CISCO ASA Allow WWW to Internal Server

Posted on 2010-09-18
Last Modified: 2012-05-10
Need to allow www access to internal web server IP 10.10.30.70 for all outside users.

I have hit the books and just can't get there from here.

Although this question is specifically regarding internal WWW access for outside users, I will post a separate question regarding why users on a remote side of a SITE-TO-SITE VPN are unable to access the WWW server.


no asdm history enable
: Saved
:
ASA Version 7.0(8) 
!
hostname KeyKeeperASA
domain-name BI.Local
enable password w7W8JLe2E5LfsNPn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
no dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 97.77.66.55 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.30.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip 10.10.30.0 255.255.255.0 10.10.90.0 255.255.255.0 
 
pager lines 24
logging enable
logging asdm-buffer-size 300
logging console errors
logging monitor errors
logging buffered errors
logging trap errors
logging history errors
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Local_Pool 192.168.40.10-192.168.40.50 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 97.77.202.69 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 set peer 80.111.222.333 
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address 
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group HQ type ipsec-ra
tunnel-group HQ general-attributes
 address-pool Local_Pool
 authentication-server-group none
tunnel-group HQ ipsec-attributes
 pre-shared-key *
tunnel-group CONT type ipsec-ra
tunnel-group CONT general-attributes
 address-pool Local_Pool
 authentication-server-group none
tunnel-group CONT ipsec-attributes
 pre-shared-key *
tunnel-group 99.88.77.66 type ipsec-l2l
tunnel-group 99.88.77.66 ipsec-attributes
 pre-shared-key *

!!!!!!!!EDITED CONTENT

!
service-policy global_policy global
Cryptochecksum:7b25df4c7491cc4cb722f7a3517e751c
: end

Question by: wwakefield
7 Comments
 
LVL 1

Assisted Solution

by: aadesh2010
aadesh2010 earned 800 total points
ID: 33710210
Add the following Commands in the running config.


1) Create a static NAT for the internal host.

static (inside,outside) 97.77.66.56 10.10.30.70 netmask 255.255.255.255

2) Create an access list.

access-list outside_access_in extended permit tcp any host 97.77.66.56 eq www

3) Define the interface where this access list is to be applied.

access-group outside_access_in in interface outside

Now all your outside users will be able to access your web Server.
 
LVL 6

Author Comment

by: wwakefield
ID: 33710295
Applied as shown below and the connection ceased. Unable to use SSH or VPN Client. Was able to access via a remote site and reload the ASA, so I am back in.

NOTE: I am able to access when I connect via VPN Client and type the web server IP. However, it is essential to have the outside IP direct www to that internal IP.

Password: ********
KeyKeeperASA# con t

KeyKeeperASA(config)# static (inside,outside) 97.77.66.56 10.10.30.70 netmask$
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

KeyKeeperASA(config)# static (inside,outside) interface 10.10.30.70 netmask 25$

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

KeyKeeperASA(config)# access-list outside_access_in extended permit tcp any ho$

KeyKeeperASA(config)# access-group outside_access_in in interface outside

KeyKeeperASA(config)#
 
LVL 6

Author Comment

by: wwakefield
ID: 33710298
Everything I read indicates that is the correct answer, but it still fails. Any other recommendations?
 
LVL 1

Expert Comment

by: aadesh2010
ID: 33710311
Okay. Try to change the

global (outside) 101 interface

to

global (outside) 101 97.77.66.55

and then try to use the static PAT command.
 
LVL 17

Accepted Solution

by: Jimmy Larsson, CISSP, CEH
Jimmy Larsson, CISSP, CEH earned 1200 total points
ID: 33710314
You can't do static NAT for your outside interface IP since it kills all traffic to/from the firewall (as you experienced...)


Replace the static-command above with:
static (inside,outside) tcp 97.77.66.56 80 10.10.30.70 80

/Kvistofta
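The lockout in this thread comes from a one-to-one static whose mapped address is the outside interface's own address (or the interface keyword) with no port, which is what the ASA's "static redirecting all traffics at outside interface" warning announces; the accepted port-level static PAT does not have that effect. The following is an added example, not code from the thread or from Cisco: a small lint that reads ASA-style config text, learns each nameif's address, and flags that form of static. The sample config is constructed from the thread's (obfuscated) addresses.

```python
# Added example: flag "static (real,mapped) ..." lines that take over the whole
# mapped-interface address (no protocol/port), which disables SSH, ASDM and VPN
# termination on that interface. Port-level static PAT is reported as fine.

# Constructed sample mirroring the thread's addresses (obfuscated as on the page).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 97.77.66.55 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
static (inside,outside) interface 10.10.30.70 netmask 255.255.255.255
static (inside,outside) 97.77.66.55 10.10.30.70 netmask 255.255.255.255
static (inside,outside) tcp 97.77.66.56 80 10.10.30.70 80
static (inside,outside) 97.77.66.56 10.10.30.70 netmask 255.255.255.255
"""


def parse_interface_ips(config):
    """Map each nameif to its configured IP (interface sub-commands are indented)."""
    ips, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new block; nameif not seen yet
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            ips[name] = line.split()[2]
    return ips


def check_statics(config):
    """Return (line, risky, reason) for every 'static (real,mapped) ...' line."""
    ips = parse_interface_ips(config)
    results = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "static":
            continue
        mapped_if = tok[1].strip("()").split(",")[1]   # "(inside,outside)" -> outside
        has_port = tok[2] in ("tcp", "udp")            # static PAT form carries ports
        mapped_addr = tok[3] if has_port else tok[2]
        hits_iface = mapped_addr in ("interface", ips.get(mapped_if))
        if hits_iface and not has_port:
            results.append((line, True, "maps the whole %s interface address: "
                            "SSH/ASDM/VPN terminating there stop working" % mapped_if))
        else:
            results.append((line, False, "port-level or spare-address static"))
    return results
```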
 
LVL 6

Author Comment

by: wwakefield
ID: 33710445
KVISTOFTA: That got it back on.

OK, so it appears these settings are correct. The equipment with the web interface communicates entirely on 80.

Appreciate the help.
 
LVL 5

Expert Comment

by: shubhanshu_jaiswal
ID: 33713969
You need to apply the below-mentioned commands after applying the access list on the outside interface. That will allow VPN traffic to pass even if an access list is applied.

sysopt connection permit-ipsec
sysopt connection permit-vpn

and your issue will be resolved.