Unable To HTTP Inside ASA From Outside

m_schmidt1
Level 1

I’ve got an ASA5505 Software Version 9.2(4)20. (Running Config attached). For my lab topology I’ve set it up with two laptops, one laptop connected to the outside and one connected to the inside. The outside laptop IP address is 192.168.0.10 and the inside laptop IP address is 10.0.0.10. My aim is to allow the outside to HTTP into the inside (the inside laptop is a web server). I’ve tried using the following commands to get this to happen but it doesn’t work:

access-list http-in extended permit tcp host 192.168.0.10 host 10.0.0.10 eq www
access-group http-in in interface outside

What am I doing wrong?

4 Replies

johnd2310
Level 8

Hi,

If you are not using NAT, then remove the NAT statements below:

object network obj_any
nat (inside,outside) dynamic interface

Thanks

John

**Please rate posts you find helpful**

denilson.mota
Level 1

Have you tried using these commands?

http server enable
http 192.168.0.10 255.255.255.0 outside

Enable the ACL between these hosts, and also enable the traffic from the lower security level to the higher security level.

Hope this helps, and don't forget to rate the correct answer and the helpful posts.

Cheers

 

Ajay Saini
Level 7

Hello,

Please attach the packet-tracer output:

packet-tracer input outside match tcp host 192.168.0.10 3344 10.0.0.10 80 det

For reference:

https://supportforums.cisco.com/t5/security-documents/troubleshooting-access-problems-using-packet-tracer/ta-p/3114976

Also, when trying to access the inside host from the outside host, collect and attach the logs.

-

AJ

mls577
Level 1

You'll need to handle two things: an ACL and a NAT rule. You'll need an ACL because you're going from an untrusted zone (outside, security level 0) to a trusted zone (inside, security level 100). You'll need the NAT because you have PAT set up right now.

First, for simplicity, let's also create an object. I'll call mine Web-Server and create it using the following:

object network Web-Server
host 10.0.0.10

Create a NAT rule; there are a few ways you can accomplish this. Since we already have the object defined, we might as well take advantage of it by using auto NAT (object NAT). While still in the object network configuration, you can add a NAT statement for this. If you have already exited it, just do the below:

object network Web-Server
host 10.0.0.10
nat (inside,outside) static interface service tcp 80 80

This NAT rule says that when someone from the outside accesses the outside interface's IP address (192.168.0.1) on port 80, translate that to 10.0.0.10 port 80.

Create an ACL/ACE; name it whatever you want. I'd probably not call it http-in as you did, because you'll likely be using this for more than that in the future and you want to establish good practice here. Use something more descriptive like outside_access_in.

access-list outside_access_in extended permit tcp any object Web-Server eq http

This ACE will allow anyone (notice the any statement) from the outside interface to access the web server on port 80 (http).

Assign that ACL to an interface, in our case outside:

access-group outside_access_in in interface outside

That should be about it. In this example you create an ACL and ACE for the public server.

I hope this helps.
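The procedure above, pulled together as one complete configuration plus the checks you would run afterwards. This is an added example and is not from the thread or from any poster; it assumes the interface names and host addresses given in the question, and takes 192.168.0.1 as the outside interface address from the reply above (the attached running config is not reproduced on this page). The ACE is narrowed to the single outside host the question asked about rather than `any`.

```cisco
! Added example (not from the original thread): publish 10.0.0.10:80 on the
! ASA's outside interface address. Assumes nameif "inside"/"outside" and the
! addresses from the question; 192.168.0.1 is assumed to be the outside IP.
!
! 1. Real host object with object (auto) NAT.
!    Static object-NAT rules are ordered ahead of the existing
!    "obj_any ... dynamic interface" PAT rule in NAT section 2, so the two
!    coexist: inbound 192.168.0.1:80 un-NATs to 10.0.0.10:80, outbound
!    traffic from other inside hosts still PATs to the interface address.
object network Web-Server
 host 10.0.0.10
 nat (inside,outside) static interface service tcp www www
!
! 2. Inbound ACL. From ASA 8.3 onward the ACL is evaluated against the REAL
!    (untranslated) destination, so it names the object, not 192.168.0.1.
!    Source is restricted to the lab client as the question intended;
!    widen to "any" only if the server is genuinely meant to be public.
access-list outside_access_in extended permit tcp host 192.168.0.10 object Web-Server eq www
!
! 3. Bind the ACL inbound on the outside interface.
access-group outside_access_in in interface outside
!
! Verification (enable mode):
!   show nat detail
!       - the static rule for Web-Server; untranslate_hits should increment
!         each time the outside laptop connects
!   show access-list outside_access_in
!       - hitcnt on the ACE increments on each attempt
!   show xlate
!       - an entry for 10.0.0.10/80 <-> 192.168.0.1/80 while a session is up
!   packet-tracer input outside tcp 192.168.0.10 3344 192.168.0.1 80 detailed
!       - note the destination is the OUTSIDE interface address (what the
!         outside laptop actually connects to); the UN-NAT phase should show
!         10.0.0.10 and the result should be ALLOW
```

If the packet-tracer run shows DROP, the phase it stops in tells you which of the two pieces is wrong: a drop in the ACCESS-LIST phase means the ACE or its interface binding, a drop or missing UN-NAT phase means the object NAT rule (or that you traced to 10.0.0.10 instead of the mapped address).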
