
Firepower 2120 with ASA Code - Web Services Hosting Failed

Boon Keat Gan
Level 1

Hi All,


We recently purchased a Firepower 2120 with ASA Code 9.9.1. We managed to set up AnyConnect and can connect from the internet.

 

We are trying to host a public server. We have the access rules and NAT in place, but in the log it always throws SYN Timeout. Does the Firepower 2120 come with some security features that need to be turned off?

 

My setup is as follows.

 

Interface 1/1 - Internet - Security-Level 0

1.1.1.1

 

Interface 1/2 - Internal - Security-Level 1

10.152.55.254

 

Interface 1/3 - Services - Security-Level 1

192.168.7.254

 

My internal server is located in the Services zone with IP address 192.168.7.55.

 

The access rule and NAT are as follows:

 

access-list Internet_access extended permit tcp any4 object 192.168.7.55 eq www

 

object network obj_any
nat (Internal,Internet) dynamic interface
object network test_Services
nat (Services,Internet) static 1.1.1.5

 

When I access http://1.1.1.5 from the public internet, it just gets a SYN Timeout.

Can anyone advise?


I have attached the full config.


Bogdan Nita
VIP Alumni

The configuration seems to be OK regarding the NAT.

The following command:

route Internet 0.0.0.0 0.0.0.0 10.152.55.254 tunneled

I believe should be:

route Internal 0.0.0.0 0.0.0.0 10.152.55.254 tunneled

but I do not think it is the problem with the NAT.

 

Can you post the output from packet-tracer?

packet-tracer input Internet tcp 2.2.2.2 1025 1.1.1.5 80

Hi,

Sorry for the late reply. It ended up that the configuration is fine. The problem was that the server did not have a gateway set in its IP address settings. Haha.

 

Thanks!
