04-24-2015 08:52 AM - edited 03-11-2019 10:50 PM
Hi all
Have run into an issue on my ASA 5510.
I have recently added a web server directly into Ethernet port 2 on the ASA. It will be accessed from the internet so, as a result, it is on its own dedicated interface, separate from the internal network. I need this web server to listen on ports 2008-2011 and 1957-1960 to pull down feeds from a remote server configured to send on the same ports. I then need my ASA to be clever enough to forward this particular traffic on to the internal web server. Sounds simple enough, but I'm running into a brick wall with the NAT statements and access rules! If anyone can help, I will post selected config and the results of the packet trace (which show it's almost there!).
Thanks :)
04-24-2015 01:15 PM
Please add these two lines and let me know:
access-list outside_access_in line 1 permit ip any 10.10.100.0 255.255.255.0
access-list HeadEnd line 1 permit ip any 10.10.100.0 255.255.255.0
If it doesn't work, please send me the packet-tracer output again with the command.
04-24-2015 10:36 AM
NAT and access-lists on the ASA depend on the software version. Please post the software version.
04-24-2015 12:02 PM
You have an access-list in the ingress direction on "outside" and in the egress direction on HeadEnd.
You need to allow traffic on both of them to 10.10.100.0/24 from the outside address. Have you verified that the correct access-list is configured?
04-24-2015 01:11 PM
Hi Pranay
I have changed it around but the packet trace still fails at the same point.
Thanks
N
04-24-2015 01:57 PM
That worked! Just need to add the rest of the NAT statements.
Many thanks
04-24-2015 12:13 PM
I think, looking at your configuration, the ACLs applied to the HeadEnd interface are the wrong way round.
So the inbound ACL on that interface is traffic coming from the web server.
The outbound ACL on that interface is traffic going to the web server.
So your source and destination IPs are the wrong way round, as far as I can tell.
Whether you actually need either of the ACLs is debatable.
The inbound ACL would be needed if you either -
1) wanted to allow the web server access to higher-security interfaces, e.g. your inside interface
or
2) wanted to restrict what connections can be initiated from the web server to the outside
and the outbound ACL would be needed if you wanted to limit what traffic is allowed to the web server from interfaces other than the outside, because you already have an ACL on the outside interface.
So I'm not sure you need either, although it's difficult to say.
Most common are inbound ACLs, which you may need depending on the above.
Jon
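As an added illustration of the interface/direction logic above (not Neill's config and not from any reply in this thread), here is one way the outside and HeadEnd pieces can be laid out on an ASA using the 8.3-or-later object/twice-NAT syntax, with the outside ACL scoped to the feed ports from the original post rather than permitting all IP. 10.10.100.10, 203.0.113.10 and INSIDE_NET are placeholders, since the thread never shows the real addresses.

```cisco
! Assumed: ASA 8.3+ NAT syntax; addresses below are placeholders, not from the thread.
object network WEBSRV_REAL
 host 10.10.100.10
object network WEBSRV_MAPPED
 host 203.0.113.10
object network INSIDE_NET
 subnet 192.0.2.0 255.255.255.0
object service FEEDS_2008_2011
 service tcp source range 2008 2011
object service FEEDS_1957_1960
 service tcp source range 1957 1960
!
! Static twice NAT, read from HeadEnd (real) toward outside (mapped).
! In this form the service object's "source" port is the web server's own listening port.
nat (HeadEnd,outside) source static WEBSRV_REAL WEBSRV_MAPPED service FEEDS_2008_2011 FEEDS_2008_2011
nat (HeadEnd,outside) source static WEBSRV_REAL WEBSRV_MAPPED service FEEDS_1957_1960 FEEDS_1957_1960
!
! Ingress on outside: only the eight feed ports, and (8.3+) the ACL names the real,
! untranslated address. This replaces the broader "permit ip any 10.10.100.0 255.255.255.0".
access-list outside_access_in extended permit tcp any object WEBSRV_REAL range 2008 2011
access-list outside_access_in extended permit tcp any object WEBSRV_REAL range 1957 1960
access-group outside_access_in in interface outside
!
! Ingress on HeadEnd = traffic leaving the web server (Jon's point above):
! block it from reaching the inside network, keep outbound internet access.
access-list HeadEnd_access_in extended deny ip object WEBSRV_REAL object INSIDE_NET
access-list HeadEnd_access_in extended permit ip object WEBSRV_REAL any
access-group HeadEnd_access_in in interface HeadEnd
```

With no egress ACL on HeadEnd, inbound traffic to the server is governed solely by outside_access_in and the security levels of the other interfaces; `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 2008` (constructed addresses) walks the NAT and ACL phases in the order the ASA applies them.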
04-24-2015 12:30 PM
Hi Jon
Thanks for taking the time to read my config and reply.
I had intended to restrict access to the web server to only permit access from the outside to 6 ports so maybe I am going overboard with the ACLs. I have an access group applied to the interface as well.
This interface doesn't need access to the inside network at all, just internet access outbound.
The packet trace does indicate an ACL issue so will swap the source & destination round as suggested.
Thanks
Neill
04-24-2015 01:12 PM
Swapped the source and destination around but still no luck :(