652 Views | 0 Helpful | 5 Replies

Webservice calls

Liam Dwyer
Level 1

Hello,

This has been eating at me all day and I am sure I am probably overlooking something right in front of me.

I have a dmz2 and my inside LANs. I am adding ACLs to the firewall to allow the dmz2 machine to reach my inside machine on port 8080. They are unable to talk.

The inside machine is listening on port 8080, and I can ping the inside machine from the dmz2 machine, but I am unable to hit the web browser URL used to make the call.

Here is a snippet:

access-list dmz2_acl line 37 extended permit tcp host 192.168.2.11 host 10.1.1.22 eq www (hitcnt=0) 0x68af75b4
access-list dmz2_acl line 38 extended permit tcp host 192.168.2.11 host 10.1.1.22 eq telnet (hitcnt=0) 0xaa10742f
access-list dmz2_acl line 39 extended permit udp host 192.168.2.11 host 10.1.1.22 eq 8080 (hitcnt=0) 0x4c181596
access-list dmz2_acl line 40 extended permit tcp host 10.1.1.22 host 192.168.2.11 eq 8080 (hitcnt=0) 0x25c68faa

As you can see, I have gone as far as adding the reverse ACL.

Any help or thoughts would be appreciated!

Thanks


Jouni Forss
VIP Alumni

Hi,

There are no hit counts on the ACL you copy/pasted? Is there a previous line in the ACL that blocks the traffic?

Use the "packet-tracer" command to test the ASA configurations.

packet-tracer input dmz2 tcp 12345 8080

Share the output.

- Jouni

Looks as though I have it denied somewhere:

packet-tracer input dmz2 tcp 192.168.2.11 12345 10.1.1.22 8080

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.0.0        255.255.0.0     inside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.1.0.0
nat (inside,dmz2) static 10.1.0.0 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.1.22/8080 to 10.1.1.22/8080

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz2_acl in interface dmz2
access-list dmz2_acl extended deny ip any object-group og_ip_nat_dmz2
object-group network og_ip_nat_dmz2
network-object 10.1.0.0 255.255.0.0
Additional Information:

Result:
input-interface: dmz2
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

harrgasa#
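The packet-tracer output above already names the phase and the entry that drop the flow; when you collect such output from several firewalls, picking that out by hand gets tedious. The following is an added example, not code from the thread or from Cisco: it parses packet-tracer text into phases, keeps each phase's Config and Additional Information lines, and reports the DROP phase with the access-list entry listed under it. The sample input is constructed from the output the poster pasted, with the same phases and lines.

```python
"""Triage Cisco ASA packet-tracer output: find the phase that dropped the flow.
Added example, not from the thread: splits the text on 'Phase:' headers, keeps
each phase's Config and Additional Information lines, and reports the DROP
phase together with the access-list entry that caused it."""

# Constructed from the output the poster pasted (same phases, same lines).
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.0.0        255.255.0.0     inside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-10.1.0.0
nat (inside,dmz2) static 10.1.0.0 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.1.22/8080 to 10.1.1.22/8080

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz2_acl in interface dmz2
access-list dmz2_acl extended deny ip any object-group og_ip_nat_dmz2
object-group network og_ip_nat_dmz2
network-object 10.1.0.0 255.255.0.0
Additional Information:

Result:
input-interface: dmz2
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> dict:
    """Return {'phases': [...], 'summary': {...}} from packet-tracer text."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":            # bare header starts the final summary
            current = None
        elif current is None:              # summary lines: key: value
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is not None:          # free-form lines under a section
            current[section].append(line)
        else:                              # Type / Subtype / Result of the phase
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return {"phases": phases, "summary": summary}


def triage(text: str) -> dict:
    """Report the first DROP phase and the access-list entry shown under it."""
    parsed = parse_packet_tracer(text)
    action = parsed["summary"].get("action")
    for phase in parsed["phases"]:
        if phase.get("result") == "DROP":
            rules = [c for c in phase["config"] if c.startswith("access-list ")]
            return {
                "action": action,
                "phase": phase["phase"],
                "type": phase["type"],
                "blocking_rule": rules[0] if rules else None,
                "drop_reason": parsed["summary"].get("drop-reason"),
            }
    return {"action": action, "blocking_rule": None}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it on the pasted output and `triage()` returns phase 4, type ACCESS-LIST and the `deny ip any object-group og_ip_nat_dmz2` entry; after a permit is inserted ahead of that deny, the same command should show no DROP phase, which the `blocking_rule is None` branch reports.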

Hi,

It's this configuration line:

access-list dmz2_acl extended deny ip any object-group og_ip_nat_dmz2

If you want to allow the traffic, then you can use these commands:

access-list dmz2_acl line 1 remark Allow traffic from DMZ2 to internal server

access-list dmz2_acl line 2 permit tcp host host eq 8080

This should allow the connection without removing anything from the ACL.

Notice that we enter the ACL rules with line numbers 1 and 2. This means they are at the top of the ACL.

Hope this helps

- Jouni
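The reason the line-number detail matters is that an ASA evaluates an ACL top-down and stops at the first match, so a deny that sits above lines 37-40 is the only entry a dmz2-to-inside tcp/8080 packet ever reaches. The following is an added example, not code from the thread or from Cisco: it parses entries in the form `show access-list` prints them and applies that first-match rule, so you can see where a flow lands before and after the fix. It also goes one step beyond the thread: even with the deny removed, the posted lines 37-40 would not match the poster's flow (www is port 80, line 39 is udp, line 40 is the reverse direction). The hosts in the fix entry are assumed from the poster's packet-tracer command, since the forum stripped them from the reply; the deny's exact position is unknown, only that it precedes lines 37-40, so it is listed first in the constructed ACL.

```python
"""First-match evaluation of Cisco ASA style extended ACL entries.
Added example, not code from the thread or from Cisco: parses entries as 'show
access-list' prints them and applies ASA semantics (top-down, first match wins,
implicit deny at the end, 'line N' inserts the entry at position N)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ssh": 22}
# Object group contents as shown in the poster's packet-tracer output.
OBJECT_GROUPS = {"og_ip_nat_dmz2": [ip_network("10.1.0.0/255.255.0.0")]}


@dataclass
class Ace:
    action: str                                  # permit | deny | remark
    proto: str = "ip"
    src: Callable = lambda ip: False
    dst: Callable = lambda ip: False
    dport: Optional[int] = None


def _addr(tokens: list) -> Callable:
    """Consume one address spec: any | host A | object-group G | NET MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda ip: True
    if tok == "host":
        target = ip_address(tokens.pop(0))
        return lambda ip: ip == target
    if tok == "object-group":
        nets = OBJECT_GROUPS[tokens.pop(0)]
        return lambda ip: any(ip in n for n in nets)
    net = ip_network(f"{tok}/{tokens.pop(0)}", strict=False)
    return lambda ip: ip in net


def parse_ace(text: str) -> tuple:
    """Return (line_number_or_None, Ace) for one access-list entry."""
    tokens = text.split()[2:]                    # drop 'access-list NAME'
    line = None
    if tokens[0] == "line":
        line, tokens = int(tokens[1]), tokens[2:]
    if tokens[0] == "remark":
        return line, Ace(action="remark")
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src = _addr(tokens)
    if tokens[:1] == ["eq"]:                     # source port spec: skipped
        tokens = tokens[2:]
    dst = _addr(tokens)
    dport = None
    if tokens[:1] == ["eq"]:                     # named or numeric dst port
        dport = PORT_NAMES.get(tokens[1].lower()) or int(tokens[1])
    return line, Ace(action, proto, src, dst, dport)


class Acl:
    def __init__(self, lines=()):
        self.entries: list = []
        for text in lines:
            self.add(text)

    def add(self, text: str) -> None:
        """'line N' inserts at position N (as on the ASA); otherwise append."""
        line, ace = parse_ace(text)
        at = len(self.entries) if line is None else min(line - 1, len(self.entries))
        self.entries.insert(at, ace)

    def evaluate(self, proto: str, src: str, dst: str, dport: int) -> tuple:
        """(action, position) of the first matching entry; ('deny', None) if none."""
        s, d = ip_address(src), ip_address(dst)
        for pos, ace in enumerate(self.entries, start=1):
            if ace.action == "remark" or ace.proto not in ("ip", proto):
                continue
            if ace.dport not in (None, dport):
                continue
            if ace.src(s) and ace.dst(d):
                return ace.action, pos
        return "deny", None


# Constructed from the poster's snippet plus the deny that packet-tracer hit;
# its exact position is unknown, only that it precedes lines 37-40.
POSTED_ACL = [
    "access-list dmz2_acl extended deny ip any object-group og_ip_nat_dmz2",
    "access-list dmz2_acl line 37 extended permit tcp host 192.168.2.11 host 10.1.1.22 eq www (hitcnt=0) 0x68af75b4",
    "access-list dmz2_acl line 38 extended permit tcp host 192.168.2.11 host 10.1.1.22 eq telnet (hitcnt=0) 0xaa10742f",
    "access-list dmz2_acl line 39 extended permit udp host 192.168.2.11 host 10.1.1.22 eq 8080 (hitcnt=0) 0x4c181596",
    "access-list dmz2_acl line 40 extended permit tcp host 10.1.1.22 host 192.168.2.11 eq 8080 (hitcnt=0) 0x25c68faa",
]
# The accepted answer's fix; the hosts are assumed from the packet-tracer command.
FIX = [
    "access-list dmz2_acl line 1 remark Allow traffic from DMZ2 to internal server",
    "access-list dmz2_acl line 2 extended permit tcp host 192.168.2.11 host 10.1.1.22 eq 8080",
]


def demo() -> dict:
    flow = ("tcp", "192.168.2.11", "10.1.1.22", 8080)   # the poster's call
    return {
        "posted_acl": Acl(POSTED_ACL).evaluate(*flow),
        "lines_37_40_only": Acl(POSTED_ACL[1:]).evaluate(*flow),
        "with_fix": Acl(POSTED_ACL + FIX).evaluate(*flow),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the three states side by side: the posted ACL denies at position 1, lines 37-40 on their own fall through to the implicit deny, and with the fix the permit at position 2 wins. The model ignores source-port specs and object-groups beyond the one in the thread, which is enough to reason about ordering; for anything production-grade, packet-tracer on the box itself remains the authoritative check.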

Hi,

Let me know if adding the rule helped or if there are any more problems with connectivity.

Otherwise please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

It seems as though my firewall skills need a lot of brushing up!

Thank you for the quick help!
