01-12-2010 01:55 AM - edited 03-11-2019 09:56 AM
I have an urgent configuration issue. I have port 80 open and forwarded through my firewall, which works great from the outside but does not work from within the network.
I have tried the same-security-traffic permit intra-interface command and everything else I could find online, but I still get nothing from inside the network.
I really need this to work from the inside for mail etc.
Any help would be greatly appreciated!
Here is my config:
asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password OTWkIuDnLYMtYMea encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif WAN1
 security-level 0
 ip address 64.61.54.114 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.3.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WAN1_access_in extended permit tcp any any eq www
access-list WAN1_access_in extended permit icmp any any
access-list 1 standard permit 10.10.3.0 255.255.255.0
access-list outside_nat0 extended permit ip 10.10.3.0 255.255.255.0 10.10.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu WAN1 1500
mtu management 1500
no failover
monitor-interface WAN1
monitor-interface management
icmp permit any WAN1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN1) 10 interface
global (management) 1 interface
nat (WAN1) 0 access-list outside_nat0
nat (management) 10 0.0.0.0 0.0.0.0
static (management,WAN1) tcp interface www 10.10.3.60 www netmask 255.255.255.255
static (management,management) tcp interface www 10.10.3.60 www netmask 255.255.255.255
access-group WAN1_access_in in interface WAN1
route WAN1 0.0.0.0 0.0.0.0 64.61.54.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 1
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
http server enable
http 10.10.3.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.3.2-10.10.3.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:5adffc48b154a93b54abf54e2fc59265
: end
01-12-2010 05:58 AM
Change
global (management) 1 interface
to
global (management) 10 interface
01-12-2010 06:03 AM
I tried that already, no luck.
Actually, it turns out after much research that this is impossible on software version 7.0.8; it was first allowed in version 7.2.
01-12-2010 03:53 PM
Could you please attach a topology. Is the server in a remote INSIDE LAN?
01-12-2010 04:49 PM
U-Turn translation is not a very good idea. Pls. remove this static
static (management,management) tcp interface www 10.10.3.60 www netmask 255.255.255.255
Pls. try to access the inside server using only its inside ip address
10.10.3.60.
http://10.10.3.60
does work from the inside computers right?
The inside computers in the 10.10.3.0/24 network should be able to access other servers in the same 10.10.3.0/24 network,
and that traffic should not even come to the firewall.
-KS
01-12-2010 04:55 PM
This is a unique environment where using external addresses is necessary.
This is a very standard setup: one inside interface and one external.
I will be doing an upgrade from 7.0.8 to 7.2 tomorrow to see if that fixes the problem.
Has anyone else solved this issue by upgrading?
01-12-2010 06:32 PM
Yes, the command was added only for encrypted traffic in 7.0 as you can read here:
Release Note 7.0
http://www.cisco.com/en/US/docs/security/asa/asa70/release/notes/asa_rn.html#wp207751
Release Note 7.2
http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn72.html#wp37875
You can now allow any traffic to enter and exit the same interface, and not just VPN traffic.
7.2(1): The intra-interface keyword now allows all traffic to enter and exit the same interface, and not just IPSec traffic.
You need to upgrade to 7.2(1) or later to be able to use the same-security command for clear-text traffic.
-KS
01-12-2010 06:50 PM
Thanks for confirming that for me, it was driving me crazy!
01-13-2010 07:37 PM
Jared -
I also had to perform DNS doctoring/rewrite because of the enforcing of HTTP Headers on our IIS server. You may need that as well. The problem for me was that internal users couldn't browse our website using DNS without the rewrite, and they couldn't use the private internal IP of the website due to the header requirement. Using hairpinning with DNS doctoring worked for me.
Regards,
Scott
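The following ASA 7.2(1)-or-later fragment is an added illustration of the two points made in this thread (clear-text hairpinning needs 7.2(1)+, and DNS doctoring avoids the U-turn for name-based access); it is not the original poster's running config, KS's or Scott's. It assumes that 64.61.54.115 is an unused address in the poster's 64.61.54.112/29 block and that the web server's public name resolves to that address on an external DNS server; both are placeholders to adjust.

```cisco
! Added example for ASA 7.2(1)+ (pre-8.3 NAT syntax). Not the poster's config.
! Assumed: 64.61.54.115 is a spare public address in 64.61.54.112/29.
!
! 1. DNS doctoring: publish the server on a dedicated public address rather than
!    the WAN1 interface address. The "dns" keyword tells DNS inspection to rewrite
!    the A record 64.61.54.115 -> 10.10.3.60 in replies crossing from WAN1 to
!    management, so inside clients that resolve the public name connect straight to
!    10.10.3.60 and the host header the server expects is preserved. DNS rewrite is
!    not available on port-forwarding (static PAT) entries such as
!    "tcp interface www", which is why a dedicated address is used.
static (management,WAN1) 64.61.54.115 10.10.3.60 netmask 255.255.255.255 dns
!
! Pre-8.3 outside ACLs are written against the mapped (public) address.
access-list WAN1_access_in extended permit tcp any host 64.61.54.115 eq www
access-group WAN1_access_in in interface WAN1
!
! DNS inspection must be active for the rewrite to happen (the poster's
! global_policy already has it).
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
!
! 2. Hairpin for clients that still connect to the public address by IP.
!    Only valid for clear-text traffic from 7.2(1) on (see the release note quoted
!    above); on 7.0(8) the intra-interface keyword covers IPSec traffic only.
same-security-traffic permit intra-interface
!
!    A self-referencing static translates the public address back to the server
!    for traffic arriving on management...
static (management,management) 64.61.54.115 10.10.3.60 netmask 255.255.255.255
!
!    ...and the global/nat IDs must match (the thread's config paired global id 1
!    with nat id 10) so the client's source is PAT'ed to the inside interface
!    address and the server's replies return through the firewall.
global (management) 10 interface
nat (management) 10 0.0.0.0 0.0.0.0
!
!    The old port-forwarding U-turn static from the thread is no longer needed:
no static (management,management) tcp interface www 10.10.3.60 www netmask 255.255.255.255
```

Two caveats worth checking before relying on this: the rewrite only happens on DNS replies that actually traverse the ASA, so inside clients that query an internal DNS server will not see the doctored answer (split DNS on the internal server is the alternative there), and the hairpin section is only honoured once the unit runs 7.2(1) or later, which is what the poster's upgrade was for.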