Avatar of Mr.NovaL
Mr.NovaLFlag for United States of America asked on

ASA 5510 - Access Website externally.

We currently have a website that was published on the intranet and is available to users. I am trying to make it accessible outside of the network.  I have updated the settings below in the ASA ASDM yet it seems like I am missing a step since I am not able to access the site externally.  As an fyi there are other ports that are open that allow access to functioning sites available externally.

Access Rule - Done
NAT Rules - Done
Network Object - done
Service Object - done
ACL Manager - Complete
Network AnalysisNetworkingRoutersCiscoRemote Access

Avatar of undefined
Last Comment
Mr.NovaL

8/22/2022 - Mon
El Fierro

what version of asa are you running? can you access your site via external ip? iis or apache?  what about your dns?
Pete Long

Is the server on its own public IP, or are you port forwarding the traffic from the outside interface of the ASA? (Port Forwarding)

As mentioned above make sure it works internally before you do anything further.

Then you can NMAP from outside to see if ports 80/443 are open. Also use packet tracer (it on the tools meant in the ASDM.

Pete
ASKER
Mr.NovaL

This is ASA 5510 ASDM v7.1
Using IIS

The site is accessible internally.

I am trying to access the website via  the outside ip address:port

It is currently using port 85 from the "webserver" for the internal connection.  

The server does not have its own public ip address. I will be using port forwarding.
Your help has saved me hundreds of hours of internet surfing.
fblack61
El Fierro

out of curiosity why aren't you using port 80? can you post the config ?
ASKER
Mr.NovaL

This was partially setup before I got here and I have been tasked to finish the project and get it working.

However, I have tried using port 80 it fails when trying to connect from the outside.
Ernie Beek

Like stated above, I think we be able to assist you better when you post (part of) your configuration. Of course you can sanitize it first.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Mr.NovaL

I just noticed when doing the show config the nat for the webserver "time clock server" does not show even though it is configured.  As an fyi each thermostat is viable outside of the network.

