Problem configuration ASA 8.2 With HTTP access OUTDOOR

pierredaridan
Level 1

Hello

I have a problem: I want to access my HTTP server in my local network from outside.

192.168.2.42: it is my HTTP server.

195.X.X.X is my internet IP, but it is connected on eth 0/4.

static (DMZ,Orange) 195.X.X.X 192.168.2.42 netmask  255.255.255.255

access-list outside-acl permit tcp any host 195.X.X.X eq 80

access-group outside-acl in int orange

But it's not good. Why?

thanks for your help

15 Replies

"Orange" is your interface with the default-route to the internet?

You can use the packet-tracer to look at what the ASA would do with a packet:

packet-tracer input Orange tcp 1.2.3.4 1234 195.X.X.X 80

Yes

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (DMZ,ORANGE) 195.X.X.X 192.168.2.42 netmask 255.255.255.255

nat-control

  match ip DMZ host 192.168.2.42 ORANGE any

    static translation to 195.X.X.X

    translate_hits = 26, untranslate_hits = 1

Additional Information:

NAT divert to egress interface DMZ

Untranslate 195.X.X.X/0 to 192.168.2.42/0 using netmask 255.255.255.255

That looks good, but half of the packet-tracer output is missing ...

pierredaridan
Level 1

Sorry

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside-acl in interface ORANGE

access-list outside-acl extended permit tcp any host 195.x.x.x eq www

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (DMZ,ORANGE) 195.x.x.x 192.168.2.42 netmask 255.255.255.255

nat-control

  match ip DMZ host 192.168.2.42 ORANGE any

    static translation to 195.x.x.x

    translate_hits = 0, untranslate_hits = 1

Additional Information:

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (DMZ,DMZ) tcp interface www 192.168.2.42 www netmask 255.255.255.255

nat-control

  match tcp DMZ host 192.168.2.42 eq 80 DMZ any

    static translation to 192.168.2.1/80

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2838450, packet dispatched to next module

Result:

input-interface: ORANGE

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

Your ASA says it would allow the connection to the Server. So it's likely that the problem is somewhere else.

Local Firewall on the Server or other devices on the path that filter traffic?
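Reading a packet-tracer output by hand works for nine phases, but a small parser makes it mechanical and, more usefully, points straight at the phase that denies when the verdict is not allow. The script below is an added example (Python, not code from the thread or from Cisco); SAMPLE_TRACE is constructed in the layout of the trace posted above but with the ACL phase set to DROP so there is something to find, and the Drop-reason line at the end is an assumption about how a denied trace is reported.

```python
"""Parse Cisco ASA 'packet-tracer' output and point at the phase that denies.

Added example, not code from the thread.  SAMPLE_TRACE is constructed in the
same layout as the trace posted above, but with the ACL phase set to DROP so
the parser has something to find; the 'Drop-reason' line is an assumption
about how a denied trace ends.
"""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ,ORANGE) 195.X.X.X 192.168.2.42 netmask 255.255.255.255
Additional Information:
NAT divert to egress interface DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside-acl in interface ORANGE
access-list outside-acl extended deny ip any any
Additional Information:

Result:
input-interface: ORANGE
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")


def parse_packet_tracer(text):
    """Return (phases, final): one dict per phase plus the trailing Result block."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"number": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":            # a bare 'Result:' opens the final block
            cur, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip().lower()] = value.strip()
        elif cur is None:
            continue
        elif line.startswith("Type:"):
            cur["type"] = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur["subtype"] = line[8:].strip()
        elif line.startswith("Result:"):
            cur["result"] = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            cur[section].append(line)      # free-form lines belong to the open section
    return phases, final


def summarise(text):
    """Final action plus the first non-ALLOW phase and the config behind it."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"].upper() != "ALLOW"), None)
    return {
        "phases": len(phases),
        "action": final.get("action", ""),
        "path": (final.get("input-interface", ""), final.get("output-interface", "")),
        "drop_phase": drop["number"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_config": drop["config"] if drop else [],
        "drop_reason": final.get("drop-reason", ""),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_TRACE))
```

Run against the trace Pierre posted (all phases ALLOW, Action: allow) the summary reports drop_phase None, which is exactly Karsten's conclusion: the ASA is not where the packet is lost.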

pierredaridan
Level 1

No, I have no other equipment filtering traffic, and my server is a Debian with just Apache.

Have you double-checked the IP config of the server? Default gateway pointing to the ASA? Webserver running?

Yes, I can access my webserver locally.

Can the webserver reach the internet through the ASA?

Hello Pierre,

Adding to what Karsten has told you, can you create some captures:

capture capin interface dmz match tcp any host 192.168.2.42 eq 80

capture caporange interface orange match tcp any host 195.xx.xx.xx eq 80

capture asp type asp-drop all circular-buffer

Then try to connect from the outside world to the 195.xx.xx.xx on port 80. After you have done that please provide me the following information:

Show cap caporange

Show cap capin

Show cap asp | inc 192.168.2.42

Regards,

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello thanks for your help

This capture didn't work:

capture capin interface dmz match tcp any host 192.168.2.42. eq 80

Show cap asp | inc  192.168.2.42

This capture worked:

capture caporange interface orange match tcp any host 195.xx.xx.xx eq 80

   1: 09:13:01.401773 802.1Q vlan#5 P0 195.6.x.x.48991 > 195.X.X.X.80: S 3140373812:3140373812(0) win 8192

   2: 09:13:04.405038 802.1Q vlan#5 P0 195.6.x.x.48991 > 195.X.X.X.80: S 3140373812:3140373812(0) win 8192

   3: 09:13:10.398477 802.1Q vlan#5 P0 195.6.x.x.48991 > 195.X.X.X.80: S 3140373812:3140373812(0) win 8192

   4: 09:13:22.397547 802.1Q vlan#5 P0 195.6.x.x.59070 > 195.X.X.X.80: S 3721082928:3721082928(0) win 8192

   5: 09:13:25.405496 802.1Q vlan#5 P0 195.6.x.x.59070 > 195.X.X.X.80: S 3721082928:3721082928(0) win 8192

   6: 09:13:31.398920 802.1Q vlan#5 P0 195.6.x.x.59070 > 195.X.X.X.80: S 3721082928:3721082928(0) win 8192

But I think I have a problem between my ASA 5505 and my modem:

195.6.x.x > 195.X.X.X.80:

The capture shows that the packets reach the ASA, but no traffic is coming back. If the problem were the connection between modem and ASA, the packets couldn't reach the ASA.

What didn't work with the capture "capin"? And can your server reach the internet through the ASA?
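Karsten's reading of the capture (SYNs arriving, nothing coming back) can be automated over "show capture" output. The script below is an added example, not code from the thread; SAMPLE_CAPTURE is constructed in the same line format as the capture posted above, using TEST-NET addresses in place of the masked ones, and the SYN-ACK reply line is an assumption about how a reply would print, since the thread shows none. It groups packets into flows by endpoint pair and flags flows where the client keeps retransmitting SYNs while the server side stays silent; on an outside-interface capture that means the packets are reaching the ASA and the loss is on the inside path or the server, not between modem and ASA.

```python
"""Group Cisco ASA 'show capture' lines into TCP flows and flag the ones that
never got a reply.

Added example, not code from the thread.  SAMPLE_CAPTURE is a constructed
excerpt in the same line format as the capture posted above (frame number,
timestamp, 802.1Q tag, src.port > dst.port: flags ...), using TEST-NET
addresses instead of the poster's masked ones.  The SYN-ACK line (frame 5) is
an assumption about how a reply would print; the real thread shows none.
"""
import re

SAMPLE_CAPTURE = """\
   1: 09:13:01.401773 802.1Q vlan#5 P0 203.0.113.10.48991 > 198.51.100.5.80: S 3140373812:3140373812(0) win 8192
   2: 09:13:04.405038 802.1Q vlan#5 P0 203.0.113.10.48991 > 198.51.100.5.80: S 3140373812:3140373812(0) win 8192
   3: 09:13:10.398477 802.1Q vlan#5 P0 203.0.113.10.48991 > 198.51.100.5.80: S 3140373812:3140373812(0) win 8192
   4: 09:13:22.397547 802.1Q vlan#5 P0 203.0.113.10.59070 > 198.51.100.5.80: S 3721082928:3721082928(0) win 8192
   5: 09:13:22.398001 802.1Q vlan#5 P0 198.51.100.5.80 > 203.0.113.10.59070: S 2200000000:2200000000(0) ack 3721082929 win 8192
   6: 09:13:22.398500 802.1Q vlan#5 P0 203.0.113.10.59070 > 198.51.100.5.80: . ack 2200000001 win 8192
"""

LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"                       # optional VLAN tag
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)


def parse_capture(text):
    """Turn capture lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "num": int(d["num"]),
            "src": (d["src"], int(d["sport"])),
            "dst": (d["dst"], int(d["dport"])),
            "syn": "S" in d["flags"],
            "ack": " ack " in d["rest"],      # tcpdump-style 'ack N' follows the flags
        })
    return packets


def analyse_flows(packets):
    """Group packets by endpoint pair; the first packet seen defines the client."""
    flows = {}
    for p in packets:
        key = tuple(sorted([p["src"], p["dst"]]))
        f = flows.setdefault(key, {"client": p["src"], "server": p["dst"],
                                   "client_syns": 0, "server_packets": 0, "packets": 0})
        f["packets"] += 1
        if p["src"] == f["client"]:
            if p["syn"] and not p["ack"]:
                f["client_syns"] += 1           # retransmitted SYNs pile up here
        else:
            f["server_packets"] += 1            # anything from the other side counts as a reply
    return flows


def diagnose(text):
    """Return {'client:port->server:port': {client_syns, server_packets, verdict}}."""
    report = {}
    for f in analyse_flows(parse_capture(text)).values():
        name = "%s:%d->%s:%d" % (f["client"] + f["server"])
        if f["server_packets"] == 0 and f["client_syns"] > 0:
            verdict = "no reply"      # SYNs arrive, nothing comes back: look past this interface
        elif f["server_packets"] > 0:
            verdict = "answered"
        else:
            verdict = "unknown"
        report[name] = {"client_syns": f["client_syns"],
                        "server_packets": f["server_packets"],
                        "verdict": verdict}
    return report


if __name__ == "__main__":
    for name, info in diagnose(SAMPLE_CAPTURE).items():
        print(name, info)
```

Feeding it the six lines Pierre posted yields two flows, both "no reply" with three SYNs each; the same script on the "capin" capture, once that one is fixed, shows whether the SYNs are even leaving the DMZ interface towards 192.168.2.42.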

Yes, if I ping www.google.fr from my webserver it succeeds, and a ping from the ASA to my webserver succeeds.

Hello Pierre,

Do the following:

Show cap asp | inc 195.X.X.X and provide us the output you get.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC