12-12-2023 08:20 AM - edited 12-12-2023 08:32 AM
Hi All,
I am configuring the Cisco ASA to allow the internal network to access the external web server, which is run by the router at Cisco B as shown in the diagram below. I run the web server from the router using ip http server.
interface g0/0
ip address 192.168.50.1 255.255.255.0
nameif inside
security-level 100
interface g0/1
ip address 192.168.20.1 255.255.255.252
nameif outside
security-level 0
ip route outside 0.0.0.0 0.0.0.0 192.168.20.2
object-group internal-network
subnet 192.168.50.0 255.255.255.0
nat (inside,outside) static interface
object-group external
subnet 209.170.200.224 255.255.255.252
access-list inside_external extended permit tcp object-group internal-network object-group external eq http
access-group inside_external in interface inside
Router B
ip http server
access-list 12 permit any
ip http access-class 12
ip http authentication local
username cisco privilege 15 secret cisco
I tried browsing to the external IP, 209.170.200.225, in the web browser, and it is not showing the web server.
Please kindly assist.
12-12-2023 08:26 AM - edited 12-12-2023 08:27 AM
@Beginnerrr ACL 12 on router B is incorrect. Traffic will be NATed behind the ASA outside interface (192.168.20.1), so traffic will not come from the internal network. For testing, remove the ACL and try again, then apply the ACL with the correct network/host.
Also, is routing set up on the routers and ASA so they know how to communicate with each other? Make sure the ASA can ping 209.170.200.225.
12-12-2023 08:33 AM
I have corrected access-list 12 and allowed any host to access.
Yes, routing is set up on the routers and ASA. They are configured with 0.0.0.0 0.0.0.0 to the next-hop interface.
ASA can ping 209.170.200.225.
Is the NAT configuration wrong?
12-12-2023 08:39 AM - edited 12-12-2023 10:24 AM
@Beginnerrr tweak the NAT as below
object network internal-network
subnet 192.168.50.0 255.255.255.0
nat (inside,outside) dynamic interface
If that doesn't work run packet-tracer from the CLI of the ASA to simulate the traffic flow, example:
packet-tracer input inside tcp 192.168.50.5 3000 209.170.200.225 80
12-12-2023 10:12 AM
It did not work when I accessed the web IP, 209.170.200.225, from the browser.
The command you provided is not applicable for the NAT.
I typed this command: nat (inside,outside) after-auto source dynamic any interface
The output of packet-tracer is below.
packet-tracer input inside tcp 192.168.50.5 3000 209.170.200.225 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.20.2 using egress ifc outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_external in interface inside
access-list inside_external extended permit tcp object-group internal-network object-group external eq www
object-group network internal-network
network-object 192.168.50.0 255.255.255.0
object-group network external
network-object 209.170.200.224 255.255.255.252
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:
Dynamic translate 192.168.50.5/3000 to 192.168.20.1/3000
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
12-12-2023 10:31 AM
@Beginnerrr I've amended the command above; regardless, the packet-tracer output confirms that the traffic should work.
Does the internal PC have the correct default gateway of the ASA?
Run a packet capture on the ASA to confirm the traffic is sent and run a packet capture on the web server to confirm the traffic is received.
Allow ping - run the command fixup protocol icmp on the ASA and ping the web server from the PC to confirm connectivity.
12-12-2023 10:49 AM
The access worked. There was some issue in the ASA. I have reset the ASA device and redone the configuration.
It is working.
For the NAT configuration, is there a difference between yours and mine?
nat (inside,outside) after-auto source dynamic any interface
12-12-2023 10:55 AM
@Beginnerrr Using after-auto will process those NAT rules last, after the other NAT rules. If you apply both NAT rules and then run "show nat detail", you will see the order in which the rules are processed.