
Internal Web Server Not Reachable By Internal Users

douglasbrantley
Level 1

Device Type: ASA5505
ASA Version: 8.2(5)
ASDM Version: 6.4(5)

The web server behind the firewall is unavailable to internal users.

If I connect to the web server, log in and run the web browser, the web site is unavailable.

Help greatly appreciated.

Thanks in advance.

Here is the firewall configuration:

!
ASA Version 8.2(5)

!

terminal width 511

hostname asa5505

domain-name nnnn.mmmmmmm.net

enable password QQQQQQQQQQQQ encrypted

passwd QQQQQQQQQQQ encrypted

names

dns-guard

!

interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full

!

interface Ethernet0/1

!

interface Ethernet0/2
shutdown

!

interface Ethernet0/3
shutdown

!

interface Ethernet0/4
shutdown

!

interface Ethernet0/5
shutdown

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!

interface Vlan2
nameif outside
security-level 0
ip address 208.109.184.27 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS
domain-name nnnn.mmmmmmm.net

access-list outside_access_in extended permit tcp any any eq ftp-data

access-list outside_access_in extended permit tcp any any eq ftp

access-list outside_access_in extended permit tcp any any eq ssh

access-list outside_access_in extended permit tcp any any eq 42

access-list outside_access_in extended permit udp any any eq nameserver

access-list outside_access_in extended permit tcp any any eq domain

access-list outside_access_in extended permit udp any any eq domain

access-list outside_access_in extended permit tcp any any eq www

access-list outside_access_in extended deny   tcp any any eq pop3

access-list outside_access_in extended permit tcp any any eq https

access-list outside_access_in extended permit tcp any any eq 465

access-list outside_access_in extended permit tcp any any eq 587

access-list outside_access_in extended permit tcp any any eq 995

access-list outside_access_in extended permit tcp any any eq 993

access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 8443

access-list outside_access_in extended permit tcp any any eq 2006
access-list outside_access_in extended permit tcp any any eq 8447

access-list outside_access_in extended permit tcp any any eq 9999

access-list outside_access_in extended permit tcp any any eq 2086

access-list outside_access_in extended permit tcp any any eq 2087

access-list outside_access_in extended permit tcp any any eq 2082

access-list outside_access_in extended permit tcp any any eq 2083

access-list outside_access_in extended permit tcp any any eq 2096

access-list outside_access_in extended permit tcp any any eq 2095

access-list outside_access_in extended permit tcp any any eq 8880
access-list outside_access_in extended deny   tcp any any eq telnet

access-list outside_access_in extended deny   tcp any any eq smtp

access-list outside_access_in extended deny   tcp any any eq imap4

access-list outside_access_in extended deny   tcp any any eq 1433

access-list outside_access_in extended deny   tcp any any eq 3306

access-list outside_access_in extended deny   tcp any any eq 9080

access-list outside_access_in extended deny   tcp any any eq 9090

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit icmp any any time-exceeded

access-list inside_access_in  extended permit ip any any

no pager

logging enable

logging timestamp

logging buffered warnings

logging history warnings

logging asdm notifications

logging queue 500

mtu inside 1500

mtu outside 1500

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm history enable
arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) 10.0.0.2 208.109.186.139 netmask 255.255.255.255
static (inside,outside) 208.109.186.139 10.0.0.2 netmask 255.255.255.255
static (outside,inside) 10.0.0.3 208.109.186.154 netmask 255.255.255.255
static (inside,outside) 208.109.186.154 10.0.0.3 netmask 255.255.255.255
static (outside,inside) 10.0.0.1 208.109.184.134 netmask 255.255.255.255
static (inside,outside) 208.109.184.134 10.0.0.1 netmask 255.255.255.255
access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 208.109.184.254 1
route outside 0.0.0.0 255.255.255.0 208.109.184.254 1

route outside 192.168.101.3 255.255.255.255 208.109.184.254 1

route outside 192.168.105.3 255.255.255.255 208.109.184.254 1

route outside 192.168.109.3 255.255.255.255 208.109.184.254 1

route outside 208.109.96.4  255.255.255.255 208.109.184.254 1

route outside 208.109.188.4 255.255.255.255 208.109.184.254 1

route outside 216.69.160.4  255.255.255.255 208.109.184.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5

console timeout 0

management-access outside
dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username XXXXXXXXXXX password QQQQQQQQQQQQ encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters
 
  message-length maximum 512

policy-map global_policy

class inspection_default
 
  inspect dns preset_dns_map
 
  inspect ftp
 
  inspect h323 h225
 
  inspect h323 ras
 
  inspect rsh
 
  inspect rtsp
 
  inspect esmtp
 
  inspect sqlnet
 
  inspect skinny 
 
  inspect sunrpc
 
  inspect xdmcp
 
  inspect sip 
 
  inspect netbios
 
  inspect tftp

!

service-policy global_policy global

prompt hostname context
no call-home
reporting anonymous

3 Replies

sokakkar
Cisco Employee

Hi,

First off, static NATs are bi-directional. So, please modify your static NAT config:

Syntax is:

static (real_int,mapped_int) mapped_ip real_ip netmask x.x.x.x

So, remove following:

no static (outside,inside) 10.0.0.2 208.109.186.139 netmask 255.255.255.255

no static (outside,inside) 10.0.0.3 208.109.186.154 netmask 255.255.255.255

no static (outside,inside) 10.0.0.1 208.109.184.134 netmask 255.255.255.255

You only need these:

static (inside,outside) 208.109.186.139 10.0.0.2 netmask 255.255.255.255

static (inside,outside) 208.109.186.154 10.0.0.3 netmask 255.255.255.255

static (inside,outside) 208.109.184.134 10.0.0.1 netmask 255.255.255.255

Now, if you are able to connect to the server and get to the login, your static NAT and inbound ACL are fine. You might need to get captures on the inside and outside interfaces for the traffic flow to the web server to investigate this further.

Here is the procedure to do it:

https://supportforums.cisco.com/docs/DOC-1222

Doesn't sound like an ASA issue, but captures should help figure this out.

HTH.

-

Sourav
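The rule Sourav applies above can be checked mechanically. The following Python is an added example for this thread, not code from the original post or from Cisco: it parses the `nameif`/`security-level` pairs and the `static` lines (re-joining the `netmask` that ASDM wrapped onto the next line), flags a static whose "mapped" address is a private host on the higher-security interface, and emits the `no static` commands, adding a rewritten static only when the correctly ordered twin is not already present. The sample configuration is constructed from the interface and static lines in the question; the private-address/security-level heuristic is an assumption of the example, not something the ASA itself enforces.

```python
"""Lint ASA 8.2 'static' entries for a backwards (real_ifc,mapped_ifc) order.

Added example for this thread, not code from the post or from Cisco.
ASA 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
A static is bidirectional, so one entry per translation is enough.
Heuristic (an assumption of this example): a private address on the
higher-security interface is the real host, so a static listing it as the
*mapped* address has its interface pair written backwards.
"""
import ipaddress
import re

# Constructed from the interface and static lines quoted in the thread. ASDM
# wrapped each 'netmask' onto its own line, which parse_statics() re-joins.
SAMPLE_INTERFACES = """\
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
"""
SAMPLE_STATICS = """\
static (outside,inside) 10.0.0.2 208.109.186.139
netmask 255.255.255.255
static (inside,outside) 208.109.186.139 10.0.0.2
netmask 255.255.255.255
static (outside,inside) 10.0.0.3 208.109.186.154
netmask 255.255.255.255
static (inside,outside) 208.109.186.154 10.0.0.3
netmask 255.255.255.255
static (outside,inside) 10.0.0.1 208.109.184.134
netmask 255.255.255.255
static (inside,outside) 208.109.184.134 10.0.0.1
netmask 255.255.255.255
"""
SAMPLE_CONFIG = SAMPLE_INTERFACES + SAMPLE_STATICS

STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?"
)


def parse_security_levels(cfg):
    """Map each nameif to its security-level from the 'interface' blocks."""
    levels, name = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def parse_statics(cfg):
    """Return one dict per static; a wrapped 'netmask ...' line is re-joined first."""
    joined = re.sub(r"\n\s*(netmask\s+\S+)", r" \1", cfg)
    statics = []
    for line in joined.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mapped"] = ipaddress.IPv4Address(d["mapped"])
            d["real"] = ipaddress.IPv4Address(d["real"])
            d["mask"] = d["mask"] or "255.255.255.255"  # ASA default for a host static
            statics.append(d)
    return statics


def is_inverted(s, levels):
    """True when the 'mapped' side is the private host on the more trusted interface."""
    return (s["mapped"].is_private and not s["real"].is_private
            and levels[s["mapped_ifc"]] > levels[s["real_ifc"]])


def recommend(cfg):
    """ASA commands that leave exactly one correctly ordered static per translation.

    An inverted entry is removed; if its correctly ordered twin is not already
    present, the rewritten static is added in its place.
    """
    levels = parse_security_levels(cfg)
    statics = parse_statics(cfg)
    present = {(s["real_ifc"], s["mapped_ifc"], s["mapped"], s["real"]) for s in statics}
    cmds = []
    for s in statics:
        if not is_inverted(s, levels):
            continue
        cmds.append(f"no static ({s['real_ifc']},{s['mapped_ifc']}) "
                    f"{s['mapped']} {s['real']} netmask {s['mask']}")
        twin = (s["mapped_ifc"], s["real_ifc"], s["real"], s["mapped"])
        if twin not in present:
            cmds.append(f"static ({s['mapped_ifc']},{s['real_ifc']}) "
                        f"{s['real']} {s['mapped']} netmask {s['mask']}")
    return cmds


if __name__ == "__main__":
    for cmd in recommend(SAMPLE_CONFIG):
        print(cmd)
```

Run against the sample, the script prints the same three `no static (outside,inside) ...` commands given in the reply and adds nothing, because each inverted entry already has its `(inside,outside)` twin. On a configuration where only the backwards entry exists, it also prints the corrected `static (inside,outside) mapped real netmask ...` line.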

douglasbrantley
Level 1

I fixed the problem but did not use a firewall configuration change to enable the fix.

While the installation of the Cisco ASA 5505 caused the problem, I decided not to focus on the firewall configuration.

I dug deep into the web application for the failure points.

This pointed me to name resolution and DNS.

I installed the Windows Server 2003 DNS Server.

Created a Zone for the server and A Records.

The DNS only resolves for DNS queries made from within the server.

All of the A Records point to the Inside IP Addresses for the Host names.

.       10.0.0.1
wwww    10.0.0.1
www     10.0.0.1
ww      10.0.0.1
w       10.0.0.1

The web application is working great.


Hi Douglas,

It seems you are accessing the servers from internal users. And now that you've configured your DNS server to resolve the requests to internal IPs, this traffic will be handled internally and not through the ASA (which makes sense, as client and server are behind the same interface of the ASA, so it doesn't make sense to send this communication through the ASA anyway).

The above information I provided was targeting users from the internet accessing your web server. If you wish to allow access to your servers from outside as well, the above changes will be needed.

HTH.

-

Sourav
