parlay_user
asked on
Cisco ASA 5505 Config help
Hi, I just purchased a Cisco ASA 5505 and built a config I thought would work but I'm running into some issues. I think the nating may be wrong but i'm not sure. It may be the Access rules as well. Basically I have 3 servers behind this firewall that are being hosted at a Co-lo. I have an internal network of 192.168.10.0 and each server has a 1 to 1 nat with the external addresses I was provided. 72.14.x.x/29. Right now, I want the servers to be able to access anything, and I want the servers to be accessible on port 80, 22, and a few others. Right now with my current config, I can ssh in to all of them, access 2 of them on 80 but thats about it. I built the config with the ASDM but I will paste the running config here:
: Saved
:
ASA Version 8.0(2)
!
hostname blink-fw
domain-name parlaygroup.com
enable password HDuCyYUaf0COvX1Y encrypted
names
name 72.14.x.x appserver-ext description External Add
name 192.168.10.5 appserver_int description Parlay Games
name 72.14.x.x oracle_db-ext description External Add
name 192.168.10.3 oracle_db_int description Oracle / MySql
name 72.14.x.x webserver-ext description External Add
name 192.168.10.4 webserver_int description Apache / PHP
name 24.141.18.88 Trent_Sschwartz description Trent Home IP
name 72.14.x.x Lotto_Site-ext
name 192.168.10.6 Lotto_Site-int
!
interface Vlan1
nameif inside
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.14.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name parlaygroup.com
object-group network Blink_Servers_int
network-object host oracle_db_int
network-object host webserver_int
network-object host appserver_int
network-object host Lotto_Site-int
object-group network My_Sql
network-object host Parlay_Network
network-object host Trent_Sschwartz
object-group network SSH
network-object host Parlay_Network
network-object host Trent_Sschwartz
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service MySql tcp
port-object eq 3306
object-group service Parlay_Chat tcp
port-object eq 2156
object-group service Tomcat tcp
port-object eq 8080
object-group service Parlay_Services tcp
group-object Parlay_Chat
group-object Tomcat
port-object eq www
port-object eq https
object-group network Blink_Servers_ext
network-object host oracle_db-ext
network-object host webserver-ext
network-object host appserver-ext
network-object host Lotto_Site-ext
access-list inside_access_in extended permit ip object-group Blink_Servers_int any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any object-group Blink_Servers_ext eq www
access-list outside_access_in extended permit tcp object-group SSH object-group Blink_Servers_ext eq ssh
access-list outside_access_in extended permit tcp object-group My_Sql host oracle_db-ext object-group MySql
access-list outside_access_in extended permit tcp any host appserver-ext object-group Parlay_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) oracle_db-ext oracle_db_int netmask 255.255.255.255
static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) appserver-ext appserver_int netmask 255.255.255.255
static (outside,inside) webserver_int webserver-ext netmask 255.255.255.255
static (outside,inside) oracle_db_int oracle_db-ext netmask 255.255.255.255
static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.14.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http Parlay_Network 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ddc6c2ffba8
: end
asdm image disk0:/asdm-602.bin
no asdm history enable
: Saved
:
ASA Version 8.0(2)
!
hostname blink-fw
domain-name parlaygroup.com
enable password HDuCyYUaf0COvX1Y encrypted
names
name 72.14.x.x appserver-ext description External Add
name 192.168.10.5 appserver_int description Parlay Games
name 72.14.x.x oracle_db-ext description External Add
name 192.168.10.3 oracle_db_int description Oracle / MySql
name 72.14.x.x webserver-ext description External Add
name 192.168.10.4 webserver_int description Apache / PHP
name 24.141.18.88 Trent_Sschwartz description Trent Home IP
name 72.14.x.x Lotto_Site-ext
name 192.168.10.6 Lotto_Site-int
!
