Can't Access Internal Servers From Behind An ASA 5505

b_peacock28
Level 1

Hi all.

I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. https://citrixdr.xxx.co.uk) I do not arrive at the splash page, I just get a message in the web browser saying that the server took too long to respond. I'm wondering whether I have missed something in the configuration or the firewall itself is not letting my requests through.

The remote servers are located at a remote Disaster Recovery site and use the subnet 192.168.4.0/24. I am at head office which is connected to the DR site via a VPN using 192.168.1.0/24.

My running configuration is below; if anyone could have a browse through it, it would be much appreciated.

LM-DR-ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname xxx
domain-name xxx.local
enable password 9tc.bMMQOdcEzWlK encrypted
passwd zh5kKKD1zRf47kwr encrypted
names
name 216.82.240.0 MLT1
name 67.219.240.0 MLT2
name 85.158.136.0 MLT3
name 95.131.104.0 MLT4
name 46.226.48.0 MLT5
name 117.120.16.0 MLT6
name 193.109.254.0 MLT7
name 194.106.220.0 MLT8
name 195.245.230.0 MLT9
name 103.3.96.0 MLT10
name xxx.xxx.xxx.xxx citrixdr.xxx.co.uk
name xxx.xxx.xxx.xxx maildr.xxx.co.uk
name xxx.xxx.xxx.xxx webmaildr.xxx.co.uk
name 192.168.4.23 LON-EXCH-03
name 192.168.4.30 Citrix-Access-Gateway
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.4.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM-INLINE-SERVICE
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group network VPN-REMOTE
 network-object 192.168.1.0 255.255.255.0
object-group protocol PROTOCOL-LIST
 protocol-object ip
 protocol-object icmp
 protocol-object pim
 protocol-object pcp
 protocol-object snp
 protocol-object udp
 protocol-object igmp
 protocol-object ipinip
 protocol-object gre
 protocol-object esp
 protocol-object ah
 protocol-object tcp
 protocol-object eigrp
 protocol-object ospf
 protocol-object igrp
 protocol-object nos
object-group service DM-INLINE-TCP-1 tcp
 port-object eq https
 port-object eq smtp
object-group service DM-INLINE-TCP-2 tcp
 port-object eq www
 port-object eq https
object-group network MESSAGE-LABS-TOWERS
 network-object MLT1 255.255.240.0
 network-object MLT2 255.255.240.0
 network-object MLT3 255.255.248.0
 network-object MLT4 255.255.248.0
 network-object MLT5 255.255.248.0
 network-object MLT6 255.255.248.0
 network-object MLT7 255.255.254.0
 network-object MLT8 255.255.254.0
 network-object MLT9 255.255.254.0
 network-object MLT10 255.255.252.0
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-access-in extended permit ip any any
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 any
access-list inside-access-in extended permit icmp any any
access-list outside-access-in extended permit object-group DM-INLINE-SERVICE any any
access-list outside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit tcp any host webmaildr.xxx.co.uk object-group DM-INLINE-TCP-2
access-list outside-access-in extended permit tcp any host maildr.xxx.co.uk object-group DM-INLINE-TCP-1
access-list outside-access-in extended permit tcp any host citrixdr.xxx.co.uk eq https
access-list outside-access-in extended permit tcp object-group MESSAGE-LABS-TOWERS host LON-EXCH-03 eq smtp
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list testcap extended permit icmp host 192.168.1.11 host 192.168.4.1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside-nat0-outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp citrixdr.xxx.co.uk https Citrix-Access-Gateway https netmask 255.255.255.255
static (inside,outside) tcp maildr.xxx.co.uk smtp LON-EXCH-03 smtp netmask 255.255.255.255
static (inside,outside) tcp webmaildr.xxx.co.uk https LON-EXCH-03 https netmask 255.255.255.255
access-group inside-access-in in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 outside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-map 1 match address outside-1-cryptomap
crypto map outside-map 1 set peer xxx.xxx.xxx.xxx
crypto map outside-map 1 set transform-set ESP-3DES-SHA
crypto map outside-map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.4.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxx password LUZB8j2zj03xvSeF encrypted
username xxx password RxEDmrZ7KCRzPu4T encrypted
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:61e54b16fb87f1e6fa3b8d520e87ddc0
: end

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I imagine that even though you have a L2L VPN configured between the sites, you are connecting to the remote servers through the Internet (without the VPN)?

- Jouni
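Jouni's question (tunnel or Internet?) can be answered mechanically from the posted config. This added Python check (not from the thread, nor a Cisco tool) parses the crypto-map ACL, the nat 0 exemption and the static PATs from a constructed excerpt of the config above; the masked public address of citrixdr.xxx.co.uk is replaced by the placeholder 203.0.113.10, which is an assumption.

```python
import ipaddress
import re

# Constructed excerpt of the relevant lines of the posted ASA 8.2(5) config; the masked
# public address of citrixdr.xxx.co.uk is replaced by the placeholder 203.0.113.10 (assumption).
CONFIG = """\
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside-map 1 match address outside-1-cryptomap
nat (inside) 0 access-list inside-nat0-outbound
static (inside,outside) tcp 203.0.113.10 https 192.168.4.30 https netmask 255.255.255.255
"""

def _net(tokens):
    """Consume one ASA address spec (any | host X | X MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]

def acl_permits(config, name, src, dst):
    """True if any 'permit ip' ACE of the named access-list covers the src -> dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["access-list", name] and t[3:5] == ["permit", "ip"]:
            src_net, rest = _net(t[5:])
            dst_net, _ = _net(rest)
            if s in src_net and d in dst_net:
                return True
    return False

def egress_path(config, src, dst):
    """How the DR ASA forwards a packet leaving 'inside' from src to dst. The crypto-map ACL is
    evaluated after NAT, so the tunnel is only used when the nat 0 exemption ALSO matches."""
    crypto_acl = re.search(r"crypto map \S+ \d+ match address (\S+)", config).group(1)
    nat0_acl = re.search(r"nat \(inside\) 0 access-list (\S+)", config).group(1)
    in_crypto = acl_permits(config, crypto_acl, src, dst)
    in_nat0 = acl_permits(config, nat0_acl, src, dst)
    if in_crypto and in_nat0:
        return "vpn"
    if in_crypto:
        return "internet-pat (nat 0 exemption missing, tunnel bypassed)"
    return "internet-pat"

def public_entry_points(config):
    """Static PATs: a client hitting these public addresses arrives via outside-access-in, not the tunnel."""
    return {m.group(1): m.group(2) for m in re.finditer(
        r"static \(inside,outside\) tcp (\S+) \S+ (\S+) \S+ netmask", config)}
```

A head-office client that resolves citrixdr.xxx.co.uk to its public address therefore exercises the Internet path (static PAT plus outside-access-in), while only 192.168.4.x to 192.168.1.x traffic uses the tunnel; the two paths fail independently.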


Hi Jouni, thanks for your response.

Turns out that the Citrix Access Gateway wasn't set up until yesterday evening and by then I had stopped trying for the day. It is now set up and external access is available.

Further to this, my colleague forgot to inform me of the change of IP address of the Exchange server. This meant that Webmail requests were pointing to an IP address that didn't exist.

I have reconfigured the firewall this morning and external access for Webmail is also working correctly.
