10-10-2006 08:24 AM - edited 02-21-2020 01:13 AM
Hi All,
I have a Cisco ASA 5510.
I have a NT Server hosting a web server setup to use the http port 10300.
How can I configure my pix to allow traffic to this application from other machines in the network?
My NT Server private IP is 10.0.1.25 and I'm able to access it from the other machines in the network, but when I connect to the web application through the url: http:\\<server name>.<domain name>:10300\xxxx
then I receive a "Server Not found error".
I tried multiple config of the access list / nat but could not get it to work.
Here is an extract of my current configuration:
ASA Version 7.0(4)
[...]
interface Ethernet0/0
nameif outside
security-level 0
ip address 67.104.112.162 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list outside-in extended permit icmp any any
access-list outside-in extended permit tcp any eq www host 67.104.112.163 eq 10300
access-list SPLIT-TUNNEL extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
[...]
global (outside) 1 interface
nat (outside) 1 192.168.24.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.1.0 255.255.255.0
static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255
static (inside,outside) 67.104.112.164 10.0.1.26 netmask 255.255.255.255
access-group outside-in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 67.104.112.161 1
[...]
http server enable
http 167.1.162.143 255.255.255.255 outside
http 10.0.1.0 255.255.255.0 inside
http 10.0.1.25 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
[...]
I would really appreciate if you can help me!
Thanks in advance.
10-10-2006 10:36 AM
change this:
static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255
to:
static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255 dns
HTH pls rate!
10-10-2006 11:24 AM
Thanks a lot for your help.
I tried that. I'm wondering if I'm not missing something in the acl because from inside the network (where I am right now), I'm not able to connect to the application on this server (10.0.1.25).
Do you think the acl are correctly defined?
10-11-2006 05:25 AM
If you are behind the pix, using a web browser on a host 10.0.1.x and you cannot connect to your web server on your nonstandard port which you specified, check your web server config. You certainly need to get this working before anyone can be expected to access it through the firewall.
HTH
10-11-2006 02:13 PM
Hi,
thanks for your answer.
I'm able to connect to http:\\10.0.1.25 from a laptop behind the pix, but not to http:\\
Anything else I should be checking?
Sylvain
10-10-2006 11:34 AM
I also tried adding:
access-list inside_access_in extended permit tcp any eq www host 67.104.112.163 eq 10300
but this doesn't seem to improve anything...
10-10-2006 03:43 PM
Maybe I am missing something here...but isn't this NAT on your outside interface?
Thus the ACE you would need to add would need to be on your outside ACL. Also the source port isn't going to be 80 it is going to be random I believe. The destination port is going to be in this case 10300...for normal www traffic it would be 80 of course. Thus I think that eq www statement is blocking this. Are you seeing the deny on the syslog when you test?
So thus it would be something like:
access-list outside-acl(whatever your acl is) permit tcp any host 67.104.112.163 eq 10300
10-10-2006 04:33 PM
Try this, hopefully it helps.
Q: How can I configure my pix to allow traffic to this application from other machines in the network?
My NT Server private IP is 10.0.1.25 and I'm able to access it from the other machines in the network, but when I connect to the
web application through the url: http:\\
A: Disable proxy ARP on your inside interface,
command: sysopt noproxyarp
To enable it, use "no sysopt noproxyarp interface_name"
In rare circumstances, you might want to disable proxy ARP for global addresses.
When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."
Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface. The only way traffic can reach the hosts is if the security appliance uses proxy ARP to claim that the security appliance MAC address is assigned to destination global addresses.
Before that, pls ensure that your HTTP service via port 10300 is working fine. Otherwise, this could be the primary issue.
Q: How to allow outside/internet clients access your web server via 10300 (TC)
A: Since you're not using standard port 80-www, this might require port redirection.
Change your current static map from :
static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255
to
static (inside,outside) tcp 67.104.112.163 www 10.0.1.25 10300 netmask 255.255.255.255
Change the ACL as well to:
access-list outside-in extended permit tcp any host 67.104.112.163 eq www
The above will allow outsiders to access your server without having to specify "10300" in their web browser. PIX/ASA will do the redirection automatically to port 10300.
Cheers!
AK
10-11-2006 02:11 PM
Hi, Thanks for your answer.
I ran "sysopt noproxyarp inside" but still wasn't able to connect to http:\
How can I make sure that my HTTP service is working fine for port 10300?
I also ran:
access-list outside-in extended permit tcp any host 67.104.112.163 eq www
static (inside,outside) tcp 67.104.112.163 www 10.0.1.25 10300 netmask 255.255.255.255 dns
I'm not able to check immediately if access from outside is possible since I'm behind the pix, but will do later tonight.
Again, thanks a lot for taking the time to reply. Unfortunately at this point, I am still not able to access to this url...
sylvain
10-11-2006 02:20 PM
Hi,
Thanks for your answer. I agree I had it backward.
I tried this:
access-list outside-in extended permit tcp any host 67.104.112.163 eq 10300
and it did not make any changes.
Thanks
Sylvain
10-11-2006 11:09 PM
To verify your http via port 10300 is working:
a. check your http port setup on the www server or application.
b. run http test from the server itself using web browser. Try any of these:
http://
c. from any pc in the same segment, telnet to the server's IP:
telnet 10.0.1.25 10300
OR telnet from outside firewall to the public IP natted to 10.0.1.25 (which is 67.104.112.163)
telnet 67.104.112.163 10300
Make sure you get some kind of successful telnet reply, with an http keyword...
Hope this helps.
AK
10-11-2006 11:19 PM
Or from Outside/internet, you can do port scan to the public IP of 67.104.112.163. Make sure the port is open or visible from outside.
You can download lots of free port scanning tools, e.g. Yaps.
Cheers!
10-12-2006 08:11 PM
Hi,
Thanks. I tried Yaps which gave me the following results from outside:
67.104.112.163:80 -> www-http (World Wide Web HTTP) -> HTTP/1.1 404 Not Found..
Getting these results for ports 10300 and 10500 was kind of expected, but not for port 80.
When running it for ports 10300 to 10500, it wasn't even giving me any results.
10-12-2006 08:14 PM
Hi,
b:
all tests gave me an error 404 Not Found.
c:
I wasn't able to telnet using 10.0.1.25 from my laptop which was 10.0.1.6.
I received the following results from outside:
C:\>telnet 67.104.112.163 10300
Connecting To 67.104.112.163...Could not open connection to the host, on port 10300: Connect failed
C:\>telnet 67.104.112.163
Connecting To 67.104.112.163...Could not open connection to the host, on port 23: Connect failed
same thing after launching the VPN Client.
10-12-2006 08:42 PM
If you telnet from local subnet or from a PC in same subnet with the server, and if the server port 10300 is up & running, you should be able to get some kind of reply with 'http' keyword, not the "..could not open connection to..". The error indicates service port not running/opened.
Do port scanning from local LAN and outside firewall, and compare the results.
From internal LAN, you should see port 10300 opened. Indirectly, this will also verify that the service port is running fine.
If you can't see this port, check the server itself & verify the port is really working fine.
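As an added example (not code from the thread or from Cisco), here is a small Python probe that does what steps (b) and (c) above check by hand and separates the two outcomes reported in this thread: a "Connect failed" (nothing listening, or a filter in the path) versus any HTTP status line, a 404 included, which proves the listener on the port is reachable. The built-in server is a constructed stand-in for the NT web application; the host, port and path values are assumptions.

```python
"""Probe a TCP port and classify the answer: None means the TCP connect failed
(the telnet 'Connect failed' case), an integer is the HTTP status the server
replied with (a 404 still proves the listener is up and reachable)."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def check_http_service(host, port, path="/", timeout=3.0):
    """Open a TCP connection, send a minimal GET and parse the status line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            status_line = s.makefile("rb").readline().decode("ascii", "replace")
    except OSError:
        return None  # connection refused, timed out, or filtered
    parts = status_line.split()
    # A well-formed status line looks like "HTTP/1.1 404 Not Found".
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return -1  # something answered on the port, but it was not HTTP


class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for the web application: only "/" exists."""

    def do_GET(self):
        self.send_response(200 if self.path == "/" else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the probe output quiet
        pass


def start_local_test_server():
    """Start the stand-in server on an ephemeral loopback port; return the port."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def free_closed_port():
    """Pick a loopback port nothing listens on (constructed 'service down' case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = start_local_test_server()
    print("missing path ->", check_http_service("127.0.0.1", port, "/xxxx"))  # 404
    print("closed port  ->", check_http_service("127.0.0.1", free_closed_port()))  # None
```

Run the same probe once from the 10.0.1.x segment and once from outside against the NAT address; if the inside run returns a status code but the outside run returns None, the service is fine and the problem is in the firewall path.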