Thank you very much for your quick response;

I followed your instructions exactly, I'm still no luck in either case, the LAN has no internet access and does not display the Web server

Only the LAN have internet access when the OUTSIDE interface obtains the address by DHCP

this is my setup.

ASA Version 8.3 (1)

!

hostname ciscoasa

enable password encrypted tna0ggcckiszs8HE

2KFQnbNIdI.2KYOU encrypted passwd

names

!

VLAN1 interface

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface VLAN2

nameif outside

security-level 0

ip address 186.151.161.26 255 255 255 252

!

VLAN3 interface

no forward interface vlan1

nameif DMZ

security-level 50

ip address 10.30.30.1 255.255.255.0

!

interface Ethernet0 / 0

switchport access vlan 2

!

interface Ethernet0 / 1

switchport access vlan 3

!

interface Ethernet0 / 2

!

interface Ethernet0 / 3

!

interface Ethernet0 / 4

!

interface Ethernet0 / 5

!

interface Ethernet0 / 6

!

interface Ethernet0 / 7

!

ftp passive mode

network object obj_any

subnet 0.0.0.0 0.0.0.0

Web-Server network object

host 10.30.30.30

object-group network DEFAULT-PAT-SOURCE

network-object 192.168.10.0 255.255.255.0

network-object 10.30.30.0 255.255.255.0

access-list OUTSIDE-IN remark Allow Web access to Web server

access-list OUTSIDE-IN extended permit tcp any object eq www WEB-SERVER

pager lines 24

asdm informational logging

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

network object obj_any

nat (inside, outside) dynamic interface

Web-Server network object

nat (DMZ, outside) static interface service tcp www www

!

nat (any, outside) after-auto source dynamic PAT-SOURCE-DEFAULT interface

access-group OUTSIDE-IN in interface outside

timeout xlate 3:00:00

timeout conn 0:10:00 half-closed 1:00:00 udp 0:02:00 icmp 0:00:02

0:10:00 timeout sunrpc 0:05:00 h323 1:00:00 mgcp 0:05:00 mgcp H225-pat 0:05:00

sip_media 0:30:00 timeout sip 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 0:05:00 absolute uauth

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkDown coldStart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

auto_config outside dhcpd

!

192.168.10.5-192.168.10.36 inside dhcpd address

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

WebVPN

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

inspection_default class

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 H225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy overall global_policy

prompt hostname context

Cryptochecksum: 41349d632bcea77042960f9993c68d46

: End

----

I dont know what is up with the above configuration. Have you edited it yourself and not copy/pasted it directly?

There are some configuration lines that are not possible on the ASA even.

You are also missing the default route command

"route outside 0.0.0.0 0.0.0.0 "

- Jouni

thanks for replying

I added this line and I have internet connection from LAN

"route 0.0.0.0 0.0.0.0 186.151.161.25" (Gateway ISP Router)

The other lines that add were these:

object-group network DEFAULT-PAT-SOURCE

network-object 192.168.10.0 255.255.255.0

network-object 10.30.30.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

object network WEB-SERVER

host 10.30.30.30

nat (dmz,outside) static interface service tcp 80 80

access-list OUTSIDE-IN remark Allow Web access to Web server

access-list OUTSIDE-IN permit tcp any object WEB-SERVER eq 80

access-group OUTSIDE-IN in interface outside

---

Hi,

The following configuration wont be needed since you have the Default PAT configuration that I mentioned above

network object obj_any

subnet 0.0.0.0 0.0.0.0

nat (inside, outside) dynamic interface

Is the Web server working now also?

- Jouni

No, not yet visible my web server, where is the problem.

Thank you very much for your help.

Hi,

Well that is strange. Would imagine it should work already

Next I guess we could take the "packet-tracer" command output and see what it tells us.

You could use the command

packet-tracer input outside tcp 1.2.3.4 1234 80

Then copy/paste the output here on the forums

- Jouni

Hello!!

This is the result;

ciscoasa(config)# packet-tracer input outside tcp 1.2.3.4 1234 186.151.161.26 $

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network WEB-SERVER

nat (DMZ,outside) static interface service tcp www www

Additional Information:

NAT divert to egress interface DMZ

Untranslate 186.151.161.26/80 to 10.30.30.30/80

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OUTSIDE-IN in interface outside

access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network WEB-SERVER

nat (DMZ,outside) static interface service tcp www www

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1466, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

Hi,

According to that output it would seem to me that everything is fine with the firewall configurations.

I would suggest going through the Web servers network settings and the servers firewall software

Seem to me that IF the connection from Internet are getting through to your firewall they should reach the Web server just fine if the server itself isnt preventing it.

You can always open the ASDM and from there go to the real time log monitoring. Then test the website connection from the Internet and see what the logs say. If the server doesnt respond to the HTTP connection the connection should be removed by the firewall after 30 seconds with a "Teardown" message that states a reason "SYN Timeout"

- Jouni

Hi !

I took some screenshots of ASDM.

And I disconnected the web server but not shown me any message.

Hi,

Looking at the Log Window in the above post I can see the following things

• Denied ICMP traffic from the "outside" interface but the source IP addresses are private IP addresses?
• The "red" log messages would lead me to believe that you are trying to connect to the Web server from the "inside" using the Public IP address of the server? Do notice that this is not possible. If you want to connect to the server from behind the "inside" interface, you will have to use the actual IP address of the server on the DMZ (10.30.30.30)

Have you tried to connect to the server from the Internet? Atleast someone has since we can see in one of the pictures that there is hits on the ACL rule you configured.

If you have so far only tested the Web server connection by using the public IP address and from your own LAN then the ASA is blocking it. The ASA wont let you connect to the using the public IP address from the LAN. And this would be normal operation from the ASA.

EDIT: There might be a possibility to configure some NAT that would permit the use of the Public IP address even from behind the "inside" interface BUT it would be better to get this working from the Internet first before even trying something like that.

- Jouni

Hello!

you're right, I've tried to do with the public IP, when I put the IP 10.30.30.30 if it works! Now what will happen when the staff in my organization, (which are on the LAN) wish to consult the website? Can view the website?

I tried also accessed from a location outside of my LAN to Public IP, but I can not. And this is what I need most. That outsiders can see if Web site

thank you!

Hi,

At the moment users on the LAN should be able to use the IP 10.30.30.30 to connect to the web server. But as you said we should try to get the site working from the Internet before trying to possibly making some changes to the LAN users.

Can you once more copy/paste the whole configuration in CLI format here so I can go through it. Looking at the old configuration there should be no reason that a user with a public IP address from the Internet shouldnt be able to connect to the Web server unless the web server is blocking the connections.

- Jouni

Hello JouniForss

Thank you very much for all the help.

Everything is running fine, the problem was with the ISP, and the settings you made for me is correct.

My web server is published, and LAN internet access, all I ask is that you help me to achieve that when people want to see the website from the LAN will be allowed.

Again thank you very much.