CISCO ASA Allow WWW to Internal Server

Need to allow WWW access to the internal web server IP 10.10.30.70 for all outside users.

I have hit the books and just can't get there from here.

Although this question is specifically regarding internal WWW access for outside users, I will post a separate question regarding why users on a remote side of a SITE-TO-SITE VPN are unable to access the WWW server.


no asdm history enable
: Saved
:
ASA Version 7.0(8) 
!
hostname KeyKeeperASA
domain-name BI.Local
enable password w7W8JLe2E5LfsNPn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
no dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 97.77.66.55 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.30.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip 10.10.30.0 255.255.255.0 10.10.90.0 255.255.255.0 
 
pager lines 24
logging enable
logging asdm-buffer-size 300
logging console errors
logging monitor errors
logging buffered errors
logging trap errors
logging history errors
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Local_Pool 192.168.40.10-192.168.40.50 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 97.77.202.69 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 set peer 80.111.222.333 
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address 
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group HQ type ipsec-ra
tunnel-group HQ general-attributes
 address-pool Local_Pool
 authentication-server-group none
tunnel-group HQ ipsec-attributes
 pre-shared-key *
tunnel-group CONT type ipsec-ra
tunnel-group CONT general-attributes
 address-pool Local_Pool
 authentication-server-group none
tunnel-group CONT ipsec-attributes
 pre-shared-key *
tunnel-group 99.88.77.66 type ipsec-l2l
tunnel-group 99.88.77.66 ipsec-attributes
 pre-shared-key *

!!!!!!!!EDITED CONTENT

!
service-policy global_policy global
Cryptochecksum:7b25df4c7491cc4cb722f7a3517e751c
: end


wwakefieldAsked:

Jimmy Larsson, CISSP, CEH, Network and Security consultant, Commented:
You can't do static NAT for your outside interface IP since it kills all traffic to/from the firewall (as you experienced...)


Replace the static-command above with:
static (inside,outside) tcp 97.77.66.56 80 10.10.30.70 80

/Kvistofta
 
aadesh2010 Commented:
Add the following Commands in the running config.


1) Create a static Nat for the internal host.

static (inside,outside) 97.77.66.56 10.10.30.70 netmask 255.255.255.255

2) Create an access-list

access-list outside_access_in extended permit tcp any host 97.77.66.56 eq www

3) Define the Interface where this access list to be applied

access-group outside_access_in in interface outside

Now all your outside users will be able to access your web Server.
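The two answers above describe three config pieces (a static translation, an access-list on the mapped address, and the access-group that binds it inbound on outside) and one trap (a whole-address static that takes over the outside interface). The following is an added example, not code from the thread or from Cisco: a small Python linter that parses those pieces out of an ASA 7.x/8.2-style running config, resolves the `interface` keyword to the outside address, evaluates the inbound ACL against the mapped address with first-match-wins semantics (the pre-8.3 rule the answers rely on), and flags the port-less interface static. The embedded samples are constructed from the addresses in the question; the probe source 203.0.113.5 is a TEST-NET address chosen here; and the third sample's port-level `static (inside,outside) tcp interface 80 ...` form is standard ASA syntax that no answer in the thread proposed, included to show that port-level PAT on the interface does not trigger the lockout. Only `any` / `host A` / `A MASK` address specs and `eq` destination ports are handled (an assumption of this example, not of the ASA).

```python
"""Added linter for ASA 7.x/8.2-style configs: is tcp/PORT to an inside host published
through 'outside' (static + access-list + access-group), and did the static hijack the
interface?  Pre-8.3 semantics: the inbound ACL is matched against the MAPPED address.
Assumed subset: 'any' | 'host A' | 'A MASK' address specs and 'eq' destination ports."""
import ipaddress
from collections import namedtuple
from types import SimpleNamespace

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25}
Static = namedtuple("Static", "real_if mapped_if proto mapped mapped_port real real_port")
Ace = namedtuple("Ace", "action proto src dst dst_port")        # dst_port None = any port
Report = namedtuple("Report", "ok mapped_ip nat_ok acl_ok hijacked findings")
port_num = lambda t: int(t) if t.isdigit() else PORT_NAMES[t.lower()]


def _addr(toks):
    """Consume one address spec ('any' | 'host A' | 'A MASK') from the token list."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)


def parse_static(line):
    """static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] [netmask M]"""
    toks = line.split()
    real_if, mapped_if = toks[1].strip("()").split(",")
    rest = toks[2:]
    proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None   # None = whole address
    mapped = rest.pop(0)                      # public IP, or the keyword 'interface'
    mapped_port = port_num(rest.pop(0)) if proto else None
    real = rest.pop(0)
    real_port = port_num(rest.pop(0)) if proto else None
    return Static(real_if, mapped_if, proto, mapped, mapped_port, real, real_port)


def parse_ace(line):
    """access-list NAME extended permit|deny PROTO SRC DST [eq PORT] -> (NAME, Ace)"""
    toks = line.split()
    rest = toks[3:]
    action, proto = rest.pop(0), rest.pop(0)
    src, dst = _addr(rest), _addr(rest)
    return toks[1], Ace(action, proto, src, dst, port_num(rest[1]) if rest[:1] == ["eq"] else None)


def parse_config(text):
    cfg, nameif = SimpleNamespace(if_ip={}, statics=[], acls={}, bound={}), None
    for line in text.splitlines():
        toks = line.split()
        if not toks or line[0] in "!:":
            continue
        if toks[0] == "interface":
            nameif = None
        elif line.startswith(" nameif "):
            nameif = toks[1]
        elif line.startswith(" ip address ") and nameif:
            cfg.if_ip[nameif] = toks[2]
        elif toks[0] == "static":
            cfg.statics.append(parse_static(line))
        elif toks[0] == "access-list" and toks[2] == "extended":
            name, ace = parse_ace(line)
            cfg.acls.setdefault(name, []).append(ace)
        elif toks[0] == "access-group":           # access-group NAME in|out interface IF
            cfg.bound[(toks[4], toks[2])] = toks[1]
    return cfg


def check_publish(cfg, real_ip, port, outside="outside", probe_src="203.0.113.5"):
    """Trace tcp/port from probe_src (a constructed TEST-NET address) to real_ip."""
    out_ip, mapped_ip, acl_ok, hijacked, findings = cfg.if_ip.get(outside), None, False, False, []
    for s in (s for s in cfg.statics if s.mapped_if == outside):
        m = out_ip if s.mapped == "interface" else s.mapped
        if s.proto is None and m == out_ip:   # port-less static owning the interface address:
            hijacked = True                   # SSH, ASDM and IKE aimed at 'outside' now hit the host
            findings.append(f"whole-address static on the {outside} interface: management and VPN cut off")
        if s.real == real_ip and (s.proto is None or (s.proto == "tcp" and s.real_port == port)):
            mapped_ip = m
    if mapped_ip is None:
        findings.append(f"no static reaches {real_ip} tcp/{port} from {outside}")
        return Report(False, None, False, False, hijacked, findings)
    acl = cfg.bound.get((outside, "in"))      # no access-group -> empty list -> implicit deny
    src, dst = ipaddress.ip_address(probe_src), ipaddress.ip_address(mapped_ip)
    for ace in cfg.acls.get(acl, []):         # first match wins, as on the box
        if ace.proto in ("ip", "tcp") and src in ace.src and dst in ace.dst and ace.dst_port in (None, port):
            acl_ok = ace.action == "permit"
            break
    else:
        findings.append(f"inbound ACL {acl} on {outside}: no entry for tcp/{port} to {mapped_ip} (implicit deny)")
    return Report(acl_ok and not hijacked, mapped_ip, True, acl_ok, hijacked, findings)


# Constructed samples, trimmed from the config in the question.
BASE = """\
interface Ethernet0/0
 nameif outside
 ip address 97.77.66.55 255.255.255.0
access-list outside_access_in extended permit tcp any host 97.77.66.56 eq www
access-group outside_access_in in interface outside
"""
BROKEN = BASE + "static (inside,outside) interface 10.10.30.70 netmask 255.255.255.255\n"  # asker's attempt
FIXED = BASE + "static (inside,outside) tcp 97.77.66.56 80 10.10.30.70 80\n"                # Kvistofta's fix
FIXED_IF = BASE + ("static (inside,outside) tcp interface 80 10.10.30.70 80\n"               # port PAT on the
                   "access-list outside_access_in extended permit tcp any host 97.77.66.55 eq www\n")  # interface itself
```

Running `check_publish(parse_config(BROKEN), "10.10.30.70", 80)` reports two findings for the asker's attempt: the interface is hijacked (the same condition the ASA printed as its two WARNING lines), and the ACL entry on 97.77.66.56 never matches because the translation actually landed on 97.77.66.55. `FIXED` and `FIXED_IF` both come back `ok=True` with no findings.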
 
wwakefield (Author) Commented:
Applied as shown below and the connection ceased. Unable to use SSH or VPN Client. Was able to access via a remote site and reload the ASA, so I am back in.

NOTE: I am able to access when I connect via VPN Client and type the web server IP. However, it is essential to have the outside IP direct WWW to that internal IP.

Password: ********
KeyKeeperASA# con t

KeyKeeperASA(config)# static (inside,outside) 97.77.66.56 10.10.30.70 netmask$
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

KeyKeeperASA(config)# static (inside,outside) interface 10.10.30.70 netmask 25$

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

KeyKeeperASA(config)# access-list outside_access_in extended permit tcp any ho$

KeyKeeperASA(config)# access-group outside_access_in in interface outside

KeyKeeperASA(config)#
 
wwakefield (Author) Commented:
Everything I read indicates that is the correct answer, but it still fails. Any other recommendations?
 
aadesh2010 Commented:
Okay. Try to change the

global (outside) 101 interface

to

global (outside) 101 97.77.66.55

and then try to use the static PAT command.
 
wwakefield (Author) Commented:
KVISTOFTA: That got it back on.

OK, so it appears these settings are correct. The equipment with the web interface is communicating entirely on 80.

Appreciate the help.
 
shubhanshu_jaiswal Commented:
You need to apply the commands below after applying the access list on the outside interface; that will allow VPN traffic to pass even if an access list is applied.

sysopt connection permit-ipsec
sysopt connection permit-vpn

and your issue will be resolved.