11-16-2011 04:23 AM - edited 03-11-2019 02:51 PM
Hello,
I have trouble setting up NAT and an access rule for a web server located in the inside network.
I have an ASA 5505 version 7.2 and it has two active interfaces, inside 192.168.123.0 and outside x.x.x.213.
The web server has IP 192.168.123.11 and it needs to be accessed from outside, IP x.x.x.213.
I have created a static NAT rule with PAT (as an appendix) and access rules from the outside network to the inside interface IP 192.168.123.11 (TCP 80), but no luck.
What am I doing wrong?
11-16-2011 04:51 AM
Hi,
In your ACL you must use the outside interface IP, not the inside IP.
Regards.
Alain
11-16-2011 05:08 AM
Hi,
No help from changing to the outside IP in the access rule.
If I try to browse to our public IP from a local machine (behind the ASA; the web server is in the same subnet behind the ASA also), I can browse it with the local IP but not with the public one (188.x.x.213), and I get this error in syslog:
TCP access denied by ACL from 192.168.123.3/58499 to inside:188.x.x.213/80
11-16-2011 05:49 AM
Hi,
If you want to access the server with the outside IP from inside, there are 2 ways:
- hairpinning
- DNS doctoring
Here is a link for the config: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Regards.
Alain
11-16-2011 09:49 AM
The major problem is that I cannot access the web server from the outside network; syslog does not say anything when I try. VPN is working okay.
11-16-2011 10:19 AM
Hi,
Can you do a packet-tracer for traffic going to the server and post the output?
Regards.
Alain
11-16-2011 11:06 PM
Command:
packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=188.x.x.213, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
11-16-2011 11:52 PM
Hi,
Two problems: the packet tracer should have the public IP as the destination instead of the private one (that is in regards to the packet tracer), and the source port in the ACL configuration should be blank, as the TCP source port is whatever from 1023 up to 65535, so your access list should look like
access-list
Hope it helps.
Mike.
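An added example, not posted by anyone in the thread: an ASA 7.2 (pre-8.3 syntax) fragment showing the pattern Mike describes, with the over-specified ACL beside the corrected one. The ACL name `outside_in`, the use of the outside interface address for the static PAT, and the test client address 203.0.113.5 are assumptions; 188.x.x.213 is the thread's own redacted public address.

```cisco
! Static PAT: map TCP/80 on the outside interface address to the inside web server
static (inside,outside) tcp interface www 192.168.123.11 www netmask 255.255.255.255

! WRONG: a source port ("eq www" right after "any") is specified. Clients use an
! ephemeral source port (above 1023), so almost no real connection matches this
! line and the flow falls through to the implicit deny (acl-drop).
access-list outside_in extended permit tcp any eq www host 188.x.x.213 eq www

! CORRECT: leave the source port unspecified and match only the destination port.
! The destination is the public (mapped) address, not 192.168.123.11, because
! on a pre-8.3 ASA the inbound ACL is matched against the address before un-NAT.
access-list outside_in extended permit tcp any host 188.x.x.213 eq www

! Apply the ACL inbound on the outside interface
access-group outside_in in interface outside

! Verify with the public address as destination and a realistic ephemeral source
! port (203.0.113.5 is a constructed, documentation-range client address)
packet-tracer input outside tcp 203.0.113.5 40000 188.x.x.213 www detailed
```

With the corrected line in place, the ACCESS-LIST phase of the trace should report ALLOW against `outside_in` instead of the "Implicit Rule" drop shown above.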
11-16-2011 11:58 PM
Maykol Rojas,
Changing the access list did the trick, thanks, problem solved.
11-17-2011 12:00 AM
Glad I was able to help
Cheers,
Mike