Port 80 forwarded thru ASA 5505

spencerlake asked:

I have an ASA 5505, running NAT with Vlan1 (inside) and Vlan2 (outside). Inside is connected to the LAN, outside is connected to the Internet.
I need to allow port 80 to be forwarded through the ASA to an internal host. I thought I had the config correct but I can't get it to work.
Here's my running config:

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.236.137.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.106.198.58 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 24.25.5.60
 name-server 24.25.5.61
 domain-name default.domain.invalid
object-group icmp-type Ping
 icmp-object echo
 icmp-object echo-reply
object-group service WeNAS tcp-udp
 port-object range 20 21
 port-object eq www
access-list opans_splitTunnelAcl standard permit 10.236.137.0 255.255.255.0
access-list inside_access_out extended permit icmp any any object-group Ping
access-list outside_access_in extended permit icmp any any object-group Ping
access-list outside_access_in extended permit tcp any host 24.106.198.58 eq www
access-list outside-entry extended permit tcp any host 24.106.198.58 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool opansVpnPool 10.236.137.220-10.236.137.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.236.137.0 255.255.255.0
static (inside,outside) tcp 24.106.198.58 www 10.236.137.108 www netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.106.198.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:0
timeout uauth 0:05:00 absolute
group-policy opans internal
group-policy opans attributes
 dns-server value 10.236.137.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value opans_splitTunnelAcl
username callen password g.MCYL0Fb887xiPA encrypted privilege 0
username callen attributes
 vpn-group-policy opans
username klewis password OrQIIHEc3LCcsrkT encrypted privilege 0
username klewis attributes
 vpn-group-policy opans
username jsimpkins password 8EfjuqF4DlwnM3Sh encrypted privilege 0
username jsimpkins attributes
 vpn-group-policy opans
username kent password p2thsMZqtBBgY1it encrypted privilege 0
username kent attributes
 vpn-group-policy opans
http server enable
http 10.236.137.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group opans type ipsec-ra
tunnel-group opans general-attributes
 address-pool opansVpnPool
 default-group-policy opans
tunnel-group opans ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.236.137.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.236.137.110-10.236.137.200 inside
dhcpd dns 24.25.5.60 24.25.5.61 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:26e84a8b0cb6235dacc00f90fbc04538
: end
SOLUTION by rsivanandan (members-only; text not shown on this page):
Also, from next time onwards, please sanitize your config before posting here. This is a public forum, so be safe (sanitize -> remove password lines and mask off one octet of the public IP).

Cheers,
Rajesh
Les Moore:
Remove this
 access-group inside_access_out out interface inside

Use "no" to get rid of it
 no access-group inside_access_out out interface inside

I am not very familiar with IOS version 7.

You could try a 'clear xlate' command to reset the translation table.
Did you reapply the access-list to the interface after you changed it? (access-group outside_access_in in interface outside) ?

I think the following command is still valid if the IP address happens to be the unit's external interface.
static (inside,outside) tcp 24.106.198.58 www 10.236.137.108 www netmask 255.255.255.255
However you might also wish to try :-
static (inside,outside) tcp interface www 10.236.137.108 www netmask 255.255.255.255
spencerlake (asker):
If I enter this:
access-list outside_access_in extended permit tcp any outside interface eq www

I get:
Invalid hostname pointing to the "outside" part of the command.

Did I miss anything?
There is no need to modify the access list. Just remove and reapply it as in lrmoore's post above.
My bad, it should be;

access-list outside_access_in extended permit tcp any interface outside eq www

Cheers,
Rajesh
ASKER CERTIFIED SOLUTION (members-only; text not shown on this page):
Agree with lrmoore - typically you don't do ACLs outbound. Do this ...

/* Remove these */
no access-group inside_access_out out interface inside
no access-group outside_access_in in interface outside

/* Add this */
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside

Let me know if you still have problems
>/* Add this */
access-group inside_access_out in interface inside

>access-list inside_access_out extended permit icmp any any object-group Ping

No - the acl itself is haywire and will block outgoing connections. The ONLY thing it permits is ICMP Ping.
Please, Spence, just remove the acl from the inside interface completely. If you then want to limit outbound connections we can work on a proper access-list to apply.
Agreed - I figured that was just a snippet of the ACL - not the whole thing :) If that's the whole thing then you're correct - just remove the ACL and build one up.
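The thread's diagnosis, as an added example that is not part of any post above: a small audit script that parses the statements the question turns on (interface nameif and ip address, extended access-lists, access-group bindings, port statics) and reports the three things the replies point at. The sample configs, function names and finding codes are constructed for this example; the ASA behaviour it encodes is the one the replies rely on (an ACL bound in the `out` direction is evaluated for the forwarded connection as it leaves toward the inside host, and the inbound ACL on the outside interface is matched against the mapped, pre-NAT address, which is why the ACE names the public address or `interface outside`). Object-group destinations are not expanded.

```python
"""Audit ASA 7.x-style config lines for the static PAT / ACL mistakes in this thread.

Added example, not code from the original post. Reports statics with no matching
inbound ACE, ACLs bound 'out' that drop the forwarded flow, and ACLs that are
defined but never bound. Sample configs below are constructed from the thread.
"""
import ipaddress
from collections import defaultdict

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22}

# Constructed sample: the relevant lines of the config as posted.
POSTED_CONFIG = """\
access-list inside_access_out extended permit icmp any any object-group Ping
access-list outside_access_in extended permit icmp any any object-group Ping
access-list outside_access_in extended permit tcp any host 24.106.198.58 eq www
access-list outside-entry extended permit tcp any host 24.106.198.58 eq www
static (inside,outside) tcp 24.106.198.58 www 10.236.137.108 www netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
"""

# Constructed sample: the same lines with the fix the thread converges on.
FIXED_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 24.106.198.58 255.255.255.248
access-list outside_access_in extended permit tcp any interface outside eq www
static (inside,outside) tcp interface www 10.236.137.108 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(t, i):
    """Consume one ASA address spec at t[i]; return (kind, value, next index)."""
    if t[i] == "any":
        return "any", None, i + 1
    if t[i] in ("host", "interface", "object-group"):
        return t[i], t[i + 1], i + 2
    return "net", ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_config(text):
    cfg = {"if_ip": {}, "acls": defaultdict(list), "groups": [], "statics": []}
    nameif = None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            cfg["if_ip"][nameif] = t[2]
        elif t[0] == "access-list" and t[2] == "extended":
            ace = {"action": t[3], "proto": t[4], "dport": None}
            _, _, i = _addr(t, 5)                       # source; a source-port operator is skipped
            if i < len(t) and t[i] in ("eq", "range"):
                i += 2 if t[i] == "eq" else 3
            kind, val, i = _addr(t, i)
            ace["dst"] = (kind, val)
            if i < len(t) and t[i] in ("eq", "range"):  # destination port as an inclusive (lo, hi)
                ace["dport"] = (_port(t[i + 1]), _port(t[i + 1 if t[i] == "eq" else i + 2]))
            cfg["acls"][t[1]].append(ace)
        elif t[0] == "access-group":
            cfg["groups"].append({"acl": t[1], "dir": t[2], "iface": t[4]})
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if, "proto": t[2],
                                   "mapped_ip": t[3], "mapped_port": _port(t[4]),
                                   "real_ip": t[5], "real_port": _port(t[6])})
    return cfg

def _permits(ace, proto, ip, port, iface):
    """Does this ACE permit proto/port to ip? 'interface X' matches X's own address."""
    if ace["action"] != "permit" or ace["proto"] not in (proto, "ip"):
        return False
    if ace["dport"] and not ace["dport"][0] <= port <= ace["dport"][1]:
        return False
    kind, val = ace["dst"]
    return (kind == "any" or (kind == "host" and val == ip) or (kind == "interface" and val == iface)
            or (kind == "net" and ipaddress.ip_address(ip) in val))

def audit(cfg):
    """Return 'CODE: detail' findings; an empty list means every port static looks reachable."""
    findings, bound = [], defaultdict(dict)            # bound[iface][direction] = acl name
    for g in cfg["groups"]:
        bound[g["iface"]][g["dir"]] = g["acl"]
    for name in cfg["acls"]:
        if not any(name in d.values() for d in bound.values()):
            findings.append(f"UNAPPLIED-ACL: {name} is defined but bound to no interface")
    for s in cfg["statics"]:
        # The 'in' ACL on the mapped interface is matched against the mapped (pre-NAT) address.
        mapped_ip = cfg["if_ip"][s["mapped_if"]] if s["mapped_ip"] == "interface" else s["mapped_ip"]
        acl = bound[s["mapped_if"]].get("in")
        if not any(_permits(a, s["proto"], mapped_ip, s["mapped_port"], s["mapped_if"])
                   for a in cfg["acls"].get(acl, [])):
            findings.append(f"STATIC-NOT-PERMITTED: no 'in' ACE on {s['mapped_if']} permits "
                            f"{s['proto']}/{s['mapped_port']} to {mapped_ip}")
        # An ACL bound 'out' on the real interface sees the same connection leaving toward the host.
        acl = bound[s["real_if"]].get("out")
        if acl and not any(_permits(a, s["proto"], s["real_ip"], s["real_port"], s["real_if"])
                           for a in cfg["acls"][acl]):
            findings.append(f"OUTBOUND-ACL-BLOCKS: {acl} bound 'out' on {s['real_if']} does not "
                            f"permit {s['proto']}/{s['real_port']} to {s['real_ip']}")
    return findings

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(parse_config(text)) or ["no findings"])
```

On the posted lines the script reports `OUTBOUND-ACL-BLOCKS` for `inside_access_out` (it permits only ICMP, so the forwarded HTTP connection is dropped as it exits the inside interface, which is why pings work and port 80 does not) and `UNAPPLIED-ACL` for `outside-entry`, which is defined but never bound; the fixed lines produce no findings. The asker's malformed `any outside interface eq www` line would make `_addr` raise a `ValueError` from `ipaddress`, since `outside/interface` is not a network, which matches the ASA's own rejection of it.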