le 15-05-2023 03:18 AM
Hello,
I have a local network 192.168.1.0/24 and Cisco ASA as Firewall.
Hosts in local network can't reach web server using public IP, However simple ping to public IP works and users from outside network can reach web server perfectly.
Bellow my ASA configuration:
ASA Version 8.2(5)
!
hostname asa-sh
domain-name dom.intra
names
name 192.168.1.13 server
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.252
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.12
name-server 8.8.8.8
domain-name dom.intra
object-group network Machines-SMTP
description Machines qui ont le droit d'envoyer du trafic SMTP
network-object 192.168.1.0 255.255.255.0
object-group network Machines-POP
description Machines qui ont le droit de recevoir du trafic POP
network-object 192.168.1.0 255.255.255.0
object-group network Serveurs-DNS
description Serveurs qui ont le droit d'envoyer du trafic DNS
network-object host 192.168.1.12
object-group network Machines-Web
description Machines qui ont le droit de naviguer sur le web.
network-object 192.168.1.0 255.255.255.0
object-group network Machines-ALL
description Machines qui ont le droit sur tous les protocoles
network-object 192.168.1.0 255.255.255.0
object-group network Machine-ALL
network-object 192.168.1.0 255.255.255.0
object-group network LocalNetwork
network-object 192.168.1.0 255.255.255.0
object-group network Serveur-SAP
network-object host server
access-list acl-in extended permit tcp object-group Machines-SMTP any eq smtp
access-list acl-in extended permit tcp object-group Machines-Web any eq https
access-list acl-in extended permit udp object-group Serveurs-DNS any eq domain
access-list acl-in extended permit tcp object-group Serveurs-DNS any eq domain
access-list acl-in extended permit icmp any any
access-list acl-in extended permit tcp object-group Machines-POP any eq pop3
access-list acl-in extended permit tcp object-group Machines-Web any eq www
access-list acl-in extended permit ip object-group Machines-ALL any
access-list acl-in extended permit tcp object-group Serveurs-DNS any eq www
access-list acl-in extended permit tcp object-group Serveurs-DNS any eq https
access-list acl-in extended permit tcp object-group Machines-POP any eq 995
access-list acl-in extended permit tcp object-group Machines-POP any eq 993
access-list acl-in extended permit tcp object-group Machines-POP any eq imap4
access-list acl-in extended permit udp object-group Machines-Web any eq domain
access-list acl-in extended permit tcp object-group Machines-Web any eq domain
access-list acl-in extended permit tcp object-group Machines-SMTP any eq domain
access-list acl-in extended permit udp object-group Machines-SMTP any eq domain
access-list acl-in extended permit tcp object-group Machines-SMTP any eq 465
access-list acl-in extended permit ip object-group Machine-ALL any
access-list acl-out extended permit tcp any host 172.16.1.2 eq smtp
access-list acl-out extended permit tcp any host 172.16.1.2 eq pop3
access-list acl-out extended permit icmp any any echo-reply
access-list acl-out extended permit tcp any host 172.16.1.2 eq 995
access-list acl-out extended permit tcp any host 172.16.1.2 eq 993
access-list acl-out extended permit tcp any host 172.16.1.2 eq imap4
access-list acl-out extended permit tcp any host 172.16.1.2 eq 3389
access-list acl-out extended permit tcp any host 172.16.1.2 eq 8080
access-list acl-out extended permit tcp any host 172.16.1.2 eq 8443
access-list acl-out extended permit tcp any host 172.16.1.2 eq 4370
access-list acl-out extended permit udp any host 172.16.1.2 eq 4370
access-list acl-out extended permit tcp any host 172.16.1.2 eq 9540
access-list acl-out extended permit udp any host 172.16.1.2 eq 9540
access-list acl-out extended permit tcp any host 172.16.1.2 eq 70000
access-list acl-out extended permit udp any host 172.16.1.2 eq 70000
access-list acl-out extended permit tcp any host 172.16.1.2 eq 70020
access-list acl-out extended permit udp any host 172.16.1.2 eq 70020
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 4370 192.168.1.201 4370 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 server 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 server 9540 netmask 255.255.255.255
static (inside,outside) tcp interface 40000 server 70000 netmask 255.255.255.255
static (inside,outside) udp interface 8100 server 9540 netmask 255.255.255.255
static (inside,outside) udp interface 40000 server 70000 netmask 255.255.255.255
static (inside,outside) tcp interface 40020 server 70020 netmask 255.255.255.255
static (inside,outside) udp interface 40020 server 70020 netmask 255.255.255.255
access-group acl-in in interface inside
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.210 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.254 inside
dhcpd dns 192.168.1.12 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
asa-sh#
le 15-05-2023 08:06 AM
You need to tell us what is the internal Web Server IP and what port web Server Listening - 80 and 443
bare in mind ASA listening for managmenet on 443, so you may need to use other port or move the manangement port to different port to work as expected.
le 15-05-2023 08:22 AM
Internal Web Server is 192.168.1.13 (server) and listening port in web server is 8100
le 15-05-2023 08:12 AM
https://community.cisco.com/t5/network-security/hairpin-nat-asa5506-x-version-9-8/td-p/3756235
you need hairpin NATing for INside hosts to access Server using it Public IP
Découvrez et enregistrez vos notes préférées. Revenez pour trouver les réponses d'experts, des guides étape par étape, des sujets récents et bien plus encore.
Êtes-vous nouveau ici? Commencez par ces conseils. Comment utiliser la communauté Guide pour les nouveaux membres
Parcourez les liens directs de la Communauté et profitez de contenus personnalisés en français