Solved

Simple Port forward TCP 80 and 443

Posted on 2008-10-30
32
3,681 Views
Last Modified: 2013-11-16
Hello Experts,

I have a firewall configured with a public IP on the outside interface, and it forwards ports 80 and 443, amongst others, to an inside IP.

Now there is a need to forward the same ports to another internal server; I have a list of public IPs that I can use.

I checked the configuration on the firewall and copied a few rows that I think would work, but it seems like I need to do something more.

Here are the rows that I added.

What I think I need to do is maybe bind the new public IP to the outside interface; I do not want to use another physical interface on the firewall if I don't need to.

Any help would be nice.
access-list outside extended permit tcp any host 62.92.x.x eq 80
access-list outside extended permit tcp any host 62.92.x.x eq 443
 
static (inside,outside) tcp 62.92.x.x 80 10.47.1.15 80 netmask 255.255.255.255
static (inside,outside) tcp 62.92.x.x 443 10.47.1.15 443 netmask 255.255.255.255


0
Comment
Question by:RudiR
32 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22844567
This should do it:

access-list outside extended permit tcp any host 62.92.x.y eq 80
access-list outside extended permit tcp any host 62.92.x.y eq 443
 
static (inside,outside) tcp 62.92.x.y 80 10.47.1.y 80 netmask 255.255.255.255
static (inside,outside) tcp 62.92.x.y 443 10.47.1.y 443 netmask 255.255.255.255

Where 62.92.x.y is the new public IP and 10.47.1.y is the internal server.  You don't need to bind the other address to an interface.
0
 

Author Comment

by:RudiR
ID: 22845009
Yes, I have added those rows, but it does not seem to work.

I even ended with a wr mem ^^
0
 

Author Comment

by:RudiR
ID: 22845617
Just adding this for reference.

Does it matter if the access-list I added is AFTER the following line?
If so, how do I move the lines up above the deny line?

access-list outside extended deny ip any any log
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22845643
Yes, it matters. You need to remove the deny and then add it back, which will put it at the bottom of the list.

no access-list outside extended deny ip any any log
access-list outside extended deny ip any any log
0
 

Author Comment

by:RudiR
ID: 22845917
OK, I get a ping response on the port now, and that is progress; I will look into the application that should access the server tomorrow to see if it works.

But it looks like you earned yourself 500 points :D

Thanks for the help.
0
 

Author Comment

by:RudiR
ID: 23068127
Sorry for the late reply, but I just got word back from the other customer that shall use the server, and they could not connect on 443 or 80.

So now it's obvious that I have missed something... but what?

Should I post a code snippet from the configuration so that you can see if I missed something?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068160
Yes, please post configuration.
0
 

Author Comment

by:RudiR
ID: 23068367
OK, here is the config from the firewall.

The only thing I want to do is to forward traffic on ports 80 and 443 to the internal server, though it's not the same external IP as listed on the ext interface.

We have a range of external IPs, and I took x.x.x.78 to use for the server I want to forward traffic to.

Please help me ^^
enable password xxx encrypted
names
no dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 62.92.36.74 255.255.255.248
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.47.1.4 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd xxx encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns timeout 30
dns domain-lookup inside
dns name-server 10.47.1.10
same-security-traffic permit intra-interface
access-list inside extended permit ip 10.47.0.0 255.255.0.0 10.46.10.0 255.255.255.0
access-list inside extended permit ip 10.47.0.0 255.255.0.0 10.47.101.0 255.255.255.0
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq h323 inactive
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq tftp inactive
access-list inside extended permit udp 10.47.0.0 255.255.0.0 range 32000 32512 any range 32000 32512 inactive
access-list inside extended permit udp 10.47.0.0 255.255.0.0 eq 7775 any range 5000 5099 inactive
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any range bootps bootpc inactive
access-list inside extended permit icmp 10.47.0.0 255.255.0.0 any echo
access-list inside extended permit icmp 10.47.0.0 255.255.0.0 10.46.10.0 255.255.255.0 echo-reply
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any range ftp-data telnet
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq smtp
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq pop3
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq www
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq ntp
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq https
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq citrix-ica
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq 3389
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq 8080
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq domain
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq isakmp
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq 4500
access-list inside extended deny ip any any log
access-list inside extended permit ip 10.255.255.248 255.255.255.248 10.46.10.0 255.255.255.0
access-list outside extended permit tcp any host 62.92.36.77 eq smtp
access-list outside extended permit tcp any host 62.92.36.77 eq 995
access-list outside extended permit tcp any host 62.92.36.77 eq 993
access-list outside extended permit tcp any host 62.92.36.77 eq www
access-list outside extended permit tcp any host 62.92.36.77 eq https
access-list outside extended permit icmp any 62.92.36.72 255.255.255.248 echo-reply
access-list outside extended permit icmp any 62.92.36.72 255.255.255.248 time-exceeded
access-list outside extended permit icmp any 62.92.36.72 255.255.255.248 traceroute
access-list outside extended permit icmp any 62.92.36.72 255.255.255.248 unreachable
access-list outside extended permit tcp any host 62.92.36.78 eq www
access-list outside extended permit tcp any host 62.92.36.78 eq https
access-list outside extended deny ip any any log
access-list no_nat extended permit ip 10.47.1.0 255.255.255.0 10.255.255.248 255.255.255.248
access-list no_nat extended permit ip host 10.47.1.11 host 192.168.255.1
access-list no_nat extended permit ip 10.47.10.0 255.255.255.0 10.255.255.248 255.255.255.248
access-list no_nat extended permit ip 10.46.10.0 255.255.255.0 10.255.255.248 255.255.255.248
access-list no_nat extended permit ip 10.47.1.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.47.10.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.47.20.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.47.30.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.255.255.248 255.255.255.248 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.47.1.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list no_nat extended permit ip 10.47.10.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list no_nat extended permit ip 10.47.20.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list no_nat extended permit ip 10.47.30.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.47.1.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.47.10.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.47.20.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.47.30.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.255.255.248 255.255.255.248 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Tone extended permit ip 10.47.1.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list ipsec_tunnel_Tone extended permit ip 10.47.10.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list ipsec_tunnel_Tone extended permit ip 10.47.20.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list ipsec_tunnel_Tone extended permit ip 10.47.30.0 255.255.255.0 10.47.101.0 255.255.255.0
pager lines 24
logging asdm informational
logging from-address asa5510@dekkpartner.no
logging recipient-address xxx level errors
mtu outside 1500
mtu inside 1500
ip local pool vpn_pool 10.255.255.249-10.255.255.254 mask 255.255.255.248
ip local pool vpn_okonomibistand_pool 192.168.255.1 mask 255.255.255.255
ip verify reverse-path interface outside
asdm image disk0:/asdm505.bin
asdm location 62.92.36.77 255.255.255.255 outside
asdm location 10.46.10.0 255.255.255.0 outside
asdm location 10.47.30.0 255.255.255.0 inside
asdm location 10.255.255.248 255.255.255.248 outside
asdm location 10.47.101.0 255.255.255.0 outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 10.255.255.248 255.255.255.248
nat (inside) 0 access-list no_nat
nat (inside) 1 10.47.1.0 255.255.255.0
nat (inside) 1 10.47.10.0 255.255.255.0
nat (inside) 1 10.47.30.0 255.255.255.0
nat (inside) 1 10.47.40.0 255.255.255.0
static (inside,outside) tcp 62.92.36.77 smtp 10.47.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.77 995 10.47.1.10 995 netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.77 993 10.47.1.10 993 netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.77 www 10.47.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.77 https 10.47.1.10 https netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.78 www 10.47.1.15 www netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.78 https 10.47.1.15 https netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 10.46.10.0 255.255.255.0 195.198.27.242 1
route outside 0.0.0.0 0.0.0.0 62.92.36.73 1
route outside 10.47.101.0 255.255.255.0 82.146.95.220 1
route inside 10.47.10.0 255.255.255.0 10.47.1.1 1
route inside 10.47.30.0 255.255.255.0 10.47.1.1 1
route inside 10.47.40.0 255.255.255.0 10.47.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host 10.47.1.10
 timeout 5
 key harley
group-policy DekkPartner internal
group-policy DekkPartner attributes
 wins-server value 10.47.1.10
 dns-server value 10.47.1.10
 ip-comp enable
 split-tunnel-policy tunnelall
 default-domain value dekkpartner.no
 webvpn
group-policy okoNOMIbistand internal
username administrator password xxx encrypted privilege 15
username itumoslo password xxx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 193.214.112.184 255.255.255.248 outside
http 10.47.1.0 255.255.255.0 inside
http 10.255.255.248 255.255.255.248 inside
snmp-server location xxx
snmp-server contact xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
 
telnet 10.47.1.0 255.255.255.0 inside
telnet 10.47.10.0 255.255.255.0 inside
telnet 10.255.255.248 255.255.255.248 inside
telnet timeout 5
ssh 193.214.112.184 255.255.255.248 outside
ssh timeout 5
console timeout 0
management-access inside
priority-queue outside
  tx-ring-limit 256
!
class-map Voice
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp
policy-map Voicepolicy
 class Voice
  priority
!
service-policy global_policy global
service-policy Voicepolicy interface outside
ntp server 129.240.12.4 source outside prefer
ntp server 129.242.4.240 source outside
smtp-server 10.47.1.10
Cryptochecksum:xxx


0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068482
The config looks fine so I'm guessing something is wrong with the server. Can you access the 10.47.1.15 server internally on port 80 and 443? Is the Windows firewall enabled? I can access the .77 server from the Internet on 80 and 443 but not the .78 server and if you notice, the config for the two servers is the same.
0
 

Author Comment

by:RudiR
ID: 23068548
Yes, I am able to connect internally to the server on port 80 and 443 on the internal IP.
The firewall is disabled on the server also.

I am out of ideas.

Must be something I have forgotten or done wrong, but I can't imagine what.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068568
What is the default gateway of the server? This ASA, right?
0
 

Author Comment

by:RudiR
ID: 23068621
Could it be that the switches are blocking it in some way?
There are access lists present, and they are controlling the VLANs and which networks are allowed to communicate with each other.

Dunno really; seems strange that the switches would block the forward?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068642
Sure, if there are access-lists on the switches.  Can you post the access-list bound to the VLAN interface for the 10.47.1.0/24 subnet?
0
 

Author Comment

by:RudiR
ID: 23068648
Actually the gateway of the server is 10.47.1.1 (a Cisco switch).
I think all servers are using that IP as gateway, as well as the clients.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068661
Yeah, that is fine as long as the switch has a default route to the ASA (I'm sure it does).
0
 

Author Comment

by:RudiR
ID: 23068722
Here is a show conf from the 10.47.1.1


Dekkpartner-U-ETG-Cisco-WS-C3560G-24TS#show conf
Using 10439 out of 524288 bytes
!
! Last configuration change at 13:57:16 cest Thu Aug 7 2008 by administra
! NVRAM config last updated at 13:57:29 cest Thu Aug 7 2008 by administra
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Dekkpartner-U-ETG-Cisco-WS-C3560G-24TS
!
logging buffered 51200 debugging
no logging console
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone cet 1
clock summer-time cest recurring last Sun Mar 2:00 last Sun Oct 3:00
!
udld aggressive
 
ip subnet-zero
ip routing
no ip domain-lookup
!
!
mls qos map cos-dscp 0 8 16 26 32 46 46 56
!
!
macro global description cisco-global
errdisable recovery cause link-flap
errdisable recovery interval 60
port-channel load-balance dst-mac
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
spanning-tree vlan 1,10,20,30,90 priority 4096
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description Server_LAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport mode trunk
 switchport nonegotiate
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/4
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/5
 description Server_LAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport mode trunk
 switchport nonegotiate
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/6
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/7
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/9
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/10
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/11
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/12
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/13
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/14
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/15
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/17
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/18
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/19
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/20
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/21
 shutdown
!
interface GigabitEthernet0/22
 shutdown
!
interface GigabitEthernet0/23
 shutdown
!
interface GigabitEthernet0/24
 shutdown
!
interface GigabitEthernet0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/26
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/27
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/28
!
interface Vlan1
 description Server_VLAN
 ip address 10.47.1.2 255.255.255.0
 no ip redirects
 ntp broadcast client
 fair-queue
 standby 1 ip 10.47.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication dekk
 standby 1 track GigabitEthernet0/25 50
!
interface Vlan10
 description Arbeidsstasjoner_Telefoni_VLAN
 ip address 10.47.10.2 255.255.255.0
 ip helper-address 10.47.1.10
 no ip redirects
 fair-queue
 standby 10 ip 10.47.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication dekk
 standby 10 track GigabitEthernet0/25 50
!
interface Vlan20
 description Skrivere_VLAN
 ip address 10.47.20.2 255.255.255.0
 ip helper-address 10.47.1.10
 no ip redirects
 fair-queue
 standby 20 ip 10.47.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 authentication dekk
 standby 20 track GigabitEthernet0/25 50
!
interface Vlan30
 description Traadlos_VLAN
 ip address 10.47.30.2 255.255.255.0
 ip helper-address 10.47.1.10
 no ip redirects
 fair-queue
 standby 30 ip 10.47.30.1
 standby 30 priority 110
 standby 30 preempt
 standby 30 authentication dekk
 standby 30 track GigabitEthernet0/25 50
!
interface Vlan40
 ip address 10.47.40.2 255.255.255.0
 ip access-group 100 in
 ip helper-address 10.47.1.10
!
interface Vlan90
 description Unisys_Future_VLAN
 ip address 10.47.90.2 255.255.255.0
 no ip redirects
 fair-queue
 standby 90 priority 110
 standby 90 preempt
 standby 90 authentication dekk
 standby 90 track GigabitEthernet0/25 50
!
interface Vlan100
 description Internett_VLAN
 no ip address
 shutdown
!
router eigrp 1
 redistribute static
 network 10.0.0.0
 distribute-list prefix DekkPartner in
 auto-summary
 eigrp stub connected summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.47.1.4
ip route 10.112.255.20 255.255.255.255 10.47.90.10
ip http server
ip http authentication aaa
!
!
ip prefix-list DekkPartner seq 5 permit 10.47.1.0/24
ip prefix-list DekkPartner seq 10 permit 10.47.10.0/24
ip prefix-list DekkPartner seq 15 permit 10.47.20.0/24
ip prefix-list DekkPartner seq 20 permit 10.47.30.0/24
access-list 100 permit udp 10.47.40.0 0.0.0.255 host 10.47.1.10 eq bootps
access-list 100 permit udp 10.47.40.0 0.0.0.255 host 10.47.1.10 eq bootpc
access-list 100 deny   ip 10.47.40.0 0.0.0.255 10.47.30.0 0.0.0.255
access-list 100 deny   ip 10.47.40.0 0.0.0.255 10.47.20.0 0.0.0.255
access-list 100 deny   ip 10.47.40.0 0.0.0.255 10.47.10.0 0.0.0.255
access-list 100 deny   ip 10.47.40.0 0.0.0.255 10.47.1.0 0.0.0.255
access-list 100 permit ip 10.47.40.0 0.0.0.255 any
snmp-server community itum RO 1
snmp-server location Gardermoen
snmp-server contact Maud_Martin_Telefon: 63 94 05 90
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 logging synchronous
line vty 0 4
 session-timeout 5
 exec-timeout 120 0
 timeout login response 60
 privilege level 15
line vty 5 15
!
!
monitor session 1 source vlan 10 rx
monitor session 1 destination interface Gi0/8
ntp clock-period 36029153
ntp source Vlan1
ntp server 129.240.12.4
end


0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068788
Hmm.  The access-list on the switch isn't playing into this at all.  What version of ASA code are you running?  Things aren't making sense which usually indicates a bug of some sort.  If you are able to, "wr mem" on the ASA and reload it.
0
 

Author Comment

by:RudiR
ID: 23068988
I have not restarted the firewall in a good while, so that might be the solution.
I was able to wr mem on the firewall the last time I configured it, and it took the command right away.

Is there any fast command to reload the firewall? Yes, I know I'm a bit of a noob on this ^^
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23069064
wr mem    <--just for good measure
reload   <--reloads the Firewall

What version of software are you running "show version" 7.x, 8.x?
0
 

Author Comment

by:RudiR
ID: 23069133
OK, here is the version printout.

I will try a restart later today; I just have to check if there are any people working late today.
Cisco Adaptive Security Appliance Software Version 7.0(5)
Device Manager Version 5.0(5)
 
Compiled on Mon 10-Apr-06 14:40 by builders
System image file is "disk0:/asa705-k8.bin"
Config file at boot was "startup-config"
 
Dekkpartner-U-ETG-Cisco-ASA5510 up 68 days 3 hours
 
Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
 
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : ;CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: eCNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : :CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is 0018.195b.ec7e, irq 9
 1: Ext: Ethernet0/1         : address is 0018.195b.ec7f, irq 9
 2: Ext: Ethernet0/2         : address is 0018.195b.ec80, irq 9
 3: Ext: Not licensed        : irq 9
 4: Ext: Management0/0       : address is 0018.195b.ec82, irq 11
 5: Int: Not licensed        : irq 11
 6: Int: Not licensed        : irq 5
 
Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs               : 10
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 50
 
This platform has a Base license.


0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23069218
Okay, you are running some pretty old software.  If you have a contract on the ASA, I would suggest upgrading to 7.2(4).
0
 

Author Comment

by:RudiR
ID: 23069600
OK, just did a wr mem and a reload on the firewall... same problem, I'm afraid.

I will call the ISP and ask if it's something wrong with the range of IPs I'm using.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23069705
Yeah, double check with your ISP.  Based on your subnet mask, you should have 73-78 usable.  Looks like 73 is your gateway.  You can also check logs/connections on the Firewall to see if the connection request even reaches the ASA.

Attempt the connection from the outside and do a "show conn | i 10.47.1.15"
0
 

Author Comment

by:RudiR
ID: 23069976
OK.

I made a request to the .78 IP through HTTP and HTTPS.
I tried the show conn | i 10.47.1.15 in the firewall, and it does not show up with anything.
When trying the command on the 1.10 server, I get connections like I should.

Does that mean that there are some errors in front of the firewall? It sure sounds like it.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23070024
Yeah, it sounds like traffic to .78 is not reaching the Firewall.  Definitely check with your ISP.  If you enable logging to the buffer, do you see any messages regarding .78?

conf t
logging enable
logging timestamp
logging buffered debugging
logging buffer-size 16384

Attempt the connection again and do a "show log | i 62.92.36.78".  See if it returns anything.  You might have to attempt multiple times.  Verify by using the same command but to the 62.92.36.77 address.
0
 

Author Comment

by:RudiR
ID: 23070193
Ok.

Here is me connecting like crazy to the server from another computer.
As you can see, when I connect to the 77 server I get connections; I verified my own IP so I'm sure it's my computer connecting.

But to the 78 server I get nothing... nada... zip.

Sorry for the formatting of the code; I forgot to set the buffer size on the command window.
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.77
Dec 01 2008 17:45:33: %ASA-6-302013: Built inbound TCP connection 574 for outside:193.216.166.2/32907 (193.216.166.2/32907) to inside:10.47.1.10/443 (62.92.36.77/443)
Dec 01 2008 17:46:42: %ASA-6-106100: access-list outside denied icmp outside/84.194.61.90(8) -> outside/62.92.36.77(0) hit-cnt 1 300-second interval
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.77
Dec 01 2008 17:45:33: %ASA-6-302013: Built inbound TCP connection 574 for outside:193.216.166.2/32907 (193.216.166.2/32907) to inside:10.47.1.10/443 (62.92.36.77/443)
Dec 01 2008 17:46:42: %ASA-6-106100: access-list outside denied icmp outside/84.194.61.90(8) -> outside/62.92.36.77(0) hit-cnt 1 300-second interval
Dec 01 2008 17:47:33: %ASA-6-302013: Built inbound TCP connection 581 for outside:193.216.166.2/33092 (193.216.166.2/33092) to inside:10.47.1.10/443 (62.92.36.77/443)
Dec 01 2008 17:47:43: %ASA-6-302013: Built inbound TCP connection 583 for outside:80.212.41.221/1241 (80.212.41.221/1241) to inside:10.47.1.10/80 (62.92.36.77/80)
Dekkpartner-U-ETG-Cisco-ASA5510(config)#


0
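JFrederick29's `show log | i <public IP>` check above separates three situations: connections being built (the static and ACL both work), packets denied by the ACL (the ACE order or the permit is wrong), and no messages at all (the packets never reach the ASA, so the problem is upstream). The following Python triage is an added example, not code from this thread or from Cisco; it parses the %ASA-6-302013 and %ASA-6-106100 messages shown above plus the generic %ASA-4-106023 access-group deny, and the sample buffer and 203.0.113.0/24 / 198.51.100.0/24 addresses are constructed documentation-range values, not the thread's real ones.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the 'show log' output posted above (hypothetical
# documentation-range addresses: 203.0.113.0/24 = the public block, 198.51.100.0/24 = clients).
SAMPLE_LOG = """\
Dec 01 2008 17:45:33: %ASA-6-302013: Built inbound TCP connection 574 for outside:198.51.100.2/32907 (198.51.100.2/32907) to inside:10.47.1.10/443 (203.0.113.77/443)
Dec 01 2008 17:46:42: %ASA-6-106100: access-list outside denied icmp outside/198.51.100.9(8) -> outside/203.0.113.77(0) hit-cnt 1 300-second interval
Dec 01 2008 17:47:43: %ASA-6-302013: Built inbound TCP connection 583 for outside:198.51.100.5/1241 (198.51.100.5/1241) to inside:10.47.1.10/80 (203.0.113.77/80)
Dec 01 2008 17:48:10: %ASA-6-106100: access-list outside denied tcp outside/198.51.100.2(33100) -> outside/203.0.113.76(443) hit-cnt 1 first hit
Dec 01 2008 17:48:12: %ASA-4-106023: Deny tcp src outside:198.51.100.2/33101 dst outside:203.0.113.76/443 by access-group "outside"
""".splitlines()

# 302013: a connection was built, i.e. the packet passed the ACL and matched a static.
# Groups: 1 proto, 2 src ip, 3 inside ip, 4 inside port, 5 mapped (public) ip, 6 mapped port.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built inbound (TCP|UDP) connection \d+ for "
    r"[^\s:]+:([^\s/]+)/\d+ \(\S+\) to [^\s:]+:([^\s/]+)/(\d+) \(([^\s/]+)/(\d+)\)")
# 106100: per-ACE hit, logged because the ACE carries the 'log' keyword (as the
# 'deny ip any any log' line in this thread does). Groups: 1 acl, 2 action, 3 proto,
# 4 src ip, 5 src port, 6 dst ip, 7 dst port.
ACE_RE = re.compile(
    r"%ASA-\d-106100: access-list (\S+) (denied|permitted) (\S+) "
    r"[^/\s]+/([^\s(]+)\((\d+)\) -> [^/\s]+/([^\s(]+)\((\d+)\)")
# 106023: generic 'denied by access-group' message for ACEs without 'log'.
# Groups: 1 proto, 2 src ip, 3 dst ip, 4 dst port, 5 acl.
GROUP_RE = re.compile(
    r'%ASA-\d-106023: Deny (\S+) src [^\s:]+:([^\s/]+)/\d+ dst [^\s:]+:([^\s/]+)/(\d+) '
    r'by access-group "([^"]+)"')


def triage(log_lines: List[str], public_ip: str) -> Dict[str, object]:
    """Classify what the ASA saw for traffic addressed to one mapped (public) IP."""
    built, denied, permitted, ports, acls = 0, 0, 0, set(), set()
    for line in log_lines:
        m = BUILT_RE.search(line)
        if m and m.group(5) == public_ip:
            built += 1
            ports.add(int(m.group(6)))
            continue
        m = ACE_RE.search(line)
        if m and m.group(6) == public_ip:
            if m.group(2) == "denied":
                denied += 1
                acls.add(m.group(1))
            else:
                permitted += 1
            continue
        m = GROUP_RE.search(line)
        if m and m.group(3) == public_ip:
            denied += 1
            acls.add(m.group(5))
    if built or permitted:
        verdict = "reached the firewall and was permitted"
    elif denied:
        verdict = "reached the firewall but was denied by access-list " + ",".join(sorted(acls))
    else:
        verdict = "never seen at the firewall: check upstream routing / the ISP"
    return {"built": built, "denied": denied, "permitted": permitted,
            "ports": sorted(ports), "verdict": verdict}


if __name__ == "__main__":
    for ip in ("203.0.113.77", "203.0.113.78", "203.0.113.76"):
        print(ip, triage(SAMPLE_LOG, ip))
```

Run against a real buffer, feed it the output of `show log` (with `logging buffered debugging` enabled as suggested above) and the public address under test; in the thread's case the .78 address falls into the third bucket, which is what pointed RudiR at the ISP and, in the end, at the ACE order.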
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23070236
Okay, traffic to the .78 address is not being routed to your Firewall. Can you switch the config to the .76 address (doesn't appear to be in use) and test again?
0
 

Author Comment

by:RudiR
ID: 23070276
Yes, ofc.

What is the fastest command to just switch the 78 to 76 in the config?

Sorry for these basic questions, but I'm not that used to Cisco commands ^^
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 23070327
Sure.

conf t
no access-list outside extended deny ip any any log
access-list outside extended permit tcp any host 62.92.36.76 eq 80
access-list outside extended permit tcp any host 62.92.36.76 eq 443
access-list outside extended deny ip any any log

no static (inside,outside) tcp 62.92.36.78 80 10.47.1.15 80 netmask 255.255.255.255
no static (inside,outside) tcp 62.92.36.78 443 10.47.1.15 443 netmask 255.255.255.255

static (inside,outside) tcp 62.92.36.76 80 10.47.1.15 80 netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.76 443 10.47.1.15 443 netmask 255.255.255.255
0
 

Author Comment

by:RudiR
ID: 23070943
OK, thanks.

Funny thing is that it had no effect.
Still no contact on 76.

If this is all it should take to forward these ports, it has to be an outside problem of some sort.

I did not get hold of the ISP, but I will call them tomorrow and look into this further.

Thanks a lot for the help so far; I'll post here ASAP after speaking to the ISP.

0
 

Author Comment

by:RudiR
ID: 23075302
Ok.

I went through the config one more time and I found that the line

access-list outside extended deny ip any any log

was above the lines I just added ^^

I don't know if I forgot to add the "no access" before I added the lines or if it just did not take the command.

Anyway, it's working perfectly now, and I have you to thank for it.

I will try to edit some info away from this post, as it contains a little more info than necessary.

Thanks a million, JFrederick29.
0
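The root cause RudiR found (the `deny ip any any log` sitting above the new permits, so the ASA's first-match evaluation never reaches them) and JFrederick29's earlier advice to remove and re-add the deny are both things that can be checked mechanically before a `wr mem`. The following Python audit is an added example, not code from this thread or from Cisco; it assumes the ASA 7.x `access-list ... extended`, `static (inside,outside)` and `access-group` syntax of the posted config, and the sample config and 203.0.113.0/24 addresses are constructed, not the thread's real ones. It reports every ACE that an earlier ACE in the same list already covers, and every static whose public address and port has no effective permit in the ACL bound to the mapped interface.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Service names the ASA prints in place of well-known port numbers.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ftp": 21, "telnet": 23}
ANY = ipaddress.IPv4Network("0.0.0.0/0")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

# Constructed sample in the shape of the config posted above (hypothetical documentation-range
# addresses): the catch-all deny sits ABOVE the two new permits, and the .76 static has no ACE.
SAMPLE_CONFIG = """\
access-list outside extended permit tcp any host 203.0.113.77 eq www
access-list outside extended permit tcp any host 203.0.113.77 eq https
access-list outside extended deny ip any any log
access-list outside extended permit tcp any host 203.0.113.78 eq www
access-list outside extended permit tcp any host 203.0.113.78 eq https
static (inside,outside) tcp 203.0.113.77 www 10.47.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.77 https 10.47.1.10 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.78 www 10.47.1.15 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.78 https 10.47.1.15 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.76 443 10.47.1.16 443 netmask 255.255.255.255
access-group outside in interface outside
"""

def port_spec(token):
    """Numeric token -> int, known service name -> int, anything else kept as-is."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token, token)

def parse_addr(tokens, i):
    """Consume an ASA address spec (any | host A | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2

def parse_port(tokens, i):
    """Consume an optional port operator. Only 'eq' yields a comparable port; lt/gt/neq/range
    are kept as opaque strings, so they are never treated as covering a single port."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt", "neq"):
        return (port_spec(tokens[i + 1]) if tokens[i] == "eq" else " ".join(tokens[i:i + 2])), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return " ".join(tokens[i:i + 3]), i + 3
    return None, i

@dataclass
class Ace:
    line: int
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[object]  # None = any destination port

    def covers(self, other):
        # True when every packet matched by `other` already matches self (first match wins).
        return (self.proto in ("ip", other.proto) and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))

def parse_ace(line_no, acl, action, proto, rest):
    tokens = rest.split()
    src, i = parse_addr(tokens, 0)
    _, i = parse_port(tokens, i)       # optional source-port operator
    dst, i = parse_addr(tokens, i)
    dport, _ = parse_port(tokens, i)   # trailing 'log' / 'inactive' are ignored
    return Ace(line_no, acl, action, proto, src, dst, dport)

def audit(config_text):
    """Report ACEs shadowed by an earlier entry and statics with no effective permit."""
    aces, statics, bound = [], [], {}
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if ACE_RE.match(line):
            aces.append(parse_ace(n, *ACE_RE.match(line).groups()))
        elif STATIC_RE.match(line):
            _, mapped, proto, gip, gport, _, _ = STATIC_RE.match(line).groups()
            statics.append((n, mapped, proto, ipaddress.IPv4Address(gip), port_spec(gport)))
        elif GROUP_RE.match(line):
            bound[GROUP_RE.match(line).group(2)] = GROUP_RE.match(line).group(1)
    shadowed, blocked = [], set()
    for idx, ace in enumerate(aces):
        for earlier in aces[:idx]:
            if earlier.acl == ace.acl and earlier.covers(ace):
                kind = "blocked" if earlier.action != ace.action else "redundant"
                shadowed.append({"line": ace.line, "shadowed_by": earlier.line, "kind": kind})
                if kind == "blocked":
                    blocked.add(ace.line)
                break
    unreachable = []
    for line_no, mapped, proto, gip, gport in statics:
        acl = bound.get(mapped)  # no ACL bound = nothing inbound on a lower-security interface
        if not any(a.acl == acl and a.action == "permit" and a.line not in blocked
                   and a.proto in ("ip", proto) and gip in a.dst
                   and (a.dport is None or a.dport == gport) for a in aces):
            unreachable.append({"line": line_no, "mapped": f"{gip}:{gport}",
                                "reason": "no ACL bound" if acl is None else "no effective permit"})
    return {"shadowed": shadowed, "unreachable_statics": unreachable}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the sample, the two .78 permits are reported as blocked by the deny on line 3, and the .78 and .76 statics as having no effective permit; moving the deny back to the end of the list (the `no access-list ... / access-list ...` sequence JFrederick29 gave above) clears the .78 findings and leaves only the .76 static, which really has no ACE. The coverage test is conservative on purpose: an ACE using `range` or `neq` is never treated as wider than an `eq` entry, so the audit can miss a shadow but will not invent one.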
 

Author Closing Comment

by:RudiR
ID: 31511818
Thanks a lot, this forum is really A+

I'm sure we will meet again ^^
0
