Why can't I reach internal Web Server from outside asa 9.8(2)?

davidzw98
Level 1

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.3 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif dmz
security-level 50
ip address 192.168.101.225 255.255.255.0
!
ftp mode passive
object network WWW-EXT
host x.x.x.7
object network WWW-INT
host 192.168.101.225
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network WWW-INT
nat (dmz,outside) static WWW-EXT service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.8 1

18 Replies

@davidzw98 The packet-tracer confirms it should work now, so what else do you have in your environment that could be causing an issue?

Regardless, even if you don't think disabling the local server firewall will be an issue, test it to confirm.

Take a packet capture on the server to confirm whether packets even reach the server from the internet.

 

This is what I got:

ciscoasa#

ciscoasa# packet-tracer input outside tcp 204.79.197.212 12345 107.130.54.77 80
 
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WWW-INT
 nat (dmz,outside) static WWW-EXT service tcp www www
Additional Information:
NAT divert to egress interface dmz
Untranslate 107.130.54.77/80 to 192.168.101.225/80
 
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
Additional Information:
 
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:      
Additional Information:
 
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network WWW-INT
 nat (dmz,outside) static WWW-EXT service tcp www www
Additional Information:
 
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3637, packet dispatched to next module
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
 
ciscoasa# packet-tracer input outside tcp 204.79.197.212 12345 192.168.101.225 80
 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.101.225 using egress ifc  dmz
 
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
Additional Information:
 
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 
Phase: 4      
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network WWW-INT
 nat (dmz,outside) static WWW-EXT service tcp www www
Additional Information:
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 

ciscoasa#

@davidzw98 that's a packet-tracer output, not the requested packet capture. Regardless, in the first packet-tracer you are using the correct destination IP address and therefore the result is allow, but in the second packet-tracer you are using the incorrect destination IP address. In packet-tracer you don't specify the destination as the real IP address if using NAT.
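An added example, not part of the thread: a small Python parser for ASA packet-tracer output that reports the action, the phase that dropped the packet and its drop reason, and the type of the first phase. A first phase of UN-NAT is the quick tell that the mapped (public) address was used as the destination, as the reply above explains; a first phase of ROUTE-LOOKUP means the real address was given and the rpf-check drop follows. The two traces below are constructed, cut down from the shape of the runs posted above.

```python
# Constructed samples, cut down to the shape of the two packet-tracer runs in the thread.
TRACE_ALLOW = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Untranslate 107.130.54.77/80 to 192.168.101.225/80
Result:
Action: allow
"""
TRACE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    phases, summary, cur, in_summary = [], {}, None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, sep, val = line.partition(":")
        k, val = key.lower(), val.strip()
        if k == "phase":                      # a new phase begins
            cur = {"phase": int(val), "type": "", "subtype": "", "result": "", "info": []}
            phases.append(cur)
            in_summary = False
        elif line == "Result:":               # bare header: the per-packet summary follows
            in_summary, cur = True, None
        elif in_summary:
            summary[k] = val
        elif cur is not None:
            if sep and k in ("type", "subtype", "result"):
                cur[k] = val
            elif k not in ("config", "additional information"):
                cur["info"].append(line)      # NAT rule, untranslate and next-hop lines
    return phases, summary

def verdict(text):
    # Action, first phase type (UN-NAT means the mapped address was used), first dropping phase.
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {"action": summary.get("action"),
            "first_phase": phases[0]["type"] if phases else None,
            "drop_phase": None if drop is None else f'{drop["type"]}/{drop["subtype"]}',
            "drop_reason": summary.get("drop-reason")}
```

Paste a full packet-tracer transcript (prompt line included) into `verdict()`; lines before the first `Phase:` are ignored.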

OK. Thank you! I will try to see if I can figure it out.

In the meantime, just to let you know,

I bought this ASA5508 from eBay brand new. Is there something internal that does not allow me to use it?

I haven't registered the PAK and PIN, and I don't know how to do it.

eBay item number:193807253089

New message from: cnedirect
Hello

Unfortunately this is not something we could help with,
I will mention we have sold roughly 500 of these and never had any issues
with the buyers having problems with this. Unfortunately we do not have
any Cisco experts on staff and don't specialize in Cisco,
we get Cisco overstock product from time to time.

Thank You
