
Need help making a site available externally

WhiteIsland
Level 1

Hi all,

I'm trying to open a hole in the firewall (ASA 5505, v8.2) to allow external access to a Web application.  Via ASDM (6.3?), I've added the server as a Public Server, which creates a static NAT entry and an incoming rule "any... server_public_ip... https... allow" but traffic is still not getting through.  When I look at the log viewer, it says it's denied by access-group inside_access_out, implicit rule, which is "any any ip deny"

I haven't had much experience with Cisco management.  I can't see what I'm missing to allow this connection through, and I'm wondering if there's anything else special I have to add.  I tried adding a rule (several variations) within that access-group to allow https to the server, but it never made a difference.

Any ideas?  If you need more information, please let me know.

Thanks

2 Accepted Solutions

8 Replies

Jennifer Halim
Cisco Employee

Can you please share your running config.

Hi Jennifer, so sorry for the delay.  I got my access-group name confused.  It is inside_access_out that is blocking.  Here are my access-list entries and static NAT.  Please let me know if this helps.  Thanks again!

access-list acl_in extended permit tcp any host PUBLIC_IP eq https
access-list acl_in extended permit icmp CS_WAN_IPs 255.255.255.240 any
access-list acl_in remark Allow Vendor connections to LAN
access-list acl_in extended permit tcp host Vendor any object-group RemoteDesktop
access-list acl_in remark NetworkScanner scan-to-email incoming (from smtp.mail.microsoftonline.com to PCs)
access-list acl_in extended permit object-group TCPUDP any object-group Scan-to-email host NetworkScanner object-group Scan-to-email
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any any
access-list acl_out extended permit udp any any
access-list SSLVPNSplitTunnel standard permit LAN_Subnet 255.255.255.0
access-list nonat extended permit ip VPN_Subnet 255.255.255.0 LAN_Subnet 255.255.255.0
access-list nonat extended permit ip LAN_Subnet 255.255.255.0 VPN_Subnet 255.255.255.0
access-list inside_access_out remark NetworkScanner Scan-to-email outgoing (from scanner to Internet)
access-list inside_access_out extended permit object-group TCPUDP host NetworkScanner object-group Scan-to-email any object-group Scan-to-email
access-list inside_access_out extended permit tcp any interface outside eq https

static (inside,outside) PUBLIC_IP LOCAL_IP[server object] netmask 255.255.255.255

and can you also share the output of "show run access-group"

access-group inside_access_out out interface inside

access-group acl_in in interface outside

access-group acl_out out interface outside

Please remove the following line and that would allow you access to the web server:

access-group inside_access_out out interface inside

To allow only specific access from internal networks towards the outside/internet, the access-list should be applied in the "in" direction on the inside interface.

Jennifer Halim wrote:

To allow only specific access from internal networks towards the outside/internet, the access-list should be applied in the "in" direction on the inside interface.

I'm not sure I understand.  Regarding allowing only specific access out of the network, does that mean I would need to create outgoing rules for anything outgoing (such as users accessing the Internet)?  Since it is currently set to "out," how does that affect access?  (Does it block everything?)

Will removing the line open it up for everything outgoing?

Thank you!

There are 2 types of access-list:

- "in" , which means incoming/inbound towards the interface

- "out", which means outgoing/outbound off the interface

So the access-list is relative to the interface, not relative to whether it is outgoing traffic towards the Internet, or incoming towards the internal subnet.

So to allow access out of the internal network, you just configure the access list "in" towards the inside interface as traffic will hit the inside interface first before going out via the outside interface.

Your currently configured "out" is outgoing the inside interface, i.e. it will affect traffic from the outside or any other interfaces outbound off the inside interface.

Removing the line will not open it up for everything since you already have "in" access-list on the outside interface.
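To make the "direction is relative to the interface" point concrete, here is a small model, written for this page and not code from the thread or from Cisco, of how an ASA decides which ACLs a flow must pass. It loads the three access-group lines and the relevant access-list entries posted above, then evaluates the external HTTPS request to the web server, an external SSH attempt, and a LAN user browsing out, once with the original access-groups and once with "access-group inside_access_out out interface inside" removed. Matching is simplified to protocol, source, destination and port; object-groups and the "interface outside" keyword are kept as opaque tokens; the host names (internet-client, lan-user, internet-host) are placeholders; and the model assumes the ASA's default security levels (inside 100, outside 0) and that the outside ACL sees the mapped address while the inside ACL sees the real one.

```python
"""Added model (not ASA code) of which ACLs a flow must pass on a Cisco ASA,
built from the access-group lines and access-list entries posted in the thread.
Matching is simplified to protocol / source / destination / port."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASA default security levels for the two interfaces (assumption: unchanged).
SECURITY_LEVEL = {"inside": 100, "outside": 0}

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or an opaque host/network token
    dst: str                    # "any" or an opaque host/network token
    port: Optional[str] = None  # None means any port; groups are opaque tokens

@dataclass
class Flow:
    ingress: str                # interface the packet arrives on
    egress: str                 # interface it leaves by
    proto: str
    src: str
    dst_global: str             # destination as seen on outside (mapped, pre-8.3)
    dst_real: str               # destination after un-NAT, as seen on inside
    port: Optional[str] = None

AccessGroup = Tuple[str, str, str]  # (acl name, "in" or "out", interface)

def rule_matches(rule: Rule, proto: str, src: str, dst: str, port: Optional[str]) -> bool:
    return (rule.proto in ("ip", proto)
            and rule.src in ("any", src)
            and rule.dst in ("any", dst)
            and (rule.port is None or rule.port == port))

def acl_verdict(acl: List[Rule], proto, src, dst, port) -> str:
    """First match wins; every ASA ACL ends with an implicit deny."""
    for rule in acl:
        if rule_matches(rule, proto, src, dst, port):
            return rule.action
    return "deny (implicit)"

def evaluate(flow: Flow, groups: List[AccessGroup], acls) -> List[Tuple[str, str, str, str]]:
    """Checks applied to `flow` as (acl, direction, interface, verdict), stopping
    at the first deny. The "in" ACL of the ingress interface is consulted first,
    then the "out" ACL of the egress interface: direction is per interface."""
    steps = []
    def dst_on(iface):  # assumption: mapped address on outside, real on inside
        return flow.dst_global if iface == "outside" else flow.dst_real
    inbound = [g for g in groups if g[1] == "in" and g[2] == flow.ingress]
    if inbound:
        name = inbound[0][0]
        steps.append((name, "in", flow.ingress, acl_verdict(
            acls[name], flow.proto, flow.src, dst_on(flow.ingress), flow.port)))
    else:
        # No ACL applied: the ASA permits higher- to lower-security traffic by
        # default and drops the reverse direction.
        ok = SECURITY_LEVEL[flow.ingress] > SECURITY_LEVEL[flow.egress]
        steps.append(("<no acl>", "in", flow.ingress, "permit" if ok else "deny (security level)"))
    if steps[-1][3] != "permit":
        return steps
    outbound = [g for g in groups if g[1] == "out" and g[2] == flow.egress]
    if outbound:
        name = outbound[0][0]
        steps.append((name, "out", flow.egress, acl_verdict(
            acls[name], flow.proto, flow.src, dst_on(flow.egress), flow.port)))
    return steps

def allowed(steps) -> bool:
    return all(s[3] == "permit" for s in steps)

# The thread's ACLs, reduced to the entries relevant to the flows below
# ("tcp" stands in for the TCPUDP object-group on the scanner line).
ACLS = {
    "acl_in": [Rule("permit", "tcp", "any", "PUBLIC_IP", "https")],
    "acl_out": [Rule("permit", "icmp", "any", "any"),
                Rule("permit", "tcp", "any", "any"),
                Rule("permit", "udp", "any", "any")],
    "inside_access_out": [Rule("permit", "tcp", "NetworkScanner", "any", "Scan-to-email"),
                          Rule("permit", "tcp", "any", "interface outside", "https")],
}
ORIGINAL = [("inside_access_out", "out", "inside"),
            ("acl_in", "in", "outside"),
            ("acl_out", "out", "outside")]
FIXED = [g for g in ORIGINAL if g[0] != "inside_access_out"]  # the accepted fix

# Constructed sample flows; host tokens are placeholders, not real addresses.
WEB_FROM_INTERNET = Flow("outside", "inside", "tcp", "internet-client", "PUBLIC_IP", "LOCAL_IP", "https")
SSH_FROM_INTERNET = Flow("outside", "inside", "tcp", "internet-client", "PUBLIC_IP", "LOCAL_IP", "ssh")
LAN_TO_INTERNET = Flow("inside", "outside", "tcp", "lan-user", "internet-host", "internet-host", "https")

if __name__ == "__main__":
    for label, groups in (("original", ORIGINAL), ("fixed", FIXED)):
        for flow in (WEB_FROM_INTERNET, SSH_FROM_INTERNET, LAN_TO_INTERNET):
            steps = evaluate(flow, groups, ACLS)
            print(label, flow.ingress, "->", flow.egress, flow.port, steps,
                  "ALLOWED" if allowed(steps) else "DROPPED")
```

With the original access-groups the web request is permitted by acl_in on the way in, then hits inside_access_out on the way out of the inside interface, where neither entry matches it, so the implicit deny reported in the log viewer fires. With the line removed the request passes, the LAN user's outbound HTTPS is unchanged (no "in" ACL on inside, then acl_out permits it), and an external SSH attempt is still dropped by acl_in, which is why removing the line does not open the firewall up.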

Thank you for the clarification.  I appreciate the help.