Solved

Simple Port forward TCP 80 and 443

Posted on 2008-10-30
Last Modified: 2013-11-16
Hello Experts,

I have a firewall configured with a public IP on the outside interface, and it forwards ports 80 and 443, amongst others, to an inside IP.

Now there is a need to forward the same ports to another internal server; I have a list of public IPs that I can use.

I checked the configuration on the firewall and copied a few rows that I think would work, but it seems like I need to do something more.

Here are the rows that I added.

What I think I need to do is maybe bind the new public IP to the outside interface; I do not want to use another physical interface on the firewall if I don't need to.

Any help would be nice.

access-list outside extended permit tcp any host 62.92.x.x eq 80
access-list outside extended permit tcp any host 62.92.x.x eq 443

static (inside,outside) tcp 62.92.x.x 80 10.47.1.15 80 netmask 255.255.255.255
static (inside,outside) tcp 62.92.x.x 443 10.47.1.15 443 netmask 255.255.255.255


Question by:RudiR
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22844567
This should do it:

access-list outside extended permit tcp any host 62.92.x.y eq 80
access-list outside extended permit tcp any host 62.92.x.y eq 443
 
static (inside,outside) tcp 62.92.x.y 80 10.47.1.y 80 netmask 255.255.255.255
static (inside,outside) tcp 62.92.x.y 443 10.47.1.y 443 netmask 255.255.255.255

Where 62.92.x.y is the new public IP and 10.47.1.y is the internal server.  You don't need to bind the other address to an interface.
 

Author Comment

by:RudiR
ID: 22845009
Yes, I have added those rows, but it does not seem to work.

I even ended with a wr mem ^^
 

Author Comment

by:RudiR
ID: 22845617
Just adding this for reference.

Does it matter if the access-list I added is AFTER the following line?
If so, how do I move the lines up above the deny line?

access-list outside extended deny ip any any log
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22845643
Yes, it matters.  You need to remove the deny and then add it back which will put it at the bottom of the list.

no access-list outside extended deny ip any any log
access-list outside extended deny ip any any log
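The ordering rule JFrederick29 describes (the ASA evaluates an access-list top to bottom and stops at the first match, so a permit entered after `deny ip any any log` is dead) can be checked offline. The Python below is an added example written for this page, not code from the thread or from Cisco. It parses the `access-list NAME extended ...` syntax used in this thread (only the tcp/udp/ip forms with `any`, `host A.B.C.D`, `A.B.C.D MASK` and `eq PORT`; ICMP subtypes and port ranges are not modelled), evaluates an inbound connection the way the ASA does, and models the `no access-list ... deny` followed by re-adding it. The entry order in `BROKEN_ACL` is constructed to mirror what RudiR later reported finding in his running config.

```python
"""Added example (not from the thread): first-match evaluation of ASA
'access-list NAME extended ...' entries, to show why a permit that sits
below 'deny ip any any log' never matches and how re-adding the deny
at the bottom fixes it.  Only tcp/udp/ip entries with 'any', 'host',
'A.B.C.D MASK' and 'eq PORT' are modelled; ICMP subtypes and port
ranges are left out on purpose."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Service names that appear in the thread's config; anything else is numeric.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "domain": 53}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port
    log: bool


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]"""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        i += 2
    return Ace(action, proto, src, dst, dport, i < len(t) and t[i] == "log")


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first matching entry; no match means implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def readd_deny_last(lines: List[str]) -> List[str]:
    """Model 'no access-list outside extended deny ip any any log' followed by
    re-entering the same line: the catch-all moves to the bottom of the list."""
    deny = [l for l in lines if " deny ip any any" in l]
    return [l for l in lines if " deny ip any any" not in l] + deny


# Constructed order mirroring what RudiR found: the new .78 permits were
# entered after the catch-all deny, so they can never be reached.
BROKEN_ACL = [
    "access-list outside extended permit tcp any host 62.92.36.77 eq www",
    "access-list outside extended permit tcp any host 62.92.36.77 eq https",
    "access-list outside extended deny ip any any log",
    "access-list outside extended permit tcp any host 62.92.36.78 eq www",
    "access-list outside extended permit tcp any host 62.92.36.78 eq https",
]


def decision(lines: List[str], dst_ip: str, dport: int, src_ip: str = "193.216.166.2") -> str:
    """Evaluate an inbound TCP connection from src_ip against the given ACL lines."""
    return evaluate([parse_ace(l) for l in lines], "tcp", src_ip, dst_ip, dport)


if __name__ == "__main__":
    for label, lines in (("as entered", BROKEN_ACL),
                         ("deny re-added last", readd_deny_last(BROKEN_ACL))):
        for ip in ("62.92.36.77", "62.92.36.78"):
            print(f"{label:20s} {ip}:443 -> {decision(lines, ip, 443)}")
```

Running it prints `deny` for 62.92.36.78:443 with the list as entered and `permit` after the deny is moved to the bottom, while 62.92.36.77 is permitted in both cases, which is exactly the symptom in this thread.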
 

Author Comment

by:RudiR
ID: 22845917
OK, I get a ping response on the port now, and that is progress. I will look into the application that should access the server tomorrow to see if it works.

But it looks like you earned yourself 500 points :D

Thanks for the help.
 

Author Comment

by:RudiR
ID: 23068127
Sorry for the late reply, but I just got word back from the other customer that shall use the server, and they could not connect on 443 or 80.

So now it's obvious that I have missed something... but what?

Should I post a code snippet from the configuration so that you can see if I missed something?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068160
Yes, please post configuration.
 

Author Comment

by:RudiR
ID: 23068367
OK, here is the config from the firewall.

The only thing I want to do is to forward traffic on ports 80 and 443 to the internal server, though it's not the same external IP as listed on the ext interface.

We have a range of external IPs, and I took x.x.x.78 to use for the server I want to forward traffic to.

Please help me ^^
enable password xxx encrypted
names
no dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 62.92.36.74 255.255.255.248
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.47.1.4 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd xxx encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns timeout 30
dns domain-lookup inside
dns name-server 10.47.1.10
same-security-traffic permit intra-interface
access-list inside extended permit ip 10.47.0.0 255.255.0.0 10.46.10.0 255.255.255.0
access-list inside extended permit ip 10.47.0.0 255.255.0.0 10.47.101.0 255.255.255.0
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq h323 inactive
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq tftp inactive
access-list inside extended permit udp 10.47.0.0 255.255.0.0 range 32000 32512 any range 32000 32512 inactive
access-list inside extended permit udp 10.47.0.0 255.255.0.0 eq 7775 any range 5000 5099 inactive
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any range bootps bootpc inactive
access-list inside extended permit icmp 10.47.0.0 255.255.0.0 any echo
access-list inside extended permit icmp 10.47.0.0 255.255.0.0 10.46.10.0 255.255.255.0 echo-reply
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any range ftp-data telnet
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq smtp
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq pop3
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq www
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq ntp
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq https
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq citrix-ica
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq 3389
access-list inside extended permit tcp 10.47.0.0 255.255.0.0 any eq 8080
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq domain
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq isakmp
access-list inside extended permit udp 10.47.0.0 255.255.0.0 any eq 4500
access-list inside extended deny ip any any log
access-list inside extended permit ip 10.255.255.248 255.255.255.248 10.46.10.0 255.255.255.0
access-list outside extended permit tcp any host 62.92.36.77 eq smtp
access-list outside extended permit tcp any host 62.92.36.77 eq 995
access-list outside extended permit tcp any host 62.92.36.77 eq 993
access-list outside extended permit tcp any host 62.92.36.77 eq www
access-list outside extended permit tcp any host 62.92.36.77 eq https
access-list outside extended permit icmp any 62.92.36.72 255.255.255.248 echo-reply
access-list outside extended permit icmp any 62.92.36.72 255.255.255.248 time-exceeded
access-list outside extended permit icmp any 62.92.36.72 255.255.255.248 traceroute
access-list outside extended permit icmp any 62.92.36.72 255.255.255.248 unreachable
access-list outside extended permit tcp any host 62.92.36.78 eq www
access-list outside extended permit tcp any host 62.92.36.78 eq https
access-list outside extended deny ip any any log
access-list no_nat extended permit ip 10.47.1.0 255.255.255.0 10.255.255.248 255.255.255.248
access-list no_nat extended permit ip host 10.47.1.11 host 192.168.255.1
access-list no_nat extended permit ip 10.47.10.0 255.255.255.0 10.255.255.248 255.255.255.248
access-list no_nat extended permit ip 10.46.10.0 255.255.255.0 10.255.255.248 255.255.255.248
access-list no_nat extended permit ip 10.47.1.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.47.10.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.47.20.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.47.30.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.255.255.248 255.255.255.248 10.46.10.0 255.255.255.0
access-list no_nat extended permit ip 10.47.1.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list no_nat extended permit ip 10.47.10.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list no_nat extended permit ip 10.47.20.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list no_nat extended permit ip 10.47.30.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.47.1.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.47.10.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.47.20.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.47.30.0 255.255.255.0 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Sverige extended permit ip 10.255.255.248 255.255.255.248 10.46.10.0 255.255.255.0
access-list ipsec_tunnel_Tone extended permit ip 10.47.1.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list ipsec_tunnel_Tone extended permit ip 10.47.10.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list ipsec_tunnel_Tone extended permit ip 10.47.20.0 255.255.255.0 10.47.101.0 255.255.255.0
access-list ipsec_tunnel_Tone extended permit ip 10.47.30.0 255.255.255.0 10.47.101.0 255.255.255.0
pager lines 24
logging asdm informational
logging from-address asa5510@dekkpartner.no
logging recipient-address xxx level errors
mtu outside 1500
mtu inside 1500
ip local pool vpn_pool 10.255.255.249-10.255.255.254 mask 255.255.255.248
ip local pool vpn_okonomibistand_pool 192.168.255.1 mask 255.255.255.255
ip verify reverse-path interface outside
asdm image disk0:/asdm505.bin
asdm location 62.92.36.77 255.255.255.255 outside
asdm location 10.46.10.0 255.255.255.0 outside
asdm location 10.47.30.0 255.255.255.0 inside
asdm location 10.255.255.248 255.255.255.248 outside
asdm location 10.47.101.0 255.255.255.0 outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 10.255.255.248 255.255.255.248
nat (inside) 0 access-list no_nat
nat (inside) 1 10.47.1.0 255.255.255.0
nat (inside) 1 10.47.10.0 255.255.255.0
nat (inside) 1 10.47.30.0 255.255.255.0
nat (inside) 1 10.47.40.0 255.255.255.0
static (inside,outside) tcp 62.92.36.77 smtp 10.47.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.77 995 10.47.1.10 995 netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.77 993 10.47.1.10 993 netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.77 www 10.47.1.10 www netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.77 https 10.47.1.10 https netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.78 www 10.47.1.15 www netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.78 https 10.47.1.15 https netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 10.46.10.0 255.255.255.0 195.198.27.242 1
route outside 0.0.0.0 0.0.0.0 62.92.36.73 1
route outside 10.47.101.0 255.255.255.0 82.146.95.220 1
route inside 10.47.10.0 255.255.255.0 10.47.1.1 1
route inside 10.47.30.0 255.255.255.0 10.47.1.1 1
route inside 10.47.40.0 255.255.255.0 10.47.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host 10.47.1.10
 timeout 5
 key harley
group-policy DekkPartner internal
group-policy DekkPartner attributes
 wins-server value 10.47.1.10
 dns-server value 10.47.1.10
 ip-comp enable
 split-tunnel-policy tunnelall
 default-domain value dekkpartner.no
 webvpn
group-policy okoNOMIbistand internal
username administrator password xxx encrypted privilege 15
username itumoslo password xxx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 193.214.112.184 255.255.255.248 outside
http 10.47.1.0 255.255.255.0 inside
http 10.255.255.248 255.255.255.248 inside
snmp-server location xxx
snmp-server contact xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.47.1.0 255.255.255.0 inside
telnet 10.47.10.0 255.255.255.0 inside
telnet 10.255.255.248 255.255.255.248 inside
telnet timeout 5
ssh 193.214.112.184 255.255.255.248 outside
ssh timeout 5
console timeout 0
management-access inside
priority-queue outside
  tx-ring-limit 256
!
class-map Voice
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp
policy-map Voicepolicy
 class Voice
  priority
!
service-policy global_policy global
service-policy Voicepolicy interface outside
ntp server 129.240.12.4 source outside prefer
ntp server 129.242.4.240 source outside
smtp-server 10.47.1.10
Cryptochecksum:xxx


 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068482
The config looks fine so I'm guessing something is wrong with the server.  Can you access the 10.47.1.15 server internally on port 80 and 443?  Is the Windows firewall enabled?  I can access the .77 server from the Internet on 80 and 443 but not the .78 server and, if you notice, the config for the two servers is the same.
 

Author Comment

by:RudiR
ID: 23068548
Yes, I am able to connect internally to the server on port 80 and 443 on the internal IP.
The firewall is disabled on the server as well.

I am out of ideas.

It must be something I have forgotten or done wrong, but I can't imagine what.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068568
What is the default gateway of the server?  This ASA right?
 

Author Comment

by:RudiR
ID: 23068621
Could it be that the switches are blocking it in some way?
There are access lists present, and they are controlling the VLANs and which networks are allowed to communicate with each other.

Dunno really; seems strange that the switches would block the forward?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068642
Sure, if there are access-lists on the switches.  Can you post the access-list bound to the VLAN interface for the 10.47.1.0/24 subnet?
 

Author Comment

by:RudiR
ID: 23068648
Actually, the gateway of the server is 10.47.1.1 (a Cisco switch).
I think all servers are using that IP as gateway, as well as the clients.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068661
Yeah, that is fine as long as the switch has a default route to the ASA (I'm sure it does).
 

Author Comment

by:RudiR
ID: 23068722
Here is a show conf from the 10.47.1.1.


Dekkpartner-U-ETG-Cisco-WS-C3560G-24TS#show conf
Using 10439 out of 524288 bytes
!
! Last configuration change at 13:57:16 cest Thu Aug 7 2008 by administra
! NVRAM config last updated at 13:57:29 cest Thu Aug 7 2008 by administra
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Dekkpartner-U-ETG-Cisco-WS-C3560G-24TS
!
logging buffered 51200 debugging
no logging console
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone cet 1
clock summer-time cest recurring last Sun Mar 2:00 last Sun Oct 3:00
!
udld aggressive
ip subnet-zero
ip routing
no ip domain-lookup
!
!
mls qos map cos-dscp 0 8 16 26 32 46 46 56
!
!
macro global description cisco-global
errdisable recovery cause link-flap
errdisable recovery interval 60
port-channel load-balance dst-mac
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
spanning-tree vlan 1,10,20,30,90 priority 4096
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description Server_LAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport mode trunk
 switchport nonegotiate
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/3
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/4
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/5
 description Server_LAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport mode trunk
 switchport nonegotiate
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/6
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/7
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/8
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/9
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/10
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/11
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/12
 description Server_LAN
 switchport mode access
 no snmp trap link-status
 spanning-tree portfast
!
interface GigabitEthernet0/13
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/14
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/15
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/16
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/17
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/18
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/19
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/20
 description Arbeidsstasjon_LAN
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 1
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-phone
 auto qos voip cisco-phone
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/21
 shutdown
!
interface GigabitEthernet0/22
 shutdown
!
interface GigabitEthernet0/23
 shutdown
!
interface GigabitEthernet0/24
 shutdown
!
interface GigabitEthernet0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/26
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/27
 switchport trunk encapsulation dot1q
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree link-type point-to-point
!
interface GigabitEthernet0/28
!
interface Vlan1
 description Server_VLAN
 ip address 10.47.1.2 255.255.255.0
 no ip redirects
 ntp broadcast client
 fair-queue
 standby 1 ip 10.47.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication dekk
 standby 1 track GigabitEthernet0/25 50
!
interface Vlan10
 description Arbeidsstasjoner_Telefoni_VLAN
 ip address 10.47.10.2 255.255.255.0
 ip helper-address 10.47.1.10
 no ip redirects
 fair-queue
 standby 10 ip 10.47.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication dekk
 standby 10 track GigabitEthernet0/25 50
!
interface Vlan20
 description Skrivere_VLAN
 ip address 10.47.20.2 255.255.255.0
 ip helper-address 10.47.1.10
 no ip redirects
 fair-queue
 standby 20 ip 10.47.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 authentication dekk
 standby 20 track GigabitEthernet0/25 50
!
interface Vlan30
 description Traadlos_VLAN
 ip address 10.47.30.2 255.255.255.0
 ip helper-address 10.47.1.10
 no ip redirects
 fair-queue
 standby 30 ip 10.47.30.1
 standby 30 priority 110
 standby 30 preempt
 standby 30 authentication dekk
 standby 30 track GigabitEthernet0/25 50
!
interface Vlan40
 ip address 10.47.40.2 255.255.255.0
 ip access-group 100 in
 ip helper-address 10.47.1.10
!
interface Vlan90
 description Unisys_Future_VLAN
 ip address 10.47.90.2 255.255.255.0
 no ip redirects
 fair-queue
 standby 90 priority 110
 standby 90 preempt
 standby 90 authentication dekk
 standby 90 track GigabitEthernet0/25 50
!
interface Vlan100
 description Internett_VLAN
 no ip address
 shutdown
!
router eigrp 1
 redistribute static
 network 10.0.0.0
 distribute-list prefix DekkPartner in
 auto-summary
 eigrp stub connected summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.47.1.4
ip route 10.112.255.20 255.255.255.255 10.47.90.10
ip http server
ip http authentication aaa
!
!
ip prefix-list DekkPartner seq 5 permit 10.47.1.0/24
ip prefix-list DekkPartner seq 10 permit 10.47.10.0/24
ip prefix-list DekkPartner seq 15 permit 10.47.20.0/24
ip prefix-list DekkPartner seq 20 permit 10.47.30.0/24
access-list 100 permit udp 10.47.40.0 0.0.0.255 host 10.47.1.10 eq bootps
access-list 100 permit udp 10.47.40.0 0.0.0.255 host 10.47.1.10 eq bootpc
access-list 100 deny   ip 10.47.40.0 0.0.0.255 10.47.30.0 0.0.0.255
access-list 100 deny   ip 10.47.40.0 0.0.0.255 10.47.20.0 0.0.0.255
access-list 100 deny   ip 10.47.40.0 0.0.0.255 10.47.10.0 0.0.0.255
access-list 100 deny   ip 10.47.40.0 0.0.0.255 10.47.1.0 0.0.0.255
access-list 100 permit ip 10.47.40.0 0.0.0.255 any
snmp-server community itum RO 1
snmp-server location Gardermoen
snmp-server contact Maud_Martin_Telefon: 63 94 05 90
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 logging synchronous
line vty 0 4
 session-timeout 5
 exec-timeout 120 0
 timeout login response 60
 privilege level 15
line vty 5 15
!
!
monitor session 1 source vlan 10 rx
monitor session 1 destination interface Gi0/8
ntp clock-period 36029153
ntp source Vlan1
ntp server 129.240.12.4
end


 
LVL 43

Expert Comment

by:JFrederick29
ID: 23068788
Hmm.  The access-list on the switch isn't playing into this at all.  What version of ASA code are you running?  Things aren't making sense which usually indicates a bug of some sort.  If you are able to, "wr mem" on the ASA and reload it.
 

Author Comment

by:RudiR
ID: 23068988
I have not restarted the firewall in a good while, so that might be the solution.
I was able to wr mem on the firewall the last time I configured it, and it took the command right away.

Is there any fast command to reload the firewall? Yes, I know I'm a bit of a noob on this ^^
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23069064
wr mem    <--just for good measure
reload   <--reloads the Firewall

What version of software are you running "show version" 7.x, 8.x?
 

Author Comment

by:RudiR
ID: 23069133
OK, here is the version printout.

I will try a restart later today; I just have to check if there are any people working late today.
Cisco Adaptive Security Appliance Software Version 7.0(5)
Device Manager Version 5.0(5)

Compiled on Mon 10-Apr-06 14:40 by builders
System image file is "disk0:/asa705-k8.bin"
Config file at boot was "startup-config"

Dekkpartner-U-ETG-Cisco-ASA5510 up 68 days 3 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : ;CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: eCNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : :CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is 0018.195b.ec7e, irq 9
 1: Ext: Ethernet0/1         : address is 0018.195b.ec7f, irq 9
 2: Ext: Ethernet0/2         : address is 0018.195b.ec80, irq 9
 3: Ext: Not licensed        : irq 9
 4: Ext: Management0/0       : address is 0018.195b.ec82, irq 11
 5: Int: Not licensed        : irq 11
 6: Int: Not licensed        : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs               : 10
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 50

This platform has a Base license.


 
LVL 43

Expert Comment

by:JFrederick29
ID: 23069218
Okay, you are running some pretty old software.  If you have a contract on the ASA, I would suggest upgrading to 7.2(4).
 

Author Comment

by:RudiR
ID: 23069600
OK, just did a wr mem and a reload on the firewall... same problem, I'm afraid.

I will call the ISP and ask if there's something wrong with the range of IPs I'm using.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23069705
Yeah, double check with your ISP.  Based on your subnet mask, you should have 73-78 usable.  Looks like 73 is your gateway.  You can also check logs/connections on the Firewall to see if the connection request even reaches the ASA.

Attempt the connection from the outside and do a "show conn | i 10.47.1.15"
 

Author Comment

by:RudiR
ID: 23069976
OK.

I made a request to the .78 IP through HTTP and HTTPS.
I tried show conn | i 10.47.1.15 on the firewall, and it does not show anything.
When trying the command for the 1.10 server, I get connections like I should.

Does that mean that there are some errors in front of the firewall? It sure sounds like it.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23070024
Yeah, it sounds like traffic to .78 is not reaching the Firewall.  Definitely check with your ISP.  If you enable logging to the buffer, do you see any messages regarding .78?

conf t
logging enable
logging timestamp
logging buffered debugging
logging buffer-size 16384

Attempt the connection again and do a "show log | i 62.92.36.78".  See if it returns anything.  You might have to attempt multiple times.  Verify by using the same command but to the 62.92.36.77 address.
 

Author Comment

by:RudiR
ID: 23070193
OK.

Here is me connecting like crazy to the server from another computer.
As you can see, when I connect to the 77 server I get connections; I verified my own IP, so I'm sure it's my computer connecting.

But to the 78 server I get nothing... nada... zip.

Sorry for the formatting of the code; I forgot to set the buffer size on the command window.
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.77
Dec 01 2008 17:45:33: %ASA-6-302013: Built inbound TCP connection 574 for outside:193.216.166.2/32907 (193.216.166.2/32907) to inside:10.47.1.10/443 (62.92.36.77/443)
Dec 01 2008 17:46:42: %ASA-6-106100: access-list outside denied icmp outside/84.194.61.90(8) -> outside/62.92.36.77(0) hit-cnt 1 300-second interval
Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.77
Dec 01 2008 17:45:33: %ASA-6-302013: Built inbound TCP connection 574 for outside:193.216.166.2/32907 (193.216.166.2/32907) to inside:10.47.1.10/443 (62.92.36.77/443)
Dec 01 2008 17:46:42: %ASA-6-106100: access-list outside denied icmp outside/84.194.61.90(8) -> outside/62.92.36.77(0) hit-cnt 1 300-second interval
Dec 01 2008 17:47:33: %ASA-6-302013: Built inbound TCP connection 581 for outside:193.216.166.2/33092 (193.216.166.2/33092) to inside:10.47.1.10/443 (62.92.36.77/443)
Dec 01 2008 17:47:43: %ASA-6-302013: Built inbound TCP connection 583 for outside:80.212.41.221/1241 (80.212.41.221/1241) to inside:10.47.1.10/80 (62.92.36.77/80)
Dekkpartner-U-ETG-Cisco-ASA5510(config)#


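The buffered-log check JFrederick29 suggested, and the `show log` output RudiR pasted in reply, boil down to one question per public address: did the ASA log anything at all for it, whether a connection build (`%ASA-6-302013`) or an access-list hit (`%ASA-6-106100`)? The Python below is an added example written for this page, not code from the thread or from Cisco. It parses those two message formats exactly as they appear in the pasted output (the sample lines are RudiR's lines from the thread; the CLI prompts are left in as noise the parser skips), de-duplicates lines repeated by running `show log` twice, and reports per address whether traffic reached the firewall. An address with neither a build nor a deny, while its neighbour in the same /29 shows both, is evidence that the problem sits in front of the ASA rather than in its NAT or ACL, which is the conclusion the thread reaches.

```python
"""Added example (not from the thread): parse the two ASA syslog message
types seen in the thread (%ASA-6-302013 connection built, %ASA-6-106100
access-list hit) and summarise, per mapped public address, whether the
firewall saw the traffic at all."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# %ASA-6-302013: Built inbound TCP connection ID for IF:SRC/PORT (SRC/PORT) to IF:REAL/PORT (MAPPED/PORT)
CONN_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<real>[\d.]+)/(?P<rport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)
# %ASA-6-106100: access-list NAME permitted|denied PROTO IF/SRC(PORT) -> IF/DST(PORT) hit-cnt N ...
ACL_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return a dict describing the event, or None for prompts and other noise."""
    m = CONN_RE.search(line)
    if m:
        d = m.groupdict()
        d["kind"] = "built"
        d["public"] = d["mapped"]      # the address the outside host connected to
        return d
    m = ACL_RE.search(line)
    if m:
        d = m.groupdict()
        d["kind"] = d["verdict"]       # "permitted" or "denied"
        d["public"] = d["dst"]
        return d
    return None


def evidence_by_address(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Count builds and denies per public address.  Identical lines are
    counted once, because 'show log' run twice prints the same buffered
    entries again."""
    seen = set()
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: {"built": 0, "denied": 0})
    for line in lines:
        if line in seen:
            continue
        seen.add(line)
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "built":
            out[ev["public"]]["built"] += 1
        elif ev["kind"] == "denied":
            out[ev["public"]]["denied"] += 1
    return dict(out)


def reached_firewall(lines: List[str], addresses: List[str]) -> Dict[str, bool]:
    """True if the ASA logged anything at all (built or denied) for the address."""
    ev = evidence_by_address(lines)
    return {a: a in ev and (ev[a]["built"] + ev[a]["denied"]) > 0 for a in addresses}


# Lines as pasted by RudiR in the thread; the prompts are noise the parser skips.
SHOW_LOG_OUTPUT = [
    "Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.78",
    "Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.77",
    "Dec 01 2008 17:45:33: %ASA-6-302013: Built inbound TCP connection 574 for outside:193.216.166.2/32907 (193.216.166.2/32907) to inside:10.47.1.10/443 (62.92.36.77/443)",
    "Dec 01 2008 17:46:42: %ASA-6-106100: access-list outside denied icmp outside/84.194.61.90(8) -> outside/62.92.36.77(0) hit-cnt 1 300-second interval",
    "Dekkpartner-U-ETG-Cisco-ASA5510(config)# show log | i 62.92.36.77",
    "Dec 01 2008 17:45:33: %ASA-6-302013: Built inbound TCP connection 574 for outside:193.216.166.2/32907 (193.216.166.2/32907) to inside:10.47.1.10/443 (62.92.36.77/443)",
    "Dec 01 2008 17:46:42: %ASA-6-106100: access-list outside denied icmp outside/84.194.61.90(8) -> outside/62.92.36.77(0) hit-cnt 1 300-second interval",
    "Dec 01 2008 17:47:33: %ASA-6-302013: Built inbound TCP connection 581 for outside:193.216.166.2/33092 (193.216.166.2/33092) to inside:10.47.1.10/443 (62.92.36.77/443)",
    "Dec 01 2008 17:47:43: %ASA-6-302013: Built inbound TCP connection 583 for outside:80.212.41.221/1241 (80.212.41.221/1241) to inside:10.47.1.10/80 (62.92.36.77/80)",
]


if __name__ == "__main__":
    for addr, counts in evidence_by_address(SHOW_LOG_OUTPUT).items():
        print(f"{addr}: {counts['built']} connections built, {counts['denied']} ACL denies")
    for addr, seen in reached_firewall(SHOW_LOG_OUTPUT, ["62.92.36.77", "62.92.36.78"]).items():
        print(f"{addr}: {'reached the ASA' if seen else 'no trace on the ASA'}")
```

On the pasted output this reports three connections built and one ACL deny for 62.92.36.77 and no trace of 62.92.36.78, matching the "nothing... nada... zip" observation. The same parser works on a syslog feed from the ASA, which is the more durable way to keep this evidence than the in-memory buffer `logging buffered` fills.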
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23070236
Okay, traffic to the .78 address is not being routed to your Firewall.  Can you switch the config to the .76 address (doesn't appear to be in use) and test again?
 

Author Comment

by:RudiR
ID: 23070276
Yes, of course.

What is the fastest command to just switch the 78 to 76 in the config?

Sorry for these basic questions, but I'm not that used to Cisco commands ^^
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 23070327
Sure.

conf t
no access-list outside extended deny ip any any log
access-list outside extended permit tcp any host 62.92.36.76 eq 80
access-list outside extended permit tcp any host 62.92.36.76 eq 443
access-list outside extended deny ip any any log

no static (inside,outside) tcp 62.92.36.78 80 10.47.1.15 80 netmask 255.255.255.255
no static (inside,outside) tcp 62.92.36.78 443 10.47.1.15 443 netmask 255.255.255.255

static (inside,outside) tcp 62.92.36.76 80 10.47.1.15 80 netmask 255.255.255.255
static (inside,outside) tcp 62.92.36.76 443 10.47.1.15 443 netmask 255.255.255.255
 

Author Comment

by:RudiR
ID: 23070943
OK, thanks.

Funny thing is that it had no effect.
Still no contact on 76.

If this is all it should take to forward these ports, it has to be an outside problem of some sort.

I did not get hold of the ISP, but I will call them tomorrow and look into this further.

Thanks a lot for the help so far; I'll post here ASAP after speaking to the ISP.

 

Author Comment

by:RudiR
ID: 23075302
OK.

I went through the config one more time, and I found that the line

access-list outside extended deny ip any any log

was above the lines I just added ^^

I don't know if I forgot to add the "no access-list" before I added the lines or if it just did not take the command.

Anyway, it's working perfectly now, and I have you to thank for it.

I will try to edit some info out of this post, as it contains a little more info than necessary.

Thanks a million, JFrederick29.
 

Author Closing Comment

by:RudiR
ID: 31511818
Thanks a lot, this forum is really A+.

I'm sure we will meet again ^^
