the webserver, like https://192.168.2.50.

Do I need an extra command for port forwarding?

I have to use https, so I will change port 80 to 443.

static (inside,outside) tcp interface 443 10.10.10.51 443 netmask 255.255.255.255

I also need to ssh from outside to 10.10.10.51.

static (inside,outside) tcp interface 22 10.10.10.51 22 netmask 255.255.255.255

Will the above command work for ssh?

Right now, I have connected the outside laptop to the ASA using a crossover cable. I am not connecting to the outside/internet router. Will this setup work for test purposes? Or do I have to connect the outside/internet router to the ASA?

From the ASA, I can ping 192.168.2.51 and 10.10.10.51. You mentioned pinging 4.2.2.2. What is 4.2.2.2?

Thanks for your reply.

Rahul.

Hi,

I did not read the part where you had the computer connected directly; I assumed that the firewall was a production box, sorry. 4.2.2.2 is a public server on the internet that we use for testing connectivity to the cloud.

Yes, basically the statements that you are putting there:

static (inside,outside) tcp interface 22 10.10.10.51 22 netmask 255.255.255.255

static (inside,outside) tcp interface 443 10.10.10.51 443 netmask 255.255.255.255

They should work for SSH and port 443... that should do the trick... From the laptop connected to the outside you should be able to ssh/web browse to the server on the inside... using the outside IP of the firewall... Let me know if you are still having problems.

Mike...
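
As an added example (not from the thread or from Cisco), a small Python checker for the pre-8.3 ASA static/global/nat syntax discussed above: it flags the two mistakes Mike described (a one-to-one static on the interface IP, and the global pool placed on the inside interface) and lists the port forwards the corrected lines create. The config fragments inside it are constructed from the lines quoted in this thread.

```python
import re
# ASA 8.2 NAT lines constructed from the thread: "before" reproduces the two
# mistakes Mike pointed out, "after" is his corrected port-forwarding setup.
BEFORE_CFG = """
static (inside,outside) interface 10.10.10.51 netmask 255.255.255.255
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
AFTER_CFG = """
static (inside,outside) tcp interface 443 10.10.10.51 443 netmask 255.255.255.255
static (inside,outside) tcp interface 22 10.10.10.51 22 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# Pre-8.3 syntax: static (real,mapped) [tcp|udp] <mapped> [port] <real> [port] netmask <mask>
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)(?: (?P<proto>tcp|udp))?"
    r" (?P<mapped>\S+)(?: (?P<mport>\d+))? (?P<real>\S+)(?: (?P<rport>\d+))? netmask \S+$")
GLOBAL_RE = re.compile(r"^global \((?P<iface>\w+)\) (?P<nat_id>\d+) .+$")
NAT_RE = re.compile(r"^nat \((?P<iface>\w+)\) (?P<nat_id>\d+) \S+ \S+$")

def parse(cfg):
    """Split a config fragment into lists of static, global and nat entries."""
    found = {STATIC_RE: [], GLOBAL_RE: [], NAT_RE: []}
    for line in cfg.strip().splitlines():
        for regex, bucket in found.items():
            m = regex.match(line.strip())
            if m:
                bucket.append(m.groupdict())
    return found[STATIC_RE], found[GLOBAL_RE], found[NAT_RE]

def lint(cfg):
    """Return the problems Mike called out in the thread, as readable findings."""
    statics, globals_, nats = parse(cfg)
    findings = []
    for s in statics:  # a one-to-one static on the interface address is rejected by the ASA
        if s["mapped"] == "interface" and s["proto"] is None:
            findings.append("one-to-one static on the %s interface IP is not allowed; use "
                            "'static (%s,%s) tcp interface <port> %s <port>' (port forwarding)"
                            % (s["mapped_if"], s["real_if"], s["mapped_if"], s["real"]))
    pools = {g["nat_id"]: g["iface"] for g in globals_}
    for n in nats:  # the global pool must sit on the egress interface, not the nat source
        if pools.get(n["nat_id"]) == n["iface"]:
            findings.append("global (%s) %s is on the nat source interface; it belongs on the "
                            "egress (outside) interface" % (n["iface"], n["nat_id"]))
    return findings

def port_forwards(cfg):  # (proto, mapped port, real ip, real port) per port-forwarding static
    return [(s["proto"], int(s["mport"]), s["real"], int(s["rport"]))
            for s in parse(cfg)[0] if s["proto"]]
```

Running lint(BEFORE_CFG) yields two findings and lint(AFTER_CFG) none, while port_forwards(AFTER_CFG) shows 192.168.2.50:443 and :22 mapping to 10.10.10.51.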

Thanks for the reply. I will try your changes tomorrow and let you know.

I forgot to mention that on the L3 switch, the port that connects to the ASA inside port is assigned as an access port in VLAN 100.

The L3 switch also has an access port assigned to VLAN 100 for the webserver.

I hope that's how it should be configured.

Thanks.

Sorry for the late reply. I was working all day trying to figure out the problem.

I'm still having the issue. I can't ssh or https to the webserver from outside. Both work fine from the internal network.

I did a tcpdump on the webserver. I saw packets coming in from the outside laptop to the webserver and going out from the webserver to the outside laptop.

I am not sure what is wrong at this point. It could be my network issue or an ASA/firewall issue.

Thanks.

Hi Rahul,

Can you provide the output of show run nat, show run global and show run static?

Can you also run this packet-tracer and let me know the results:

packet-tracer input outside tcp 1.1.1.1 22 192.168.2.50 22 detailed

Also, please take captures as well:

https://supportforums.cisco.com/docs/DOC-1222

and share the results.

Thanks,

Varun

Adding to what Varun requested, send us the tcpdump that you took from the server; if you could send it in pcap format, that would be awesome.

Mike

Sorry guys for the late reply.

The problem was on the server side. The server didn't have a proper route. After applying the proper route, Mike's static NAT rules worked fine.

Thank you guys.

Glad we could help.

Mike