Result of the command: "show config"
!
ASA Version 9.1(4)
!
hostname FFFF-5510-1
domain-name FFFF.Systems
enable password XXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXX encrypted
names
dns-guard
ip local pool ipad-vpn-pool 192.168.150.100-192.168.150.150 mask 255.255.255.0
!
interface Ethernet0/0
 description -> router
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 111.11.1.1 255.255.255.0
!
interface Ethernet0/1
 description ->(Cisco 1841)-->(T1)-->(Cisco 1841)-->lAve
 nameif lAve
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 description
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 00.000.000.00 255.255.255.0
!
interface Ethernet0/3
 nameif backup
 security-level 0
 ip address 222.222.2.22 255.255.255.248
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
boot system disk0:/asa914-k8.bin
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup backup
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.10.X.X
 name-server 10.10.X.X
 name-server 10.10.X.X
 name-server 10.10.X.X
 domain-name FFFF.Systems
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-network()
 subnet 1XX.16.1.0 255.255.255.0
object network iPad-VPN-NET
 subnet 192.168.150.0 255.255.255.0
object network Fl.Ave-Network
 subnet 192.168.60.0 255.255.255.0
object service FileMaker
 service tcp destination eq 5XXX
 description FileMaker            
object network Security-Maint
 subnet 192.168.55.0 255.255.255.0
object service Syncrify
 service tcp destination eq 5XXX
object network 10.10-Net
 subnet 10.10.0.0 255.255.0.0
object service 8e6_SSH
 service tcp destination eq 5XXX
object service RDP(Inside)
 service tcp destination eq 3XXX
object network Server-10
 host 10.10.10.12
object service Torrent
 service tcp destination eq 42XXX
object network Apps-Server
 host 10.10.10.100
object service MumbleTCP
 service tcp destination eq 64XXX
object service MumbleUDP
 service udp destination eq 64XXX
object service RDP(Server10)
 service tcp destination eq 63XXX
object service Spiceworks(Inside)
 service tcp destination eq https
object service Spiceworks(Outside)
 service tcp destination eq 14XX
object network TimeClockServer
 host 10.10.35.1
 description Time Clock Server  
object network Helpdesk_VM
 host 10.10.10.10
 description Spiceworks Server  
object network FFFFACCT-Network
 subnet 192.168.2.0 255.255.255.0
object service FTP
 service tcp destination eq ftp
object service FTP-data
 service tcp destination eq ftp-data
object service PLEX
 service tcp destination eq 32XXX
object service RDP(TimeClockServer)
 service tcp destination eq 63XXX
object network Thermostat-_SE_Kitchen
 host 10.10.25.61
object network Thermostat-SMRC_Main_Mezanine
 host 10.10.25.21
object network Thermostat-_NW_Rooms_ABC
 host 10.10.25.64
object network Thermostat-_SW_Rooms_DEF
 host 10.10.25.65
object network Thermostat-_2nd_Floor
 host 10.10.25.62
object service Thermostats-35021
 service tcp destination eq 000
object service Thermostats-35061
 service tcp destination eq 000
object service Thermostats-35062
 service tcp destination eq 000
object service Thermostats-35064
 service tcp destination eq 000
object service Thermostats-35065
 service tcp destination eq 000
object service HTTP
 service tcp destination eq www
object network MASH-NET
 subnet 192.168.2.0 255.255.255.0
object network OPP-Net
 subnet 10.20.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object Fl.Ave-Network
 network-object object inside-network()
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_3
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_4
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service DM_INLINE_SERVICE_2
 service-object object RDP(Server10)
 service-object object RDP(Inside)
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_3
 service-object object RDP(Inside)
 service-object object RDP(TimeClockServer)
object-group service DM_INLINE_SERVICE_4
 service-object object Spiceworks(Inside)
 service-object object Spiceworks(Outside)
object-group network DM_INLINE_NETWORK_2
 network-object object 10.10-Net
 network-object object inside-network()
object-group network DM_INLINE_NETWORK_3
 network-object object 10.10-Net
 network-object object inside-network()
object-group service Thermostats
 service-object object Thermostats-35021
 service-object object Thermostats-35061
 service-object object Thermostats-35062
 service-object object Thermostats-35064
 service-object object Thermostats-35065
object-group network DM_INLINE_NETWORK_4
 network-object object Thermostat-_2nd_Floor
 network-object object Thermostat-_NW_Rooms_ABC
 network-object object Thermostat-_SE_Kitchen
 network-object object Thermostat-_SW_Rooms_DEF
 network-object object Thermostat-_Main_Mezanine
object-group service DM_INLINE_SERVICE_5
 group-object Thermostats
 service-object tcp destination eq www
object-group network DM_INLINE_NETWORK_5
 network-object object 10.10-Net
 network-object object inside-network()
access-list LAN_access_in extended permit ip object inside-network() object lAve-Network
access-list LAN_access_in extended permit ip any object MASH-NET
access-list LAN_access_in extended permit ip any object OPP-Net
access-list LAN_access_in extended permit ip any4 object iPad-VPN-NET
access-list LAN_access_in extended permit ip object iPad-VPN-NET any4
access-list LAN_access_in extended permit ip any4 any4
access-list LAN_access_in extended deny ip any4 any4
access-list Backup_access_in extended permit icmp any4 any4 object-group DM_INLINE_ICMP_4
access-list Backup_access_in extended deny ip any4 any4
access-list LAN_access_in_1 extended permit ip any4 any4
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object OPPIDAN-Net
access-list IPAD1-acl standard permit 192.168.60.0 255.255.255.0
access-list IPAD1-acl standard permit 10.10.0.0 255.255.0.0
access-list NAT extended permit ip object inside-network() object iPad-VPN-NET
access-list VPN extended permit ip object-group DM_INLINE_NETWORK_1 object iPad-VPN-NET
access-list lAve_access_in extended permit ip any4 any4
access-list lAve_access_in extended deny ip any4 any4
access-list Maintenance_access_in extended permit icmp any4 any4
access-list Maintenance_access_in extended permit ip any4 any4
access-list outside_access_in extended permit icmp any4 any4 object-group DM_INLINE_ICMP_3
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any4 object Server-10
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object TimeClockServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Helpdesk_VM
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any4 object-group DM_INLINE_NETWORK_4
access-list outside_access_in extended deny ip any4 any4
access-list MASH_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object MASH-NET
access-list backup_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_5 object MASH-NET
access-list backup_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_2 object OPP-Net
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu FlAve 1500
mtu outside 1500
mtu backup 1300
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any backup
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,any) source static any any destination static interface Server-10 service Syncrify Syncrify
nat (outside,any) source static any any destination static interface Server-10 service RDP(Server10) RDP(Inside)
nat (outside,any) source static any any destination static interface TimeClockServer service RDP(TimeClockServer) RDP(Inside)
nat (outside,any) source static any any destination static interface Helpdesk_VM service Spiceworks(Outside) Spiceworks(Inside)
nat (outside,any) source static any any destination static interface Thermostat-_Main_Mezanine service Thermostats-35021 HTTP
nat (outside,any) source static any any destination static interface Thermostat-_Kitchen service Thermostats-35061 HTTP
nat (outside,any) source static any any destination static interface Thermostat-_2nd_Floor service Thermostats-35062 HTTP
nat (outside,any) source static any any destination static interface Thermostat-_NW_Rooms_ABC service Thermostats-35064 HTTP
nat (outside,any) source static any any destination static interface Thermostat-_SW_Rooms_DEF service Thermostats-35065 HTTP
nat (inside,any) source static 10.10-Net 10.10-Net destination static OPP-Net OPP-Net no-proxy-arp route-lookup
nat (inside,any) source static inside-network() inside-network() destination static OPP-Net OPP-Net no-proxy-arp route-lookup
nat (inside,any) source static 10.10-Net 10.10-Net destination static MASH-NET MASH-NET no-proxy-arp route-lookup
nat (inside,any) source static inside-network() inside-network() destination static Accounting-NET Accounting-NET no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (inside,backup) source dynamic any interface
nat (any,any) source static iPad-VPN-NET iPad-VPN-NET no-proxy-arp
nat (any,any) source static any any destination static iPad-VPN-NET iPad-VPN-NET
!
object network lAve-Network
 nat (any,outside) dynamic interface
object network 10.10-Net
 nat (any,outside) dynamic interface
access-group LAN_access_in_1 in interface inside control-plane
access-group LAN_access_in in interface inside
access-group lAve_access_in in interface lAve
access-group outside_access_in in interface outside
access-group Backup_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 67.208.197.1 128 track 1
route backup 0.0.0.0 0.0.0.0 96.94.7.54 200
route inside 10.10.0.0 255.255.0.0 172.16.1.2 1
route inside 192.168.50.0 255.255.255.0 172.16.1.2 1
route inside 192.168.55.0 255.255.255.0 172.16.1.2 1
route lAve 192.168.60.0 255.255.255.0 192.168.1.70 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http server session-timeout 60
http 192.0.0.0 255.255.255.0 management
http 172.0.0.0 255.255.255.0 inside
http 10.10.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 backup
no snmp-server location
no snmp-server contact

