01-26-2008 01:50 PM - edited 03-11-2019 04:54 AM
I'm trying to get www, https, svn (3690), and ssh from one of my inside networks to get outside access, but this isn't working for me yet. Can anyone provide some insight as to what I've got wrong on my 5510 configuration? I'm sure it's probably my statics, but I'm having trouble with those.
---
name 192.168.3.0 DEV_NET
name 199.199.xxx.14 MY_WAN_IP
interface Ethernet0/0
nameif outside
security-level 0
ip address MY_WAN_IP 255.255.255.0
interface Ethernet0/3
nameif development
security-level 80
ip address 192.168.3.1 255.255.255.0
object-group service ALL_SERVICES tcp
port-object eq www
port-object eq https
port-object eq 3690
port-object eq ssh
access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES
global (outside) 1 interface
nat (development) 1 DEV_NET 255.255.255.0
static (development,dmz) DEV_NET DEV_NET netmask 255.255.255.0
access-group ALL_ACCESS in interface outside
access-group ALL_ACCESS out interface outside
access-group ALL_ACCESS in interface development
access-group ALL_ACCESS out interface development
route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1
01-26-2008 02:58 PM
What is the IP address that you are trying to access through the ASA? I see that you have PATting to the outside interface for DEV_NET when going to the outside interface and also have access-group applied in/out on both the interfaces. Can you remove the access-group and see if you are able to access the web, ssh, etc.?
Since you have access-group in/out, look at the traffic flow and define different ACLs accordingly. For example, when you initiate a TCP connection from inside, the source port would be a randomly generated port while the destination is 80, and the return traffic will have source port 80 and destination of the port that you used. So, I would remove the ACL and give it a shot.
Regards,
Lisa
01-28-2008 09:37 AM
I guess I'm not following here. I want to have the traffic of ALL_SERVICES accessible from the outside as well as use them from the inside, so that's why I put it on both interfaces in both directions.
I made a small change, so the following is what I'm working with...
name 192.168.3.0 DEV_NET
name 199.199.xxx.14 MY_WAN_IP
interface Ethernet0/0
nameif outside
security-level 0
ip address MY_WAN_IP 255.255.255.0
interface Ethernet0/3
nameif development
security-level 80
ip address 192.168.3.1 255.255.255.0
object-group service ALL_SERVICES tcp
port-object eq www
port-object eq https
port-object eq 3690
port-object eq ssh
access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES
nat-control
global (outside) 1 interface
nat (development) 1 DEV_NET 255.255.255.0
static (development,outside) DEV_NET DEV_NET netmask 255.255.255.0
access-group ALL_ACCESS in interface outside
access-group ALL_ACCESS out interface outside
access-group ALL_ACCESS in interface development
access-group ALL_ACCESS out interface development
route outside 0.0.0.0 0.0.0.0 199.199.xxx.1 1
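As an added illustration (my own script, not from either post and not a Cisco tool), a small Python linter that parses the pre-8.3 style nameif, nat, static and access-group lines from the configurations above and flags the constructs discussed in the thread: a static or access-group naming an interface that has no nameif (the dmz in the first config), an identity static for a network that also has a dynamic nat entry (the static takes precedence, so that network leaves the outside interface untranslated), and one ACL applied in both directions on the same interface. SAMPLE_CONFIG is a constructed excerpt of the second configuration.

```python
import re

# Constructed excerpt modelled on the second configuration in the thread (not a full config).
SAMPLE_CONFIG = """\
nameif outside
nameif development
global (outside) 1 interface
nat (development) 1 DEV_NET 255.255.255.0
static (development,outside) DEV_NET DEV_NET netmask 255.255.255.0
access-group ALL_ACCESS in interface outside
access-group ALL_ACCESS out interface outside
"""

def lint_asa_config(config):
    """Return findings for the pre-8.3 NAT and access-group constructs used in the thread."""
    nameifs, nat_entries, statics, groups = set(), set(), [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameifs.add(m.group(1))
        elif m := re.match(r"nat \((\S+)\) \d+ (\S+) \S+", line):
            nat_entries.add((m.group(1), m.group(2)))   # (real interface, real network)
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            statics.append(m.groups())                  # (real if, mapped if, mapped, real)
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            groups.append(m.groups())                   # (acl, direction, interface)
    findings = []
    for real_if, mapped_if, mapped, real in statics:
        for name in (real_if, mapped_if):
            if name not in nameifs:
                findings.append(f"static ({real_if},{mapped_if}): no interface is named '{name}'")
        if mapped == real and (real_if, real) in nat_entries:   # identity static beats nat/global
            findings.append(f"identity static for {real} on ({real_if},{mapped_if}) overrides "
                            f"nat ({real_if}) for the same network; it leaves {mapped_if} untranslated")
    seen = set()
    for acl, direction, iface in groups:
        if iface not in nameifs:
            findings.append(f"access-group {acl} {direction}: no interface is named '{iface}'")
        other = "out" if direction == "in" else "in"
        if (acl, other, iface) in groups and (acl, iface) not in seen:
            seen.add((acl, iface))
            findings.append(f"access-group {acl}: same ACL applied in both directions on '{iface}'")
    return findings

if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print("-", finding)
```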