interface Vlan1
nameif inside
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.14.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name parlaygroup.com
object-group network Blink_Servers_int
network-object host oracle_db_int
network-object host webserver_int
network-object host appserver_int
network-object host Lotto_Site-int
object-group network My_Sql
network-object host Parlay_Network
network-object host Trent_Sschwartz
object-group network SSH
network-object host Parlay_Network
network-object host Trent_Sschwartz
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service MySql tcp
port-object eq 3306
object-group service Parlay_Chat tcp
port-object eq 2156
object-group service Tomcat tcp
port-object eq 8080
object-group service Parlay_Services tcp
group-object Parlay_Chat
group-object Tomcat
port-object eq www
port-object eq https
object-group network Blink_Servers_ext
network-object host oracle_db-ext
network-object host webserver-ext
network-object host appserver-ext
network-object host Lotto_Site-ext
access-list inside_access_in extended permit ip object-group Blink_Servers_int any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any object-group Blink_Servers_ext eq www
access-list outside_access_in extended permit tcp object-group SSH object-group Blink_Servers_ext eq ssh
access-list outside_access_in extended permit tcp object-group My_Sql host oracle_db-ext object-group MySql
access-list outside_access_in extended permit tcp any host appserver-ext object-group Parlay_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) oracle_db-ext oracle_db_int netmask 255.255.255.255
static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) appserver-ext appserver_int netmask 255.255.255.255
static (outside,inside) webserver_int webserver-ext netmask 255.255.255.255
static (outside,inside) oracle_db_int oracle_db-ext netmask 255.255.255.255
static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.14.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http Parlay_Network 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ddc6c2ffba8
: end
asdm image disk0:/asdm-602.bin
no asdm history enable
ASKER
Thanks for the response, I can't try it out right now but as soon as I do I will update on progress.
Ian
Ian
ASKER
With regards to Access list rules, should all rules be using the internal addresses since I have the NAT in place or do I have to use the external address still? Meaning should this rule look like this:
access-list outside_access_in extended permit tcp any object-group Blink_Servers_EXT eq www
or
access-list outside_access_in extended permit tcp any object-group Blink_Servers_INT eq www
access-list outside_access_in extended permit tcp any object-group Blink_Servers_EXT eq www
or
access-list outside_access_in extended permit tcp any object-group Blink_Servers_INT eq www
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok I am still having major problems. Like I said, I can ssh into all the servers just fine, however I cannot hit them on Port 80. And none of the servers can get out on any port! Please help.
: Saved
:
ASA Version 8.0(2)
!
hostname blink-fw
domain-name parlaygroup.com
enable password HDuCyYUaf0COvX1Y encrypted
names
name 72.14.x.x appserver-ext description External Add
name 192.168.10.5 appserver_int description Parlay Games
name 72.14.x.x oracle_db-ext description External Add
name 192.168.10.3 oracle_db_int description Oracle / MySql
name 72.14.x.x webserver-ext description External Add
name 192.168.10.4 webserver_int description Apache / PHP
name 24.141.18.88 Trent_Sschwartz description Trent Home IP
name 72.14.x.x Lotto_Site-ext
name 192.168.10.6 Lotto_Site-int
!
interface Vlan1
nameif inside
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.14.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name parlaygroup.com
object-group network Blink_Servers_int
network-object host oracle_db_int
network-object host webserver_int
network-object host appserver_int
network-object host Lotto_Site-int
object-group network My_Sql
network-object host Parlay_Network
network-object host Trent_Sschwartz
object-group network SSH
network-object host Parlay_Network
network-object host Trent_Sschwartz
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service MySql tcp
port-object eq 3306
object-group service Parlay_Chat tcp
port-object eq 2156
object-group service Tomcat tcp
port-object eq 8080
object-group service Parlay_Services tcp
group-object Parlay_Chat
group-object Tomcat
port-object eq www
port-object eq https
object-group network Blink_Servers_ext
network-object host oracle_db-ext
network-object host webserver-ext
network-object host appserver-ext
network-object host Lotto_Site-ext
access-list inside_access_in extended permit ip object-group Blink_Servers_int any
access-list outside_access_in extended permit tcp any object-group Blink_Servers_ext eq www
access-list outside_access_in extended permit tcp object-group SSH object-group Blink_Servers_ext eq ssh
access-list outside_access_in extended permit tcp object-group My_Sql host oracle_db-ext object-group MySql
access-list outside_access_in extended permit tcp any host appserver-ext object-group Parlay_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) oracle_db-ext oracle_db_int netmask 255.255.255.255
static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) appserver-ext appserver_int netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.14.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 192.168.10.0 255.255.255.0 inside
http Parlay_Network 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:69611d70bb9
: end
asdm image disk0:/asdm-602.bin
no asdm history enable
: Saved
:
ASA Version 8.0(2)
!
