can't access my server from outside -TCP http

sultantzahir
Level 1

Hi everybody, I would like some help. Here is all the configuration I did.

interface GigabitEthernet0/0
 description Internet Circuit
 nameif Internet
 security-level 0
 ip address X.X.X.78 255.255.255.252

interface GigabitEthernet0/1
 description DATA VLAN
 nameif DATA-LAN
 security-level 100
 ip address 10.110.0.1 255.255.255.0

route Internet 0.0.0.0 0.0.0.0 X.X.X.87

object network 10.110.0.0
 subnet 10.110.0.0 255.255.255.0

nat (DATA-LAN,Internet) source dynamic 10.110.0.0 interface

object service HTTP_Service
 service tcp destination eq http

object network INSIDE_IP_SERVER
 host 10.110.0.13

nat (DATA-LAN,Internet) source static INSIDE_IP_SERVER interface service HTTP_Service HTTP_Service

access-list ALLOW_OUT_IN extended permit tcp any object INSIDE_IP_SERVER eq www
access-group ALLOW_OUT_IN in interface Internet

When I try from outside to do http://X.X.X.8, I can't access it.

When I do:

packet-tracer input Internet TCP X.X.X.77 80 X.X.X.78 80 ==> packet passes with the NAT I did

packet-tracer input Internet TCP 8.8.8.8 80 X.X.X.78 80 ==> packet passes

packet-tracer input Internet TCP X.XX.8 80 10.110.0.13 80 ==> packet doesn't pass (NAT in 10.110.0.0 255.255.255.0 DATA LAN (acl-drop))

My questions:

1) The IP address that my SP gave me, X.X.X.78/30, is it my public IP address?

2) Why can't I http://X.X.X.78 from outside?

6 Replies

Milos Megis
Level 3

Hi,
I am not familiar with FW configuration, but at first look X.X.X.8/30 is a subnet, not a valid IP address.

So if I am right, then you need to use IP addresses X.X.X.9/30 and X.X.X.10/30 (only these two are valid IP addresses from that range).

It is strange that the FW allows entering that IP address, because when I try it on a router I get an error:
R1(config-if)#ip add 192.168.1.8 255.255.255.252
Bad mask /30 for address 192.168.1.8

Also, IP address X.X.X.7/30 is the broadcast address from the "previous" subnet.

I'm sorry, that was just for privacy:

interface GigabitEthernet0/0
 description Internet Circuit
 nameif Internet
 security-level 0
 ip address X.X.X.78 255.255.255.252

The IP address of the SP is X.X.X.77/30.

Pawan Raut
Level 4

1) The IP address that my SP gave me, X.X.X.8/30, is it my public IP address? --> Yes, it is a public IP address.

2) Why can't I http://X.X.X.8 from outside? --> The outside interface (here Internet) has a lower security level than the inside interface (here Data), hence traffic drops. You need to add the command below to the firewall configuration.

same-security-traffic permit inter-interface

I did what you told me in a GNS3 lab, and I changed HTTP to Telnet.

I did static NAT, but I couldn't connect to Telnet.

I agree with Milos. The IPs you should be using for the x.x.x.8/30 subnet are .9 or .10. One of these will be used by your ISP, so this would be the default route for your ASA. The other would be your ASA public IP.

--
Please remember to select a correct answer and rate helpful posts
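
The /30 arithmetic discussed in the replies above can be checked offline before an address or default route goes onto a firewall. This is an added example, not code from any poster in the thread; the function names are hypothetical and the addresses are the 192.168.1.x values from the router test above plus constructed neighbours. It generalizes slightly by also validating the next hop.

```python
import ipaddress

MASK = "255.255.255.252"  # the /30 mask used throughout the thread

def classify(addr, mask):
    """Return 'network', 'broadcast' or 'host' for addr inside its own subnet."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    if net.prefixlen >= 31:  # /31 and /32 reserve no addresses
        return "host"
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"

def usable_hosts(addr, mask):
    """List the assignable addresses of the subnet that contains addr."""
    net = ipaddress.ip_interface(f"{addr}/{mask}").network
    return [str(h) for h in net.hosts()]

def check_link(interface_ip, mask, next_hop):
    """Return a list of problems with an interface address and its next hop."""
    iface = ipaddress.ip_interface(f"{interface_ip}/{mask}")
    net, hop = iface.network, ipaddress.ip_address(next_hop)
    problems = []
    role = classify(interface_ip, mask)
    if role != "host":
        problems.append(f"{interface_ip} is the {role} address of {net}")
    if hop not in net:
        problems.append(f"next hop {hop} is outside {net}")
    elif classify(next_hop, mask) != "host":
        problems.append(f"next hop {hop} is the {classify(next_hop, mask)} address of {net}")
    elif hop == iface.ip:
        problems.append("next hop equals the interface's own address")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs: (interface address, next hop)
    for ip, hop in [("192.168.1.8", "192.168.1.9"),
                    ("192.168.1.10", "192.168.1.9"),
                    ("192.168.1.10", "192.168.1.19")]:
        print(ip, "via", hop, "->", check_link(ip, MASK, hop) or "ok")
    print("usable hosts:", usable_hosts("192.168.1.8", MASK))
```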