Cisco ASA 6.4 - unable to access our internal website externally on port 80

We verified that port 80 is open from the outside; however, we are not able to pull up the web page externally.

Access Rule
2  any      outside      tcp/http      Permit      

NAT Rules
2      Static      10.10.3.104  tcp/http      outside      outside      tcp/http      

Packet Tracer
Access-List [Action - Drop]
- Implicit Rule

Result - The packet is dropped
Info: (acl-drop) Flow is denied by configuration rule
Rolando Ramos asked:

Jan Springer commented:
You need DNS doctoring.  If you put the keyword "dns" at the end of the static nat statement for that host, you can use the public fully qualified domain name and get redirected to the internal web site.
0
Rolando Ramos (Author) commented:
Not sure what you mean by putting the keyword dns at the end of the static NAT statement?
(attachment: Access-Rule-ps.png)
0
Jan Springer commented:
Sorry, you're showing me ASDM and I only use CLI.

Can you pull up the CLI within ASDM and do a "sho run nat"?
0
Rolando Ramos (Author) commented:
ciscoasa# sho run nat
nat (inside) 1 0.0.0.0 0.0.0.0
0
Jan Springer commented:
How about:

show run | i static

(make sure that there is a space before and after the pipe)
0
Rolando Ramos (Author) commented:
ciscoasa# show run | i static
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255
0
Jan Springer commented:
That statement needs to be modified (you can do it via multiline mode in the CLI under ASDM):

no static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255 dns
0
Rolando Ramos (Author) commented:
OK, which of the two do I need to send via multi-line mode?

no static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255
or
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255 dns
0
Rolando Ramos (Author) commented:
This is what it shows now for show run | i static:
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255  dns
0
Rolando Ramos (Author) commented:
The syslog reports the following for port 80:
10.10.x.x      55035      71.1.x.x      80 TCP access denied by ACL from 10.10.x.x/55035 to inside:71.1.x.x/80
0
Rolando Ramos (Author) commented:
However, when I run a port test externally it shows that port 80 is open. I have also tested other ports just for the sake of it, like 3389 for RDP. I just can't do any more than see that the port is open, and not much more.
0
Jan Springer commented:
Do you have an access list on the inside interface?

And you may need to permit intra-interface traffic.
0
Rolando Ramos (Author) commented:
Permit intra-interface traffic?

The inside list is the following (Access Rules):

1. Source: Any      Destination: less secure networks      Service: ip      Action: Permit      Description: Implicit rule: Permit all traffic to less secure networks

2. Source: any      Destination: any      Service: ip      Action: Deny      Implicit rule

When I run the packet tracer, under the Access List error it points to #2 above with the Action Drop.
Result for the reason the packet is dropped: (acl-drop) Flow is denied by configured rule
0
Jan Springer commented:
You'll need to create an access list that permits all inside traffic in (essentially a permit ip any any).
0
Rolando Ramos (Author) commented:
The one above, #1 in the ASDM, shows Source: Any, Destination: Any, Service: IP, Action: Permit <- #1 inside seems to be indicating that? Not sure what you mean or what I could add to make it work?
0
Rolando Ramos (Author) commented:
Based on what is showing, it should work: the port designated on our server is 80, and externally it shows as open. The odd thing is that if the port shows open and access list #1 for inside shows Source: Any, Destination: Any, Service: IP, Action: Permit, why does packet tracer ignore #1 (Source: Any, Destination: Any, Service: IP, Action: Permit) and automatically default to #2 (Source: any, Destination: any, Service: ip, Action: Deny, Implicit rule)?

That's what I can see happening. Very odd.
0
Jan Springer commented:
Did you update the config to allow intra-interface traffic?
0
Feroz Ahmed (Senior Network Engineer) commented:
Hi,

Try the commands below and check:

ASA# configure terminal
ASA(config)# access-list 101 extended permit icmp any any echo-reply
or
ASA(config)# access-list 101 extended permit tcp any any eq http

Then try to browse the site from the other side; on the ASA, type this command and check for the error:

ASA# debug icmp trace (it will show you details of the error message and where packets are being dropped).
0
Rolando Ramos (Author) commented:
Ok, so what I did to get it working was

added NAT Rule
      no static (inside,outside)  tcp interface 80 10.10.x.x 80 netmask 255.255.255.255
      clear xlate interface inside local 10.10.x.x netmask 255.255.255.255 gport 80
      static (inside,outside)  tcp interface 80 10.10.x.x 80 netmask 255.255.255.255 dns tcp 0 0 udp 0A

Access-List
      object-group service DM_INLINE_SERVICE_2
        service-object tcp eq http
      access-list ACL-OUTSIDE line 1 extended permit object-group DM_INLINE_SERVICE_2 any interface outside
      no access-list ACL-OUTSIDE line 2 extended permit tcp any interface outside object-group DM_INLINE_TCP_2
      no object-group service DM_INLINE_TCP_2 tcp

People can now access from external to internal but not internal to internal by typing in test.com.
0

Rolando Ramos (Author) commented:
In order to get internal traffic to port 80 all of the commands must be implemented together. Once doing so it works.
0
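A small audit check for the fix this thread settles on, added here as an example (it is not code from the thread or from Cisco): it parses 8.2-style static NAT lines as printed by show run | i static and lists the entries that lack the dns keyword, i.e. statics for which DNS doctoring is not enabled and inside hosts therefore cannot reach the server by its public name. The sample output is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "show run | i static" output in the 8.2-style syntax seen
# in the thread. These are made-up lines, not any real device's configuration.
SAMPLE_STATIC_OUTPUT = """\
static (inside,outside) tcp interface www Exchange-Server-Int www netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.10.3.104 443 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.50.10 10.10.3.50 netmask 255.255.255.255
"""

# Matches both the port-forwarding form (tcp|udp mapped_ip mapped_port real_ip real_port)
# and the plain one-to-one form (mapped_ip real_ip); "opts" holds everything after the mask.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)"
    r"(?:\s+(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
    r"|\s+(?P<mapped_ip2>\S+)\s+(?P<real_ip2>\S+))"
    r"\s+netmask\s+\S+(?P<opts>.*)$"
)

@dataclass
class StaticNat:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None for the one-to-one form
    mapped_ip: str              # "interface" means the mapped interface's own address
    mapped_port: Optional[str]
    real_ip: str
    real_port: Optional[str]
    dns_doctoring: bool         # True when the trailing options contain "dns"

def parse_static_lines(text: str) -> List[StaticNat]:
    """Parse 8.2-style static NAT statements; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        entries.append(StaticNat(
            real_if=g["real_if"], mapped_if=g["mapped_if"], proto=g["proto"],
            mapped_ip=g["mapped_ip"] or g["mapped_ip2"], mapped_port=g["mapped_port"],
            real_ip=g["real_ip"] or g["real_ip2"], real_port=g["real_port"],
            dns_doctoring="dns" in g["opts"].split(),
        ))
    return entries

def entries_without_dns_doctoring(text: str) -> List[StaticNat]:
    # Statics that inside clients cannot reach via the public DNS name (no "dns" keyword).
    return [e for e in parse_static_lines(text) if not e.dns_doctoring]
```

Run it against the real output of show run | i static (copied from the CLI) and any entry it lists is a candidate for the "no static ... / static ... dns" pair shown earlier in the thread.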