hostname blink-fw
domain-name parlaygroup.com
enable password HDuCyYUaf0COvX1Y encrypted
names
name 72.14.x.x appserver-ext description External Add
name 192.168.10.5 appserver_int description Parlay Games
name 72.14.x.x oracle_db-ext description External Add
name 192.168.10.3 oracle_db_int description Oracle / MySql
name 72.14.x.x webserver-ext description External Add
name 192.168.10.4 webserver_int description Apache / PHP
name 24.141.18.88 Trent_Sschwartz description Trent Home IP
name 72.14.x.x Lotto_Site-ext
name 192.168.10.6 Lotto_Site-int
!
interface Vlan1
nameif inside
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.14.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name parlaygroup.com
object-group network Blink_Servers_int
network-object host oracle_db_int
network-object host webserver_int
network-object host appserver_int
network-object host Lotto_Site-int
object-group network My_Sql
network-object host Parlay_Network
network-object host Trent_Sschwartz
object-group network SSH
network-object host Parlay_Network
network-object host Trent_Sschwartz
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service MySql tcp
port-object eq 3306
object-group service Parlay_Chat tcp
port-object eq 2156
object-group service Tomcat tcp
port-object eq 8080
object-group service Parlay_Services tcp
group-object Parlay_Chat
group-object Tomcat
port-object eq www
port-object eq https
object-group network Blink_Servers_ext
network-object host oracle_db-ext
network-object host webserver-ext
network-object host appserver-ext
network-object host Lotto_Site-ext
access-list inside_access_in extended permit ip object-group Blink_Servers_int any
access-list outside_access_in extended permit tcp any object-group Blink_Servers_ext eq www
access-list outside_access_in extended permit tcp object-group SSH object-group Blink_Servers_ext eq ssh
access-list outside_access_in extended permit tcp object-group My_Sql host oracle_db-ext object-group MySql
access-list outside_access_in extended permit tcp any host appserver-ext object-group Parlay_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) oracle_db-ext oracle_db_int netmask 255.255.255.255
static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) appserver-ext appserver_int netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.14.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 192.168.10.0 255.255.255.0 inside
http Parlay_Network 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:69611d70bb9
: end
asdm image disk0:/asdm-602.bin
no asdm history enable
>access-group inside_access_in in interface inside
Start by removing the acl from the inside interface. Later we can lock down outbound traffic is you desire.
no access-group inside_access_in in interface inside
Also, try adding this:
policy-map global_policy
class inspection_default
inspect icmp
inspect http
Check the default gateway on all servers. Make sure it points to the inside interface of this ASA..
What are these servers using for DNS? An external DNS server?
Start by removing the acl from the inside interface. Later we can lock down outbound traffic is you desire.
no access-group inside_access_in in interface inside
Also, try adding this:
policy-map global_policy
class inspection_default
inspect icmp
inspect http
Check the default gateway on all servers. Make sure it points to the inside interface of this ASA..
What are these servers using for DNS? An external DNS server?
ASKER
ok, really sorry about the last post. actually was a problem with my own firewall going out. I'm basically good to go now except some internal stuff which I will have to figure out.
I do have a question about port forwarding however. Is it possible to make a rule that states, anything coming in on port 80 hitting appserver-ext, be forwarded to port 2156 on webserver_int ?
I do have a question about port forwarding however. Is it possible to make a rule that states, anything coming in on port 80 hitting appserver-ext, be forwarded to port 2156 on webserver_int ?
Only if you use port xlates. Example:
no static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) tcp webserver-ext 80 webserver_int 2156 netmask 255.255.255.255
no static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) tcp webserver-ext 80 webserver_int 2156 netmask 255.255.255.255
ASKER
so would that be the exact cmd I use?
Yes, copy and paste even if you want
ASKER
Thanks, that helped.
For some reson, each server cannot hit each other from there external ip? so if I try and telnet to each other on the ext ip on 80 it doesnt work?
