How to set up my Cisco ASA to host my web server on port 80

Hi,
I am trying to configure my CISCO ASA 5505 to allow my outside vlan to point to a specific server (port 80) and I can't figure it out.

Any help on this?
maxleb asked:

flyingsky commented:
Please give some more detail about what have been done and what is not working.

maxleb (author) commented:
So far, I have set up the inside to be able to navigate through the internet.

Here is my configuration:

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ZCB0DiVbFtdIB73s encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.226.46.100 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 216.226.46.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 142.169.1.16 199.84.242.22
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.130 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1a12b6ec2c421fc52e241a25d821e4ad
: end
asdm image disk0:/asdm-524.bin
no asdm history enable


From there I need to allow port 80 from outside to point to 10.0.0.102

I have tried to play with access rules but with no success.

Sorry, I am a newbie.

Thanks


MikeKane commented:
To enable an inside host you'll need three things:

A static NAT or port forward from outside to inside
An ACL allowing the traffic
An access-group to apply the ACL.

So if you have an IP address range on the outside, say 192.168.1.0/24, and an inside range 192.168.2.0/24 with a server at 192.168.2.10, then you'll have something similar to the following:

static (inside,outside) 192.168.1.<any free ip for this static>  192.168.2.10 netmask 255.255.255.255

access-list outside_in extended permit tcp any host 192.168.1.<the ip chosen> eq 80

access-group outside_in in interface outside

maxleb (author) commented:
ciscoasa(config)# static (inside,outside) 216.226.46.100 10.0.0.102 netmask 255.255.255.255
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

Do I do something wrong?

MikeKane commented:
You can't use the interface IP for a static NAT.

Your external IP belongs to the 216.226.46.96/29 subnet, so you have 216.226.46.97-102 available as hosts. Use one of these for the new static.

static (inside,outside) 216.226.46.101 10.0.0.102 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 216.226.46.101 eq 80
access-group outside_in in interface outside


vreinaldo commented:
Hi there,

Just for the record, yes you CAN use the interface IP address for a static NAT;

the only requirement is to replace the IP address of the outside interface with the "interface" keyword...
By the way, if you plan to use the interface IP address, you should change the static to this:

static (inside,outside) tcp interface 80 10.0.0.102 80 netmask 255.255.255.255

The full set of commands (just a few changes from what MikeKane said) is something like:

static (inside,outside) tcp interface 80 10.0.0.102 80 netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq 80
access-group outside_in in interface outside

That should work.

NOTE:

If you use this static:
static (inside,outside) 216.226.46.101 10.0.0.102 netmask 255.255.255.255 (without TCP and port numbers listed)
this is not static PAT, it is just static NAT, and it will use the IP listed exclusively for the host in the command, and no one else.

Good luck

vreinaldo commented:

Jesus!!

Sorry MikeKane, I read it badly; you're right: you can't use the interface IP for a "static NAT".
What I meant is: yes, you CAN use the interface IP address for a "static PAT"....

Sorry again :(


maxleb (author) commented:
Thanks, I've been trying but it's still not working.
I changed my IP to x.x.x.98 because I wanted to keep x.x.x.100 for my web server, and my web server to 10.0.0.4, but it's still not working.

Here is my new configuration.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ZCB0DiVbFtdIB73s encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.226.46.98 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_in extended permit tcp any host 216.226.46.100 eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 216.226.46.100 10.0.0.4 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.226.46.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 142.169.1.16 199.84.242.22
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.130 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:394b0429b865ad721bfe01cd54fe3a13
: end
asdm image disk0:/asdm-524.bin
no asdm history enable



I am a little lost at this time. Any ideas?

vreinaldo commented:
Well...

It looks to me that you have all the config needed:

static (inside,outside) 216.226.46.100 10.0.0.4 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 216.226.46.100 eq www
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.226.46.97 1

but try to make some tests to help you troubleshoot your problem:

1) From any computer on the inside network, try to access the web server at 10.0.0.4 (http://10.0.0.4).

If you CAN'T access it, the problem is your server; fix it.
If you CAN, keep reading.

2) From the web server, try to access some internet page:

If you CAN'T, verify your default gateway, DNS and IP addressing on the server.
Also check that other hosts on the LAN can access the internet (just to be sure that your ISP doesn't have any fault in this).

If you can access the internet, it means that you have properly configured the local net and a default gateway (let's assume that you don't have any other gateway to the internet than the Cisco ASA),
so keep reading.

3) Last, if still no luck, try to make a capture session like this (you can copy/paste it into your real config; it will not make any changes to your connections, this is just for traffic capture):

access-list cap1 permit tcp any host 216.226.46.100 eq 80
access-list cap1 permit tcp any host 10.0.0.4 eq 80
!
access-list cap2 permit tcp host 10.0.0.4 eq 80 any
access-list cap2 permit tcp host 216.226.46.100 eq 80 any
capture cap1 access-list cap1 interface outside trace
capture cap11 access-list cap1 interface inside
capture cap2 access-list cap2 interface outside
capture cap22 access-list cap2 interface inside trace

Then try to access your web server (X.Y.46.100) from the internet. If everything is working (that would be weird) you're done, but if not, do the following on your ASA command line:

issue the "show capture" command:
copy what you get on your screen and post it; I will tell you what's going on...

By the way, avoid using static NAT; it's better if you use static PAT. What I'm telling you is:

change this line:

static (inside,outside) 216.226.46.100 10.0.0.4 netmask 255.255.255.255

for this one:

static (inside,outside) tcp 216.226.46.100 80 10.0.0.4 80 netmask 255.255.255.255

It's a more secure configuration...


Good luck!!
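As an added example (not part of this thread, and not Cisco tooling), here is a small Python audit that reads the pre-8.3 ASA syntax used above and checks the three pieces MikeKane lists for a port-forward: a static translation for the server, a permit in an ACL, and an access-group binding that ACL inbound on the outside interface. It also flags the mistake maxleb hit (using the outside interface's own IP as a literal global address, which the ASA only accepts with the "interface" keyword), and reports when a full static NAT is used where vreinaldo's port-restricted static PAT would translate only tcp/80. The sample excerpts are constructed from the addresses in this thread and are not complete configs; only the command forms that appear in the thread are parsed.

```python
import ipaddress
from collections import namedtuple

# proto is None for static NAT (every port) or "tcp"/"udp" for static PAT; gaddr is the
# global IP or the literal "interface" (the outside interface's own address).
Static = namedtuple("Static", "inside outside proto gaddr gport laddr lport")
Ace = namedtuple("Ace", "name action proto dst dport")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25}

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(t, i):
    """Consume one ACL address spec (any | host X | interface IF | NET MASK) at t[i]."""
    if t[i] == "any":
        return ("any",), i + 1
    if t[i] in ("host", "interface"):
        return (t[i], t[i + 1]), i + 2
    return ("net", t[i], t[i + 1]), i + 2

def parse(config):
    ifaces, statics, aces, groups, cur = {}, [], [], {}, {}
    for raw in filter(str.strip, config.splitlines()):
        t = raw.split()
        if t[0] == "interface":
            cur = {}
        elif raw.startswith(" ") and t[0] == "nameif":        # ASA lists nameif before ip address
            cur["name"] = t[1]
        elif raw.startswith(" ") and t[:2] == ["ip", "address"] and "name" in cur:
            ifaces[cur["name"]] = t[2]
        elif t[0] == "static":
            ins, outs = t[1].strip("()").split(",")
            r = t[2:]
            if r[0] in ("tcp", "udp"):                          # static PAT: proto gIP gport lIP lport
                statics.append(Static(ins, outs, r[0], r[1], _port(r[2]), r[3], _port(r[4])))
            else:                                               # static NAT: gIP lIP
                statics.append(Static(ins, outs, None, r[0], None, r[1], None))
        elif t[0] == "access-list" and ("permit" in t or "deny" in t):
            a = next(i for i, x in enumerate(t) if x in ("permit", "deny"))
            src, i = _addr(t, a + 2)
            if i < len(t) and t[i] == "eq":                     # source port: skip it
                i += 2
            dst, i = _addr(t, i)
            dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            aces.append(Ace(t[1], t[a], t[a + 1], dst, dport))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            groups[t[4]] = t[1]                                 # interface -> ACL applied inbound
    return ifaces, statics, aces, groups

def _dst_matches(dst, gaddr, outside):
    if dst[0] == "any":
        return True
    if dst[0] in ("host", "interface"):            # "interface outside" means the outside IP
        return dst[1] == (outside if dst[0] == "interface" else gaddr)
    return ipaddress.ip_address(gaddr) in ipaddress.ip_network(f"{dst[1]}/{dst[2]}", strict=False)

def audit(config, server, port):
    """ok is True when some static for server:port is reached by a permit in the ACL bound inbound."""
    ifaces, statics, aces, groups = parse(config)
    findings, advice, ok = [], [], False
    mine = [s for s in statics if s.laddr == server and s.lport in (None, port)]
    if not mine:
        findings.append(f"no static translation for {server}")
    for s in mine:
        problems = []
        gaddr = ifaces.get(s.outside) if s.gaddr == "interface" else s.gaddr
        if s.gaddr == ifaces.get(s.outside):
            problems.append(f"{s.gaddr} is the {s.outside} interface IP; use "
                            f"'static ({s.inside},{s.outside}) tcp interface {port} ...' instead")
        if s.proto is None:
            advice.append(f"static NAT exposes every port of {server} at {gaddr} to the ACL; "
                          f"a tcp/{port} static PAT translates only that port")
        acl = groups.get(s.outside)
        if acl is None:
            problems.append(f"no access-group applied inbound on {s.outside}")
        elif not any(a.name == acl for a in aces):
            problems.append(f"access-group names ACL '{acl}' but no such ACL exists (typo?)")
        elif not any(a.name == acl and a.action == "permit" and a.proto in ("tcp", "ip")
                     and a.dport in (None, port) and _dst_matches(a.dst, gaddr, s.outside)
                     for a in aces):
            problems.append(f"ACL '{acl}' has no permit for tcp/{port} to {gaddr}")
        findings.extend(problems)
        ok = ok or not problems
    return {"ok": ok, "findings": findings, "advice": advice}

# Constructed excerpts built from the addresses in this thread (not full configs).
GOOD_NAT = """\
interface Vlan2
 nameif outside
 ip address 216.226.46.98 255.255.255.248
access-list outside_in extended permit tcp any host 216.226.46.100 eq www
static (inside,outside) 216.226.46.100 10.0.0.4 netmask 255.255.255.255
access-group outside_in in interface outside
"""
GOOD_PAT = GOOD_NAT.replace("static (inside,outside) 216.226.46.100 10.0.0.4",
                            "static (inside,outside) tcp 216.226.46.100 80 10.0.0.4 80")
IFACE_PAT = GOOD_PAT.replace("tcp 216.226.46.100 80", "tcp interface 80").replace(
    "host 216.226.46.100", "interface outside")
ACL_NAME_TYPO = GOOD_NAT.replace("access-list outside_in", "access-list outside-in")
IFACE_LITERAL = GOOD_NAT.replace("216.226.46.100", "216.226.46.98")

if __name__ == "__main__":
    print(audit(ACL_NAME_TYPO, "10.0.0.4", 80))
```

Run it against a pasted `show running-config` with `audit(text, "10.0.0.4", 80)`: an empty `findings` list with `ok` true means the static, ACL and access-group agree; the `advice` list only reports the NAT-versus-PAT point, which is a hardening suggestion, not a reason the forward would fail.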