07-28-2009 12:34 PM - edited 03-11-2019 09:00 AM
I am installing an ASA 5510 in transparent mode; it's behind a Cisco 3745 router that has NAT translation in the configs.
After I set up the ASA 5510, I created access lists for web server access. All traffic inside passes through fine; however, when an outside user tries to access the web site, the page connection will not load.
Do I have to set a NAT rule for outside access? If not, what other suggestions does anyone have?
07-29-2009 11:58 AM
Thanks, your suggestions have worked.
Now I need to clean up the configs and fine tune the box.
Thanks again.
07-30-2009 09:26 AM
Everything worked except DHCP clients cannot access web or mail in-house.
The ranges for each subnet are:
172.21.7.1-172.21.7.254 gw:172.21.4.1
172.21.9.1-172.21.9.254 gw:172.21.8.1
172.21.13.1-172.21.13.254 gw:172.21.12.1
The static ip clients can:
172.21.4.0, 172.21.8.0 and 172.21.12.0
Any suggestions?
07-30-2009 10:28 AM
Can you post the ACL?
07-30-2009 10:44 AM
Here it is:
object-group network internal_group
network-object 172.21.4.0 255.255.252.0
network-object 172.21.8.0 255.255.252.0
network-object 172.21.12.0 255.255.252.0
network-object 172.21.0.0 255.255.252.0
access-list outside_access_in extended permit ip any any
access-list permit extended permit eigrp any host 172.21.0.7
access-list permit extended permit eigrp any host 172.21.0.1
access-list inside extended permit eigrp any any
access-list inside_access_out extended permit ip any any
access-list 112 extended permit tcp any any eq 548
access-list 112 extended permit tcp any any eq domain
access-list 112 extended permit udp any any eq domain
access-list 112 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.78 eq domain
access-list 112 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.78 eq domain
access-list 112 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.78 eq domain
access-list 101 extended permit tcp any any
access-list 120 extended permit tcp any host 172.21.0.78 eq domain
access-list 120 extended permit tcp any host 172.21.0.3 eq domain
access-list 120 extended permit tcp any host 172.21.0.2 eq domain
access-list 125 extended permit tcp any host 172.21.0.9
access-list 125 extended permit tcp any host 172.21.0.11
access-list 125 extended permit tcp any host 172.21.0.5
access-list 110 extended permit udp any any
access-list 111 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.7
access-list 111 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.7
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp
access-list Outside_WWW extended permit udp any host 172.21.0.14 eq isakmp
access-list Outside_WWW extended permit udp any host 172.21.0.14 eq 4500
access-list Outside_WWW extended permit udp any host 172.21.0.14 eq 1701
access-list Outside_WWW extended permit tcp any 172.21.0.0 255.255.255.0 eq nntp
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq https
access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp-data
access-list Outside_WWW extended permit udp any any eq domain
access-list Outside_WWW extended permit tcp any host 172.21.0.8 eq smtp
access-list Outside_WWW extended permit tcp any host 172.21.0.8 eq pop3
access-list Outside_WWW extended permit ip object-group internal_group object-group internal_group
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address 172.21.0.80 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_WWW in interface outside
route outside 0.0.0.0 0.0.0.0 172.21.0.7 1
route inside 172.21.4.0 255.255.252.0 172.21.0.1 1
route inside 172.21.8.0 255.255.252.0 172.21.0.1 1
route inside 172.21.12.0 255.255.252.0 172.21.0.1 1
07-30-2009 10:50 AM
That looks good (nice job on the object-group). When you do a traceroute, where does it stop? Does the router have the routes for the subnets that are not working?
07-30-2009 11:01 AM
I did a traceroute and the trace seems to stop just before the server I trace.
Ping from 172.21.9.173 (DHCP client)
I have traced 172.21.0.2 (webserver), it proceeds to -172.21.8.1- 192.168.1.1 (inside interface to internal router) and stops as it enters the next hop, which would go to 172.21.0.2.
When I take the asa offline, the traceroute makes it to 172.21.0.2.
It is strange that the DHCP clients can go to the web but not access the local web server or access mail.
Do I need to create an access group for the DHCP addresses?
07-30-2009 11:11 AM
I originally thought the ACL was blocking, but it covers them. Can you take a look at the log when you try and hit the web server? You can filter by the source IP.
show log | i 172.21.9.173
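As an added illustration (not part of the thread), this evaluates a flow against a subset of the posted Outside_WWW ACL in the first-match order the ASA uses, with the implicit deny at the end; the flows and the trimmed ACL are constructed from the lines above.

```python
"""First-match evaluator for a subset of the Outside_WWW ACL posted above."""
import ipaddress

# Object-group copied from the posted config, as CIDR networks.
OBJECT_GROUPS = {
    "internal_group": ["172.21.4.0/22", "172.21.8.0/22",
                       "172.21.12.0/22", "172.21.0.0/22"],
}

# Subset of access-list Outside_WWW, in the order it appears, as
# (action, protocol, source, destination, destination_port).
# "any" and object-group names are resolved by expand(); None = any port.
OUTSIDE_WWW = [
    ("permit", "tcp", "any", "172.21.0.2/32", 80),     # eq www
    ("permit", "tcp", "any", "172.21.0.2/32", 25),     # eq smtp
    ("permit", "udp", "any", "172.21.0.14/32", 500),   # eq isakmp
    ("permit", "tcp", "any", "172.21.0.0/24", 119),    # eq nntp
    ("permit", "udp", "any", "any", 53),               # eq domain
    ("permit", "ip", "internal_group", "internal_group", None),
]

def expand(spec):
    """Turn 'any', an object-group name, or a CIDR string into networks."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec in OBJECT_GROUPS:
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[spec]]
    return [ipaddress.ip_network(spec)]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (line_number, action) of the first matching entry, or
    (None, 'deny') when nothing matches and the implicit deny applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, aproto, asrc, adst, aport) in enumerate(acl, start=1):
        if aproto != "ip" and aproto != proto:      # 'ip' matches any protocol
            continue
        if not any(src_ip in net for net in expand(asrc)):
            continue
        if not any(dst_ip in net for net in expand(adst)):
            continue
        if aport is not None and aport != dport:
            continue
        return n, action
    return None, "deny"

if __name__ == "__main__":
    # DHCP client from the thread reaching the web server on port 80.
    print(evaluate(OUTSIDE_WWW, "tcp", "172.21.9.173", "172.21.0.2", 80))  # (1, 'permit')
    # The flow from the %ASA-3-305005 message later in the thread.
    print(evaluate(OUTSIDE_WWW, "udp", "172.21.0.75", "172.21.9.172", 3283))  # (6, 'permit')
```

Both flows are permitted by the object-group line at the latest, which is why a drop for them has to come from something other than the ACL (routing or translation, as the thread goes on to find).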
07-31-2009 08:55 AM
I'm at a loss, I did the show log and the ip, nothing with that ip showed up.
I did show log | ip address. Nothing.
It will not allow access to the web server from DHCP clients or file servers on other subnets, but static clients are ok. Go figure.
I played with NAT and access-lists; is it a routing issue?
07-31-2009 09:15 AM
If you're not seeing any packets hit the outside ACL, then it is most likely a routing issue. Does your router have all the internal subnets?
07-31-2009 09:30 AM
Yes it does, and it works great without the ASA in line.
07-31-2009 09:34 AM
Can you put this entry in?
access-list Outside_WWW extended deny ip any any log
This will replace the explicit deny at the end and log denied connections. Hopefully we'll see something.
07-31-2009 09:59 AM
07-31-2009 10:02 AM
08-03-2009 05:23 AM
I see the following error:
%ASA-3-305005: No translation group found for udp src outside:172.21.0.75/3283 dst inside:172.21.9.172/3283
I thought the firewall was running in transparent mode?
08-03-2009 05:32 AM
I set it for transparent mode.