cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1220
Views
0
Helpful
7
Replies

CISCO ASA5510 help

shalvin_caaf
Level 1
Level 1

My Scenario:

Cisco ASA 5510  directly facing the internet on E0/0 (1 Public IP only) with internal  LAN on E0/1. Exchange 2010 OWA working fine with ACL and NAT rules  configured.

Problem:

  • •1.       Cannot publish internal web servers to outside, have tried PAT.
  • •2.        Have multiple web servers to publish with all on one protocol (HTTP) to  a single public IP which I don’t know if it’s possible on a ASA.
  • •3.        When SSL VPN is configured with Local user database, connecting from  Anyconnect client gives a certificate error. Upon viewing the  certificate it points to the internal mail server.

Help please .

7 Replies 7

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

1) Can you share the NAT setup and ACL's for that setup

2) It can be possible but on the outside interface you should use another port than 80 as that would be used by another server, this if only one IP is available,

3) What is the certificate that you are using for the Anyconnect clients, is it the self-generated one?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Please see my config:

ASA Version 8.2(5)

!

hostname xxxciSCOASAXX

enable password encrypted

passwd encrypted

names

name 10.70.75.XX XXXsrvmx01 description Exchange-Server

name 202.62.XXX.XXX mail.caaf.org.fj description ExtInt

name 10.70.75.XX XXcenter description vmware

name 10.70.75.XX DVR description dvr

name 10.70.75.XX ICTA description ICT Laptop

name 10.70.75.XX XXXsrvaqd01 description AQDportal

name 10.70.75.XX XXSS-Int description hrss

name 10.70.75.XX otrs description otrs

dns-guard

!

interface Ethernet0/0

description WAN_Link

nameif outside

security-level 0

ip address XXX.XXX.org.fj 255.255.255.252

!

interface Ethernet0/1

description LAN_Link

nameif inside

security-level 100

ip address 10.70.75.XX 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone FJST 12

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq www

port-object eq https

port-object eq pop3

port-object eq smtp

object-group service DM_INLINE_TCP_2 tcp

port-object eq https

port-object eq smtp

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1

access-list outside_access_in_1 extended permit tcp any interface outside object-group DM_INLINE_TCP_2

access-list outside_access_in_1 extended permit tcp any interface outside eq 100

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp XXXsrvmx01 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https XXXsrvmx01 https netmask 255.255.255.255

static (inside,outside) tcp interface 100 DVR 100 netmask 255.255.255.255

access-group outside_access_in_1 in interface outside

route outside 0.0.0.0 0.0.0.0 202.62.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

http authentication-certificate inside

http authentication-certificate management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=xxxCISCOASAxx

crl configure

crypto ca server

shutdown

smtp from-address admin@xxxCISCOASAxx.null

  quit

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point ASDM_TrustPoint0 outside

webvpn

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy remoteVPN internal

group-policy remoteVPN attributes

vpn-tunnel-protocol webvpn

tunnel-group RemoteVPN type remote-access

tunnel-group RemoteVPN general-attributes

address-pool VPN_pool

default-group-policy remoteVPN

!

class-map global-class

match access-list global_mpc

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

class global-class

  csc fail-close

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

Cryptochecksum:fd21551

: end

Hello,

What is the Ip address of the internal web server that you are trying to access from the outside

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

its 10.70.75.35 HRSS-Int description hrss

Hello,

I do not see any NAT for that

but it should be

static (inside,outside) tcp interface 8080 10.70.75.35 80

access-list outside_access_in_1 line 1 permit tcp any host interface_ip_address eq 8080

Then connect from an outside client to port 8080 on the IP address of the outside interface of the ASA and that should do it

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Have tried the commands but am getting the following when trying to connect to the http server.

I have also done binding to port 8080 via IIS but still am facing the same issue.

HTTP Error 404. The requested resource is not found

Hello Shalvindra,

I would say the configuration is the required one,

Can you do a capture on the outside interface and inside interface

cap capout interface outside permit tcp any host x.x.x.x eq 8080 ( outisde ASA ip address)

cap capin interface inside permit tcp any host x.x.x.x eq 80 ( Inside server IP address)

Then try to connect and provide

show cap capout

show cap capin

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card