06-20-2008 11:19 AM - edited 03-09-2019 08:56 PM
Test environment. Trying to publish a web server on the LAN to the internet (not testing DMZ yet, but I'm assuming it'll be the same). I can browse the web server on the LAN internally using http://172.17.193.101. I tried this on my ASA 5510:
static (inside,outside) publicip 172.17.193.101 netmask 255.255.255.255 dns
access-list outside_access_in permit tcp any host publicip eq www
access-group outside_access_in in interface outside
I'm getting:
TCP access denied by ACL from internetip/29453 to Outside:publicip/80.
This is my config:
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password xxx
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address publicip 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.17.193.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list outside_access_in extended permit tcp any host publicip eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip local pool Addr_Pool_1 192.168.10.101-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
static (inside,Outside) publicip 172.17.193.101 netmask 255.255.255.255 dns
access-group outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 gatewayip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.17.193.101-172.17.193.254 inside
dhcpd dns dnsserver1 dnsserver2 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable Outside
svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
address-pools value Addr_Pool_1
username user1 password tJsDL6po9m1UFs.h encrypted
prompt hostname context
Cryptochecksum:xxx
: end
06-20-2008 11:32 AM
Change the static to point to an address other than one assigned to the interface and change the ACL to use the new IP
OR
change the ACL to (off the top of my head, it might be slightly different)
access-list outside_access_in extended permit tcp any interface Outside eq www
Hope that helps
06-20-2008 11:35 AM
Or, if you are using the same address as the interface you can do this...
static (inside,Outside) interface 172.17.193.101 netmask 255.255.255.255
06-23-2008 08:37 AM
I did the following:
static (inside,outside) publicip 172.17.193.101 netmask 255.255.255.255 dns
access-list outside_access_in extended permit tcp any interface outside eq www
access-group outside_access_in in interface outside
Website doesn't work from Internet. I get:
TCP access denied by ACL from someinternetip/22353 to Outside:publicip/80
I also did this:
static (inside,Outside) interface 172.17.193.101 netmask 255.255.255.255
access-list outside_access_in permit tcp any host publicip eq www
access-group outside_access_in in interface outside
The website is now accessible from the Internet BUT ASDM/SSH management stopped working. I get:
Deny tcp src Outside:someinternetip/19721 dst inside:publicip/443 by access-group "outside_access_in" [0x0, 0x0]
Any ideas?
06-23-2008 08:41 AM
My config:
ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password xxx
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address publicip 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.17.193.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip local pool Addr_Pool_1 192.168.10.101-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 gatewayip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http someinternetip 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh scopy enable
ssh someinternetip 255.255.255.255 Outside
ssh timeout 60
console timeout 0
dhcpd address 172.17.193.101-172.17.193.254 inside
dhcpd dns publicdns1 publicdns2 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable Outside
svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
address-pools value Addr_Pool_1
username admin password xxx encrypted privilege 15
username user1 password xxx encrypted
prompt hostname context
Cryptochecksum:xxx
: end
ciscoasa#
06-23-2008 08:47 AM
It stopped working because you're translating the whole IP. Try this (it NATs a port only):
static (inside,Outside) tcp interface 80 172.17.193.101 80 netmask 255.255.255.255
Now 80 should go to your web server, 443 to ASDM and SSH to the ASA.
The first static has a typo.
static (inside,outside) publicip 172.17.193.101 netmask 255.255.255.255 dns
should be
static (inside,Outside) publicip 172.17.193.101 netmask 255.255.255.255 dns
and do you want dns? Do you have the name set correctly?
06-23-2008 09:00 AM
I did what you told me to do:
static (inside,Outside) tcp interface 80 172.17.193.101 80 netmask 255.255.255.255
access-list outside_access_in permit tcp any host publicip eq www
access-group outside_access_in in interface outside
Works now...for both asdm/http and the website.
If you're asking about the DNS name for the publicip address of the website, no, we haven't registered one yet. I know in ISA, for a web server publishing rule, I have to specify the public DNS name (i.e. www.webserver.com) of our internal web server. How would you go about specifying that on ASA?
And also, I didn't realize case sensitivity counts. I tried to change "Outside" to "outside" but it still reverts back to "Outside". Is there a work-around?
Thanks for your help so far.
06-23-2008 09:08 AM
Here's the info on DNS and NAT, I just wanted to make sure that is what you wanted to do.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042753
The interface names (nameif) are case sensitive! There is no work around, just make sure you put the right one in. We usually make all interface names lower case so we don't make any typos.
06-26-2008 08:45 AM
static (inside,outside) tcp publicip 80 172.17.193.100 80 netmask 255.255.255.255
access-list outside_access_in permit tcp any host publicip eq 80
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 172.17.193.100 80 netmask 255.255.255.255
access-list outside_access_in permit tcp any host publicip eq 80
access-group outside_access_in in interface outside
Why would putting in "interface" work but putting in the real publicip doesn't work?
06-26-2008 12:39 PM
If your "publicip" is equal to the outside interface IP address, then it's by design that you must use "interface" instead of "publicip".
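An added example, not posted in this thread and not a Cisco tool: a small Python checker that reads an ASA 8.0-style config snippet and flags the three mistakes the thread worked through, in order of appearance: a static whose mapped address is the outside interface's own address (the ASA wants the "interface" keyword there), a full-IP static on the interface address (which also captures 443/22 and so breaks ASDM/SSH management, where a port static does not), and a nameif typed in the wrong case. The config it reads is constructed for the example and keeps "publicip" as the placeholder used in the thread; the checker, its function names and its finding codes are hypothetical.

```python
"""Hypothetical ASA config checker for the pitfalls discussed in the thread.
Not a Cisco tool; the sample config below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed config: two bad statics, one access-group with a mis-cased
# nameif, and the port static that the thread ended up with (no finding).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address publicip 255.255.255.224
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.193.1 255.255.255.0
static (inside,outside) publicip 172.17.193.101 netmask 255.255.255.255 dns
static (inside,Outside) interface 172.17.193.101 netmask 255.255.255.255
static (inside,Outside) tcp interface 80 172.17.193.101 80 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host publicip eq www
access-group outside_access_in in interface outside
"""


@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]
    mapped: str
    mapped_port: Optional[str]
    real: str
    real_port: Optional[str]


def parse_static(line: str) -> Optional[Static]:
    """Parse 'static (real,mapped) [tcp|udp] <mapped> [port] <real> [port] netmask ...'."""
    t = line.split()
    if len(t) < 6 or t[0] != "static" or "," not in t[1]:
        return None
    real_if, mapped_if = t[1].strip("()").split(",", 1)
    i = 2
    proto = None
    if t[i] in ("tcp", "udp"):
        proto, i = t[i], i + 1
    if len(t) < (8 if proto else 6):
        return None
    mapped, i = t[i], i + 1
    mapped_port = None
    if proto:
        mapped_port, i = t[i], i + 1
    real, i = t[i], i + 1
    real_port = t[i] if proto else None
    return Static(real_if, mapped_if, proto, mapped, mapped_port, real, real_port)


def parse_interfaces(lines: List[str]) -> Dict[str, Optional[str]]:
    """Map each nameif (case preserved, as the ASA stores it) to its address token."""
    names: Dict[str, Optional[str]] = {}
    current = None
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            current = None
        elif t[0] == "nameif" and len(t) > 1:
            current = t[1]
            names.setdefault(current, None)
        elif t[:2] == ["ip", "address"] and current and len(t) > 2:
            names[current] = t[2]
    return names


def lint(config_text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the three pitfalls from the thread."""
    lines = [l.strip() for l in config_text.splitlines()]
    names = parse_interfaces(lines)
    by_lower = {n.lower(): n for n in names}
    findings: List[Tuple[str, str]] = []

    def check_ifname(name: str, line: str) -> None:
        if name in names:
            return
        msg = f"unknown interface '{name}'"
        if name.lower() in by_lower:
            msg += f" (nameif is case sensitive; the config defines '{by_lower[name.lower()]}')"
        findings.append(("BAD_IFNAME", f"{msg}: {line}"))

    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            s = parse_static(line)
            if s is None:
                continue
            check_ifname(s.real_if, line)
            check_ifname(s.mapped_if, line)
            # Resolve the mapped-side interface leniently so the keyword check
            # still fires when only the case of the nameif is wrong.
            mapped_if_ip = names.get(by_lower.get(s.mapped_if.lower(), ""))
            if mapped_if_ip and s.mapped == mapped_if_ip:
                findings.append(("USE_INTERFACE_KW",
                                 f"mapped address '{s.mapped}' is the {s.mapped_if} interface's own "
                                 f"address; the ASA needs the 'interface' keyword here: {line}"))
            if s.mapped == "interface" and s.proto is None:
                fix = (f"static ({s.real_if},{s.mapped_if}) tcp interface 80 "
                       f"{s.real} 80 netmask 255.255.255.255")
                findings.append(("FULL_IP_ON_INTERFACE",
                                 f"full-IP static on the interface address sends every port, "
                                 f"including ASDM/SSH management, to {s.real}; prefer a port static: {fix}"))
        elif t[0] == "access-group" and "interface" in t:
            idx = t.index("interface")
            if idx + 1 < len(t):
                check_ifname(t[idx + 1], line)
    return findings


if __name__ == "__main__":
    for code, message in lint(SAMPLE_CONFIG):
        print(f"[{code}] {message}")
```

Run against the constructed config it reports the two mis-cased "outside" names, the static that uses publicip where "interface" is required, and the full-IP static that would hijack the management ports; the port static produces no finding. The checks are string comparisons on tokens, so they work the same whether the config uses a literal address or a name from the "names" table.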