cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2156
Views
0
Helpful
38
Replies

Transparent mode and web server

opsmaster
Level 1
Level 1

I am installing a ASA 5510 in transparent mode, it's behind a cisco 3745 router that has NAT translation in the configs.

After I set up the ASA 5510, I created access lists for web server access. All traffic inside passes thru fine however, when an outside user tries to access the web site, the page connection will not load.

Do I have to set a NAT rule for outside access? If not what other suggestions does anyone have.

38 Replies 38

Thanks, your suggestions have worked.

Now I need to clean up the configs and fine tune the box.

Thanks again.

everything worked except dhcp clients cannot access web or mail in house.

The ranges for each subnet are:

172.21.7.1-172.21.7.254 gw:172.21.4.1

172.21.9.1-172.21.9.254 gw:172.21.8.1

172.21.13.1-172.21.13.254 gw: 172.21.12.1

The static ip clients can:

172.21.4.0, 172.21.8.0 and 172.21.12.0

any suggestions?

Can you post the ACL?

Here it is:

object-group network internal_group

network-object 172.21.4.0 255.255.252.0

network-object 172.21.8.0 255.255.252.0

network-object 172.21.12.0 255.255.252.0

network-object 172.21.0.0 255.255.252.0

access-list outside_access_in extended permit ip any any

access-list permit extended permit eigrp any host 172.21.0.7

access-list permit extended permit eigrp any host 172.21.0.1

access-list inside extended permit eigrp any any

access-list inside_access_out extended permit ip any any

access-list 112 extended permit tcp any any eq 548

access-list 112 extended permit tcp any any eq domain

access-list 112 extended permit udp any any eq domain

access-list 112 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.78 eq domain

access-list 112 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.78 eq domain

access-list 112 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.78 eq domain

access-list 101 extended permit tcp any any

access-list 120 extended permit tcp any host 172.21.0.78 eq domain

access-list 120 extended permit tcp any host 172.21.0.3 eq domain

access-list 120 extended permit tcp any host 172.21.0.2 eq domain

access-list 125 extended permit tcp any host 172.21.0.9

access-list 125 extended permit tcp any host 172.21.0.11

access-list 125 extended permit tcp any host 172.21.0.5

access-list 110 extended permit udp any any

access-list 111 extended permit tcp 172.21.4.0 255.255.252.0 host 172.21.0.7

access-list 111 extended permit tcp 172.21.8.0 255.255.252.0 host 172.21.0.7

access-list 111 extended permit tcp 172.21.12.0 255.255.252.0 host 172.21.0.7

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq www

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq smtp

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq pop3

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp

access-list Outside_WWW extended permit udp any host 172.21.0.14 eq isakmp

access-list Outside_WWW extended permit udp any host 172.21.0.14 eq 4500

access-list Outside_WWW extended permit udp any host 172.21.0.14 eq 1701

access-list Outside_WWW extended permit tcp any 172.21.0.0 255.255.255.0 eq nntp

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq https

access-list Outside_WWW extended permit tcp any host 172.21.0.2 eq ftp-data

access-list Outside_WWW extended permit udp any any eq domain

access-list Outside_WWW extended permit tcp any host 172.21.0.8 eq smtp

access-list Outside_WWW extended permit tcp any host 172.21.0.8 eq pop3

access-list Outside_WWW extended permit ip object-group internal_group object-group internal_group

pager lines 24

logging enable

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address 172.21.0.80 255.255.252.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group Outside_WWW in interface outside

route outside 0.0.0.0 0.0.0.0 172.21.0.7 1

route inside 172.21.4.0 255.255.252.0 172.21.0.1 1

route inside 172.21.8.0 255.255.252.0 172.21.0.1 1

route inside 172.21.12.0 255.255.252.0 172.21.0.1 1

That looks good (nice job on the object-group). When you do a tracerouter, where does it stop? Does the router of the routes for the subnets that are not working?

I did a traceroute and the trace seems to stop at the before the server I trace.

Ping from 172.21.9.173 (DHCP client)

I have traced 172.21.0.2 (webserver), it proceeds to -172.21.8.1- 192.168.1.1 (inside interface to internal router) and stops as it enters the next hop, which would go to 172.21.0.2.

When I take the asa offline, the traceroute makes it to 172.21.0.2.

It is strange that the dhcp clients can go to the web but not access the local web server or access mail.

Do i need to create an access group for the dhcp addresses?

I originally thought the ACL was blocking, but it covers them. Can you take a look at the log when you try and hit the web server? You can filter by the source IP.

show log | i 172.21.9.173

I'm at a loss, I did the show log and the ip, nothing with that ip showed up.

I did show log | ip addess. Nothing.

It will not allow access to the web server from DHCP clients or file servers on other subnets, but static clients are ok. Go figure.

I played with nat, access-lists, is it a routing issue?

If you're not seeing any packets hit the outside ACL, then it is most likely a routing issue. Does your router have all the internal subnets?

Yes it does and it's works great without the ASA in line.

Can you put this entry in?

access-list Outside_WWW extended deny ip any any log

This will replace the explicit deny at the end and log denied connections. Hopefully we'll see something.

Nothing seen, here is the configs of the router with all networks connected, this is before the ASA, the ASA is connected to the external router with the 172.21.0.7 gateway.

The traceroutes stop at this router with the asa in line.

Here is the show log list.

I see the following error-

%ASA-3-305005: No translation group found for udp src outside:172.21.0.75/3283 dst inside:172.21.9.172/3283

I thought the firewall was running in transparent mode?

I set it for transparent mode.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: