Solved

CISCO ASA Allow WWW to Internal Server

Posted on 2010-09-18
Last Modified: 2012-05-10
Need to allow www access to internal web server IP 10.10.30.70 for all outside users.

I have hit the books and just can't get there from here.

Although this question is specifically regarding internal WWW access for outside users, I will post a separate question regarding why users on a remote side of a SITE-TO-SITE VPN are unable to access the WWW server.


no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname KeyKeeperASA
domain-name BI.Local
enable password w7W8JLe2E5LfsNPn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
no dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 97.77.66.55 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.30.0 255.255.255.0 10.10.90.0 255.255.255.0

pager lines 24
logging enable
logging asdm-buffer-size 300
logging console errors
logging monitor errors
logging buffered errors
logging trap errors
logging history errors
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Local_Pool 192.168.40.10-192.168.40.50 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 97.77.202.69 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 set peer 80.111.222.333
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group HQ type ipsec-ra
tunnel-group HQ general-attributes
 address-pool Local_Pool
 authentication-server-group none
tunnel-group HQ ipsec-attributes
 pre-shared-key *
tunnel-group CONT type ipsec-ra
tunnel-group CONT general-attributes
 address-pool Local_Pool
 authentication-server-group none
tunnel-group CONT ipsec-attributes
 pre-shared-key *
tunnel-group 99.88.77.66 type ipsec-l2l
tunnel-group 99.88.77.66 ipsec-attributes
 pre-shared-key *

!!!!!!!!EDITED CONTENT

!
service-policy global_policy global
Cryptochecksum:7b25df4c7491cc4cb722f7a3517e751c
: end

Question by:wwakefield
7 Comments

Assisted Solution

by:aadesh2010
aadesh2010 earned 200 total points
Add the following commands to the running config.

1) Create a static NAT for the internal host.

static (inside,outside) 97.77.66.56 10.10.30.70 netmask 255.255.255.255

2) Create an access-list.

access-list outside_access_in extended permit tcp any host 97.77.66.56 eq www

3) Define the interface where this access list is to be applied.

access-group outside_access_in in interface outside

Now all your outside users will be able to access your web server.

Author Comment

by:wwakefield
Applied as shown below and the connection ceased. Unable to use SSH or VPN Client. Was able to access via a remote site and reload the ASA, so I am back in.

NOTE: I am able to access when I connect via VPN Client and type the web server IP. However, it is essential to have the outside IP direct www to that internal IP.

Password: ********
KeyKeeperASA# con t

KeyKeeperASA(config)# static (inside,outside) 97.77.66.56 10.10.30.70 netmask$
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

KeyKeeperASA(config)# static (inside,outside) interface 10.10.30.70 netmask 25$

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

KeyKeeperASA(config)# access-list outside_access_in extended permit tcp any ho$

KeyKeeperASA(config)# access-group outside_access_in in interface outside

KeyKeeperASA(config)#

Author Comment

by:wwakefield
Everything I read indicates that is the correct answer, but it still fails. Any other recommendations?

Expert Comment

by:aadesh2010
Okay. Try to change the

global (outside) 101 interface

to

global (outside) 101 97.77.66.55

and then try to use the static PAT command.

Accepted Solution

by:
Kvistofta earned 300 total points
You can't do static NAT for your outside interface IP since it kills all traffic to/from the firewall (as you experienced...)


Replace the static-command above with:
static (inside,outside) tcp 97.77.66.56 80 10.10.30.70 80

/Kvistofta
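The following Python script is an added example for this thread, not part of the original posts and not Cisco code. It lints the pre-8.3 style static / access-list / access-group lines from aadesh2010's three steps and from Kvistofta's correction: it re-creates the two checks the ASA itself raised in the transcript above (the interface address requires the 'interface' keyword, and an all-protocol static on that address redirects every port, which is what took SSH and the VPN down), and adds the two a reviewer does by hand on 7.x through 8.2 code: the inbound ACL on the outside interface must permit the translated (outside) address rather than the real inside one, and it must be bound with access-group. The parser only understands the statement forms that appear in this thread, and the sample snippets are constructed from the addresses exactly as the poster sanitised them (outside interface 97.77.66.55, mapped address 97.77.66.56, web server 10.10.30.70).

```python
"""Lint for pre-8.3 ASA static NAT and inbound ACL lines (added example, not Cisco code). It re-creates
the checks the ASA raised in this thread (the interface address needs the 'interface' keyword; an
all-protocol static on it redirects every port, so SSH/ASDM/VPN on that interface stop working) plus
two a reviewer does by hand on 7.x-8.2 code: the outside ACL must permit the translated address, not
the real inside one, and it must be bound with access-group. Only the statement forms seen here are parsed."""
import re

PORT_NAMES = {"www": "80", "http": "80", "https": "443"}

def parse_interfaces(lines):
    """nameif -> address, read from 'interface' stanzas ('nameif X', 'ip address A MASK')."""
    ips, nameif = {}, None
    for s in lines:
        if s.startswith("interface "):
            nameif = None
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif:
            ips[nameif] = s.split()[2]
    return ips

def parse_static(s):
    """-> dict for 'static (real,mapped) [tcp|udp] MAPPED [PORT] REAL [PORT] [netmask M]'; proto None = all protocols."""
    t = s.split()
    if t[0] != "static":
        return None
    mapped_if = t[1].strip("()").split(",")[1]
    rest = t[2:t.index("netmask")] if "netmask" in t else t[2:]
    if rest[0] in ("tcp", "udp"):
        return dict(mapped_if=mapped_if, proto=rest[0], mapped_ip=rest[1], mapped_port=rest[2], real_ip=rest[3], text=s)
    return dict(mapped_if=mapped_if, proto=None, mapped_ip=rest[0], mapped_port=None, real_ip=rest[1], text=s)

def parse_acl(s):
    """-> (name, proto, dst, port) for 'access-list N extended permit P SRC DST [eq PORT]', else None."""
    m = re.match(r"access-list (\S+) extended permit (\S+) (.+)$", s)
    if not m:
        return None
    toks = m.group(3).split()

    def take(ts):  # address forms: any | host A | NET MASK
        return (ts[0], ts[1:]) if ts[0] == "any" else (ts[1], ts[2:]) if ts[0] == "host" else (ts[0], ts[2:])
    _, toks = take(toks)
    dst, toks = take(toks)
    port = PORT_NAMES.get(toks[1], toks[1]) if len(toks) >= 2 and toks[0] == "eq" else None
    return m.group(1), m.group(2), dst, port

def lint(config_text):
    """Return {'errors': [...], 'warnings': [...], 'ok': [...]} for one config snippet."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    out, if_ip = {"errors": [], "warnings": [], "ok": []}, parse_interfaces(lines)
    statics = [x for x in map(parse_static, lines) if x]
    bound = dict(re.findall(r"access-group (\S+) in interface (\S+)", config_text))
    mapped = {}  # translated address -> static entry that owns it
    for s in statics:
        out_ip = if_ip.get(s["mapped_if"])
        literal = out_ip if s["mapped_ip"] == "interface" else s["mapped_ip"]
        mapped[literal] = s
        if s["proto"] is None and s["mapped_ip"] == "interface":
            out["errors"].append(f'{s["text"]}: redirects every port of {s["mapped_if"]} to {s["real_ip"]}; '
                                 f'SSH, ASDM and VPN terminating on {s["mapped_if"]} stop working')
        elif s["proto"] is None and s["mapped_ip"] == out_ip:
            out["errors"].append(f'{s["text"]}: {out_ip} is the {s["mapped_if"]} address; the ASA requires the '
                                 f'"interface" keyword here, which would then redirect every port')
        elif s["proto"] and literal == out_ip:
            out["ok"].append(f'{s["text"]}: port-level PAT, only {s["proto"]}/{s["mapped_port"]} is taken from the ASA')
        else:
            out["ok"].append(f'{s["text"]}: static on dedicated address {literal}')
    real_ips = {s["real_ip"] for s in statics}
    for name, proto, dst, port in filter(None, map(parse_acl, lines)):
        if dst in real_ips and dst not in mapped:
            out["errors"].append(f"{name}: permits the real address {dst}; on pre-8.3 code an inbound ACL must "
                                 f"permit the translated address")
        elif dst in mapped:
            s = mapped[dst]
            if name not in bound:
                out["errors"].append(f"{name}: never applied with access-group, so it has no effect")
            elif s["proto"] and (proto != s["proto"] or port not in (None, s["mapped_port"])):
                out["warnings"].append(f"{name}: permits {proto}/{port or 'any'} to {dst} but the static only "
                                       f"translates {s['proto']}/{s['mapped_port']}")
            else:
                out["ok"].append(f"{name}: permits {proto}/{port or 'any'} to translated {dst}, inbound on {bound[name]}")
    return out

# Sample snippets, constructed from the interface, static, access-list and access-group lines in this thread.
BASE = """\
interface Ethernet0/0
 nameif outside
 ip address 97.77.66.55 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 10.10.30.1 255.255.255.0
"""
# what the ASA accepted after the 'interface' rewrite: the command that caused the outage
OUTAGE = BASE + """\
static (inside,outside) interface 10.10.30.70 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 97.77.66.55 eq www
access-group outside_access_in in interface outside
"""
# the accepted answer: tcp/80 only, ACL written against the translated address and bound on outside
FIXED = BASE + """\
static (inside,outside) tcp 97.77.66.56 80 10.10.30.70 80
access-list outside_access_in extended permit tcp any host 97.77.66.56 eq www
access-group outside_access_in in interface outside
"""
# port-level PAT on the interface address is fine; permitting the real inside address in the ACL is not
WRONG_ACL = BASE + """\
static (inside,outside) tcp interface 80 10.10.30.70 80
access-list outside_access_in extended permit tcp any host 10.10.30.70 eq www
access-group outside_access_in in interface outside
"""
```

Calling lint(OUTAGE) returns one error for the all-protocol static on the interface, lint(FIXED) returns no errors and two ok entries, and lint(WRONG_ACL) accepts the tcp/80 static but flags the ACL that names 10.10.30.70 instead of the translated address. Feeding it the form aadesh2010 first suggested with the interface address itself (no tcp keyword, netmask 255.255.255.255) produces the same 'interface keyword' complaint the ASA printed in the transcript.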

Author Comment

by:wwakefield
KVISTOFTA: That got it back on.

OK, so it appears these settings are correct. The equipment with the web interface is communicating entirely on 80.

Appreciate the help.

Expert Comment

by:shubhanshu_jaiswal
You need to apply the below-mentioned commands after applying the access list on the outside interface; that will allow VPN traffic to pass even if an access list is applied.

sysopt connection permit-ipsec
sysopt connection permit-vpn

and your issue will be resolved.