01-07-2011 08:49 AM - edited 03-04-2019 10:59 AM
I have a Cisco ASA 5510 with a block of 5 IP addresses assigned from our ISP. I am having issues with connectivity and routing traffic from the outside interface to the outside interface. I have my outside interface set up with an IP address of 24.182.x.146; it allows internet access and also hosts a web server. Any time I have a client using this device for internet access, I am unable to have traffic accepted for my web server, i.e. 100.100.x.52 is using this device, it browses to https://24.182.x.146 and it gets an "unable to connect". I am able to connect to the web server from any other ISP/device.
Thank you all in advance for looking at this.
Below is my current config:
CiscoASA# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname CiscoASA
enable password V2weNZuR0xPieBxK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 24.182.13.146 255.255.255.248
no pim
no igmp
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 100.100.100.136 255.255.252.0
no pim
no igmp
ospf network point-to-point non-broadcast
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group BVCH
name-server 100.100.100.98
dns server-group DefaultDNS
name-server 68.190.192.35
name-server 71.9.127.107
name-server 4.2.2.3
dns-group BVCH
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object service PharmServerRD
service tcp destination eq 6257
object network obj-inside
subnet 100.100.100.0 255.255.252.0
object network obj-avreo
host 100.100.100.4
object network obj-avreord
host 100.100.100.4
object network obj-sqlrd
host 100.100.100.98
object network obj-adp
host 100.100.102.14
object network obj-Avreossl
host 100.100.100.4
object network NETWORK_OBJ_10.1.1.0_24
subnet 10.1.1.0 255.255.255.0
object network NETWORK_OBJ_100.100.100.0_22
subnet 100.100.100.0 255.255.252.0
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network NETWORK_OBJ_100.100.100.0_24
subnet 100.100.100.0 255.255.255.0
object network 100.100.5.0
subnet 100.100.5.0 255.255.255.0
description Voice
object network 100.100.5.4
host 100.100.5.4
description Message Manager
object network obj-Webserver
host 100.100.100.6
object network ext-1
host 24.182.13.147
object network ssl-baracuda
host 100.100.100.97
object-group service RD tcp
description RD
port-object eq 6250
port-object eq 6251
port-object eq 6252
port-object eq 6257
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_in remark Permit Traffic to 100.100.100.6 - HTTP
access-list outside_in extended permit tcp any host 100.100.100.6 eq www
access-list outside_in remark Permit Traffic to 100.100.102.14 - RD
access-list outside_in extended permit tcp any host 100.100.102.14 eq 3389
access-list outside_in remark Permit Traffic to 100.100.100.98 - RD
access-list outside_in extended permit tcp any host 100.100.100.98 eq 6252
access-list outside_in remark Permit Traffic to 100.100.100.4 - HTTPS
access-list outside_in extended permit tcp any host 100.100.100.4 eq https
access-list outside_in remark Permit Traffic to 100.100.100.4 - RD
access-list outside_in extended permit tcp any host 100.100.100.4
access-list outside_in remark Permit Traffic to 100.100.100.20 - RD
access-list outside_in extended permit tcp any host 100.100.100.20
access-list outside_in extended permit tcp any host 100.100.100.97 eq https
access-list to100.5.4 extended permit ip any host 100.100.5.4
access-list rhccomp extended permit ip any 10.10.10.0 255.255.255.224
access-list rhcphone extended permit ip any 10.10.5.0 255.255.255.224
access-list outside_cryptomap extended permit ip 100.100.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list CAP extended permit icmp any any
access-list CAP extended permit icmp any 24.182.13.144 255.255.255.248
access-list CAP extended permit tcp any host 24.182.13.147 eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (Inside,outside) source static any any destination static obj-10.1.1.0 obj-10.1.1.0
nat (Inside,outside) source static NETWORK_OBJ_100.100.100.0_24 NETWORK_OBJ_100.100.100.0_24 destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24
!
object network obj-inside
nat (Inside,outside) dynamic interface
object network obj-avreo
nat (Inside,outside) static interface service tcp www www
object network obj-avreord
nat (Inside,outside) static interface service tcp 6256 6256
object network obj-sqlrd
nat (Inside,outside) static interface service tcp 6252 6252
object network obj-adp
nat (Inside,outside) static interface service tcp 3389 9999
object network obj-Avreossl
nat (Inside,outside) static interface service tcp https https
object network ssl-baracuda
nat (Inside,outside) static ext-1
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.182.13.145 1
route Inside 10.5.4.0 255.255.255.0 100.100.100.156 1
route Inside 10.5.5.0 255.255.255.0 100.100.100.156 1
route Inside 10.10.5.0 255.255.255.224 100.100.100.159 1
route Inside 10.10.10.0 255.255.255.224 100.100.100.159 1
route Inside 100.100.5.0 255.255.255.0 100.100.100.159 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 100.100.100.0 255.255.252.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside
sysopt noproxyarp Inside
sysopt noproxyarp management
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer 65.115.125.41
crypto map outside_map1 1 set transform-set ESP-3DES-MD5
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet 100.100.100.0 255.255.252.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc
username srogers password zI5NKeqdTq25lLxy encrypted privilege 15
username thagerman password PT28vZviqpU4QZ8k encrypted privilege 15
username mcard password l2OErQyeYqC72NG8 encrypted privilege 15
tunnel-group 65.115.125.41 type ipsec-l2l
tunnel-group 65.115.125.41 ipsec-attributes
pre-shared-key *****
!
class-map rhcphone
match access-list rhcphone
class-map test
match access-list to100.5.4
class-map inspection_default
match default-inspection-traffic
class-map rhc
match access-list rhccomp
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class test
set connection advanced-options tcp-state-bypass
class rhc
set connection advanced-options tcp-state-bypass
class rhcphone
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:01f91fc3183151d23ff656139db40077
: end
CiscoASA#
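An added check, not from the thread and not a Cisco tool, that parses the 8.3-style object NAT and outside_in lines of a posted running-config: it lists ACL entries with no static NAT for the same real host and port, and reports whether any same-interface (Inside,Inside) NAT rule exists, which an inside client reaching the server through the outside interface address normally relies on together with the intra-interface permit. SAMPLE_CONFIG is constructed from lines in the posted config; the PORTS map and the audit function are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the posted running-config (a real run
# would be fed the whole "sh run" output instead).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network obj-avreo
 host 100.100.100.4
object network obj-Avreossl
 host 100.100.100.4
object network obj-Webserver
 host 100.100.100.6
access-list outside_in extended permit tcp any host 100.100.100.6 eq www
access-list outside_in extended permit tcp any host 100.100.100.4 eq https
object network obj-avreo
 nat (Inside,outside) static interface service tcp www www
object network obj-Avreossl
 nat (Inside,outside) static interface service tcp https https
"""

PORTS = {"www": "80", "http": "80", "https": "443"}  # port names used in the config


def audit(config):
    """Return hairpin-related findings for an ASA 8.3 config (object NAT syntax)."""
    objects, nats, acl, cur = {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            cur = m.group(1)                       # entering an object block
        elif m := re.match(r"host (\S+)$", line):
            objects[cur] = m.group(1)              # real address of the object
        elif m := re.match(r"nat \((\w+),(\w+)\) static interface service tcp (\S+) (\S+)", line):
            # object NAT: (real_if, mapped_if, real host, real port); 8.3 ACLs use real ports
            nats.append((m.group(1), m.group(2), objects.get(cur), PORTS.get(m.group(3), m.group(3))))
        elif m := re.match(r"nat \((\w+),(\w+)\) ", line):
            nats.append((m.group(1), m.group(2), None, None))   # twice NAT, interfaces only
        elif m := re.match(r"access-list outside_in extended permit tcp any host (\S+) eq (\S+)", line):
            acl.append((m.group(1), PORTS.get(m.group(2), m.group(2))))
    exposed = {(h, p) for _, mapped_if, h, p in nats if mapped_if == "outside" and h}
    return {
        "intra_interface": "same-security-traffic permit intra-interface" in config,
        "hairpin_nat": [n for n in nats if n[0] == n[1]],       # e.g. (Inside,Inside) rules
        "acl_without_nat": [e for e in acl if e not in exposed],  # permitted but never translated
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample above the audit reports no Inside-to-Inside NAT rule and flags the outside_in entry for 100.100.100.6/80, for which the posted lines carry no object NAT.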
01-08-2011 09:30 AM
Hi,
If I understand correctly you can access the webserver https://24.182.x.146 from the outside but not from the internal client 100.100.100.x, is this correct?
Can you access the webserver using its private IP from the inside? https://100.100.100.6
If I misunderstood, please clarify.
Federico.
01-08-2011 02:12 PM
I am sorry I wasn't able to correctly address my issue.
I have 3 different internet lines.
ISP1: 24.x.x.146
ISP2: 71.x.x.10
ISP3: 71.x.x.69
The inside address 100.100.100.6 has a NAT translation on ISP1.
http://24.x.x.146 is the NAT for my webserver.
From any workstation I can access the internal address of 100.100.100.6.
From any workstation using ISP1 I am unable to access the outside address of http://24.x.x.146.
From any workstation on ISP2 or ISP3 I can successfully access http://24.x.x.146.
ISP1 is a Charter Communications line.
ISP2 and ISP3 are Verizon lines.
I have a Cisco ASA 5510 on ISP1.
01-08-2011 07:20 PM
Then we know that you can access the server from the internet fine (if using ISP-2 or ISP-3).
What happens with ISP-1 where you have the ASA?
Is the default gateway of the server the ASA?
In other words, if the webserver goes to the Internet, which ISP does it use?
You can have the static NAT on the ASA, but if routing does not send the traffic through, it's not going to work.
So far I understand you have this:
Server ---- ISP-1
ISP-2
ISP-3
According to the configuration, the ASA only handles ISP-1, then what do you have in between the server and the ASA?
I guess the problem is with routing so far...
Federico.
01-08-2011 08:05 PM
Yes, everything from ISP2 and ISP3 works. The server's default gateway is set to the ASA. The server connects to a switch, and then the ASA is on another switch. Routing between the switches works fine. No VLANs, no routing between switches. When I use a workstation with the default gateway set to the ASA (100.x.x.136) and try to use the WAN address to access the server, I get an "unable to connect" error. Using the same workstation on the same default gateway, using the internal IP, it connects no problem. Everything internally works fine. My only issue is having traffic from the ASA go to the internet and re-enter the ASA for the NAT.