Solved

Cisco ASA 5510 routing from Mgt(DMZ) to Internal

Posted on 2013-10-31
530 Views
Last Modified: 2013-11-19
Hi Guys,

Some help needed.
I've spent a while on this, let me set the scene

Scene:
I've a webserver on the mgt interface (this is really a DMZ using the mgt interface as a non mgt interface, in other words the box "dedicate this interface to management" is not ticked)
This is IP range 192.168.50.x with webserver at 192.168.50.99

I've a PC on the standard internal interface (inside) on 192.168.8.64

Problem:
I cannot browse to http://192.168.50.99 (MGT) from 192.168.8.64 (inside), in other words it is not allowing web traffic between the interfaces. I looked up security levels etc. and have kept them both at 100, and I've also allowed the interfaces to talk to each other with "same-security-traffic permit inter-interface", along with permit rules and NAT rules. FYI the box can ping both addresses from each of its interfaces.

Logs:
In the syslog I'm getting SYN Timeout which points me towards NAT, but I've NAT rules in for all networks to see each other.

Help Needed:
I need help in allowing the inside to be able to browse to a web server on the mgt.
The webserver is working well on the localhost PC.

I've a sample of the config below.

Any help much appreciated.


Config:

interface Ethernet0/0
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.8.254 255.255.255.0

interface Management0/0
 description Mgt Internal
 speed 100
 duplex full
 nameif Mgt
 security-level 100
 ip address 192.168.50.254 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network Inside_Network
 subnet 192.168.8.0 255.255.255.0

object network Mgt-network
 subnet 192.168.50.0 255.255.255.0
 description Mgt-network



object-group network Internal_Networks
 network-object object Inside_Network
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object object Mgt-network

access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any


access-list backup_access_in extended deny ip any any
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
access-list Mgt_access_in extended permit ip any any
access-list Mgt_access_out extended permit ip any any


nat (any,any) source static Internal_Networks Internal_Networks destination static Internal_Networks Internal_Networks no-proxy-arp description Nat Exemption for internal networks


access-group inside_access_in in interface inside
access-group outside_access_in in interface outside


access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt



http server enable
http 192.168.8.0 255.255.255.0 inside

sysopt noproxyarp inside
Question by:ggntt
4 Comments

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 39614119
First, don't do this:

access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt

Only apply ACLs inbound on the interface to keep it simple.

For now remove:
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
Leaving only the permit any any to see if that's an issue.

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 39614126
Oh, and looking at:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any


You could simplify that to:
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any

Why? because you first allow certain ports:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp

And after that you allow everything (ip) from that network, making the first three rules unnecessary.

The last line:
access-list inside_access_in extended permit ip object Mgt-network any
is irrelevant because that network is not on the inside.
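To make the first-match behaviour Ernie describes concrete, here is an added illustration (my own code, not part of the thread): a small model of ASA extended ACL evaluation run over the inside_access_in ACL exactly as posted, with a conservative check for rules that a later rule with the same action already covers. Function names and the OBJECTS table are my own; the object name and networks come from the posted config.

```python
import ipaddress

OBJECTS = {"Mgt-network": ipaddress.ip_network("192.168.50.0/24")}  # 'object network' from the post
PORTS = {"www": 80, "https": 443, "ftp": 21}
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t, i, ends = line.split(), 5, []
    while len(ends) < 2:                      # source, then destination
        width = 1 if t[i] == "any" else 2     # 'any' | 'object NAME' | NET MASK
        ends.append(ANY if width == 1 else OBJECTS[t[i + 1]] if t[i] == "object"
                    else ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"))
        i += width
    port = PORTS[t[i + 1]] if i < len(t) and t[i] == "eq" else None
    return {"action": t[3], "proto": t[4], "src": ends[0], "dst": ends[1],
            "port": port, "text": line}

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (a["proto"] in ("ip", b["proto"]) and b["src"].subnet_of(a["src"])
            and b["dst"].subnet_of(a["dst"]) and a["port"] in (None, b["port"]))

def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """ASA first-match lookup, with the implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and r["port"] in (None, dport)):
            return r["action"]
    return "deny"

def redundant_rules(rules):
    """Rules fully covered by a later rule with the same action (conservative)."""
    out = []
    for i, r in enumerate(rules):
        for later in rules[i + 1:]:
            if later["action"] != r["action"]:
                break                         # an intervening opposite action could matter
            if covers(later, r):
                out.append(r["text"]); break
    return out

INSIDE_ACL = [parse_ace(ln) for ln in """
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any
""".splitlines() if ln.strip()]               # inside_access_in exactly as posted
```

`redundant_rules(INSIDE_ACL)` reports the three port-specific lines, and `evaluate` shows the 192.168.8.64 to 192.168.50.99:80 request is permitted by this ACL with or without them, which is consistent with the thread's conclusion that the ASA ACL was not the blocker.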

Accepted Solution

by:
ggntt earned 0 total points
ID: 39647429
Guys, looks like this turned out to be a local PC issue from what I can see; the local firewall on the PC had caused the issue. The troubleshooting pointed to this logic. I had spent too much time focusing on the Cisco side; what put me off is that the PC replied to ping. However the PC was blocking http access.

Author Closing Comment

by:ggntt
ID: 39658747
An oversight by not looking at the PC itself causing the routing block.