03-09-2013 11:55 AM - edited 03-11-2019 06:11 PM
I have a web server behind my 5505 that I'd like to access from the outside of the 5505 (still within my home network though). It's running on port 3000. I made the changes but I have been unable to access my server from the outside. I do have an Airport Extreme in front of the 5505 and the 5505 is getting its address via DHCP from the Airport. So I'm trying to hit 192.168.2.57:3000 from my wireless Airport network.
Any help much appreciated.
[code]
genesis# sh running-config
: Saved
:
ASA Version 8.4(4)1
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Wired Network
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description Outside to Airport Extreme
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description Currently Not in Use
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
banner motd
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network WEBSERVER
host 192.168.1.11
access-list ACL_IN extended permit ip any any
access-list WAN_IN extended permit udp any eq domain any
access-list outside_access_in extended permit tcp any object WEBSERVER eq 3000
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm informational
logging host inside 192.168.1.11
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (dmz,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network WEBSERVER
nat (inside,outside) static interface service tcp 3000 3000
access-group ACL_IN out interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx
dhcpd lease 43200
!
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 24.56.178.140 source inside
webvpn
username me password QHdasgr35fa2Dvc7c encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:ad9282b0e2f32e0dad23cc8b2341d5c8
: end
[/code]
03-09-2013 12:01 PM
Hi,
You don't at least have an ACL on the "outside" interface permitting the traffic. You have created the ACL but not attached it to an interface:
[code]
access-group outside_access_in in interface outside
[/code]
Other than that, the configuration seems fine regarding this server's firewall rules.
- Jouni
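An ACL that is defined but bound to no interface, the point made above, is easy to overlook in a long running-config. The script below is an added example (not from the thread) that cross-checks `access-list` names against `access-group` bindings; its sample input is an excerpt of the config posted above, and the ACL names used there are the only assumptions.

```python
import re

# Excerpt of the first running-config posted above: the three access-lists
# and the single access-group that was present at that point.
RUNNING_CONFIG = """\
access-list ACL_IN extended permit ip any any
access-list WAN_IN extended permit udp any eq domain any
access-list outside_access_in extended permit tcp any object WEBSERVER eq 3000
access-group ACL_IN out interface inside
"""

# "access-list <name> ..." defines (or extends) an ACL; the name is the second token.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s")
# "access-group <name> in|out interface <ifname>" binds an ACL to an interface.
ACG_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def acl_binding_report(config: str) -> dict:
    """Cross-check access-list definitions against access-group bindings.

    Returns the ACL names that are defined, the (direction, interface) of each
    bound ACL, ACLs that are defined but never applied, and access-group lines
    that reference an ACL with no definition.
    """
    defined, bound = set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = ACG_RE.match(line)
        if m:
            bound[m.group(1)] = (m.group(2), m.group(3))
    return {
        "defined": sorted(defined),
        "bound": bound,
        "unapplied": sorted(defined - set(bound)),
        "dangling": sorted(set(bound) - defined),
    }


if __name__ == "__main__":
    fixed = RUNNING_CONFIG + "access-group outside_access_in in interface outside\n"
    for label, cfg in (("as posted", RUNNING_CONFIG), ("after the access-group fix", fixed)):
        report = acl_binding_report(cfg)
        print(f"{label}: unapplied={report['unapplied']} dangling={report['dangling']}")
```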
03-09-2013 12:12 PM
I added that access-group line, but I still seem to be unable to reach it. My browser just hangs when trying to access http://192.168.2.53:3000/ ... 2.53 is the outside ip on the 5505 and the machine I'm trying to get to it with is 192.168.2.77.
[code]
internet --->airport(192.168.2.1) ---> (192.168.2.53)5505(192.168.1.1) --> 192.168.1.11 (web server)
                       |
                       `--->192.168.2.77 (browser)
[/code]
03-09-2013 12:19 PM
Have you tried to see what's happening on the ASA when you're trying to access the server?
Either through the CLI or the ASDM (graphical user interface).
They should tell you if the connection is coming to the ASA, if it's getting past the ASA and if the connection is being formed.
You can also use the "packet-tracer" command on the CLI to test the functionality of the ASA's rules regarding the server.
For example:
[code]
packet-tracer input outside tcp 192.168.2.77 12345 192.168.2.53 3000
[/code]
- Jouni
03-09-2013 01:06 PM
I ran that and here's what I see. I'm guessing the result is not correct?
[code]
genesis(config)# packet-tracer input outside tcp 192.168.2.77 12345 192.168.2.$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.53 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
[/code]
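The trace above is worth reading phase by phase: the route lookup resolves the destination to "identity" and the output interface is "NP Identity Ifc", i.e. the ASA treats the packet as addressed to itself rather than un-translating it to the web server, so the ACL phase hits the implicit deny. The parser below is an added example (not from the thread) that turns packet-tracer output into structured phases and the final verdict; its sample input is the output posted above, abridged by leaving out the four interface status lines.

```python
# packet-tracer output as posted above, abridged: the four interface status lines are omitted.
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.53 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> dict:
    """Split packet-tracer output into numbered phases and the final verdict block."""
    phases, final, current, bucket = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if key == "Phase":                               # a new phase starts
            current = {"phase": int(value), "type": "", "subtype": "", "result": "",
                       "config": [], "info": []}
            phases.append(current)
            bucket = None
        elif line == "Result:":                          # bare "Result:" starts the verdict block
            current, bucket = None, None
        elif current is None and sep:                    # verdict key: value lines
            final[key.strip().lower()] = value.strip()
        elif line in ("Config:", "Additional Information:"):
            bucket = current["config" if key == "Config" else "info"]
        elif key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value.strip()
            bucket = None
        elif line and bucket is not None:                # free text under Config / Additional Information
            bucket.append(line)
    return {"phases": phases, "final": final}


def first_drop(parsed: dict):  # (phase number, phase type, drop reason) of the first DROP, else None
    drops = [p for p in parsed["phases"] if p["result"] == "DROP"]
    return (drops[0]["phase"], drops[0]["type"], parsed["final"].get("drop-reason", "")) if drops else None
```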
03-09-2013 01:16 PM
Hi,
Just to be sure can you copy/paste
- Jouni
03-09-2013 01:24 PM
Here it all is. Btw, the 2.52 in the "sh arp" below is the new 2.77 (after a reboot).
[code]
genesis# sh running-config
: Saved
:
ASA Version 8.4(4)1
!
hostname genesis
enable password 6SEadfadfasdfasfJIA encrypted
passwd 6SEsadfasdfafasdfJIA encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Wired Network
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description Outside to Airport Extreme
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description Currently Not in Use
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
banner motd
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network WEBSERVER
host 192.168.1.11
access-list ACL_IN extended permit ip any any
access-list WAN_IN extended permit udp any eq domain any
access-list outside_access_in extended permit tcp any object WEBSERVER eq 3000
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm informational
logging host inside 192.168.1.11
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (dmz,outside) source dynamic any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network WEBSERVER
nat (inside,outside) static interface service tcp 3000 3000
access-group ACL_IN out interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx
dhcpd lease 43200
!
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 24.56.178.140 source inside
webvpn
username me password QHdgfasdfasfdasdfasfdaYc encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:6274aaab23efb4f275c28298a2dd490f
: end
---------------------
genesis# sh ip add
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.2.53 255.255.255.0 DHCP
Vlan3 dmz 192.168.3.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.2.53 255.255.255.0 DHCP
Vlan3 dmz 192.168.3.1 255.255.255.0 CONFIG
---------------------
genesis# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.2.1 to network 0.0.0.0
C 192.168.1.0 255.255.255.0 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via 192.168.2.1, outside
---------------------
genesis# sh arp
inside 192.168.1.11 0000.0000.0001 56
outside 192.168.2.52 58b0.3566.4c6f 302
outside 192.168.2.1 78ca.39fd.1094 630
[/code]
03-09-2013 01:47 PM
Hi,
I did some testing on my own ASA and can't really understand what exactly is happening with the NAT. It seems to me that your connection attempts are probably being blocked by another NAT configuration.
Can you remove these NAT configurations:
[code]
no nat (dmz,outside) source dynamic any interface
no object network obj_any
[/code]
Then:
[code]
clear xlate
[/code]
This will clear any active translations. It will also clear connections through the ASA.
Then reconfigure the above NATs in a different way:
[code]
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
[/code]
And then try connections to the server again.
EDIT: On a side note, I can't see the connection-attempting host on the "show arp"; all others show.
- Jouni
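The change above moves the catch-all dynamic PAT rules out of Section 1 (manual NAT, which the ASA evaluates before everything else) into Section 3 (after-auto), so the static object NAT for WEBSERVER is consulted before any catch-all. The Python below is an added illustration, not part of the thread, that models the order in which ASA 8.3+ walks its NAT table and applies it to the rules from this configuration; the labels, the `real_hosts` counts and the `ANY` stand-in are constructed. It shows the resulting evaluation order only, not why the Section 1 (dmz,outside) rule interfered, which the thread leaves unexplained.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    section: int      # 1 = manual NAT, 2 = object (auto) NAT, 3 = after-auto manual NAT
    kind: str         # "static" or "dynamic"
    real_hosts: int   # real addresses covered; only used to order Section 2 rules
    name: str         # object name for Section 2, a constructed label otherwise
    text: str         # the rule as it appears in the running-config
    order: int        # position in the running-config


def nat_evaluation_order(rules):
    """Sort rules the way ASA 8.3+ walks its NAT table for the first packet of a flow:
    Section 1 in config order, then Section 2 (static before dynamic, fewer real
    addresses first, then by object name), then Section 3 in config order."""
    def key(r):
        if r.section == 2:
            return (2, 0 if r.kind == "static" else 1, r.real_hosts, r.name, r.order)
        return (r.section, 0, 0, "", r.order)
    return sorted(rules, key=key)


ANY = 2 ** 32  # constructed stand-in for the address count of "any" / 0.0.0.0 0.0.0.0

# NAT rules from the running-config posted earlier in the thread.
ORIGINAL = [
    NatRule(1, "dynamic", ANY, "dmz-catch-all", "nat (dmz,outside) source dynamic any interface", 1),
    NatRule(2, "dynamic", ANY, "obj_any", "object network obj_any: nat (inside,outside) dynamic interface", 2),
    NatRule(2, "static", 1, "WEBSERVER",
            "object network WEBSERVER: nat (inside,outside) static interface service tcp 3000 3000", 3),
]

# The same table after the changes above: obj_any and the Section 1 rule removed,
# both catch-all PAT rules re-added with "after-auto".
FIXED = [
    ORIGINAL[2],
    NatRule(3, "dynamic", ANY, "inside-catch-all", "nat (inside,outside) after-auto source dynamic any interface", 4),
    NatRule(3, "dynamic", ANY, "dmz-catch-all", "nat (dmz,outside) after-auto source dynamic any interface", 5),
]


def evaluation_names(rules):
    return [r.name for r in nat_evaluation_order(rules)]


if __name__ == "__main__":
    for label, table in (("as posted", ORIGINAL), ("after-auto fix", FIXED)):
        print(label)
        for i, r in enumerate(nat_evaluation_order(table), 1):
            print(f"  {i}. section {r.section}: {r.text}")
```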
03-09-2013 01:57 PM
Jouni,
Though it takes a bit longer than 10 seconds, that actually made it work. In fact, all pages on this site take about that long to load. Thank you for getting me this far.