Solved

Cannot communicate with web server on DMZ from inside network.

Posted on 2008-10-24 | 1,923 Views | Last Modified: 2012-05-05
I have set up a web server on the 192.168.100.0 subnet on my ASA5510. From an outside internet source I can access the website on the web server, but I am unable to access the website from the internal network, which is on the 192.168.1.0 subnet. Attached is the config for my firewall. Any help would be greatly appreciated. Thanks. Oh, my DMZ is called guest. Thanks again.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.178 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.6.3 255.255.255.0 
!
interface Ethernet0/2
 nameif guest
 security-level 50
 ip address 192.168.100.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.254.1 255.255.255.0 
 management-only
!
passwd uwdQIX4kuXiD6gGn encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parmatube.com
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list outside_in extended permit icmp any any echo-reply 
access-list ptcremotevpn standard permit 192.168.6.0 255.255.255.0 
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0 
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0 
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.4 
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 PTCKZ 255.255.255.0 
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0 
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list outside_access_in extended permit gre any host x.x.85.179 
access-list outside_access_in remark Web Server
access-list outside_access_in extended permit tcp any host x.x.85.180 eq www 
access-list outside_access_in remark owa.parmatube.com
access-list outside_access_in extended permit tcp any host x.x.85.185 object-group DM_INLINE_TCP_1 
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu management 1500
ip local pool VPNPool 192.168.8.1-192.168.8.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location x.x.85.179 255.255.255.255 inside
asdm location PTCKZ 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface ntp 192.168.1.18 ntp netmask 255.255.255.255 
static (guest,outside) tcp 205.217.85.180 www 192.168.100.10 www netmask 255.255.255.255 
static (inside,outside) x.x.85.185 192.168.1.17 netmask 255.255.255.255 
static (inside,outside) x.x.85.179 192.168.1.119 netmask 255.255.255.255 
static (inside,guest) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 
static (guest,inside) 192.168.100.10 x.x.85.180 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.85.177 1
route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ptc1208k protocol kerberos
aaa-server ptc1208 protocol kerberos
aaa-server ptc1208 host 192.168.1.17
 kerberos-realm PARMATUBE
aaa-server ptc1208n protocol nt
aaa-server ptc1208n host 192.168.1.17
 nt-auth-domain-controller PTC1208
aaa authentication ssh console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer x.x.45.171 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 71.82.80.229 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.2-192.168.100.25 guest
dhcpd dns x.x.184.10 x.x.184.15 interface guest
dhcpd update dns override interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable outside
 
 
group-policy ptcremotevpn internal
group-policy ptcremotevpn attributes
 dns-server value 192.168.1.17
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelall
 default-domain value parmatube.com
 webvpn
  url-list value PTC_Workstations
  port-forward enable Parmatube_LAN
username vpnuser password tAtXXvCxpjX0dUEC encrypted privilege 15
username vpnuser attributes
 vpn-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ptc1208n
 default-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization PTCWebVPN
tunnel-group ptcremotevpn type remote-access
tunnel-group ptcremotevpn general-attributes
 address-pool VPNPool
 authentication-server-group ptc1208n
 authentication-server-group (inside) ptc1208n
 default-group-policy ptcremotevpn
tunnel-group ptcremotevpn ipsec-attributes
 pre-shared-key *
tunnel-group x.x.45.171 type ipsec-l2l
tunnel-group x.x.45.171 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.80.229 type ipsec-l2l
tunnel-group x.x.80.229 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:2186676a1dfd4abbcbfc8712e39cbd06

Question by:ptcis
19 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 22799495
Just add this:

 global (guest) 1 interface

Done
Access the web server by its real IP address http://192.168.100.10
 

Author Comment

by:ptcis
ID: 22799549
That didn't work...still cannot communicate with the webserver
 
LVL 79

Expert Comment

by:lrmoore
ID: 22799845
>route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
make sure this other router does not have any alternative/competing routes to 192.168.100.0 and that it points to the asa as its default route
 
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22799852
You could try not NATting to the DMZ:
Create an access-list:
access-list DMZ_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.6.0 255.255.255.0

nat (DMZ) 0 access-list DMZ_nat0_outbound
 

Author Comment

by:ptcis
ID: 22813738
Nothing... can you tell what is wrong with my posting? I'm stuck and very frustrated. Thanks.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22813813
Can you post the current config?
The global command should have fixed it.
If it doesn't then it is likely a routing issue.
What kind of router is 192.168.6.2? Can you post the route table from it?
Can you do a traceroute from a PC on 192.168.1.x network to 192.168.100.10?
 

Author Comment

by:ptcis
ID: 22813889
192.168.6.2 is a PC that we use to monitor internet traffic. It has two network adapters: 192.168.6.2, which connects to the firewall, and 192.168.1.2, which connects to the inside network. What global command are you talking about? The nat (DMZ) 0 access-list DMZ_nat0_outbound?
 
LVL 79

Expert Comment

by:lrmoore
ID: 22815035
This global command:
global (guest) 1 interface

So what is the IP address of the PC that you are using trying to access the web server?
What is that PC's default gateway?
 

Author Comment

by:ptcis
ID: 22815334
The PC is 192.168.1.69 and the default gateway is 192.168.1.2 which is the computer that is connected to the firewall.  But not only do I want to just be able to access the server, but I want the clients on the internal network to be able to access the website on the server.  And I thought I allowed all the proper access rules for this.
 
LVL 79

Expert Comment

by:lrmoore
ID: 22817476
On the ASA, yes, but what about on this PC that is acting like a router?
You might want to focus on that system and determine if any application is blocking you. What application(s) do you have running on it, and is it Windows, Linux, other?
 

Author Comment

by:ptcis
ID: 22841195
The router computer is running Windows 2000. The only thing it has is monitoring software for our T1 line. It does not have any firewall or anything like that. I'm at a loss now. I cannot guess what is blocking this.
 

Author Comment

by:ptcis
ID: 22896372
I'm getting closer now. The problem I'm having is that when I do a packet-tracer from the inside interface to the guest interface I get a 'no valid adjacency'. Can anyone tell me what that means?
 

Author Comment

by:ptcis
ID: 22996875
HELLO???
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 23035090
Sorry I haven't gotten back on this one.

>The router computer is running windows 2000.  
Microsoft doesn't sell routers. Windows can route to some degree and can do RIP/OSPF and static routes.
I have no idea how you have this system set up or why it is there or what other software is running on it.
Post result of this from the "router" computer
C:\>route print

Post same output from the "server" computer that you are trying to access.

As far as I can tell, your ASA is configured correctly. You have not posted a fresh config so I can see it as it is today.
 

Author Comment

by:ptcis
ID: 23036258
I found an error in my log that looks like it is stopping me from getting to the web server:

 Routing failed to locate next hop for TCP from inside:192.168.1.69/2405 to guest:x.x.85.180/80

I would think I need an extra route but am unsure... any help would be greatly appreciated.
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 23037843
This is a different issue than what you started with...

Try reversing this
>static (guest,inside) 192.168.100.10 x.x.85.180 netmask 255.255.255.255

To this:
same-security-traffic permit intra-interface
static (inside,inside) x.x.85.180 192.168.100.10  netmask 255.255.255.255

Reference
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2
 

Author Comment

by:ptcis
ID: 23120959
This fixed the issue...

no static (inside,guest) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
no static (guest,inside) 192.168.100.10 x.x.85.180 netmask 255.255.255.255
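Added example, not part of the thread and not Cisco code: a small Python model of how a pre-8.3 ASA (the posted box runs asa803-k8.bin) resolves a packet's destination against its `static (real_ifc,mapped_ifc) mapped_ip real_ip` entries before the route lookup. It reproduces the log line from ID 23036258 and shows why removing the two statics (ID 23120959) worked. In that syntax the mapped address comes first and the real address second, so `static (guest,inside) 192.168.100.10 x.x.85.180` told the ASA that the real host was x.x.85.180 on guest and that inside hosts would reach it as 192.168.100.10. Every inside packet to 192.168.100.10 was therefore rewritten to x.x.85.180 and pinned to the guest interface, where no route exists for that address; that is the %ASA-6-110001 "Routing failed to locate next hop" message, and very likely the same condition behind packet-tracer's "no valid adjacency". Assumptions: the redacted x.x.85.x addresses are replaced with the documentation prefix 203.0.113.x, the outside address is taken as 203.0.113.178/28, source translation (nat/global, nat-control) is not modelled, the port-translating `static ... tcp` form is not parsed, and the `FIXED` list is the corrected order of the second static, not something posted in the thread.

```python
"""Model of pre-8.3 ASA destination untranslation for 'static' entries.

Constructed example, not ASA code. Interface and route data are taken from
the config in the thread; x.x.85.x is replaced with 203.0.113.x (assumption).
"""
import ipaddress
import re

IPv4 = ipaddress.IPv4Address

# Interface addresses from the posted config (outside address assumed).
INTERFACES = {
    "outside": ipaddress.IPv4Interface("203.0.113.178/28"),
    "inside": ipaddress.IPv4Interface("192.168.6.3/24"),
    "guest": ipaddress.IPv4Interface("192.168.100.1/24"),
}

# 'route inside 192.168.1.0 ...' and 'route outside 0.0.0.0 ...' from the
# config, plus the connected route of each interface.
ROUTES = [
    (ipaddress.IPv4Network("192.168.1.0/24"), "inside"),
    (ipaddress.IPv4Network("0.0.0.0/0"), "outside"),
] + [(i.network, name) for name, i in INTERFACES.items()]

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK   (no-port form)
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)$"
)


def parse_static(line):
    """Parse one old-syntax static line into its four fields."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported static line: {line!r}")
    mask = m["mask"]
    return {
        "real_ifc": m["real_ifc"],
        "mapped_ifc": m["mapped_ifc"],
        "mapped": ipaddress.IPv4Network(f"{m['mapped']}/{mask}", strict=False),
        "real": ipaddress.IPv4Network(f"{m['real']}/{mask}", strict=False),
    }


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def untranslate_dst(statics, ingress, dst):
    """A packet entering mapped_ifc for mapped_ip is rewritten to real_ip and
    must leave via real_ifc. Returns (real_dst, forced_egress_or_None)."""
    for s in statics:
        if s["mapped_ifc"] == ingress and dst in s["mapped"]:
            offset = int(dst) - int(s["mapped"].network_address)
            return IPv4(int(s["real"].network_address) + offset), s["real_ifc"]
    return dst, None


def forward(static_lines, ingress, src, sport, dst, dport=80):
    """Return the forwarding decision for one TCP packet as a syslog-style string."""
    statics = [parse_static(ln) for ln in static_lines]
    real_dst, forced = untranslate_dst(statics, ingress, IPv4(dst))
    egress = route_lookup(real_dst)
    if forced is not None and egress != forced:
        # The static pinned the packet to an interface that has no route to
        # the real address: the %ASA-6-110001 condition seen in the thread.
        return (f"Routing failed to locate next hop for TCP from "
                f"{ingress}:{src}/{sport} to {forced}:{real_dst}/{dport}")
    return f"forward to {forced or egress}:{real_dst}/{dport}"


# The two statics the poster removed in the end (x.x.85.180 -> 203.0.113.180).
BROKEN = [
    "static (inside,guest) 192.168.1.0 192.168.1.0 netmask 255.255.255.0",
    "static (guest,inside) 192.168.100.10 203.0.113.180 netmask 255.255.255.255",
]

# Same pair with the second static in the order the syntax expects: real host
# 192.168.100.10 on guest, seen from inside as 203.0.113.180 (assumed fix).
FIXED = [
    "static (inside,guest) 192.168.1.0 192.168.1.0 netmask 255.255.255.0",
    "static (guest,inside) 203.0.113.180 192.168.100.10 netmask 255.255.255.255",
]

if __name__ == "__main__":
    cases = [(BROKEN, "192.168.100.10"), (FIXED, "203.0.113.180"), ([], "192.168.100.10")]
    for cfg, dst in cases:
        print(forward(cfg, "inside", "192.168.1.69", 2405, dst))
```

The BROKEN case prints the same message the author found in the log (with the substituted address). FIXED lets inside hosts reach the server by its public address, and with no static at all, which is where the author ended up, the real address 192.168.100.10 is reached by the plain route lookup (source PAT onto guest still needs the `global (guest) 1 interface` from the first comment, which this model does not cover). Keeping a static in the corrected direction does not change the access picture: guest is security-level 50 and still cannot initiate connections to inside without an access-list applied to it.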