!
track 1 rtr 1 reachability
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 10
management-access inside
dhcpd address 192.168.4.2-192.168.4.20 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
 class class-default
  user-statistics accounting
!
NAT.JPG
Ernie Beek

So it's the TimeClockServer we're talking about?
I do see this one: nat (outside,any) source static any any destination static interface TimeClockServer service RDP(TimeClockServer) RDP(Inside)

When you try to connect to the webserver from the outside, does anything show up in the (ASDM) log?
ASKER
Mr.NovaL

Yes we are talking about the Time Clock server. That setting is for rdp which works from the outside. When trying to connect from outside of the network I get connection denied on the ASDM.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Ian Arakel

Hi There,

is the timeclock server a Linux server?
Kindly verify the IP tables in that case.
The understanding is that the RDP port forwarding for this server works whereas the HTTP port forwarding does not work.
Ernie Beek

What happens if you add the NAT statement again through the CLI? Is it giving you any errors?
ASKER
Mr.NovaL

After restarting the ASDM I was able to get the NAT configuration to show in the config.

@Ian: The server is windows. You are correct the RDP port forwarding and Intranet website works for this server; connecting externally to the website does not.  

(working) intranet: webserver ip:port/index.html

am I missing something?
external: outside ip:port/index.html
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER CERTIFIED SOLUTION
Mr.NovaL

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Ernie Beek

Should be something like: http://www.website.com:1234
ASKER
Mr.NovaL

Most of the responses were questions not suggestions.