I cannot access my Web_Server, please help.

Bouki
Level 1

Hi guys.

I bought an ASA 5510 about a week ago with a very basic configuration, and my priority was, and still is, to get an inbound access list on the outside interface (security level 0) so I can access my web server from the cloud. Unfortunately I could not make it work, although I tried every possible solution out there to figure out what the issue was.

TCP access denied by ACL from 92.40.X.X/52511 to outside:81.108.X.X/80 (92.40.X.X is a PC in the cloud that I used to access my web server, and 81.108.X.X is my public IP address).

My recent Conf is as follow:

NAT section:

==================================================================================

Dynamic:

nat (inside,outside) source dynamic any interface   <<< To give the PCs inside the network access to the Internet >>>

nat (DMZ,outside) source dynamic MyServer interface   <<< To let the Windows server and the Red Hat Linux server get updates and other server services from the Internet >>>

Auto-NAT

(Optional) <<< I tried this static NAT to allow access to the web server in the DMZ. >>>

object network WAN_LINK

nat (outside,DMZ) static MyServer service tcp www www

Access list section:

On the outside interface, inbound <<< as the traffic comes from the cloud to the DMZ >>>

access-list DMZ_access_in extended permit ip any any   <<< This was just to allow IP out from the two DMZ servers (Win + RH Linux) for troubleshooting; not related to the present issue >>>

access-list outside_access_in extended permit tcp any object MyServer eq www

access-list outside_access_in extended permit tcp object WAN_LINK object MyServer eq www

A records:

WAN Link: 86.108.X.X, my public IP address

My server: 10.10.50.X /24

=============================================================================================================

PS:

I just want to mention that the ASA is facing the cloud (THERE IS NO ROUTER ACTING AS DEFAULT GATEWAY; the ASA is), and the public IP address is assigned via DHCP from my ISP and has not changed since 2010 (same IP address).

I used to have access to all my services (FTP, HTTP, HTTPS, SMTP, RDP, ...) previously, using the IOS router instead of the ASA.

Thank you.

Accepted Solution

malshbou
Level 1

Hi,

If what you are trying to get is NATing your server in the DMZ to a public IP on the outside, then the following lines are not correct.

object network WAN_LINK

  nat (outside,DMZ) static MyServer service tcp www www

They should be:

object network OBJ_PRIVATE_IP

   nat (DMZ,outside) static OBJ_PUBLIC_IP service tcp www www

Or you can have "interface" instead of OBJ_PUBLIC_IP.

Then you apply an ACL that permits incoming traffic to the private IP, not the public IP (as this is 8.3 or later).

Hope this helps

Mashal

------------------ Mashal Shboul

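Putting the accepted answer together as one complete configuration, as an added example that is not from the thread and not the original poster's config. Assumptions: ASA 8.3 or later, interfaces named DMZ and outside, the object name OBJ_WEB_SERVER, a server real address of 10.10.50.10, and the placeholder addresses 203.0.113.5 (external client) and 198.51.100.1 (the address DHCP assigned to the outside interface) used only in the packet-tracer check:

```cisco
! Added example, not the thread's own configuration. Names and addresses are assumptions.
! Auto NAT (object NAT): the object carries the server's REAL address and is
! translated to the outside interface address, port 80 only, in the (DMZ,outside)
! direction. The static rule is bidirectional, so inbound TCP/80 to the interface
! address is untranslated to 10.10.50.10.
object network OBJ_WEB_SERVER
 host 10.10.50.10
 nat (DMZ,outside) static interface service tcp www www
!
! ASA 8.3 and later: the ACL is evaluated against the real (untranslated)
! destination, so the rule permits the private object, not the public IP.
access-list outside_access_in extended permit tcp any object OBJ_WEB_SERVER eq www
access-group outside_access_in in interface outside
!
! Checks (run from enable mode):
! packet-tracer simulates an outside client hitting the public address on port 80
! and reports each phase (UN-NAT, ACCESS-LIST, ...) as ALLOW or DROP.
! 203.0.113.5 and 198.51.100.1 are placeholders, not addresses from the thread.
packet-tracer input outside tcp 203.0.113.5 52511 198.51.100.1 80
!
! Confirms the static rule is installed (section 2, auto NAT) and shows translate hits.
show nat detail
!
! Hit counts on the inbound rule rise once traffic matches it.
show access-list outside_access_in
```

The direction in the nat statement is (real interface, mapped interface), which is why `(outside,DMZ)` with the server object as the mapped address cannot produce the intended untranslation. Manual NAT rules (section 1) are evaluated before auto NAT (section 2), so if a manual rule already covers the same traffic it wins; `show nat` prints the sections in evaluation order, which is the first thing to read when packet-tracer drops the packet in the UN-NAT phase.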

4 Replies

Hi Bouki,

The ACL that you added to the outside: does it allow access to the private or the public IP?

Could you please try with the private IP address instead of the NATted IP of the server?

Also, use the auto-nat for this scenario.

HTH.

Portu.

Hi Javier;

I appreciate the quick response.

Ok.

1) access-list outside_access_in extended permit tcp object WAN_LINK object MyServer eq www

Object Names:

WAN_LINK: 81.108.X.X, provided dynamically by the ISP to the ASA 5510 Ethernet 0/0.

MyServer: my Windows server with the private address 10.10.50.X /24, located in the DMZ behind Ethernet 0/2 of the ASA 5510, with a security level of 50.

This access list has been applied inbound on the outside interface (Ethernet 0/0 of the ASA 5510, configured to get an Internet-routable "public" IP address from my ISP dynamically, using the MAC address of the ASA option). It is mainly to allow access to the services provided by the two servers (Linux and Windows) mentioned in the previous post, located in the DMZ zone, both of which are statically configured with private addresses within the 10.10.50.0/24 subnet. As we all know, this is to override the outside implicit rule that is there by default on the device.

2) nat (outside,DMZ) static MyServer service tcp www www

Statically NATing the outside public IP address 81.108.X.X with a random port to the server's private IP address 10.10.50.X on port 80, as it provides an HTTP service (a Windows server with IIS running on it, hosting my website).

I have tried dynamic NATing and it still did not work.

I hope that this was informative enough.

Thank you


Thanks a lot, Mashal, for the reply.

Well, when it comes to static NATing it does not matter which direction you are going, because literally you are hard-coding the address to be translated to another one based on the following: the transport service and the port number (www).

What I am trying to do is tell the ASA: if you receive any frame from the cloud which has your IP address on it, and as you decapsulate it you reach the segment that has TCP port 80, then do not even bother reading the data; encapsulate the segment into a packet with a destination IP address of 10.10.50.X <<my server IP address>>.

Thank you.
