I added that access-group line, but I still seem to be unable to reach it. My browser just hangs when trying to access http://192.168.2.53:3000/ ... 2.53 is the outside ip on the 5505 and the machine I'm trying to get to it with is 192.168.2.77.

internet --->airport(192.168.2.1) ---> (192.168.2.53)5505(192.168.1.1) --> 192.168.1.11 (web server)

                                                          |

                                                          `--->192.168.2.77 (browser)

Have you tried to see whats happening on the ASA when your trying to access the server?

Either through the CLI or the ASDM (graphical user interface).

They should tell you if the connections is coming to the ASA, if its getting past the ASA and if the connection is being formed.

You can also use the "packet-tracer" comnand on the CLI to test the functionality of the ASAs rule regarding the server.

For example

packet-tracer input outside tcp 192.168.2.77 12345 192.168.2.53 3000

- Jouni

I ran that and here's what I see. I'm guessing the result is not correct?

genesis(config)# packet-tracer input outside tcp 192.168.2.77 12345 192.168.2.$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.2.53    255.255.255.255 identity

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Just to be sure can you copy/paste

• The current config
• Output of "show ip add"
• Output of "show route"
• Output of "show arp"

- Jouni

Here it all is. Btw, the 2.52 in the "sh arp" below is the new 2.77 (after a reboot).

genesis# sh running-config

: Saved

:

ASA Version 8.4(4)1

!

hostname genesis

enable password 6SEadfadfasdfasfJIA encrypted

passwd 6SEsadfasdfafasdfJIA encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

description Wired Network

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

description Outside to Airport Extreme

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

description Currently Not in Use

shutdown

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.3.1 255.255.255.0

!

banner motd

boot system disk0:/asa844-1-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server xx.xx.xx.xx

name-server xx.xx.xx.xx

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network WEBSERVER

host 192.168.1.11

access-list ACL_IN extended permit ip any any

access-list WAN_IN extended permit udp any eq domain any

access-list outside_access_in extended permit tcp any object WEBSERVER eq 3000

pager lines 24

logging enable

logging timestamp

logging trap errors

logging asdm informational

logging host inside 192.168.1.11

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

nat (dmz,outside) source dynamic any interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network WEBSERVER

nat (inside,outside) static interface service tcp 3000 3000

access-group ACL_IN out interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd dns xx.xx.xx.xx xx.xx.xx.xx

dhcpd lease 43200

!

dhcpd address 192.168.1.100-192.168.1.131 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 24.56.178.140 source inside

webvpn

username me password QHdgfasdfasfdasdfasfdaYc encrypted privilege 15

!   

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:6274aaab23efb4f275c28298a2dd490f

: end

---------------------

genesis#  sh ip add

System IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG

Vlan2                    outside                192.168.2.53    255.255.255.0   DHCP 

Vlan3                    dmz                    192.168.3.1     255.255.255.0   CONFIG

Current IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

Vlan1                    inside                 192.168.1.1     255.255.255.0   CONFIG

Vlan2                    outside                192.168.2.53    255.255.255.0   DHCP 

Vlan3                    dmz                    192.168.3.1     255.255.255.0   CONFIG

---------------------

genesis# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, inside

C    192.168.2.0 255.255.255.0 is directly connected, outside

d*   0.0.0.0 0.0.0.0 [1/0] via 192.168.2.1, outside

---------------------

genesis# sh arp

        inside 192.168.1.11 0000.0000.0001 56

        outside 192.168.2.52 58b0.3566.4c6f 302

        outside 192.168.2.1 78ca.39fd.1094 630

Jouni,

Though it takes a bit longer than 10 seconds, that actually made it work.In fact, all pages on this site take about that long to load. Thank you for getting me this far.