Solved

Cannot communicate with web server on DMZ from inside network.

Posted on 2008-10-24
1,917 Views
Last Modified: 2012-05-05
I have set up a web server on the 192.168.100.0 subnet on my ASA5510. From an outside internet source I can access the website on the web server, but I am unable to access the website from the internal network, which is on the 192.168.1.0 subnet. Attached is the config for my firewall. Any help would be greatly appreciated. Thanks. Oh, my DMZ is called guest. Thanks again.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.178 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.6.3 255.255.255.0
!
interface Ethernet0/2
 nameif guest
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.254.1 255.255.255.0
 management-only
!
passwd uwdQIX4kuXiD6gGn encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parmatube.com
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list outside_in extended permit icmp any any echo-reply
access-list ptcremotevpn standard permit 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.4
access-list nonat extended permit ip 192.168.6.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_access_in extended permit gre any host x.x.85.179
access-list outside_access_in remark Web Server
access-list outside_access_in extended permit tcp any host x.x.85.180 eq www
access-list outside_access_in remark owa.parmatube.com
access-list outside_access_in extended permit tcp any host x.x.85.185 object-group DM_INLINE_TCP_1
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 PTCKZ 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu management 1500
ip local pool VPNPool 192.168.8.1-192.168.8.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location x.x.85.179 255.255.255.255 inside
asdm location PTCKZ 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.6.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface ntp 192.168.1.18 ntp netmask 255.255.255.255
static (guest,outside) tcp 205.217.85.180 www 192.168.100.10 www netmask 255.255.255.255
static (inside,outside) x.x.85.185 192.168.1.17 netmask 255.255.255.255
static (inside,outside) x.x.85.179 192.168.1.119 netmask 255.255.255.255
static (inside,guest) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (guest,inside) 192.168.100.10 x.x.85.180 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.85.177 1
route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ptc1208k protocol kerberos
aaa-server ptc1208 protocol kerberos
aaa-server ptc1208 host 192.168.1.17
 kerberos-realm PARMATUBE
aaa-server ptc1208n protocol nt
aaa-server ptc1208n host 192.168.1.17
 nt-auth-domain-controller PTC1208
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.45.171
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 71.82.80.229
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.2-192.168.100.25 guest
dhcpd dns x.x.184.10 x.x.184.15 interface guest
dhcpd update dns override interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics access-list
webvpn
 enable outside
group-policy ptcremotevpn internal
group-policy ptcremotevpn attributes
 dns-server value 192.168.1.17
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelall
 default-domain value parmatube.com
 webvpn
  url-list value PTC_Workstations
  port-forward enable Parmatube_LAN
username vpnuser password tAtXXvCxpjX0dUEC encrypted privilege 15
username vpnuser attributes
 vpn-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ptc1208n
 default-group-policy ptcremotevpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 customization PTCWebVPN
tunnel-group ptcremotevpn type remote-access
tunnel-group ptcremotevpn general-attributes
 address-pool VPNPool
 authentication-server-group ptc1208n
 authentication-server-group (inside) ptc1208n
 default-group-policy ptcremotevpn
tunnel-group ptcremotevpn ipsec-attributes
 pre-shared-key *
tunnel-group x.x.45.171 type ipsec-l2l
tunnel-group x.x.45.171 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.80.229 type ipsec-l2l
tunnel-group x.x.80.229 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2186676a1dfd4abbcbfc8712e39cbd06


Question by: ptcis

19 Comments
 
Expert Comment by: lrmoore (LVL 79), ID: 22799495
Just add this:

 global (guest) 1 interface

Done.
Access the web server by its real IP address http://192.168.100.10
0
 

Author Comment by: ptcis, ID: 22799549
That didn't work... still cannot communicate with the web server.
0
 
Expert Comment by: lrmoore (LVL 79), ID: 22799845
>route inside 192.168.1.0 255.255.255.0 192.168.6.2 1
Make sure this other router does not have any alternative/competing routes to 192.168.100.0 and that it points to the ASA as its default route.
0
 
Expert Comment by: Jay_Gridley (LVL 8), ID: 22799852
You could try not NATting to the DMZ:
Create an access-list:
access-list DMZ_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.6.0 255.255.255.0

nat (DMZ) 0 access-list DMZ_nat0_outbound
0
 

Author Comment by: ptcis, ID: 22813738
Nothing... can you tell what is wrong with my posting? I'm stuck and very frustrated. Thanks.
0
 
Expert Comment by: lrmoore (LVL 79), ID: 22813813
Can you post the current config?
The global command should have fixed it.
If it doesn't then it is likely a routing issue.
What kind of router is 192.168.6.2? Can you post the route table from it?
Can you do a traceroute from a PC on 192.168.1.x network to 192.168.100.10?
0
 

Author Comment by: ptcis, ID: 22813889
192.168.6.2 is a PC that we use to monitor internet traffic. It has two network adapters: 192.168.6.2, which connects to the firewall, and 192.168.1.2, which connects to the inside network. What global command are you talking about? The NAT(DMZ) 0 access-list DMZ_nat0_outbound?
0
 
Expert Comment by: lrmoore (LVL 79), ID: 22815035
This global command:
global (guest) 1 interface

So what is the IP address of the PC that you are using to try to access the web server?
What is that PC's default gateway?
0
 

Author Comment by: ptcis, ID: 22815334
The PC is 192.168.1.69 and the default gateway is 192.168.1.2 which is the computer that is connected to the firewall.  But not only do I want to just be able to access the server, but I want the clients on the internal network to be able to access the website on the server.  And I thought I allowed all the proper access rules for this.
0
 
Expert Comment by: lrmoore (LVL 79), ID: 22817476
On the ASA, yes, but what about on this PC that is acting like a router?
You might want to focus on that system and determine if any application is blocking you. What application(s) do you have running on it, and is it Windows, Linux, other?
0
 

Author Comment by: ptcis, ID: 22841195
The router computer is running Windows 2000. The only thing it has is monitoring software for our T1 line. It does not have any firewall or anything like that. I'm at a loss now. I cannot guess what is blocking this.
0
 

Author Comment by: ptcis, ID: 22896372
I'm getting closer now. The problem I'm having is that when I do a packet tracer from the inside interface to the guest interface I get a 'no valid adjacency'. Can anyone tell me what that means?
0
 

Author Comment by: ptcis, ID: 22996875
HELLO???
0
 
Assisted Solution by: lrmoore (LVL 79), earned 250 total points, ID: 23035090
Sorry I haven't gotten back on this one.

>The router computer is running windows 2000.  
Microsoft doesn't sell routers. Windows can route to some degree and can do RIP/OSPF and static routes.
I have no idea how you have this system set up or why it is there or what other software is running on it.
Post the result of this from the "router" computer:
C:\>route print

Post same output from the "server" computer that you are trying to access.

As far as I can tell, your ASA is configured correctly. You have not posted a fresh config so I can see it as it is today.
0
 

Author Comment by: ptcis, ID: 23036258
I found an error in my log that looks like it is stopping me from getting to the web server:

 Routing failed to locate next hop for TCP from inside:192.168.1.69/2405 to guest:x.x.85.180/80

I would think I need an extra route, but I'm unsure... any help would be greatly appreciated.
0
 
Accepted Solution by: lrmoore (LVL 79), earned 250 total points, ID: 23037843
This is a different issue than what you started with...

Try reversing this
>static (guest,inside) 192.168.100.10 x.x.85.180 netmask 255.255.255.255

To this:
same-security-traffic permit intra-interface
static (inside,inside) x.x.85.180 192.168.100.10  netmask 255.255.255.255

Reference
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2
0
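The static direction this answer points at is easy to misread, so here is a small checker added as an example (it is not code from the thread or from Cisco): it parses pre-8.3 `static (real,mapped) mapped real` lines from a constructed sample modelled on the posted config, with 203.0.113.180 standing in for the masked x.x.85.180, and flags a pair of statics that swap the real and mapped roles of the same host.

```python
from dataclasses import dataclass

# Constructed sample modelled on the thread's config; 203.0.113.180 (documentation range) stands in for x.x.85.180.
SAMPLE_CONFIG = """\
static (guest,outside) tcp 203.0.113.180 www 192.168.100.10 www netmask 255.255.255.255
static (inside,guest) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (guest,inside) 192.168.100.10 203.0.113.180 netmask 255.255.255.255
"""

@dataclass
class Static:
    real_ifc: str    # interface where the real host lives
    mapped_ifc: str  # interface whose hosts use the mapped address
    mapped: str      # address presented on mapped_ifc
    real: str        # true address on real_ifc
    mask: str

def parse_statics(text):
    """Parse pre-8.3 ASA lines: static (real,mapped) [tcp|udp] mapped [port] real [port] netmask M."""
    result = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "static" or "netmask" not in tok:
            continue
        real_ifc, mapped_ifc = tok[1].strip("()").split(",")
        rest = tok[2:]
        if rest[0] in ("tcp", "udp"):   # port static: proto mapped mport real rport
            mapped, real = rest[1], rest[3]
        else:                           # plain static: mapped real
            mapped, real = rest[0], rest[1]
        mask = rest[rest.index("netmask") + 1]
        result.append(Static(real_ifc, mapped_ifc, mapped, real, mask))
    return result

def describe(s):
    return (f"hosts at {s.real}/{s.mask} on '{s.real_ifc}' are reachable "
            f"from '{s.mapped_ifc}' as {s.mapped}")

def find_swapped(statics):
    """Pairs of statics on one real interface that disagree about which address is
    real: the later entry has its mapped and real addresses in the wrong order."""
    return [(a, b) for i, a in enumerate(statics) for b in statics[i + 1:]
            if a.real_ifc == b.real_ifc and a.real == b.mapped and a.mapped == b.real]

if __name__ == "__main__":
    for s in parse_statics(SAMPLE_CONFIG):
        print(describe(s))
    for a, b in find_swapped(parse_statics(SAMPLE_CONFIG)):
        print(f"conflict: {b.real} is declared real on '{b.real_ifc}' but is the mapped address of {a.real}")
```

Read left to right, the posted static (guest,inside) 192.168.100.10 x.x.85.180 declares x.x.85.180 as a real host on the guest interface, which is the address the "Routing failed to locate next hop ... to guest:x.x.85.180/80" log message names.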
 

Author Comment by: ptcis, ID: 23120959
This fixed the issue...

no static (inside,guest) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
no static (guest,inside) 192.168.100.10 x.x.85.180 netmask 255.255.255.255
0
