Trying to access web site from behind firewall

davealessi
Level 1

My web server sits behind an ASA 5500. When I access the web site from outside, it works fine. When I try and access it from the server itself, I get an "Internet Explorer cannot display the webpage" error. I can access other web sites, such as Yahoo.com, Google.com, etc.

I have rules set up to restrict/enable incoming traffic, but I don't have any rules set up to "loop back". Can someone tell me how to configure this?

18 Replies

songl
Cisco Employee

Maybe you can use DNS doctoring to avoid this issue, as below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

SongL

I am having trouble understanding the article. First, I don't have a DMZ defined. When I add a static NAT rule, DNS is not an option. How do I set this up?

My inside addresses are 10.1.1.50 and 10.1.1.40, two web servers on a server farm. They use virtual IPs for network address translation (NLM). What do the commands (excerpted from the article) below do?

Hi Dave,

What version of IOS are you running? If it's any version below 8.2, just use the following command to enable hairpinning for that NAT IP:

asa(config)#static (inside,inside) public_ip Virtual_ip netmask 255.255.255.255

Let me know if you are using 8.3 or above, as the commands change with those versions.

Manish

This is an ASA 5505. The ASA version is 7.2(4). The ASDM version is 5.2(4). I don't know what the IOS is, or how to find the version.

Yeah, just try the following command and it will create a hairpin for your static NAT.

If you have:

asa(config)#static (inside,outside) public_ip Virtual_ip netmask 255.255.255.255

then you also need the following command; this is to avoid the firewall thinking it's an IP spoof attack from inside:

asa(config)#static (inside,inside) public_ip Virtual_ip netmask 255.255.255.255

This is the easy way; otherwise DNS doctoring is also a correct response to your problem.

You should be seeing logs for IP spoof denied, if it is because of hairpinning.

Manish

I am a rookie at this.

I entered:

asa(config)#Static (inside, inside) xxx.xxx.249.197 192.168.1.101 netmask 255.255.255.255 (xxx is masked out)

It gets an error on the third node of the netmask.

My VLAN is configured as 192.168.1.1 255.255.255.0

I also tried:

asa(config)#Static (inside, inside) xxx.xxx.249.197 192.168.1.101 netmask 255.255.255.0

I am just guessing here.

What now?

Do I need to enter the "If you have..." command?

Hi,

Would you please paste the config? Feel free to put x on the IPs if you want.

Mike.

Mike

Please tell me the command to use to dump it.

manish arora
Level 6

Hi ,

Please post the NAT configuration as requested earlier; it makes life easier, as everyone can pinpoint the change then.

Manish

Hi Dave

asa# sh run

Copy and paste the NAT config.

Manish

The "asa# sh run" did not work. I found "show running config", which worked. See below (sanitized).

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.249.205 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service TerminalServices tcp
port-object eq 3389
object-group network NormalGroup
network-object host 192.168.1.100
network-object host 192.168.1.101
network-object host 192.168.1.102
network-object host 192.168.1.103
network-object host 192.168.1.104
network-object host 192.168.1.106
network-object host 192.168.1.109
network-object host 192.168.1.110
network-object host 192.168.1.111
network-object host 192.168.1.112
network-object host 192.168.1.113
network-object host 192.168.1.114
network-object host 192.168.1.115
object-group network SecureGroup
description Used for secure https
network-object host xxx.xxx.235.1
network-object host xxx.xxx.235.2
network-object host xxx.xxx.235.3
network-object host xxx.xxx.235.4
network-object host xxx.xxx.235.5
network-object host xxx.xxx.235.6
network-object host xxx.xxx.235.7
object-group service HttpGroup tcp
port-object eq 1080
port-object eq 2080
port-object eq www
object-group service SecureSiteGroup tcp
description Used for secure sites
port-object eq 1443
port-object eq 2443
port-object eq https
object-group service FTPGroup tcp
description FTP Ports
port-object eq ftp
port-object eq ftp-data
access-list outside_access_in remark SMTP (Mail) to Superglide or Ultraglide
access-list outside_access_in extended permit tcp any host xxx.xxx.249.200 eq smtp
access-list outside_access_in remark Terminal Services to Superglide
access-list outside_access_in extended permit tcp any host xxx.xxx.249.201 object-group TerminalServices
access-list outside_access_in remark Terminal Services Deuce
access-list outside_access_in extended permit tcp any host xxx.xxx.249.202 object-group TerminalServices
access-list outside_access_in remark Terminal Services FatBoy
access-list outside_access_in extended permit tcp any host xxx.xxx.249.203 object-group TerminalServices
access-list outside_access_in remark Terminal Services UltraGlide
access-list outside_access_in extended permit tcp any host xxx.xxx.249.204 object-group TerminalServices
access-list outside_access_in remark Terminal Services WideGlide
access-list outside_access_in extended permit tcp any host xxx.xxx.249.206 object-group TerminalServices
access-list outside_access_in remark Marketing sites http
access-list outside_access_in extended permit tcp any host xxx.xxx.249.196 object-group HttpGroup
access-list outside_access_in remark Customer sites - Http
access-list outside_access_in extended permit tcp any host xxx.xxx.249.197 object-group HttpGroup
access-list outside_access_in remark Http
access-list outside_access_in extended permit tcp any host xxx.xxx.249.198 object-group HttpGroup
access-list outside_access_in remark Personal sites - Http
access-list outside_access_in extended permit tcp any host xxx.xxx.249.199 object-group HttpGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.1 object-group SecureSiteGroup
access-list outside_access_in remark https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.2 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.3 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.4 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.5 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.6 object-group SecureSiteGroup
access-list outside_access_in remark Https
access-list outside_access_in extended permit tcp any host xxx.xxx.235.7 object-group SecureSiteGroup
access-list outside_access_in remark FTP Ports for Wideglide
access-list outside_access_in extended permit tcp any host xxx.xxx.235.13 object-group FTPGroup
access-list outside_access_in remark FTP Ports for Superglide or Ultraglide
access-list outside_access_in extended permit tcp any host xxx.xxx.235.14 object-group FTPGroup
access-list outside_access_in remark Used to access ultraglide
access-list outside_access_in extended permit tcp any host xxx.xxx.235.10 eq www
access-list outside_access_in remark used to access superglide
access-list outside_access_in extended permit tcp any host xxx.xxx.235.11 eq www
access-list Mail extended permit tcp any any eq smtp
access-list Nat1 extended permit tcp host 192.168.1.40 eq 1080 any
access-list Nat2 extended permit tcp host 192.168.1.40 eq 1080 any
access-list Nat3 extended permit tcp host 192.168.1.50 eq 2080 any
access-list Nat4 remark 1
access-list Nat4 extended permit tcp host 192.168.1.50 eq 2080 any
access-list Nat5 extended permit tcp host 192.168.1.40 eq 1080 any
access-list Nat6 extended permit tcp host 192.168.1.50 eq 2080 any
pager lines 24
logging enable
logging asdm informational
logging from-address ciscorouter@xxx.com
logging recipient-address xxx@xxx.com level errors
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 199 xxx.xxx.249.200
nat (inside) 199 access-list Mail
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.249.202 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.206 3389 192.168.1.20 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.203 3389 192.168.1.30 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.201 3389 192.168.1.40 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.204 3389 192.168.1.50 3389 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.13 ftp 192.168.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.200 smtp 192.168.1.119 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.14 ftp 192.168.1.120 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.14 ftp-data 192.168.1.120 ftp-data netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.196 www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.197 www 192.168.1.101 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.198 www 192.168.1.102 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.199 www 192.168.1.103 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.1 https 192.168.1.109 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.2 https 192.168.1.110 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.3 https 192.168.1.111 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.4 https 192.168.1.112 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.5 https 192.168.1.113 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.6 https 192.168.1.114 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.7 https 192.168.1.115 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.10 www 192.168.1.50 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.11 www 192.168.1.40 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.197 1080 access-list Nat1
static (inside,outside) tcp xxx.xxx.249.198 1080 access-list Nat2
static (inside,outside) tcp xxx.xxx.249.198 2080 access-list Nat4
static (inside,outside) tcp xxx.xxx.249.197 2080 access-list Nat3
static (inside,outside) tcp xxx.xxx.249.199 1080 access-list Nat5
static (inside,outside) tcp xxx.xxx.249.199 2080 access-list Nat6
static (outside,inside) 192.168.1.50 xxx.xxx.249.200 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.249.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.9 inside
dhcpd dns xxx.xxx.64.152 xxx.xxx.80.152 interface inside
dhcpd enable inside
!
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect esmtp
inspect ftp
inspect icmp
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:aedfcfd3e2b136d6199a9a193da8f125
: end

Hi Dave,

Let's take this one for example:

static (inside,outside) tcp xxx.xxx.235.3 https 192.168.1.111 https netmask 255.255.255.255

Do the following:

static (inside,inside) tcp xxx.xxx.235.3 https 192.168.1.111 https netmask 255.255.255.255

global (inside) 1 interface

same-security-traffic permit intra-interface

Mike
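Pulling Manish's and Mike's advice together, here is the complete hairpin configuration for one of the static PAT entries already in the posted config (the xxx.xxx.249.197 web server at 192.168.1.101), in ASA 7.2 syntax. This is an added example, not a command set from the thread; the xxx.xxx prefix is the same masked public range the poster used.

```cisco
! Added example (not from the thread): ASA 7.2(4) hairpin for an existing
! static PAT entry in the posted config. The xxx.xxx prefix is the same
! masked public range as on the page.
!
! Existing outside-facing entry (already in the running config):
static (inside,outside) tcp xxx.xxx.249.197 www 192.168.1.101 www netmask 255.255.255.255
!
! 1. Allow traffic to enter and leave the same interface (off by default).
same-security-traffic permit intra-interface
!
! 2. Translate the public address back to the server for connections that
!    arrive on the inside interface. Same form as the outside entry: the
!    tcp keyword and BOTH ports are required, and the mapped (public)
!    address comes before the real (private) one.
static (inside,inside) tcp xxx.xxx.249.197 www 192.168.1.101 www netmask 255.255.255.255
!
! 3. PAT the inside client's source address to the ASA inside interface
!    (192.168.1.1) so the server's reply goes back through the ASA rather
!    than directly to the client. The existing "nat (inside) 1 0.0.0.0 0.0.0.0"
!    already covers the inside hosts, so only this global is new.
global (inside) 1 interface
!
! Checks after applying, from an inside host browsing to xxx.xxx.249.197:
!   show xlate     - expect a translation for 192.168.1.101 port 80
!   show conn      - expect the hairpinned connection
!   show logging   - the "Deny IP spoof" messages Manish mentions
!                    (%ASA-2-106016) should no longer appear
```

Because of step 3 the web server's access logs will show 192.168.1.1 as the client for every hairpinned request, which matters if those logs are used for auditing. For a server with several addresses (as in the last post), the real address in the (inside,inside) entry must be the same one the (inside,outside) entry already points at.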

Mike

Here is what I get... What do I make of this? (I hid the IP address with xxx.)

Result of the command: "static (inside,inside) xxx.xxx.249.197 192.168.1.101 http netmask 255.255.255.255"

static (inside,inside) xxx.xxx.249.197 192.168.1.101 http netmask 255.255.255.255 ^

ERROR: % Invalid input detected at '^' marker.

There is no ^ marker!

Sorry. Having lots of trouble getting this to work through command line.

Result of the command: "static (inside,inside) tcp xxx.xxx.249.197 192.168.1.50 http netmask 255.255.255.255"

static (inside,inside) tcp xxx.xxx.249.197 192.168.1.50 http netmask 255.255.255 ^.255

ERROR: % Invalid Hostname

I think I was able to get this configured through the GUI. Still not working though. The server (behind the firewall) has multiple IPs that it responds to. I am not certain which IP is used for outgoing traffic. I assume it is the first one in the list, so that is the one I configured.
