10-10-2006 08:24 AM - edited 02-21-2020 01:13 AM
Hi All,
I have a Cisco ASA 5510.
I have an NT Server hosting a web server set up to use HTTP port 10300.
How can I configure my pix to allow traffic to this application from other machines in the network?
My NT Server private IP is 10.0.1.25 and I'm able to access it from the other machines in the network, but when I connect to the web application through the url: http:\\<server name>.<domain name>:10300\xxxx
then I receive a "Server Not found error".
I tried multiple configs of the access list / NAT but could not get it to work.
Here is an extract of my current configuration:
ASA Version 7.0(4)
[...]
interface Ethernet0/0
nameif outside
security-level 0
ip address 67.104.112.162 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list outside-in extended permit icmp any any
access-list outside-in extended permit tcp any eq www host 67.104.112.163 eq 10300
access-list SPLIT-TUNNEL extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
[...]
global (outside) 1 interface
nat (outside) 1 192.168.24.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.1.0 255.255.255.0
static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255
static (inside,outside) 67.104.112.164 10.0.1.26 netmask 255.255.255.255
access-group outside-in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 67.104.112.161 1
[...]
http server enable
http 167.1.162.143 255.255.255.255 outside
http 10.0.1.0 255.255.255.0 inside
http 10.0.1.25 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
[...]
I would really appreciate it if you can help me!
Thanks in advance.
10-13-2006 02:25 PM
Hi,
From inside the LAN I ran Yaps which gave me the following results:
Started scan
10.0.1.25:10300
Stopping scan
I assume it means 10300 is configured properly on the server. But in this case, why wouldn't I be able to access it when I type in the url http?
I tried something different with Yaps. I entered the name of the server in the IP address and it returned 10.0.1.6 which is a dynamic IP used by the same server but on a different ethernet card (this server has 3 cards). Could that be the problem?
Thanks
10-13-2006 02:29 PM
For example, the results of Yaps while resolving name are:
Started scan
10.0.1.6:10300 ->
10.0.1.25:10300
Stopping scan
10-14-2006 11:03 AM
Interesting additional info. So, your server actually has 3 NICs, two of which bear 10.0.1.6 and 10.0.1.25.
What's the gateway for each IP?
ip: 10.0.1.6, gw: ??
ip: 10.0.1.25, gw: ??
Do you point both to the inside interface IP (10.0.1.1) as gateway, or only one?
Also, can you run "http://10.0.1.6:10300/" and check what the result looks like? If this is OK, try to eliminate/isolate the problem by disabling/disconnecting the card with the 10.0.1.6 IP, and let it run on 10.0.1.25.
The port scan result shows that HTTP on tcp 10300 was running fine.
10-16-2006 09:50 AM
Hi,
Thanks for your reply.
So I disabled all cards but the one configured as a static IP 10.0.1.25.
I ran:
C:\>ping
Ping request could not find host
C:\>ping 10.0.1.25
Pinging 10.0.1.25 with 32 bytes of data:
Reply from 10.0.1.25: bytes=32 time<1ms TTL=128
The weird thing is that after disabling the 2 NICs on the server, I am not able to connect to the web application from the server itself (which I'm able to do when the NICs are enabled).
So the server name is recognized only for the IP 10.0.1.6. Not sure how this could be changed...
FYI: both IPs use the same default gateway 10.0.1.1
Thanks
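An added example, not part of the original thread: a Python check that lines up the addresses the server name resolves to against the static translations and outside ACL entries quoted in the first post. The function names and the regexes, which cover only the line forms shown in that extract, are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the configuration extract in the first post.
CONFIG = """\
access-list outside-in extended permit icmp any any
access-list outside-in extended permit tcp any eq www host 67.104.112.163 eq 10300
static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255
static (inside,outside) 67.104.112.164 10.0.1.26 netmask 255.255.255.255
"""

# Host (/32) static translations only, as in the extract.
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (\S+) (\S+) netmask 255\.255\.255\.255$", re.M)
# Only the ACL form used in the extract: any source, optional source port, host destination.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit tcp any(?: eq (\S+))? host (\S+) eq (\S+)$", re.M)


def static_translations(config):
    """Map each inside (real) host address to its outside (mapped) address."""
    return {real: mapped for mapped, real in STATIC_RE.findall(config)}


def permits(config, mapped_ip, port):
    """Return (acl_name, source_port) for entries permitting TCP to mapped_ip:port.

    source_port is the qualifier written after the source, or '' if there is none.
    """
    return [(acl, src) for acl, src, dst, dport in ACL_RE.findall(config)
            if dst == mapped_ip and dport == str(port)]


def audit(resolved_addrs, config, port):
    """For every address the server name resolves to, report translation and ACL."""
    statics = static_translations(config)
    report = {}
    for addr in resolved_addrs:
        mapped = statics.get(addr)
        report[addr] = {
            "mapped": mapped,
            "acl": permits(config, mapped, port) if mapped else [],
        }
    return report


if __name__ == "__main__":
    # 10.0.1.6 is what the name resolved to in the thread; 10.0.1.25 is the static NIC.
    for addr, info in audit(["10.0.1.6", "10.0.1.25"], CONFIG, 10300).items():
        print(addr, info)
```

The address the name resolved to in the thread, 10.0.1.6, has no static translation in the extract, while 10.0.1.25 does; the ACL entry for its mapped address is reported together with its source-port qualifier.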