  • Status: Solved
  • Priority: Medium
  • Security: Public

Cisco ASA 6.4 - unable to access our internal website externally on port 80

We verified that port 80 is open from the outside; however, we are not able to pull up the web page externally.

Access Rule (ASDM)
#2: Source: any | Interface: outside | Service: tcp/http | Action: Permit

NAT Rules (ASDM)
#2: Type: Static | Original: 10.10.3.104, tcp/http | Translated: interface outside, address outside, service tcp/http

Packet Tracer
Access-List [Action - Drop]
- Implicit Rule

Result - The packet is dropped
Info: (acl-drop) Flow is denied by configuration rule
Asked by: Rolando Ramos

2 Solutions
 
Jan Springer commented:
You need DNS doctoring. If you put the keyword "dns" at the end of the static NAT statement for that host, you can use the public fully qualified domain name and get redirected to the internal web site.
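To make the DNS doctoring behaviour concrete, here is an added Python model (not the thread's own configuration) of what the "dns" keyword on an ASA 8.2-style static NAT does to the A record in a DNS reply, and of why an inside client that is handed the public address ends up hairpinning on the inside interface. The outside address 203.0.113.10 and the interface names are constructed assumptions; 10.10.3.104 is the internal server from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not the thread's config): a small model of what the "dns"
# keyword on an ASA 8.2-style static NAT does to A records in DNS replies.
# 203.0.113.10 is a constructed public address standing in for the outside
# interface; 10.10.3.104 is the internal web server from the thread.

@dataclass(frozen=True)
class StaticNat:
    real_if: str    # interface the real host sits on, e.g. "inside"
    mapped_if: str  # interface the mapped address faces, e.g. "outside"
    real_ip: str    # real (inside) address
    mapped_ip: str  # mapped (public) address; the outside interface IP for "interface" statics
    dns: bool       # True when the statement ends with the "dns" keyword

def doctor_dns_answer(answer_ip, ingress_if, egress_if, statics):
    """Address a client sees in an A record after the ASA forwards the DNS
    reply from ingress_if to egress_if. With the dns keyword the ASA rewrites
    mapped->real for replies heading to the real interface and real->mapped
    for replies heading to the mapped interface; without it the answer is
    untouched, so an inside client learns the public address and tries to
    reach it through the inside interface (the hairpin in the thread)."""
    answer = ipaddress.ip_address(answer_ip)
    for s in statics:
        if not s.dns:
            continue
        if (ingress_if, egress_if) == (s.mapped_if, s.real_if) \
                and answer == ipaddress.ip_address(s.mapped_ip):
            return s.real_ip
        if (ingress_if, egress_if) == (s.real_if, s.mapped_if) \
                and answer == ipaddress.ip_address(s.real_ip):
            return s.mapped_ip
    return answer_ip

def inside_client_hairpins(client_if, dest_ip, statics):
    """True when a client on client_if targets a mapped address that only
    exists on mapped_if: the flow would enter and leave the same interface,
    which the ASA drops unless intra-interface traffic is permitted."""
    dest = ipaddress.ip_address(dest_ip)
    return any(client_if == s.real_if and dest == ipaddress.ip_address(s.mapped_ip)
               for s in statics)

# Constructed scenario: an inside client resolves test.com via an outside DNS server.
STATICS_DNS = [StaticNat("inside", "outside", "10.10.3.104", "203.0.113.10", True)]
STATICS_PLAIN = [StaticNat("inside", "outside", "10.10.3.104", "203.0.113.10", False)]
```

With STATICS_DNS the inside client is handed 10.10.3.104 and connects directly; with STATICS_PLAIN it is handed 203.0.113.10 and inside_client_hairpins() reports the same-interface flow the ASA will drop by default.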
 
Rolando Ramos (Author) commented:
Not sure what you mean by putting the keyword dns at the end of the static NAT statement?
(attached screenshot: Access-Rule-ps.png)
 
Jan Springer commented:
Sorry, you're showing me ASDM and I only use CLI.

Can you pull up the CLI within ASDM and do a "sho run nat"?
 
Rolando Ramos (Author) commented:
ciscoasa# sho run nat
nat (inside) 1 0.0.0.0 0.0.0.0
 
Jan Springer commented:
How about:

show run | i static

(make sure that there is a space before and after the pipe)
 
Rolando Ramos (Author) commented:
ciscoasa# show run | i static
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255
 
Jan Springer commented:
That statement needs to be modified (you can do it via multiline mode in the CLI under ASDM):

no static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255 dns
 
Rolando Ramos (Author) commented:
OK, which of the two do I need to send via multi-line mode?

no static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255
or
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255 dns
 
Rolando Ramos (Author) commented:
This is what shows now for "show run | i static":
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255 dns
 
Rolando Ramos (Author) commented:
The syslog reports the following for port 80:
10.10.x.x      55035      71.1.x.x      80 TCP access denied by ACL from 10.10.x.x/55035 to inside:71.1.x.x/80
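The syslog line above is the signature of the hairpin case: an inside host sending to the public address, with the flow seen on the inside interface. As an added example (not part of the thread), the following Python triage parses lines in that same layout and flags inside-to-public-NAT denials separately from ordinary outbound denials. The sample lines, the 10.10.0.0/16 inside network and the public address 203.0.113.10 are constructed; 10.10.3.104 is the thread's server.

```python
import ipaddress
import re

# Added example, not from the thread: triage of the "access denied by ACL"
# lines shown in the ASDM log viewer, to spot inside hosts trying to reach
# the public (NATed) address through the inside interface. Sample lines are
# constructed; 203.0.113.10 stands in for the outside interface address.

DENY_RE = re.compile(
    r"access denied by ACL from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def classify_denial(line, inside_nets, public_nat_ips, inside_if="inside"):
    """None for lines that are not ACL denies; otherwise parsed fields plus a
    'kind': hairpin  = inside host -> public NAT address seen on the inside
                       interface (needs intra-interface traffic and a matching
                       NAT, or DNS doctoring so the client uses the real IP)
            outbound = inside host denied toward some other destination
            other    = anything else (e.g. denied on the outside interface)"""
    m = DENY_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    from_inside = any(src in ipaddress.ip_network(n) for n in inside_nets)
    if from_inside and m["dst_if"] == inside_if and str(dst) in public_nat_ips:
        kind = "hairpin"
    elif from_inside:
        kind = "outbound"
    else:
        kind = "other"
    return {"src": str(src), "dst": str(dst), "dst_if": m["dst_if"],
            "dport": int(m["dport"]), "kind": kind}

def triage(lines, inside_nets, public_nat_ips):
    """Classify every deny line and count the kinds seen."""
    results = [r for r in (classify_denial(l, inside_nets, public_nat_ips) for l in lines) if r]
    counts = {}
    for r in results:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    return results, counts

SAMPLE_LINES = [  # constructed, same layout as the line quoted in the thread
    "10.10.3.50 55035 203.0.113.10 80 TCP access denied by ACL from 10.10.3.50/55035 to inside:203.0.113.10/80",
    "10.10.3.51 51022 198.51.100.9 25 TCP access denied by ACL from 10.10.3.51/51022 to inside:198.51.100.9/25",
    "192.0.2.77 40001 203.0.113.10 3389 TCP access denied by ACL from 192.0.2.77/40001 to outside:203.0.113.10/3389",
    "Built outbound TCP connection 12345 for outside:198.51.100.9/443",
]
```

Calling triage(SAMPLE_LINES, ["10.10.0.0/16"], {"203.0.113.10"}) classifies the first line as hairpin, the second as outbound and the third as other; the fourth is ignored.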
 
Rolando Ramos (Author) commented:
However, when I run a port test externally it shows that port 80 is open. I have also tested other ports just for the sake of it, like 3389 for RDP. I just can't do any more than see that the port is open, and not much more.
 
Jan Springer commented:
Do you have an access list on the inside interface?

And you may need to permit intra-interface traffic.
 
Rolando Ramos (Author) commented:
Permit intra-interface traffic?

The inside list is the following (Access Rules):

1. Source: Any | Destination: less secure networks | Service: ip | Action: Permit | Description: Implicit rule: Permit all traffic to less secure networks

2. Source: any | Destination: any | Service: ip | Action: Deny | Implicit rule

When I run the packet tracer, under the Access List error it points to #2 above with the Action Drop.
Result for the reason the packet is dropped: (acl-drop) Flow is denied by configured rule
 
Jan Springer commented:
You'll need to create an access list that permits all inside traffic in (essentially a permit ip any any).
 
Rolando Ramos (Author) commented:
The one above, #1 in ASDM, shows Source: Any, Destination: Any, Service IP, Action Permit. Doesn't #1 on inside seem to be indicating that? Not sure what you mean or what I could add to make it work?
 
Rolando Ramos (Author) commented:
Based on what is showing, it should work: the port designated on our server is 80 and it shows externally that it's open. The odd thing is, if the port shows open and access list #1 for inside shows Source: Any, Destination: Any, Service IP, Action Permit, why does packet tracer ignore #1 (Source: Any, Destination: Any, Service IP, Action Permit) and automatically default to #2 (Source: any, Destination: any, Service: ip, Action: Deny, Implicit rule)?

That's what I can see happening. Very odd.
 
Jan Springer commented:
Did you update the config to allow intra-interface traffic?
 
Feroz Ahmed (Senior Network Engineer) commented:
Hi,

Try the commands below and check:

ASA# conf t
ASA(config)# access-list 101 permit icmp any any echo-reply
or
ASA(config)# access-list 101 permit tcp any any eq http

Then try to browse the site from the other side of the ASA, type this command and check for the error:

ASA# debug icmp trace
(it will show you details of the error message and where packets are being dropped)
 
Rolando Ramos (Author) commented:
OK, so what I did to get it working was:

Added NAT rule:
      no static (inside,outside) tcp interface 80 10.10.x.x 80 netmask 255.255.255.255
      clear xlate interface inside local 10.10.x.x netmask 255.255.255.255 gport 80
      static (inside,outside) tcp interface 80 10.10.x.x 80 netmask 255.255.255.255 dns tcp 0 0 udp 0

Access list:
      object-group service DM_INLINE_SERVICE_2
        service-object tcp eq http
      access-list ACL-OUTSIDE line 1 extended permit object-group DM_INLINE_SERVICE_2 any interface outside
      no access-list ACL-OUTSIDE line 2 extended permit tcp any interface outside object-group DM_INLINE_TCP_2
      no object-group service DM_INLINE_TCP_2 tcp

People can now access from external to internal, but not internal to internal by typing in test.com.
 
Rolando Ramos (Author) commented:
In order to get internal traffic to port 80, all of the commands must be implemented together. Once that is done, it works.