
http traffic issue

patrifick
Level 1

Hi,

I wonder whether somebody can help.

We have an internal web server, 10.1.4.10, which holds some information that we try to access from our external website, 62.253.196.182.

However, when I try to access it from outside our network I can connect to it without any issue. If I want to access it internally, it times out.

internal server name: unicornsvr / 10.1.4.10

external ip: 62.253.196.182

port: 80 / http

Thank you in advance,

Patrick

1 Accepted Solution

Yup, this will allow you to reach that server at the public address from inside the network. If you do not do this, the firewall blocks you and logs errors with IP spoof. You should try reading a little on hairpinning on the ASA for more explanation.

Manish


10 Replies

patrifick
Level 1

Forgot the config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ch-asa
domain-name chathamhouse.org.uk
names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.187 Logmein-outside-187
name 10.3.3.10 VPN0
name 10.3.3.11 VPN1
name 10.3.3.12 VPN2
name 10.3.3.13 VPN3
name 10.3.3.14 VPN4
name 10.3.3.15 VPN5
name 90.208.247.40 keats-rdp
name 10.1.4.2 docsvr
name 62.253.196.186 keats-outside-186
name 192.206.158.10 sirsi-3
name 10.1.5.2 webfilter
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.5.1 255.255.0.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address dmz 255.255.255.0
ospf cost 10
!
interface Vlan5
nameif wifi
security-level 49
ip address 172.16.1.1 255.255.255.0
!
interface Vlan6
nameif chit
security-level 48
ip address 192.168.10.1 255.255.255.0
!
interface Vlan12
nameif outside
security-level 0
ip address outside 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 6
!
interface Ethernet0/4
switchport access vlan 5
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup outside
dns server-group DefaultDNS
domain-name chathamhouse.org.uk
same-security-traffic permit intra-interface
object-group network sirsi-support
network-object host sirsi-1
network-object host sirsi-2
network-object host sirsi-3
object-group service backup-exec tcp
port-object eq 10000
port-object eq 3106
port-object eq 3527
port-object eq 6101
port-object eq 6103
port-object eq 6106
object-group service barracuda-8000 tcp
port-object eq 8000
object-group service blackberry-3101 tcp
port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
port-object eq 2598
object-group service rdc-3389 tcp
port-object eq 3389
object-group service sql-1433 tcp
port-object eq 1433
object-group service streaming-1935 tcp
port-object eq 1935
object-group service video-streaming-tcp-udp tcp
port-object eq 3230
port-object eq 3231
port-object eq 3232
port-object eq 3233
port-object eq 3234
port-object eq 3235
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host remote-outside-179
network-object host webmail-outside-180
object-group service DM_INLINE_TCP_1 tcp
port-object eq h323
group-object video-streaming-tcp-udp
group-object streaming-1935
object-group service Reuters udp
port-object eq 10202
port-object eq 10302
port-object eq 9876
object-group network VPN-IP
network-object host VPN0
network-object host VPN1
network-object host VPN2
network-object host VPN3
network-object host VPN4
network-object host VPN5
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any host unicorn-outside-182 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433 inactive
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list outside_access_in extended permit tcp host unicornsvr object-group sirsi-support object-group rdc-3389
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit tcp host barracuda any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 object-group VPN-IP
access-list split-acl standard permit 10.1.0.0 255.255.0.0
access-list wifi_access_in extended permit ip any any
access-list chit_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
mtu wifi 1500
mtu chit 1500
ip local pool CH-VPN-IP VPN0-10.3.3.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (wifi) 1 172.16.1.0 255.255.255.0
nat (wifi) 1 0.0.0.0 0.0.0.0
nat (chit) 1 192.168.10.0 255.255.255.0
nat (chit) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255  dns
static (inside,outside) tcp interface ssh webfilter ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255  dns
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255  dns
static (inside,outside) tcp keats-outside-186 3389 docsvr 3389 netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) remote-outside-179 ctxdmz netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255
static (inside,inside) webmail-outside-180 exchsvr netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
access-group wifi_access_in in interface wifi
access-group chit_access_in in interface chit
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.200-192.168.10.225 chit
dhcpd dns 194.168.4.100 194.168.8.100 interface chit
dhcpd lease 86400 interface chit
dhcpd enable chit
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.0217-k9.pkg 1
svc enable
group-policy CH-VPN internal
group-policy CH-VPN attributes
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
group-policy CH-VPN-IP internal
group-policy CH-VPN-IP attributes
dns-server value 10.1.4.9 10.1.4.5
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
default-domain value riia.local
username sdt.support password cdUOkKYGfsyZgwTx encrypted privilege 0
username sdt.support attributes
vpn-group-policy CH-VPN
username leet password 1fJc82CICO2zAFcfTW47KQ== nt-encrypted privilege 0
username leet attributes
vpn-group-policy CH-VPN
tunnel-group CH-VPN type remote-access
tunnel-group CH-VPN general-attributes
address-pool CH-VPN-IP
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy CH-VPN
tunnel-group CH-VPN-IP type remote-access
tunnel-group CH-VPN-IP general-attributes
address-pool CH-VPN-IP
default-group-policy CH-VPN-IP
tunnel-group CH-VPN-IP ipsec-attributes
pre-shared-key *****
radius-sdi-xauth
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context
: end

Sounds like a hairpinning issue. Can you do "sh logging" and paste the part of the output that shows the IP address of the web server you are trying to access from inside the network?

Manish

Hi,

Can you please advise on the steps? I don't know Cisco much, but I can do all the rest.

Thanks,

Patrick

Does it work if you try to reach the server using its local ip address from the inside?

PK

Hi,

When I use the local IP it works without any issues; it also works when I am outside the network getting in via the external IP, but it doesn't work when I use the external IP within the house.

I want to avoid using two different source IPs and use only one, based on our external IP.

Thanks,

Patrick

OK, so as mentioned already, the issue is probably due to hair-pinning. Let me explain:

You have commands

static (inside,inside) webmail-outside-180 exchsvr netmask 255.255.255.255

same-security permit intra

These will have the ASA receive the packet on the inside and send it to the server. The setup breaks when the server responds to the client: it uses its local IP address as the source, and the packet is destined to the client. That traffic is not seen by the ASA (it is switched/routed locally), and thus the client rejects it, as the source of the return traffic was not the outside IP of the server. In order to make it work you would need to do a "static (inside,inside) ...." for the clients that will be reaching the server, which would make the ASA own their IP addresses and thus see the whole flow and translate/untranslate properly.

In general it is not good practice. Usually it is better to change the DNS server setup so that it gives the local IP to users who are internal and trying to reach the server.

I hope it helps.

PK

Thanks for the response; however, I cannot use DNS redirection within the house, as the external domain is different from the internal one and I want to avoid using another zone file for this instance.

We had a similar issue with webmail-180, where we were calling the external IP from inside and it was reverting back to the inside server. Can the same be applied for the unicorn?

Thanks,

Patrick

Hi,

What if I run this command, could it work?

static (inside,inside) unicorn-outside-182 unicornsvr netmask 255.255.255.255

Patrick

Yup, this will allow you to reach that server at the public address from inside the network. If you do not do this, the firewall blocks you and logs errors with IP spoof. You should try reading a little on hairpinning on the ASA for more explanation.

Manish
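The complete hairpin (U-turn NAT) recipe that PK's explanation and the accepted answer describe, written out as an added example in ASA 8.2 (pre-8.3 NAT syntax) using the object names from the posted config. It is not part of any post above. The three pieces belong together: the static (inside,inside) alone only untranslates the destination; it is the existing "global (inside) 1 interface" plus "nat (inside) 1 0.0.0.0 0.0.0.0" that also rewrites the client's source to the ASA's inside address, so the server's reply comes back through the firewall instead of being switched straight to the client (the asymmetric return path PK describes). The source port 40000 and the choice of 10.1.4.4 (ctxsvr01) as the test client are assumptions for the packet-tracer check.

```cisco
! Hairpin NAT for an inside client reaching an inside server at its public
! address, ASA 8.2 syntax. Added example; names come from the posted config.
!
! 1. Let a flow enter and leave the same interface (already in the config).
same-security-traffic permit intra-interface
!
! 2. Destination translation: a packet arriving on inside for
!    62.253.196.182:80 is untranslated to 10.1.4.10:80 (the accepted answer).
static (inside,inside) unicorn-outside-182 unicornsvr netmask 255.255.255.255
!
! 3. Source translation (already in the config): without it the server sees the
!    client's real 10.1.x.x address and replies directly on the LAN, so the
!    client gets a SYN/ACK from 10.1.4.10 instead of 62.253.196.182 and drops it.
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Verify: simulate an inside client (assumed 10.1.4.4, source port 40000)
! hitting the public address. Expect a NAT phase that matches the static
! (inside,inside) line, an egress interface of "inside", and Action: allow.
packet-tracer input inside tcp 10.1.4.4 40000 62.253.196.182 80 detailed
!
! Then test from a real client and confirm the translation and that no
! spoof/asymmetric-routing drops are being logged for the server.
show xlate | include 10.1.4.10
show logging | include 62.253.196.182
```

Two points a practitioner should keep in mind with this setup. First, the hairpinned flow is policed by inside_access_in (which permits ip any any), not by outside_access_in, so the public address is reachable from inside on every port that has a static, not just port 80. Second, while editing this config it is worth revisiting the outside ACL: "permit tcp any any eq ssh", "permit tcp any any object-group rdc-3389" and "permit tcp any any object-group backup-exec" admit any Internet source to every public address that has a matching static (for example itsvr, unicornsvr and docsvr on 3389, and webfilter on SSH), and "telnet 10.1.0.0 255.255.0.0 inside" leaves clear-text management enabled alongside SSH.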

HI,

Thanks for your comment; however, I am not a Cisco engineer and am trying to resolve only a small issue which we have. I appreciate your help.

Patrick
