09-05-2013 05:19 PM - edited 03-11-2019 07:34 PM
I have an internal web server (172.18.80.99) that I need to access from the outside. I've created the necessary access-rule and static translation but I'm not sure if the configuration is correct. I'm unable to view the webserver from outside. Site is up because I can browse it internally on port 80. Any help is appreciated.
access-list outside_access_in extended permit tcp any host pu.bl.ic.ip eq 4526 log debugging
access-group outside_access_in in interface outside
static (inside,outside) tcp pu.bl.ic.ip 4526 172.18.80.99 www netmask 255.255.255.255
When I do a sh xlate, I can see the translation but the site doesn't come up. It times out after about 30 seconds.
PAT Global pu.bl.ic.ip(4526) Local 172.18.80.99(80)
How can I tell if the firewall is blocking the connection?
09-05-2013 08:26 PM
Hello Troy,
Do the following
cap capout interface outside match tcp any host Public_Ip eq 4526
cap capin interface Inside match tcp any host 172.18.80.99 eq 4526
cap asp type asp-drop all circular-buffer
Then try to connect (once) and provide the output after it timed out. (Again, after you set the captures, only access the server once, for ease of troubleshooting.)
show cap capout
show cap capin
show cap asp | include 172.18.80.99
show cap asp | include Public_IP
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-06-2013 10:31 AM
Thank you Julio, it looks like my ASA config was correct; I just needed to open port 80 on the webserver. Silly mistake on my part. But here is the capture anyways. What does the F S P R represent?
1: 09:49:53.206211 ou.ts.id.host.1226 > pu.bl.ic.ip.4526: F 412879764:412879764(0) ack 4209187011 win 65535
2: 09:49:53.206486 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: . ack 412879765 win 65533
3: 09:49:54.281754 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: F 4209187011:4209187011(0) ack 412879765 win 65533
4: 09:49:59.206852 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
5: 09:50:02.218464 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
6: 09:50:08.250444 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
7: 09:50:15.128426 ou.ts.id.host.1226 > pu.bl.ic.ip.4526: F 412879764:412879764(0) ack 4209187011 win 65535
8: 09:50:15.128762 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: . ack 412879765 win 65533
9: 09:50:18.175222 pu.bl.ic.ip.4526 > ou.ts.id.host.1226: F 4209187011:4209187011(0) ack 412879765 win 65533
10: 09:50:18.291229 ou.ts.id.host.1226 > pu.bl.ic.ip.4526: . ack 4209187012 win 65535
11: 09:50:20.264070 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
12: 09:50:45.547853 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
13: 09:51:40.709435 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
14: 09:51:40.709954 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: S 255423373:255423373(0) ack 3599978993 win 65535
15: 09:51:41.009963 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: . ack 255423374 win 65535
16: 09:51:41.534731 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: P 3599978993:3599979655(662) ack 255423374 win 65535
17: 09:51:41.535754 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: P 255423374:255423590(216) ack 3599979655 win 64873
18: 09:51:41.920499 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: P 3599979655:3599979929(274) ack 255423590 win 65319
19: 09:51:41.921567 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255423590:255424838(1248) ack 3599979929 win 64599
20: 09:51:41.921659 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255424838:255426086(1248) ack 3599979929 win 64599
21: 09:51:41.921766 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255426086:255427334(1248) ack 3599979929 win 64599
22: 09:51:41.921812 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: . 255427334:255427370(36) ack 3599979929 win 64599
23: 09:51:42.020567 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: R 3599979929:3599979929(0) ack 255424838 win 0
09-06-2013 11:25 AM
Hello Troy,
Nice you did it man
S: SYN
R: Reset
F: FIN
Cheers,
Julio Carvajal Segura
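Added example, not part of the original thread: a small Python parser for the tcpdump-style lines that "show capture" prints, which decodes the flag letter (in that notation P is PSH and "." means no flag other than ACK) and counts how many times a client SYN was sent before a SYN-ACK came back. Repeated SYNs with no reply in the outside capture mean the request reached the ASA and nothing answered it, which is the pattern in packets 4-13 above. The function names parse and handshake_report are this example's own.

```python
import re

# Flag letters in tcpdump-style "show capture" output; "." means no flag besides ACK.
FLAGS = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK only"}
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flag>[SFPR.])\s+"
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s+)?(?:ack\s+(?P<ack>\d+)\s+)?win\s+\d+")

# Excerpt of the capture posted above (packets 4-6, 11-14 and 23), addresses as masked there.
SAMPLE = """\
4: 09:49:59.206852 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
5: 09:50:02.218464 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
6: 09:50:08.250444 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
11: 09:50:20.264070 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
12: 09:50:45.547853 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
13: 09:51:40.709435 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: S 3599978992:3599978992(0) win 65535
14: 09:51:40.709954 pu.bl.ic.ip.4526 > ou.ts.id.host.1243: S 255423373:255423373(0) ack 3599978993 win 65535
23: 09:51:42.020567 ou.ts.id.host.1243 > pu.bl.ic.ip.4526: R 3599979929:3599979929(0) ack 255424838 win 0
"""

def parse(capture):
    """Return one dict per recognised capture line, with the flag letter decoded."""
    packets = []
    for m in filter(None, map(LINE.match, capture.splitlines())):
        p = m.groupdict()
        p["seq"], p["ack"] = (int(v) if v else None for v in (p["seq"], p["ack"]))
        p["meaning"] = FLAGS[p["flag"]]
        packets.append(p)
    return packets

def handshake_report(packets):
    """Per client SYN: how often it was sent before an answer, and whether a SYN-ACK came back."""
    report = {}
    for p in packets:
        if p["flag"] != "S":
            continue
        if p["ack"] is None:  # client SYN, first transmission or a retransmission
            e = report.setdefault((p["src"], p["dst"], p["seq"]), {"syns": 0, "answered": False})
            if not e["answered"]:
                e["syns"] += 1
        elif (p["dst"], p["src"], p["ack"] - 1) in report:  # SYN-ACK acks the client ISN + 1
            report[(p["dst"], p["src"], p["ack"] - 1)]["answered"] = True
    return report

if __name__ == "__main__":
    for (src, dst, _), e in handshake_report(parse(SAMPLE)).items():
        state = "answered" if e["answered"] else "never answered"
        print(f"{src} -> {dst}: {e['syns']} SYN(s), {state}")
```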