Solved

Not able to browse site from the outside since last change on Cisco ASA5505

Posted on 2010-09-23
Last Modified: 2012-05-10
I have a Web Server and Exchange Server.  Since my last change, on my ASA, I am not able to browse websites or check email from the outside.  I installed an SSL Certificate last week on my ASA.  Can someone help me diagnose my problem?  Thanks so much.  I have posted my running config.
ASA Version 8.2(1)
!
hostname vpn
domain-name technologyblends.com
enable password * encrypted
passwd * encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.203 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name technologyblends.com
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set *
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 keypair ASDM_TrustPoint0
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint2
 certificate ca 0301
    *
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate *
  quit
 certificate ca 0301
    *
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password * encrypted privilege 15
username admin password * encrypted privilege 15
username "test1" password * encrypted privilege 15
username obautista password * encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:*
: end
vpn#

Question by:obautista
26 Comments

Expert Comment

by:Zxeses
ID: 33750532
delete these two lines:

conf t
no access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
end
wr mem

You also need to permit same-interface communication
conf t
same-security-traffic permit intra-interface
end

I also can't see how this line is needed; you might try deleting it after the other suggestions are tried.
access-group INSIDE in interface inside




Author Comment

by:obautista
ID: 33750539
What do the 1st two commands do?  And what does the 3rd command do?  I am still learning the ASA.

Author Comment

by:obautista
ID: 33750649
I have attached my last running config (before adding the SSL stuff).  Things were okay before the SSL addition.  Some things I noticed: host name changed from "ciscoasa" to "vpn", domain-name changed from "default.domain.invalid" to "technologyblends.com", the "trustpoint" and "ASDM_TrustPoint***" stuff was added, ssl trust-point changed from "localtrust" to "ASDM_TrustPoint1".  
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password * encrypted
passwd * encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.203 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec transform-set *
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set *
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password * encrypted privilege 15
username admin password * encrypted privilege 15
username "test1" password * encrypted privilege 15
username obautista password * encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:*
: end
ciscoasa#


Expert Comment

by:Zxeses
ID: 33750705
Did you change the host and domain names, and THEN add SSL, or did you add SSL and then change the names?

If the former, you are fine there.  
If the latter, you need to rebuild your certificates/keys.

I hope you are using the web/Java-based ASDM to do this...  You can do all that from the command line, but sheesh, you have ASDM 6.3 and that is an awesome interface.

You should remove the access lists because they don't match your IP pool for VPN connectors.

In the 3rd command, you are applying a redundant rule: access from a higher security level (100) to a lower security level, outside (0). Along with command 2 above, you don't need an access group that allows ip any any.

FYI, there are week-long classes on mastering the basics of ASA, so keep in mind you are wading into deep water here.

Author Comment

by:obautista
ID: 33750733
I used ASDM to configure SSL.  I didn't specifically mean to change my host and domain names.  I just meant to add the SSL.  I will run the commands you suggest and post my results.  Thanks for helping me.

Author Comment

by:obautista
ID: 33750762
This command:
no access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

Returned this:
ERROR: Access-list cisco_splitTunnelAcl is attached to class-map, route-map,
username, group-policy, distribute-list, multicast, wccp,
dynamic-filter or dynamic-access-policy subsystem.
Please remove the relevant configuration before removing the access-list.

These commands ran okay:
no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

same-security-traffic permit intra-interface

Tried browsing my site from the outside and still no luck.  Sites come up okay when browsing from inside.

Expert Comment

by:Zxeses
ID: 33750785
Clarification:

When you say outside, do you mean from a non-vpn client, like a random person on the internet, or do you mean a vpn client on the outside?

In the ASDM, there is a command called packet tracer...  

Do a TCP trace on the outside interface to the proper port, with the target being the outside static (or the one global PAT) address.

Author Comment

by:obautista
ID: 33750791
Sorry.  Yes - non-VPN client (random person on the internet).  I am using LogMeIn to remote to a computer outside of my network to test outside connectivity.

I will run the packet tracer now.  Thanks...

Author Comment

by:obautista
ID: 33750824
I have attached a screenshot
screenshot.jpg

Expert Comment

by:Zxeses
ID: 33750865
Would you do the same test again

Set your source port to 32767

Set your destination IP address to 75.149.66.203

Author Comment

by:obautista
ID: 33750872
Like this:
screenshot2.jpg

Expert Comment

by:Zxeses
ID: 33750908
Your source address needs to be something other than 75.149.66.203

If your outside machine is 75.149.66.201, use that

You can use some random internet address, try 123.123.123.123

(use both actually, post SS if you notice something)

Author Comment

by:obautista
ID: 33750920
I have 5 static outside IPs: 75.149.66.201 through .205

I have them NAT'd to 192.168.1.*

A little confused how you want to me set up the trace?

Author Comment

by:obautista
ID: 33750927
I am using 75.149.66.203 for VPN on port 500.

Expert Comment

by:Zxeses
ID: 33750949
Source IP: 123.123.123.123  <-- doesn't matter what you use here as long as it's not your network(s)
Source Port: 32767
Destination IP:  75.149.66.203
Destination Port: 80

Reason:  Your outside address for your ASA is 75.149.66.203, you are currently using PAT (port address translation) in addition to NAT.  Currently your web server at 192.168.1.6 does not have a static, and according to the rules, WWW is mapped to "name 192.168.1.6 HTTP_ACCESS" using PAT.  Since there is no NAT static specified, the address must be the same as the outside interface of the ASA.

(There are lots of Best Practices errors in your config in general, however solving the immediate problem is the goal.)

Author Comment

by:obautista
ID: 33750964
In this trace I am using 207.38.46.131 for the Source IP (this is the outside machine I am testing with).  Set the Source Port to 32767.  I set the Destination IP to 75.149.66.201, which is my outside IP to my Web Server, and used HTTP.
screenshot3.jpg

Author Comment

by:obautista
ID: 33750987
I understand.  I think I know what is going on.  I changed my outside ASA from 75.149.66.201 to 75.149.66.203 last week also.  The reason is because I wanted to be able to vpn over port 443 and since 443 is used on 75.149.66.201 I changed my public ASA IP to 75.149.66.203.  I could not get VPN working on Port 443 on 75.149.66.203, so I just left it at port 500.  It may just be easier to change my ASA public back to 75.149.66.201, correct?

Accepted Solution

by:Zxeses (earned 500 total points)
ID: 33750989
If that is your goal, you need this:
(copy/paste the results)

conf t
show xlate global 75.149.66.201
static (inside,outside) tcp 75.149.66.201 www 192.168.1.6 www netmask 255.255.255.255
clear xlate global 75.149.66.201
end
show xlate global 75.149.66.201


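The mismatch Zxeses describes above (the `interface` PAT statics follow the outside address wherever it is moved, while the outside-access-in ACL still permits traffic to .201) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python audit of a pre-8.3 ASA config that resolves `interface` to the outside address and reports public (ip, port) pairs the ACL permits but nothing translates, and translations the ACL never admits. The sample config and the `FIX_STATIC` line are constructed from the lines posted in this thread.

```python
import re

# Well-known ASA port keywords that appear in the posted config.
PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25}

# Constructed sample: the relevant lines of the 8.2(1) config in the question,
# after the outside address was moved from .201 to .203.
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 ip address 75.149.66.203 255.255.255.248
name 192.168.1.6 HTTP_ACCESS
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
"""

# The static from the accepted solution: publishes the web server on .201 again.
FIX_STATIC = "static (inside,outside) tcp 75.149.66.201 www 192.168.1.6 www netmask 255.255.255.255\n"


def port(token):
    """Map an ASA port keyword or a numeric port to an integer."""
    return PORTS.get(token) or int(token)


def parse(config):
    """Collect the outside address, 'name' aliases, inbound ACL permits and statics."""
    outside_ip, names, permits, statics, cur_if = None, {}, set(), {}, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"nameif (\S+)$", s):
            cur_if = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+$", s)) and cur_if == "outside":
            outside_ip = m.group(1)
        elif m := re.match(r"name (\S+) (\S+)$", s):
            names[m.group(2)] = m.group(1)          # alias -> real inside address
        elif m := re.match(r"access-list \S+ extended permit tcp any host (\S+) eq (\S+)$", s):
            permits.add((m.group(1), port(m.group(2))))   # pre-8.3: ACL sees the public address
        elif m := re.match(r"static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) ", s):
            pub, pub_port, real, real_port = m.groups()
            # "interface" means PAT on the outside interface's own address, so changing
            # that address silently moves every such mapping along with it.
            key = (outside_ip if pub == "interface" else pub, port(pub_port))
            statics[key] = (names.get(real, real), port(real_port))
    return outside_ip, permits, statics


def audit(config):
    """Return (permitted_but_untranslated, translated_but_never_permitted) public (ip, port) pairs."""
    _, permits, statics = parse(config)
    unreachable = sorted(p for p in permits if p not in statics)
    blocked = sorted(t for t in statics if t not in permits)
    return unreachable, blocked
```

Run `audit(SAMPLE_CONFIG)` to see the three .201 services the ACL opens with no translation behind them and the three .203 PAT mappings the ACL never admits; `audit(SAMPLE_CONFIG + FIX_STATIC)` shows only www repaired, and moving the outside address back to .201 in the sample clears both lists, matching the author's final fix.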

Expert Comment

by:Zxeses
ID: 33751002
act, um, well try that; if that doesn't work, undo it with the "no" form of the command and change your IP back.

Author Comment

by:obautista
ID: 33751041
That did it.  I just changed the IP back to .201.  I figure I may need .203 in the future.  

I think the domain name change is okay, but how do I change host name back to what it was or will that screw up cert on the ASA?

Expert Comment

by:Zxeses
ID: 33751053
Check your VPN connection now.  If it's not working, you will need to rebuild the certs.  If it's working, leave it as is and go ask for a raise :-)

Author Comment

by:obautista
ID: 33751069
Just tested VPN connection.  Things appear to be back to normal.  Cert, when browsing VPN from the external computer, looks good too.  Thanks so much....

If you don't mind, can I ask one more question?  When I connect through VPN (browsing) from the outside, I see "Home", "Web Applications", "Browse Networks", and "AnyConnect" in the right nav menu.  Clicking on "Browse Network" does not let me browse, for example, my Share.  The user I am using to VPN, I believe, has admin access - "privilege 15".  Is there anything special I need to do to browse my Share?  Address would remain "cifs://", correct?

Thanks again...

Expert Comment

by:Zxeses
ID: 33754773
Unfortunately while SMB (the protocol behind CIFS) is a routed protocol, the "Browse Network" feature is not.  There are ways of encapsulating and forwarding these to fake a Layer 2 network, but I haven't spent much time researching that.

Author Comment

by:obautista
ID: 33755586
So there really is no easy way of being able to browse, for example, a Share using the Web Interface? Besides the way you mention, which isn't the most secure.  Just exploring my options with some of the VPN features.  Thanks for any thoughts or ideas given.

Expert Comment

by:Ernie Beek
ID: 36960734
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.