For some reson, each server cannot hit each other from there external ip? so if I try and telnet to each other on the ext ip on 80 it doesnt work?
ASKER
Here is 1 of the error msg's:
6 Oct 05 2007 12:33:45 302014 appserver-ext oracle_db_int Teardown TCP connection 3014 for outside:appserver-ext/80 to inside:oracle_db_int/51541
6 Oct 05 2007 12:33:45 302014 appserver-ext oracle_db_int Teardown TCP connection 3014 for outside:appserver-ext/80 to inside:oracle_db_int/51541
No way. You cannot ever get to the external IP from another internal host.
ASKER
Ok understood, but I should be able to get from External to Internal correct? Here is the sequence of problems I'm having. I'm trying to hit an app for my network which succeeds
6 Oct 05 2007 13:06:40 302013 Parlay_Network appserver_int Built inbound TCP connection 3151 for outside:Parlay_Network/331
Then when I try to login it timesout
6 Oct 05 2007 13:06:44 302013 appserver-ext appserver_int Built outbound TCP connection 3152 for outside:appserver-ext/80 (appserver-ext/80) to inside:appserver_int/47961
6 Oct 05 2007 13:07:14 302014 appserver-ext appserver_int Teardown TCP connection 3152 for outside:appserver-ext/80 to inside:appserver_int/47961
6 Oct 05 2007 13:06:40 302013 Parlay_Network appserver_int Built inbound TCP connection 3151 for outside:Parlay_Network/331
Then when I try to login it timesout
6 Oct 05 2007 13:06:44 302013 appserver-ext appserver_int Built outbound TCP connection 3152 for outside:appserver-ext/80 (appserver-ext/80) to inside:appserver_int/47961
6 Oct 05 2007 13:07:14 302014 appserver-ext appserver_int Teardown TCP connection 3152 for outside:appserver-ext/80 to inside:appserver_int/47961
>302013 appserver-ext => appserver_int Built outbound TCP connection
From itself, to itself? This will definately break down.
From itself, to itself? This will definately break down.
ASKER
Normally I would say yes but all this worked fine with my other Firewall Astaro 120. And I was able to connect from server to server using external ip's. I need this to work.
With the old firewall i could run a wget server ext ip and get
Connecting to server ext ip... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8132 (7.9K) [text/html]
Saving to: `index.html.1'
100%[=====================
14:28:28 (447 MB/s) - `index.html.1' saved [8132/8132]
With the old firewall i could run a wget server ext ip and get
Connecting to server ext ip... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8132 (7.9K) [text/html]
Saving to: `index.html.1'
100%[=====================
14:28:28 (447 MB/s) - `index.html.1' saved [8132/8132]
The Astaro firewall did not run the Adaptive Security Algorithm that the ASA uses in place of basic stateful inspection.
You can try this, but I can't guarantee it will work: add these entries back in that we took out earlier:
static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255
You can try this, but I can't guarantee it will work: add these entries back in that we took out earlier:
static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255
ASKER
Now I just get:
3 Oct 05 200715:49:05 305005 appserver-ext No translation group found for tcp src inside:appserver_int/33095
Anything else I could try? I would think there must be away to do this?
3 Oct 05 200715:49:05 305005 appserver-ext No translation group found for tcp src inside:appserver_int/33095
Anything else I could try? I would think there must be away to do this?
I don't know what to tell you. The ASA is not meant to do what you are trying to do and this is a design "feature" of the firewall.
no static (outside,inside) webserver_int webserver-ext netmask 255.255.255.255
no static (outside,inside) oracle_db_int oracle_db-ext netmask 255.255.255.255
no static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255
clear xlate
>access-list outside_access_in extended permit ip any any
With this entry, you should have full access to any server on any port.
I would remove that line, and let the ones below it allow only specified ports.
>access-list outside_access_in extended permit object-group TCPUDP any object-group Blink_Servers_ext eq www
The object group TCPUDP is incorrectly used.
This entry should read simply:
access-list outside_access_in extended permit tcp any object-group Blink_Servers_ext eq www
SSH works, because your SSH object group includes hosts, not protocols.