Solved

CISCO ASA Allow WWW to Internal Server

Posted on 2010-09-18
Last Modified: 2012-05-10
Need to allow www access to internal web server IP 10.10.30.70 for all outside users.

I have hit the books and just can't get there from here.

Although this question is specifically regarding internal WWW access for outside users, I will post a separate question regarding why users on a remote side of a SITE-TO-SITE VPN are unable to access the WWW server.


no asdm history enable
: Saved
:
ASA Version 7.0(8) 
!
hostname KeyKeeperASA
domain-name BI.Local
enable password w7W8JLe2E5LfsNPn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
no dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 97.77.66.55 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.30.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip 10.10.30.0 255.255.255.0 10.10.90.0 255.255.255.0 
 
pager lines 24
logging enable
logging asdm-buffer-size 300
logging console errors
logging monitor errors
logging buffered errors
logging trap errors
logging history errors
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Local_Pool 192.168.40.10-192.168.40.50 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 97.77.202.69 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 set peer 80.111.222.333 
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address 
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group HQ type ipsec-ra
tunnel-group HQ general-attributes
 address-pool Local_Pool
 authentication-server-group none
tunnel-group HQ ipsec-attributes
 pre-shared-key *
tunnel-group CONT type ipsec-ra
tunnel-group CONT general-attributes
 address-pool Local_Pool
 authentication-server-group none
tunnel-group CONT ipsec-attributes
 pre-shared-key *
tunnel-group 99.88.77.66 type ipsec-l2l
tunnel-group 99.88.77.66 ipsec-attributes
 pre-shared-key *

!!!!!!!!EDITED CONTENT

!
service-policy global_policy global
Cryptochecksum:7b25df4c7491cc4cb722f7a3517e751c
: end

Question by:wwakefield
7 Comments
 
LVL 1

Assisted Solution

by:aadesh2010
aadesh2010 earned 200 total points
ID: 33710210
Add the following commands to the running config.


1) Create a static NAT for the internal host.

static (inside,outside) 97.77.66.56 10.10.30.70 netmask 255.255.255.255

2) Create an access-list.

access-list outside_access_in extended permit tcp any host 97.77.66.56 eq www

3) Define the interface where this access list is to be applied.

access-group outside_access_in in interface outside

Now all your outside users will be able to access your web server.
 
LVL 6

Author Comment

by:wwakefield
ID: 33710295
Applied as shown below and the connection ceased. Unable to use SSH or VPN Client. Was able to access via a remote site and reload the ASA, so I am back in.

NOTE: I am able to access when I connect via VPN Client and type the web server IP. However, it is essential to have the outside IP direct www to that internal IP.

Password: ********
KeyKeeperASA# con t

KeyKeeperASA(config)# static (inside,outside) 97.77.66.56 10.10.30.70 netmask$
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

KeyKeeperASA(config)# static (inside,outside) interface 10.10.30.70 netmask 25$

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

KeyKeeperASA(config)# access-list outside_access_in extended permit tcp any ho$

KeyKeeperASA(config)# access-group outside_access_in in interface outside

KeyKeeperASA(config)#
 
LVL 6

Author Comment

by:wwakefield
ID: 33710298
Everything I read indicates that is the correct answer, but it still fails. Any other recommendations?
 
LVL 1

Expert Comment

by:aadesh2010
ID: 33710311
Okay. Try changing the

global (outside) 101 interface

to

global (outside) 101 97.77.66.55

and then try to use the static PAT command.
 
LVL 17

Accepted Solution

by:Kvistofta
Kvistofta earned 300 total points
ID: 33710314
You can't do static NAT for your outside interface IP since it kills all traffic to/from the firewall (as you experienced...).


Replace the static-command above with:
static (inside,outside) tcp 97.77.66.56 80 10.10.30.70 80

/Kvistofta
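As an added example (not code from this thread or from Cisco), here is a small Python lint that reads pre-8.3 ASA `static (real,mapped)` lines and flags the pattern that locked wwakefield out: a one-to-one static whose mapped address is the outside interface itself (the `interface` keyword or the interface's own IP), which redirects SSH, ASDM and IPsec terminating on the firewall to the inside host. The port-level static PAT that Kvistofta proposed is reported as informational only. The sample config is constructed from the addresses in this thread; the exact `static` syntax handled is an assumption.

```python
# Constructed sample (assumption: pre-8.3 ASA 'static (real,mapped)' syntax),
# built from this thread's addresses: the interface blocks plus the statics tried.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 97.77.66.55 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 10.10.30.1 255.255.255.0
static (inside,outside) interface 10.10.30.70 netmask 255.255.255.255
static (inside,outside) 97.77.66.55 10.10.30.70 netmask 255.255.255.255
static (inside,outside) 97.77.66.56 10.10.30.70 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.10.30.70 80 netmask 255.255.255.255
"""

def interface_ips(config):
    """Map each nameif to the IP address configured on that interface."""
    ips, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            ips[name] = line.split()[2]
    return ips

def parse_static(line):
    """Return (mapped_if, proto, mapped_addr, mapped_port, real_addr) or None."""
    t = line.split()
    if len(t) < 4 or t[0] != "static":
        return None
    mapped_if = t[1].strip("()").split(",")[1]
    if t[2] in ("tcp", "udp"):                 # port-level static PAT
        return mapped_if, t[2], t[3], t[4], t[5]
    return mapped_if, None, t[2], None, t[3]   # one-to-one static NAT

def lint_statics(config):
    """Flag statics that capture the firewall's own interface address."""
    ips, findings = interface_ips(config), []
    for line in config.splitlines():
        parsed = parse_static(line)
        if parsed is None:
            continue
        mapped_if, proto, mapped, port, real = parsed
        if proto is None and mapped in ("interface", ips.get(mapped_if)):
            findings.append(("CRITICAL", line, "one-to-one static to the %s interface "
                "address: SSH, ASDM and IPsec to the firewall go to %s" % (mapped_if, real)))
        elif proto and mapped == "interface":
            findings.append(("INFO", line, "port-level PAT forwards only %s/%s; keep it "
                "off the management ports used on %s" % (proto, port, mapped_if)))
    return findings
```

Run `lint_statics` over a saved `show running-config` before pushing a change; the static mapped to another address in the outside subnet (97.77.66.56 here) produces no finding.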
 
LVL 6

Author Comment

by:wwakefield
ID: 33710445
KVISTOFTA: That got it back on.

OK, so it appears these settings are correct. The equipment with the web interface is communicating entirely on 80.

Appreciate the help.
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 33713969
You need to apply the below-mentioned commands after applying the access list on the outside interface; that will allow VPN traffic to pass even if an access list is applied:

sysopt connection permit-ipsec
sysopt connection permit-vpn

and your issue will be resolved.