Rolando Ramos
asked on
Cisco ASA 6.4 - unable to access our internal website externally on port 80
Port 80 is open from the outside we verified, however we are not able to pull up the web page externally.
Access Rule
2 any outside tcp/http Permit
NAT Rules
2 Static 10.10.3.104 tcp/http outside outside tcp/http
Packet Tracer
Access-List [Action - Drop]
- Implicit Rule
Result - The packet is dropped
Info: (acl-drop) Flow is denied by configuration rule
You need DNS doctoring. If you put the keyword "dns" at the end of the static nat statement for that host, you can use the public fully qualified domain name and get redirected to the internal web site.
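What the "dns" keyword does is worth seeing on the wire. With DNS doctoring enabled on a static NAT, the ASA rewrites the A record in DNS replies that cross it, so an inside client resolving the public name gets the inside address and never tries to reach the server through the outside address. The following Python model is an added example written for this thread, not Cisco code and not the asker's configuration: the names, the public address 203.0.113.10 and the NAT table are constructed, and only the inside address 10.10.3.104 comes from the question.

```python
"""Model of ASA DNS doctoring (DNS rewrite) on a constructed DNS reply.

A static NAT with the "dns" keyword maps an outside (mapped) address to an
inside (real) address; every A record in a traversing DNS reply whose rdata
equals the mapped address is rewritten to the real address.
"""
import ipaddress
import struct

# Static NAT table: mapped (outside) address -> real (inside) address.
# 203.0.113.10 is a constructed documentation address; 10.10.3.104 is from the thread.
STATIC_NAT_DNS = {
    "203.0.113.10": "10.10.3.104",
}


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(msg: bytes, nat: dict) -> tuple:
    """Rewrite A-record rdata in the answer section per the NAT table.

    Returns (rewritten message, list of (old, new) address pairs).
    Queries (QR bit clear) are returned untouched.
    """
    out = bytearray(msg)
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        return bytes(out), []
    off = 12
    for _ in range(qd):                # skip question section: name + type + class
        off = _skip_name(msg, off) + 4
    changes = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            old = str(ipaddress.IPv4Address(msg[off:off + 4]))
            new = nat.get(old)
            if new:
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
                changes.append((old, new))
        off += rdlen
    return bytes(out), changes


def answer_addresses(msg: bytes) -> list:
    """Collect the A-record addresses in a reply's answer section (for checking)."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs


def build_reply(name: str, addrs: list) -> bytes:
    """Build a minimal constructed DNS response for NAME with one A record per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        # Answer name is a compression pointer to offset 12 (the question name).
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(a).packed
    return hdr + question + answers


if __name__ == "__main__":
    reply = build_reply("www.example.com", ["203.0.113.10", "198.51.100.5"])
    doctored, changes = doctor_dns_reply(reply, STATIC_NAT_DNS)
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(doctored), "changes:", changes)
```

Only answers whose address exactly matches a mapped address are touched; an unrelated record in the same reply passes through unchanged. On the ASA itself, the rewrite only happens for DNS traffic that is subject to DNS application inspection (`inspect dns` in the global policy, which is on by default), so if that inspection has been removed the keyword alone changes nothing.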
ASKER
Not sure what you mean put keyword dns at the end of static nat statement?
Access-Rule-ps.png
Sorry, you're showing me ASDM and I only use CLI.
Can you pull up the CLI within ASDM and do a "sho run nat"?
ASKER
ciscoasa# sho run nat
nat (inside) 1 0.0.0.0 0.0.0.0
how about:
show run | i static
(make sure that there is a space before and after the pipe)
ASKER
ciscoasa# show run | i static
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255
SOLUTION
ASKER
OK, which of the two do I need to send via multi-line mode?
no static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255
or
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255 dns
ASKER
This is what shows now > show run | i static
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255 dns
ASKER
The syslog log reports the following for port 80
10.10.x.x 55035 71.1.x.x 80 TCP access denied by ACL from 10.10.x.x/55035 to inside:71.1.x.x/80
ASKER
However, when I run a port test externally it shows that port 80 is open. I have also tested other ports just for the sake of it, like 3389 for RDP. I just can't do any more than see that the port is open, not much more.
Do you have an access list on the inside interface?
And you may need to permit intra-interface traffic.
ASKER
permit intra-interface traffic?
The inside list is the following - Access Rules
1. Source: Any Destination: less secure networks Service: ip Action: Permit Description: Implicit rule: Permit all traffic to less secure networks
2. Source: any Destination: any Service: ip Action: Deny Implicit rule
When I run the packet tracer, under the Access List error it points to #2 above with the Action Drop.
Result for the reason the packet is dropped: (acl-drop) Flow is denied by configured rule
You'll need to create an access list that permits all inside traffic in (essentially a permit ip any any).
ASKER
The one above, #1 in the ASDM, shows Source: Any, Destination: Any, Service: IP, Action: Permit. Doesn't #1 on the inside seem to be indicating that? Not sure what you mean or what I could add to make it work.
ASKER
Based on what is showing it should work: the port designated on our server is 80, and it shows externally that it's open. The odd thing is, if the port shows open and access list #1 for inside shows Source: Any, Destination: Any, Service: IP, Action: Permit, why does packet tracer ignore #1 (Source: Any, Destination: Any, Service: IP, Action: Permit) and automatically default to #2 (Source: any, Destination: any, Service: ip, Action: Deny, Implicit rule)?
That's what I can see happening. Very odd.
did you update the config to allow intra-interface traffic?
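The syslog line the asker quoted ("to inside:71.1.x.x/80") is the key detail: the inside client is connecting to the outside address, the static NAT untranslates that to an inside host, so the flow enters and leaves on the inside interface. The implicit "permit all traffic to less secure networks" rule does not cover a flow whose egress interface has the same security level, so packet tracer falls through to the implicit deny. The Python model below is an added example for this thread, not ASA code; it approximates the order in which the ASA applies static NAT untranslation, the intra-interface check, an explicit interface ACL and the implicit security-level rules. The interface networks, the outside address 203.0.113.10 and the `thread_scenario` helper are constructed; 10.10.3.104 and the rules it reproduces come from the thread.

```python
"""Simplified model of ASA access policy evaluation for the hairpin case.

Order modelled (an approximation, not the full ASA pipeline):
  1. untranslate a static-NAT mapped address to pick the egress interface,
  2. a flow that enters and leaves the same interface is dropped unless
     "same-security-traffic permit intra-interface" is configured,
  3. an access list applied to the ingress interface replaces the implicit rules,
  4. with no access list, traffic is implicitly permitted only toward a
     lower security level.
"""
import ipaddress
from dataclasses import dataclass, field

IMPLICIT_DROP = "(acl-drop) Flow is denied by configured rule"


@dataclass
class Interface:
    name: str
    security_level: int
    networks: list            # ipaddress networks reachable via this interface


@dataclass
class Asa:
    interfaces: dict          # name -> Interface
    static_nat: dict          # mapped outside address -> (real address, real interface)
    intra_interface: bool = False          # same-security-traffic permit intra-interface
    acls: dict = field(default_factory=dict)  # ingress interface -> [(proto, dport|"any")]

    def egress_for(self, dst: str):
        """Untranslate a static-NAT mapped address, otherwise route on the destination."""
        if dst in self.static_nat:
            return self.static_nat[dst]
        addr = ipaddress.ip_address(dst)
        for iface in self.interfaces.values():
            if any(addr in net for net in iface.networks):
                return dst, iface.name
        return dst, "outside"                  # default route

    def trace(self, ingress: str, dst: str, proto: str, dport: int):
        """Return (verdict, egress interface, reason) for one flow, packet-tracer style."""
        _real_dst, egress = self.egress_for(dst)
        # 2. Hairpin: same ingress and egress needs explicit permission.
        if ingress == egress and not self.intra_interface:
            return "drop", egress, "Implicit rule: " + IMPLICIT_DROP
        # 3. An access list on the ingress interface replaces the implicit rules.
        if ingress in self.acls:
            for p, port in self.acls[ingress]:
                if p in ("ip", proto) and port in ("any", dport):
                    return "allow", egress, f"access-list on {ingress} permits {proto}/{dport}"
            return "drop", egress, "access-list on " + ingress + ": " + IMPLICIT_DROP
        # 4. No access list: implicit permit only toward a lower security level.
        if self.interfaces[ingress].security_level > self.interfaces[egress].security_level:
            return "allow", egress, "Implicit rule: permit all traffic to less secure networks"
        if ingress == egress:
            return "allow", egress, "same-security-traffic permit intra-interface"
        return "drop", egress, "Implicit rule: " + IMPLICIT_DROP


def thread_scenario(intra_interface: bool, inside_acl: bool) -> Asa:
    """Constructed approximation of the asker's setup (addresses other than the
    inside host are documentation ranges, not theirs)."""
    asa = Asa(
        interfaces={
            "inside": Interface("inside", 100, [ipaddress.ip_network("10.10.0.0/16")]),
            "outside": Interface("outside", 0, [ipaddress.ip_network("203.0.113.0/24")]),
        },
        static_nat={"203.0.113.10": ("10.10.3.104", "inside")},
        intra_interface=intra_interface,
        acls={"outside": [("tcp", 80)]},   # the thread's "any outside tcp/http Permit"
    )
    if inside_acl:
        asa.acls["inside"] = [("ip", "any")]   # the suggested "permit ip any any"
    return asa


if __name__ == "__main__":
    for intra, acl in [(False, False), (True, False), (False, True), (True, True)]:
        asa = thread_scenario(intra, acl)
        print(f"intra-interface={intra!s:5} inside ACL={acl!s:5} ->",
              asa.trace("inside", "203.0.113.10", "tcp", 80))
```

Running it shows the thread's two symptoms side by side: the outside-to-port-80 test passes because the outside access rule permits it, while the inside client's connection to the same address is dropped by the implicit rule until intra-interface traffic is permitted. Adding an inside `permit ip any any` on its own does not help in this model, because the hairpin check is evaluated before the access list, which matches the asker's closing remark that the commands only worked together.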
Hi,
Try the commands below and check:
ASA# configure terminal
ASA(config)# access-list 101 extended permit icmp any any echo-reply
or
ASA(config)# access-list 101 extended permit tcp any any eq www
Then try to browse the site from the other side of the ASA. Type this command and check for the error:
ASA# debug icmp trace (it will show you details of the error message where packets are dropping).
ASKER CERTIFIED SOLUTION
ASKER
In order to get internal traffic to port 80 all of the commands must be implemented together. Once doing so it works.