Solved

Cisco ASA 5510 routing from Mgt(DMZ) to Internal

Posted on 2013-10-31
4
534 Views
Last Modified: 2013-11-19
Hi Guys,

Some help needed.
I've spent a while on this, let me set the scene

Scene:
I've a webserver on the mgt interface (this is really a DMZ using the mgt interface as a non mgt interface, in otherwords box "dedicate this interface to management" not ticked)
This is IP range 192.168.50.x with websever at 192.168.50.99

I've a PC on the standard internal interface (inside) on 192.168.8.64

Problem:
I cannot browse to http:\\192.168.50.99 (MGT) from 192.168.8.64 (inside) in other words it is not allowing web traffic between the interfaces. I looked up security levels etc and have kept them both to 100, I've also allowed the intefaces to talk to each other with "same-security-traffic permit inter-interface". Along with permit rules and NAT rules. FYI The box can ping both addresses from each of it's interfaces.

Logs:
In the syslog I'm getting SYN Timeout which points me towards NAT, but I've NAT rules in for all networks to see each other.

Help Needed:
I need help in allowing the inside to be able to browse to a web server on the mgt.
The webserver is working well on the localhost PC.

I've a sample of the config below.

Any help much apreciated.


Config:

interface Ethernet0/0
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.8.254 255.255.255.0

interface Management0/0
 description Mgt Internal
 speed 100
 duplex full
 nameif Mgt
 security-level 100
 ip address 192.168.50.254 255.255.255.0

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network Inside_Network
 subnet 192.168.8.0 255.255.255.0

object network Mgt-network
 subnet 192.168.50.0 255.255.255.0
 description Mgt-network



object-group network Internal_Networks
 network-object object Inside_Network
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object object Mgt-network

access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any


access-list backup_access_in extended deny ip any any
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
access-list Mgt_access_in extended permit ip any any
access-list Mgt_access_out extended permit ip any any


nat (any,any) source static Internal_Networks Internal_Networks destination static Internal_Networks Internal_Networks no-proxy-arp description Nat Exemption for internal networks


access-group inside_access_in in interface inside
access-group outside_access_in in interface outside


access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt



http server enable
http 192.168.8.0 255.255.255.0 inside

sysopt noproxyarp inside
0
Comment
Question by:ggntt
  • 2
  • 2
4 Comments
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 39614119
First, don't do this:

access-group Mgt_access_in in interface Mgt
access-group Mgt_access_out out interface Mgt

Only apply ACL's into the interface to keep it simple.

For now remove:
access-list Mgt_access_in extended permit tcp object-group Internal_Networks any eq www
Leaving only the permit any any to see if that's an issue.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 39614126
Oh, and looking at:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any
access-list inside_access_in extended permit ip object Mgt-network any


You could simplify that to:
access-list inside_access_in extended permit ip 192.168.8.0 255.255.255.0 any

Why? because you first allow certain ports:
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.8.0 255.255.255.0 any eq ftp

And after that allow everything (ip) from that network making the first three rules unneccessary.

The last line:
access-list inside_access_in extended permit ip object Mgt-network any
is irrelevant because that network is not on the inside.
0
 

Accepted Solution

by:
ggntt earned 0 total points
ID: 39647429
Guys looks liek this turned out to be a local PC issue from what I can see, local firewall on PC had caused the issue. The trobleshooting pointed to this logic. I had spent too much time focusing on the Cisco side, what put me off is that the PC replied to ping. However the PC was blocking http access.
0
 

Author Closing Comment

by:ggntt
ID: 39658747
An oversight by not looking at the PC itself causing the routing block.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA LDAP Authentication for VPN and Management 8 39
Help with a subnetting question 7 58
Server 2012 R2 Radius server and Cisco AP 7 23
Change name on 7940 Cisco UM 10 25
How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question