01-09-2018 03:16 PM - edited 02-21-2020 07:06 AM
I’ve got an ASA5505 Software Version 9.2(4)20. (Running Config attached). For my lab topology I’ve set it up with two laptops, one laptop connected to the outside and one connected to the inside. The outside laptop IP address is 192.168.0.10 and the inside laptop IP address is 10.0.0.10. My aim is to allow the outside to HTTP into the inside (the inside laptop is a web server). I’ve tried using the following commands to get this to happen but it doesn’t work:
access-list http-in extended permit tcp host 192.168.0.10 host 10.0.0.10 eq www
access-group http-in in interface outside
What am I doing wrong?
01-09-2018 04:02 PM
Hi,
If you are not using NAT, then remove the NAT statements below:
object network obj_any
nat (inside,outside) dynamic interface
Thanks
John
01-09-2018 11:44 PM
Have you tried using these commands:
http server enable
http 192.168.0.10 255.255.255.0 Outside
Enable the ACL between these hosts and also enable the traffic from the lower security level to the higher security level.
Hope this helps, and don't forget to rate the correct answer and the helpful post.
Cheers
01-10-2018 12:22 AM
Hello,
Please attach the packet-tracer output:
packet-tracer input outside match tcp host 192.168.0.10 3344 10.0.0.10 80 det
For reference:
Also, when trying to access the inside host from outside host, collect and attach the logs.
-
AJ
01-10-2018 02:30 PM
You'll need to handle two things, an ACL and a NAT. You'll need an ACL because you're going from an untrusted zone (outside, security level 0) to a trusted zone (inside, security level 100). You'll need the NAT because you have PAT set up right now.
First, for simplicity, let's also create an object. I'll call mine Web-Server and create it using the following:
object network Web-Server
host 10.0.0.10
Create a NAT; there are a few ways you can accomplish this. Since we already have the object defined, we might as well take advantage of it by using auto NAT (object NAT). While still in the object network configuration, you can add a NAT statement for this. If you have already exited it, just do the below:
object network Web-Server
host 10.0.0.10
nat (inside,outside) static interface service tcp 80 80
This NAT says that when someone from the outside accesses the outside interface's IP address (192.168.0.1) on port 80, translate that to 10.0.0.10 port 80.
Create an ACL/ACE, and name it whatever you want. I'd probably not call it http-in as you did, because you'll likely be using this for more than that in the future and you want to have a good practice for this. Use something more descriptive like outside_access_in.
access-list outside_access_in extended permit tcp any object Web-Server eq http
This ACE will allow anyone (notice the any statement) from the outside interface to access the web server on port 80 (http).
Assign that ACL to an interface, in our case outside:
access-group outside_access_in in interface outside
That should be about it. In this example you created an ACL and ACE for the public server.
I hope this helps.
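As an added illustration (not from the thread and not Cisco code), the following Python model shows the ASA 8.3+ order of operations that the fix above relies on: an inbound connection is un-NATted first, and the interface ACL is then evaluated against the real (untranslated) destination, which is why the ACE references the object holding 10.0.0.10 rather than the mapped interface address. It assumes the outside interface address 192.168.0.1 quoted above; the three scenarios and the drop labels are constructed for the example and are not the ASA's own packet-tracer strings.

```python
"""Minimal model of ASA 8.3+ inbound processing for an outside-initiated TCP
connection: un-NAT first, then the inbound ACL on the REAL destination.
Added example for this thread; constructed, not Cisco code."""
from dataclasses import dataclass, field

OUTSIDE_IF_IP = "192.168.0.1"   # outside interface address named in the thread
WEB_SERVER = "10.0.0.10"        # real address of the inside web server


@dataclass
class StaticNat:
    """object NAT: nat (inside,outside) static interface service tcp <real> <mapped>"""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass
class Ace:
    """One ACE: permit/deny tcp <src> <dst> eq <port>; 'any' matches everything."""
    action: str
    src: str
    dst: str
    dport: int

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self.src in ("any", src_ip)
                and self.dst in ("any", dst_ip)
                and self.dport == dport)


@dataclass
class Asa:
    static_nats: list = field(default_factory=list)
    outside_in_acl: list = field(default_factory=list)  # access-group ... in interface outside

    def untranslate(self, dst_ip: str, dport: int):
        """Mapped-to-real lookup for a connection arriving on outside."""
        for n in self.static_nats:
            if (n.mapped_ip, n.mapped_port) == (dst_ip, dport):
                return n.real_ip, n.real_port
        return None

    def acl_lookup(self, src_ip: str, real_dst: str, dport: int) -> str:
        """First matching ACE wins; every ACL ends with an implicit deny."""
        for ace in self.outside_in_acl:
            if ace.matches(src_ip, real_dst, dport):
                return ace.action
        return "deny"

    def trace(self, src_ip: str, dst_ip: str, dport: int) -> dict:
        """Rough analogue of 'packet-tracer input outside tcp ... det' (constructed labels)."""
        steps = []
        hit = self.untranslate(dst_ip, dport)
        if hit:
            real_dst, real_port = hit
            steps.append(f"UN-NAT {dst_ip}:{dport} -> {real_dst}:{real_port}")
        elif dst_ip == OUTSIDE_IF_IP:
            # Addressed to the firewall's own interface and nothing translates it:
            # there is no through-the-box flow to build, so the packet is dropped.
            steps.append("no NAT match; packet is to the ASA's own address")
            return {"result": "DROP", "reason": "no-translation", "steps": steps}
        else:
            real_dst, real_port = dst_ip, dport   # no NAT match: routed as-is
            steps.append("no NAT match; routed untranslated")
        verdict = self.acl_lookup(src_ip, real_dst, real_port)
        steps.append(f"ACL on real dst {real_dst}:{real_port}: {verdict}")
        if verdict != "permit":
            return {"result": "DROP", "reason": "acl-drop", "steps": steps}
        return {"result": "ALLOW", "reason": "", "steps": steps, "real_dst": real_dst}


def scenario_pat_only() -> str:
    """Dynamic PAT only: outside host hits the interface address, nothing un-NATs it."""
    asa = Asa(outside_in_acl=[Ace("permit", "192.168.0.10", WEB_SERVER, 80)])
    return asa.trace("192.168.0.10", OUTSIDE_IF_IP, 80)["result"]


def scenario_fixed() -> str:
    """The fix above: static object NAT plus an ACE against the real address."""
    asa = Asa(static_nats=[StaticNat(WEB_SERVER, 80, OUTSIDE_IF_IP, 80)],
              outside_in_acl=[Ace("permit", "any", WEB_SERVER, 80)])
    return asa.trace("192.168.0.10", OUTSIDE_IF_IP, 80)["result"]


def scenario_mapped_ip_in_acl() -> str:
    """Pre-8.3 habit: ACE written against the mapped address never matches on 8.3+."""
    asa = Asa(static_nats=[StaticNat(WEB_SERVER, 80, OUTSIDE_IF_IP, 80)],
              outside_in_acl=[Ace("permit", "any", OUTSIDE_IF_IP, 80)])
    return asa.trace("192.168.0.10", OUTSIDE_IF_IP, 80)["result"]


if __name__ == "__main__":
    for name, fn in [("PAT only", scenario_pat_only), ("fixed", scenario_fixed),
                     ("mapped IP in ACE", scenario_mapped_ip_in_acl)]:
        print(f"{name:18s} -> {fn()}")
```

The third scenario is the one worth remembering when migrating configurations: the ACE is bound to the outside interface, but since ASA 8.3 it is matched against 10.0.0.10, not 192.168.0.1, so an ACE written against the mapped address silently falls through to the implicit deny.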