Need help configuring http port on Cisco ASA 5510

sylvainnguyen
Level 1

Hi All,

I have a Cisco ASA 5510.

I have a NT Server hosting a web server setup to use the http port 10300.

How can I configure my PIX to allow traffic to this application from other machines in the network?

My NT Server private IP is 10.0.1.25 and I'm able to access it from the other machines in the network, but when I connect to the web application through the url: http:\\<server name>.<domain name>:10300\xxxx

then I receive a "Server Not found error".

I tried multiple configs of the access list / NAT but could not get it to work.

Here is an extract of my current configuration:

ASA Version 7.0(4)
[...]
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 67.104.112.162 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list outside-in extended permit icmp any any
access-list outside-in extended permit tcp any eq www host 67.104.112.163 eq 10300
access-list SPLIT-TUNNEL extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 192.168.24.0 255.255.255.0
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
[...]
global (outside) 1 interface
nat (outside) 1 192.168.24.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.1.0 255.255.255.0
static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255
static (inside,outside) 67.104.112.164 10.0.1.26 netmask 255.255.255.255
access-group outside-in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 67.104.112.161 1
[...]
http server enable
http 167.1.162.143 255.255.255.255 outside
http 10.0.1.0 255.255.255.0 inside
http 10.0.1.25 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
[...]

I would really appreciate if you can help me!

Thanks in advance.
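Added example, not part of the original post. The access-list line as posted, "permit tcp any eq www host 67.104.112.163 eq 10300", constrains the client's source port to 80; browsers pick an ephemeral source port, so inbound connections from the outside never match that entry. The fragment below, written against the interface names and addresses in the post and assuming nothing else in the running config changes, replaces it with a destination-port-only rule and lists the show commands available on 7.0 to confirm the rule is being hit. It only affects traffic entering on the outside interface: hosts on 10.0.1.0/24 reach 10.0.1.25 on the same subnet without traversing the ASA, so a "Server not found" seen from an inside client cannot be caused by this access-list.

```cisco
! Added example (not the original poster's config): publish TCP/10300 on
! 10.0.1.25 through the static already present, with the ACL corrected.
! Assumed: same interface names, addresses and ACL names as in the post.
!
! Remove the entry that matches only a client SOURCE port of 80 ...
no access-list outside-in extended permit tcp any eq www host 67.104.112.163 eq 10300
! ... and permit any source to the public address on destination port 10300.
access-list outside-in extended permit tcp any host 67.104.112.163 eq 10300
!
! "permit icmp any any" inbound admits every ICMP type; narrowing it to
! echo-reply/unreachable/time-exceeded is the usual hardening step.
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any time-exceeded
no access-list outside-in extended permit icmp any any
!
! Existing static: inbound to 67.104.112.163 is translated to 10.0.1.25.
static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255
! Optional (assumption, only if inside clients resolve the public name to
! 67.104.112.163): add the dns keyword so A records in inspected DNS replies
! are rewritten to 10.0.1.25 for inside hosts.
!   static (inside,outside) 67.104.112.163 10.0.1.25 netmask 255.255.255.255 dns
access-group outside-in in interface outside
!
! Verification from the ASA CLI:
! show access-list outside-in        - hitcnt on the 10300 line should increment
! show xlate                         - confirm 67.104.112.163 <-> 10.0.1.25
! show conn | include 10300          - SYN-only vs established flows
```

Run the show commands while a client on the outside opens http://67.104.112.163:10300/. A rising hit count with no entry in show conn points past the ASA to the server; no hit count at all means the ACL or the static is still wrong. The packet-tracer command is a simpler check but was introduced after 7.0, so it is not listed here.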

18 Replies

Hi,

From inside the LAN I ran Yaps which gave me the following results:

Started scan
10.0.1.25:10300
Stopping scan

I assume it means 10300 is configured properly on the server. But in this case, why wouldn't I be able to access it when I type in the url http?

I tried something different with Yaps. I entered the name of the server in the IP address and it returned 10.0.1.6, which is a dynamic IP used by the same server but on a different Ethernet card (this server has 3 cards). Could that be the problem?

Thanks

For example, the results of Yaps while resolving name are:

Started scan
10.0.1.6:10300 ->
10.0.1.25:10300
Stopping scan

Interesting additional info. So your server actually has 3 NICs, two of which bear 10.0.1.6 and 10.0.1.25.

What's the gateway for each IP:

ip: 10.0.1.6, gw: ??

ip: 10.0.1.25, gw: ??

Do you point both to the inside interface IP (10.0.1.1) as the gateway, or only one?

Also, can you run "http://10.0.1.6:10300/" and check what the result looks like? If this is OK, try to eliminate/isolate the problem by disabling/disconnecting the card with the 10.0.1.6 IP, and let it run on 10.0.1.25.

The port scan result shows that HTTP on TCP 10300 was running fine.
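The isolation steps suggested in the reply above (resolve the name, then try the service port on every address the name maps to) as an added example, not code from the thread or from the Yaps tool: a small Python 3 script to run on a client. The port 10300 and the expected address 10.0.1.25 are taken from the thread; the resolver and prober are injectable so the decision logic can be exercised with constructed inputs, and the script name probe.py in the usage note is an assumption.

```python
"""Added example (not from the thread): name-vs-port diagnosis in code.

Resolves a host name to every IPv4 address it maps to, TCP-probes the service
port on each one, and says whether the failure is DNS (name maps to the wrong
NIC, e.g. 10.0.1.6 instead of 10.0.1.25) or the service/path to it.
"""
import socket
from typing import Callable, Dict, List

SERVICE_PORT = 10300        # port from the thread
EXPECTED_IP = "10.0.1.25"   # the static address the ASA translates to


def resolve_all(name: str,
                getaddrinfo: Callable = socket.getaddrinfo) -> List[str]:
    """Return the unique IPv4 addresses `name` resolves to, in answer order."""
    try:
        infos = getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:          # socket.gaierror is an OSError subclass
        return []
    seen: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        ip = sockaddr[0]
        if ip not in seen:
            seen.append(ip)
    return seen


def tcp_probe(ip: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connect: 'open', 'refused', 'timeout' or 'unreachable'.

    'refused' means a live host with nothing listening; 'timeout' usually
    means a filter or a black-holed route between the client and the host.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def diagnose(name: str, port: int = SERVICE_PORT, expected_ip: str = EXPECTED_IP,
             resolver: Callable[[str], List[str]] = resolve_all,
             prober: Callable[[str, int], str] = tcp_probe) -> Dict[str, object]:
    """Probe every resolved address and flag whether the expected one is among them."""
    addrs = resolver(name)
    results = {ip: prober(ip, port) for ip in addrs}
    return {
        "resolves": bool(addrs),
        "expected_in_answers": expected_ip in addrs,
        "open_on_expected": results.get(expected_ip) == "open",
        "results": results,
    }


def explain(report: Dict[str, object]) -> str:
    """One-line verdict: DNS problem, firewall/server problem, or neither."""
    if not report["resolves"]:
        return "name does not resolve: fix DNS/hosts before touching the firewall"
    if not report["expected_in_answers"]:
        return "name resolves, but not to the expected address: wrong NIC in DNS"
    if not report["open_on_expected"]:
        return "name is right, service port not reachable: check the server and firewall"
    return "name and port are fine"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    rep = diagnose(host)
    for ip, state in rep["results"].items():
        print(f"{ip}:{SERVICE_PORT} -> {state}")
    print(explain(rep))
```

Run it as `python probe.py <server name>` from one of the clients. In the situation described in the thread the output would list only 10.0.1.6 and end with the "wrong NIC in DNS" verdict, which separates the name-resolution problem from anything the ASA does.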

Hi,

Thanks for your reply.

So I disabled all cards but the one configured as a static IP 10.0.1.25.

I ran:

C:\>ping
Ping request could not find host . Please check the name and try again.

C:\>ping 10.0.1.25
Pinging 10.0.1.25 with 32 bytes of data:
Reply from 10.0.1.25: bytes=32 time<1ms TTL=128

The weird thing is that after disabling the 2 NICs on the server, I am not able to connect to the web application from the server itself (which I'm able to do when the NICs are enabled).

So the server name is recognized only for the IP 10.0.1.6. Not sure how this could be changed...

FYI: both IP use the same default gateway 10.0.1.1

Thanks
