Solved

Cisco ASA 5510 routing from Mgt(DMZ) to Internal

Posted on 2013-10-31
Last Modified: 2013-11-19
Hi Guys,

Some help needed.
I've spent a while on this, so let me set the scene.

Scene:
I've a webserver on the mgt interface (this is really a DMZ using the mgt interface as a non-mgt interface; in other words, the box "dedicate this interface to management" is not ticked).
This is the IP range 192.168.50.x, with the webserver at 192.168.50.99.

I've a PC on the standard internal interface (inside) on 192.168.8.64

Problem:
I cannot browse to http://192.168.50.99 (MGT) from 192.168.8.64 (inside); in other words it is not allowing web traffic between the interfaces. I looked up security levels etc. and have kept them both at 100. I've also allowed the interfaces to talk to each other with "same-security-traffic permit inter-interface", along with permit rules and NAT rules. FYI, the box can ping both addresses from each of its interfaces.

Logs:
In the syslog I'm getting SYN Timeout which points me towards NAT, but I've NAT rules in for all networks to see each other.

Help Needed:
I need help in allowing the inside to be able to browse to a web server on the mgt.
The webserver is working well on the localhost PC.

I've a sample of the config below.

Any help much appreciated.


Config:

interface Ethernet0/0
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.8.254 255.255.255.0

interface Management0/0
 description Mgt Internal
 speed 100
 duplex full
 nameif Mgt
 security-level 100
 ip address 192.168.50.254 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network Inside_Network
 subnet 192.168.8.0 255.255.255.0

object network Mgt-network
 subnet 192.168.50.0 255.255.255.0
 description Mgt-network
object-group network Internal_Networks
 network-object object Inside_Network
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object object Mgt-network

access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any
access-list backup_access_in extended deny ip any any
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
access-list Mgt_access_in extended permit ip any any
access-list Mgt_access_out extended permit ip any any
nat (any,any) source static Internal_Networks Internal_Networks destination static Internal_Networks Internal_Networks no-proxy-arp description Nat Exemption for internal networks
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt
http server enable
http 192.168.8.0 255.255.255.0 inside

sysopt noproxyarp inside
Question by:ggntt
4 Comments

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 39614119
First, don't do this:

access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt

Only apply ACLs inbound on the interface to keep it simple.

For now remove:
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
Leaving only the permit any any to see if that's an issue.

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 39614126
Oh, and looking at:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any


You could simplify that to:
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any

Why? because you first allow certain ports:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp

And after that you allow everything (ip) from that network, making the first three rules unnecessary.

The last line:
access-list inside_access_in extended permit ip object Mgt-network any
is irrelevant because that network is not on the inside.
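Ernie's first-match reasoning above, turned into a small checker (an added example for this page, not code from the thread or from Cisco): it parses the extended ACEs as posted, flags earlier ACEs made redundant by a later broader ACE with the same action, ACEs shadowed by an earlier covering ACE, and ACEs whose source network is not behind the interface the ACL is applied to. The inside_access_in lines and the Mgt-network object are copied from the question; only the address and port forms those lines use are parsed, and ports are compared by name.

```python
import ipaddress

# Network objects referenced by the ACEs; the value mirrors the thread's config (constructed input)
OBJECTS = {"Mgt-network": ipaddress.ip_network("192.168.50.0/24")}

def _addr(tok, i, objects):
    """Consume one address spec: 'any' | 'A MASK' | 'object NAME' (host/group forms not needed here)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "object":
        return objects[tok[i + 1]], i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
def _port(tok, i):
    """Consume an optional 'eq PORT'; 'any' when absent (ports are compared by name only)."""
    return (tok[i + 1], i + 2) if i < len(tok) and tok[i] == "eq" else ("any", i)
def parse_ace(line, objects=OBJECTS):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]' into a dict."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr(tok, 5, objects)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i, objects)
    return {"action": tok[3], "proto": tok[4], "src": src, "sport": sport, "dst": dst, "dport": _port(tok, i)[0]}
def covers(a, b):
    """True when every packet matching ACE b also matches ACE a."""
    return (a["proto"] in ("ip", b["proto"]) and all(a[k] in ("any", b[k]) for k in ("sport", "dport"))
            and a["src"].supernet_of(b["src"]) and a["dst"].supernet_of(b["dst"]))
def analyse(lines, interface_nets, objects=OBJECTS):
    """Return (index, finding) pairs for an inbound ACL, walked in the ASA's first-match order."""
    aces = [parse_ace(l, objects) for l in lines]
    out = []
    for i, ace in enumerate(aces):
        if any(covers(e, ace) for e in aces[:i]):
            out.append((i, "shadowed: an earlier ACE already matches all of its traffic"))
        # Redundant if a later same-action ACE covers it with no opposite-action ACE in between (conservative)
        elif any(covers(l, ace) and all(m["action"] == ace["action"] for m in aces[i + 1:j + 1])
                 for j, l in enumerate(aces[i + 1:], i + 1)):
            out.append((i, "redundant: a later ACE with the same action covers it"))
        if not any(ace["src"].overlaps(n) for n in interface_nets):
            out.append((i, "foreign source: that network is not behind this interface"))
    return out

# The inside_access_in ACEs from the question and the subnet behind 'inside' (constructed copy)
INSIDE_ACL = ["access-list inside_access_in extended permit " + s for s in (
    "tcp 192.168.8.0 255.255.255.0 any eq www", "tcp 192.168.8.0 255.255.255.0 any eq https",
    "tcp 192.168.8.0 255.255.255.0 any eq ftp", "ip 192.168.8.0 255.255.255.0 any",
    "ip object Mgt-network any")]
INSIDE_NETS = [ipaddress.ip_network("192.168.8.0/24")]
if __name__ == "__main__":
    for idx, msg in analyse(INSIDE_ACL, INSIDE_NETS):
        print(f"ACE {idx + 1}: {msg}")
```

Run against the posted ACL it reports the three port-specific ACEs as redundant and the Mgt-network ACE as a foreign source, matching the comment above; a deny placed between a narrow permit and the broad permit suppresses the redundancy finding.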
Accepted Solution

by:
ggntt earned 0 total points
ID: 39647429
Guys, looks like this turned out to be a local PC issue from what I can see; the local firewall on the PC had caused the issue. The troubleshooting pointed to this logic. I had spent too much time focusing on the Cisco side; what put me off is that the PC replied to ping. However, the PC was blocking HTTP access.
Author Closing Comment

by:ggntt
ID: 39658747
An oversight: not looking at the PC itself, which was causing the routing block.