Why can't I reach the internal web server from outside on ASA 9.8(2)?

davidzw98
Level 1

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.3 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif dmz
security-level 50
ip address 192.168.101.225 255.255.255.0
!
ftp mode passive
object network WWW-EXT
host x.x.x.7
object network WWW-INT
host 192.168.101.225
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network WWW-INT
nat (dmz,outside) static WWW-EXT service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.8 1


I guess there can be a missing ACL. Check below for a sample.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

Please rate this and mark it as the solution/answer if this resolved your issue.
Good luck
KB

Asmat Sulaiman
Level 1

Hi, you can use the ASA packet tracer tool to understand the packet flow, NAT, ACL and egress interface. Also check "show xlate local 192.168.101.225" to see if that shows the correct translation.

If you use SSH, "packet-tracer outside input tcp 1.1.1.1 111 x.x.x.3 443 detail" will provide more info such as NAT and ACL. Hope this helps.

Sorry, I now see it. You already have static NAT.

Just check the NAT order with

show nat

I think static comes after dynamic.

If yes, only add 1 in the static NAT to push it up.

@davidzw98 you've defined the IP address of the webserver host object WWW-INT, used in the ACL and NAT, as the IP address of the DMZ interface... which would not work.

interface GigabitEthernet1/4
nameif dmz
security-level 50
ip address 192.168.101.225 255.255.255.0
!
object network WWW-INT
host 192.168.101.225

Change the WWW-INT object IP address to the real IP address of the webserver in the DMZ.
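The mistake pointed out in the reply above (an object host set to the DMZ interface's own address) is easy to catch mechanically before the config is pushed. The Python script below is an added example, not code from this thread or from Cisco: it parses ASA running-config text, compares `object network` hosts against interface addresses, and checks the NAT and ACL references around them (mapped object missing, host not on the real interface's subnet, an ACL that names the mapped object rather than the real one, since ASA 8.3+ ACLs match untranslated addresses). The sample config is the original poster's first configuration with the page's `x.x.x.N` placeholders replaced by constructed 203.0.113.N documentation addresses.

```python
"""Static checks for the ASA mistake discussed in the thread: an 'object network'
host that is really an interface address, plus the NAT/ACL wiring around it.
Added example; it assumes only the running-config syntax shown in the thread."""
import ipaddress
import re

# Constructed sample: the original poster's first config, with the page's
# 'x.x.x.N' placeholders replaced by 203.0.113.N documentation addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.3 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
 nameif dmz
 security-level 50
 ip address 192.168.101.225 255.255.255.0
!
object network WWW-EXT
 host 203.0.113.7
object network WWW-INT
 host 192.168.101.225
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
object network WWW-INT
 nat (dmz,outside) static WWW-EXT service tcp www www
access-group OUTSIDE in interface outside
"""


def parse_asa(text):
    """Return interfaces (nameif -> (ip, mask)), network objects, the objects
    each ACL references, and access-group bindings (acl -> nameif)."""
    interfaces, objects, acls, groups = {}, {}, {}, {}
    block, cur_if = None, {}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "!":
            continue
        if parts[0] == "interface":
            block, cur_if = "interface", {}
        elif parts[:2] == ["object", "network"]:
            block = ("object", parts[2])
            objects.setdefault(parts[2], {"host": None, "nat": None})
        elif block == "interface" and parts[0] == "nameif":
            cur_if["nameif"] = parts[1]
        elif block == "interface" and parts[:2] == ["ip", "address"]:
            cur_if["addr"] = (parts[2], parts[3])
        elif isinstance(block, tuple) and parts[0] == "host":
            objects[block[1]]["host"] = parts[1]
        elif isinstance(block, tuple) and parts[0] == "nat":
            m = re.match(r"nat \((\w+),(\w+)\) static (\S+)", " ".join(parts))
            if m:  # (real interface, mapped interface, mapped object)
                objects[block[1]]["nat"] = m.groups()
        elif parts[0] == "access-list":
            refs = [parts[i + 1] for i, tok in enumerate(parts[:-1]) if tok == "object"]
            acls.setdefault(parts[1], []).extend(refs)
        elif parts[0] == "access-group":  # access-group NAME in interface IFACE
            groups[parts[1]] = parts[4]
        if block == "interface" and "nameif" in cur_if and "addr" in cur_if:
            interfaces[cur_if["nameif"]] = cur_if["addr"]
    return {"interfaces": interfaces, "objects": objects, "acls": acls, "groups": groups}


def check(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    by_ip = {ip: name for name, (ip, _) in cfg["interfaces"].items()}
    nat_mapped = {o["nat"][2] for o in cfg["objects"].values() if o["nat"]}
    for name, obj in cfg["objects"].items():
        host = obj["host"]
        if host in by_ip:  # the exact mistake in the thread
            findings.append(f"object {name}: host {host} is the IP of interface "
                            f"'{by_ip[host]}'; use the server's real address")
        if obj["nat"]:
            real_if, mapped_if, mapped = obj["nat"]
            for ifn in (real_if, mapped_if):
                if ifn not in cfg["interfaces"]:
                    findings.append(f"object {name}: NAT references unknown interface '{ifn}'")
            if cfg["objects"].get(mapped, {}).get("host") is None:
                findings.append(f"object {name}: mapped object '{mapped}' is missing or has no host")
            if host and real_if in cfg["interfaces"]:
                ip, mask = cfg["interfaces"][real_if]
                net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                if ipaddress.ip_address(host) not in net:
                    findings.append(f"object {name}: host {host} is not on the {real_if} subnet {net}")
    for acl, iface in cfg["groups"].items():
        if iface not in cfg["interfaces"]:
            findings.append(f"access-group {acl}: unknown interface '{iface}'")
        for ref in cfg["acls"].get(acl, []):
            if ref not in cfg["objects"]:
                findings.append(f"access-list {acl}: unknown object '{ref}'")
            elif ref in nat_mapped:  # ASA 8.3+ ACLs match real (pre-NAT) addresses
                findings.append(f"access-list {acl}: references mapped object '{ref}'; "
                                "ACLs must use the real (pre-NAT) object")
    return findings


if __name__ == "__main__":
    for finding in check(parse_asa(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the single collision on WWW-INT; with the DMZ interface moved to 192.168.101.1, as the original poster later did, it reports nothing. Feeding it `show run` output from a real box works the same way, since it only reads the `interface`, `object network`, `access-list` and `access-group` lines.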

davidzw98
Level 1

(attachment: packetTracer.png)
Thank you everyone. This is fixed, but it still does not work.
(Packet tracer going out from the web server to the internet is OK.)


interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.3 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif dmz
security-level 50
ip address 192.168.101.1 255.255.255.0
!
ftp mode passive
object network WWW-EXT
host x.x.x.7
object network WWW-INT
host 192.168.101.225
object network dns-server
host 192.168.1.53
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network WWW-INT
nat (dmz,outside) static WWW-EXT service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.8 1
There is a difference between show nat and show run nat.
Can you share the output of both?
ciscoasa(config)#

ciscoasa(config)# sh nat
 
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static WWW-INT WWW-EXT  service tcp www www
    translate_hits = 0, untranslate_hits = 0
 
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 726, untranslate_hits = 1
ciscoasa(config)#
ciscoasa(config)# show run nat
!
object network WWW-INT
 nat (dmz,outside) static WWW-EXT service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface

The hits are zero in both directions.

@davidzw98 you've specified the wrong interface in packet-tracer, the source interface would be "OUTSIDE" not "DMZ" - hence the drop. The DMZ interface is the destination interface. Also use the NAT IP address (WWW-EXT) as the destination in packet-tracer not the real IP address.

OK, thank you for pointing out my mistakes. Why can't I open 107.130.54.77? It points to 192.168.101.225, which has Apache running.

(attachment: packetTracer2.png)

@davidzw98 well that output indicates the ASA configuration is ok, so perhaps check the actual server.

Does the server running apache have a default gateway of the ASA?

Is there a local firewall on the server running apache that could be blocking external access? If so reconfigure it or disable it.

It is in the 101 zone, so I use 192.168.101.1 as the default router.

Do you mean use the ASA's 192.168.1.1 or the ISP's gateway?

I can open Apache from the inside zone 192.168.1.* by opening 192.168.101.225.

Thank you!
@davidzw98 that sounds fine then; I was just checking that the DMZ interface address 192.168.101.1 is configured as the default gateway of the server.

Why open it from the inside zone/network? You said you want to allow access from the outside.

TCP/80 needs to be open on the server firewall from any IP address if you want to connect to the apache server from the internet.

For testing disable the firewall on the server and test connectivity from the internet to prove the ASA is working.

> Why open it from the inside zone/network?

Just to check that apache24 is running.

I think the server firewall is not an issue; it can host a PDF file on the internet without the ASA.

Thank you!
