10-10-2014 02:22 AM - edited 03-04-2019 11:56 PM
Hello,
I have a Cisco router and ASA. The internet link connects to the router first and then to the firewall. I have two internal web servers, one of them is HTTPS and one is HTTP. 192.168.11.112 is my HTTPS email server and currently it can be accessed from outside. I have another web application that I also want to be accessed from outside, but I am having challenges. Internally it is accessed like: 192.168.11.7:86/application.
My router configs are:
Router Configs
Router_HQ #sh run
Building configuration...
interface GigabitEthernet0/0
description HQ_LAN
ip address 10.1.1.1 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface GigabitEthernet0/1
description LINK TO ISP
ip address 61.239.128.122 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.11.112 25 61.239.128.122 25 extendable
ip nat inside source static tcp 192.168.11.112 110 61.239.128.122 110 extendable
ip nat inside source static tcp 192.168.11.112 443 61.239.128.122 443 extendable
ip nat inside source static tcp 192.168.11.112 587 61.239.128.122 587 extendable
ip route 0.0.0.0 0.0.0.0 61.239.128.121
ip route 192.168.11.0 255.255.255.0 10.1.1.2 name HQ_Firewall
!
ip access-list extended INTERNET
deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.16811.0.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended Vic
permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
ip access-list extended RMcc_TUNNEL
permit ip 192.168.199.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
route-map INTERNET permit 10
match ip address INTERNET
ASA firewall:
HQ_Firewall# sh run
ASA Version 7.2(3)
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list mail extended permit tcp any host 192.168.11.112 eq smtp
access-list mail extended permit tcp any host 192.168.11.112 eq pop3
access-list mail extended permit tcp any host 192.168.11.112 eq 3000
access-list mail extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list mail extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list mail extended permit tcp any host 192.168.11.112 eq https
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group mail in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh 10.1.1.1 255.255.255.255 outside
ssh timeout 30
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
10-15-2014 07:48 AM
OK so if you access it via http://192.168.11.7:86/application, then the web service is running on port 86 rather than the standard 80.
So you need to add a NAT to your router:
ip nat inside source static tcp 192.168.11.7 86 61.239.128.122 86 extendable
Then allow it through the firewall:
access-list mail extended permit tcp any host 192.168.11.7 eq 86
Just out of interest is there a reason you have both the router and firewall? In the above configuration the firewall really isn't doing much!
If your internet connection is presented via Ethernet which it would appear to be then I would remove the router altogether and just use your ASA for termination and NAT etc etc.
Hope that helps!
Matty
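The two-step procedure in the answer (a static PAT entry on the router, then a matching permit in the ASA's outside ACL) only works when both halves agree on host and port. The following added script, not part of the thread or of any Cisco tool, cross-checks the router's `ip nat inside source static tcp` lines against the ASA's `access-list ... permit tcp any host ... eq ...` lines and reports every forwarded port that the ASA would drop and every permitted port that the router never forwards. The embedded configs are the relevant lines quoted in the thread plus the two lines the answer proposes adding; the service-name table and the regular expressions are the script's own assumptions.

```python
import re

# Constructed sample: the router's static PAT lines quoted in the thread,
# plus the 192.168.11.7:86 line the answer proposes adding.
ROUTER_CONFIG = """
ip nat inside source static tcp 192.168.11.112 25 61.239.128.122 25 extendable
ip nat inside source static tcp 192.168.11.112 110 61.239.128.122 110 extendable
ip nat inside source static tcp 192.168.11.112 443 61.239.128.122 443 extendable
ip nat inside source static tcp 192.168.11.112 587 61.239.128.122 587 extendable
ip nat inside source static tcp 192.168.11.7 86 61.239.128.122 86 extendable
"""

# Constructed sample: the ASA's "mail" ACL quoted in the thread, plus the
# 192.168.11.7 eq 86 line the answer proposes adding.
ASA_CONFIG = """
access-list mail extended permit tcp any host 192.168.11.112 eq smtp
access-list mail extended permit tcp any host 192.168.11.112 eq pop3
access-list mail extended permit tcp any host 192.168.11.112 eq 3000
access-list mail extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list mail extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list mail extended permit tcp any host 192.168.11.112 eq https
access-list mail extended permit tcp any host 192.168.11.7 eq 86
"""

# The ASA prints well-known ports as service names; this table (an assumption of
# this script, covering the names used on the page) maps them back to numbers.
PORT_NAMES = {"smtp": 25, "pop3": 110, "https": 443, "http": 80, "www": 80}

NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")


def to_port(token: str) -> int:
    """Resolve an ASA 'eq' operand (numeric or service name) to a port number."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES[token]


def router_forwards(config: str) -> set:
    """(inside_host, inside_port) pairs the router exposes via static PAT."""
    found = set()
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def asa_permits(config: str) -> set:
    """(host, port) pairs the ASA permits from 'any' in its TCP ACL entries.
    Only 'permit tcp any host X eq P' lines are considered; the subnet-to-subnet
    'permit ip' entries for the VPN peers are deliberately ignored."""
    found = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            found.add((m.group(2), to_port(m.group(3))))
    return found


def cross_check(router_cfg: str, asa_cfg: str) -> dict:
    """Compare what the router forwards with what the ASA lets through."""
    fwd = router_forwards(router_cfg)
    allowed = asa_permits(asa_cfg)
    return {
        # reachable end to end from the Internet
        "working": sorted(fwd & allowed),
        # forwarded by the router but dropped by the ASA (service silently unreachable)
        "nat_without_permit": sorted(fwd - allowed),
        # opened on the ASA but never forwarded by the router (stale or premature rule)
        "permit_without_nat": sorted(allowed - fwd),
    }


if __name__ == "__main__":
    for label, pairs in cross_check(ROUTER_CONFIG, ASA_CONFIG).items():
        print(f"{label}:")
        for host, port in pairs:
            print(f"  {host}:{port}")
```

Run against the thread's own lines, the script confirms 192.168.11.7:86 is consistent on both devices once the two proposed lines are added, and also surfaces two pre-existing mismatches visible in the posted configs: port 587 is forwarded by the router but has no ASA permit, and port 3000 is permitted on the ASA but never forwarded. One further point to keep in mind if the router is removed as the answer suggests: the ASA config contains `http 0.0.0.0 0.0.0.0 outside` with `http server enable 444`, which today sits behind a router that does not forward 444; with the ASA terminating the Internet link directly, that line would expose ASDM management to any source and should be narrowed first.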