03-23-2013 04:49 PM - edited 03-11-2019 06:18 PM
Hi guys.
I bought an ASA 5510 about a week ago with a very basic configuration, and my priority was, and still is, to get an access list inbound on the outside interface ("Security Level 0") so I can access my web server from the cloud, but unfortunately I could not make it work, even though I tried every possible solution out there to figure out what the issue was:
TCP access denied by ACL from 92.40.X.X/52511 to outside:81.108.X.X/80
92.40.X.X is a PC on the cloud that I used to access my web server, and 81.108.X.X is my public IP address.
My recent config is as follows:
NAT section:
==================================================================================
Dynamic:
nat (inside,outside) source dynamic any interface <<< To let the PCs inside the network access the Internet >>>
nat (DMZ,outside) source dynamic MyServer interface <<< To let the Windows server and the Red Hat Linux server get updates and other server services from the Internet >>>
Auto-NAT
(Optional) <<< I tried this static NAT to allow access to the web server in the DMZ >>>
object network WAN_LINK
nat (outside,DMZ) static MyServer service tcp www www
Access list section:
On the outside interface, inbound <<< as the traffic is coming from the cloud to the DMZ >>>
access-list DMZ_access_in extended permit ip any any <<< This was just to allow IP out from the two DMZ servers (Win + RH Linux) for troubleshooting, not related to the present issue >>>
access-list outside_access_in extended permit tcp any object MyServer eq www
access-list outside_access_in extended permit tcp object WAN_LINK object MyServer eq www
A records:
WAN link: 86.108.X.X (my public IP address)
My server: 10.10.50.X /24
=============================================================================================================
PS:
I just want to mention that the ASA is facing the cloud (THERE IS NO ROUTER ACTING AS DEFAULT GATEWAY, the ASA is) and the public IP address comes via DHCP from my ISP; it has not changed since 2010 (same IP address).
I used to have access to all my services (FTP, HTTP, HTTPS, SMTP, RDP, ...) previously, using the router IOS instead of the ASA.
Thank you.
03-24-2013 07:14 AM
Hi,
If what you are trying to do is NAT your server in the DMZ to a public IP on the outside, then the following lines are not correct:
object network WAN_LINK
nat (outside,DMZ) static MyServer service tcp www www
They should be:
object network OBJ_PRIVATE_IP
nat (DMZ,outside) static OBJ_PUBLIC_IP service tcp www www
Or you can use "interface" instead of OBJ_PUBLIC_IP.
Then you apply an ACL that permits incoming traffic to the private IP, not the public IP (as this is 8.3 or later).
Hope this helps.
Mashal
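A complete version of the corrected object-NAT and ACL configuration described in this answer, as an added example that is not part of the original thread. The interface names (DMZ, outside) and the ACL name outside_access_in come from the thread; the object name OBJ_WEB_PRIVATE, the host address 10.10.50.10, the client address 198.51.100.7 and the PUBLIC_IP placeholder are assumptions.

```cisco
! Added example (not from the thread). Assumes ASA 8.3+ object-NAT syntax,
! a DMZ web server at 10.10.50.10 (assumed) and a DHCP-assigned outside address.
!
! 1. Object for the server's real (private) address. The nat line under the
!    object is auto-NAT: (real-ifc,mapped-ifc), so DMZ first, outside second.
!    "interface" maps to the outside address, which suits a DHCP public IP.
!    Only TCP/80 is translated; nothing else on the server is exposed.
object network OBJ_WEB_PRIVATE
 host 10.10.50.10
 nat (DMZ,outside) static interface service tcp www www
!
! 2. Inbound ACL on outside. From 8.3 onwards the ACL is evaluated after
!    un-NAT, so it must name the real (private) object, not the public IP.
!    Only TCP/80 is opened; the ACL is attached to the outside interface.
access-list outside_access_in extended permit tcp any object OBJ_WEB_PRIVATE eq www
access-group outside_access_in in interface outside
!
! 3. Checks. Confirm the static translation is installed, then simulate an
!    inbound connection from a constructed client address to the public IP;
!    packet-tracer should show UN-NAT to 10.10.50.10 and an ACL "ALLOW".
show nat detail
packet-tracer input outside tcp 198.51.100.7 52511 PUBLIC_IP 80
```

The existing `nat (DMZ,outside) source dynamic MyServer interface` rule for outbound updates can stay: a dynamic rule only translates connections initiated from the DMZ, while the static object-NAT above is bidirectional and is what lets the outside reach the server. If packet-tracer still reports a drop, the phase it names (NAT or ACCESS-LIST) tells you which of the two pieces is wrong.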
03-23-2013 09:18 PM
Hi Bouki,
Does the ACL that you added to the outside allow access to the private or the public IP?
Could you please try with the private IP address instead of the NATted IP of the server?
Also, use auto-NAT for this scenario.
HTH.
Portu.
03-24-2013 04:59 AM
Hi Javier,
I appreciate the quick response.
Ok.
Object Names:
WAN_LINK: 81.108.X.X, provided dynamically by the ISP to Ethernet 0/0 of the ASA 5510.
MyServer: my Windows server with the private address 10.10.50.X /24, located in the DMZ behind Ethernet 0/2 of the ASA 5510, WITH A SECURITY LEVEL OF 50.
This access list, which has been applied inbound on the outside interface (Ethernet 0/0 of the ASA 5510, configured to get an Internet-routable "public" IP address from my ISP dynamically using the ASA's MAC address option), is mainly to allow access to the services provided by the two servers (Linux and Windows) mentioned in the previous post. They are located in the DMZ zone, and both are statically configured with private addresses within the 10.10.50.0 /24 subnet; as we all know, this is to override the outside implicit rule which is there by default on the device.
Statically NATing the outside public IP address 81.108.X.X with a random port to the server's private IP address 10.10.50.X on port 80, as it is providing an HTTP service (a Windows server with IIS running on it, hosting my web site).
I have tried dynamic NATing and it still did not work.
I hope that this was informative enough.
Thank you
03-24-2013 08:52 AM
Thanks a lot, Mashal, for the reply.
Well, when it comes to static NATing, it does not matter which direction you are going, because you are literally hard-coding the address to be translated to another one based on the following: the transport service and the port number (www).
What I am trying to do is tell the ASA: if you receive any frame from the cloud which has your IP address on it, and as you decapsulate it you reach the segment that has TCP port 80, then do not even bother reading the data; encapsulate the segment into a packet with the destination IP address 10.10.50.X << my server's IP address >>.
Thank you.