
ASA 5510 - Access Website externally.

Last Modified: 2016-04-19
We currently have a website that was published on the intranet and is available to users. I am trying to make it accessible outside of the network.  I have updated the settings below in the ASA ASDM yet it seems like I am missing a step since I am not able to access the site externally.  As an fyi there are other ports that are open that allow access to functioning sites available externally.

Access Rule - Done
NAT Rules - Done
Network Object - done
Service Object - done
ACL Manager - Complete

El FierroNetwork Engineer

Commented:
What version of ASA are you running? Can you access your site via the external IP? IIS or Apache? What about your DNS?
Pete LongTechnical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Is the server on its own public IP, or are you port forwarding the traffic from the outside interface of the ASA? (Port Forwarding)

As mentioned above make sure it works internally before you do anything further.

Then you can NMAP from outside to see if ports 80/443 are open. Also use packet tracer (it's on the Tools menu in the ASDM).

Pete
Mr.NovaLIT Director

Author

Commented:
This is ASA 5510 ASDM v7.1
Using IIS

The site is accessible internally.

I am trying to access the website via the outside ip address:port

It is currently using port 85 from the "webserver" for the internal connection.

The server does not have its own public ip address. I will be using port forwarding.
El FierroNetwork Engineer

Commented:
Out of curiosity, why aren't you using port 80? Can you post the config?
Mr.NovaLIT Director

Author

Commented:
This was partially setup before I got here and I have been tasked to finish the project and get it working.

However, I have tried using port 80 it fails when trying to connect from the outside.
Ernie BeekSenior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
Like stated above, I think we'll be able to assist you better when you post (part of) your configuration. Of course you can sanitize it first.
Mr.NovaLIT Director

Author

Commented:
I just noticed when doing the show config that the NAT for the webserver "time clock server" does not show even though it is configured. As an FYI, each thermostat is viable outside of the network.

Result of the command: "show config"
!
ASA Version 9.1(4)
!
hostname FFFF-5510-1
domain-name FFFF.Systems
enable password XXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXX encrypted
names
dns-guard
ip local pool ipad-vpn-pool 192.168.150.100-192.168.150.150 mask 255.255.255.0
!
interface Ethernet0/0
 description -> router
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 111.11.1.1 255.255.255.0
!
interface Ethernet0/1
 description ->(Cisco 1841)-->(T1)-->(Cisco 1841)-->lAve
 nameif lAve
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 description
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 00.000.000.00 255.255.255.0
!
interface Ethernet0/3
 nameif backup
 security-level 0
 ip address 222.222.2.22 255.255.255.248
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
boot system disk0:/asa914-k8.bin
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup backup
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.10.X.X
 name-server 10.10.X.X
 name-server 10.10.X.X
 name-server 10.10.X.X
 domain-name FFFF.Systems
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-network()
 subnet 1XX.16.1.0 255.255.255.0
object network iPad-VPN-NET
 subnet 192.168.150.0 255.255.255.0
object network Fl.Ave-Network
 subnet 192.168.60.0 255.255.255.0
object service FileMaker
 service tcp destination eq 5XXX
 description FileMaker            
object network Security-Maint
 subnet 192.168.55.0 255.255.255.0
object service Syncrify
 service tcp destination eq 5XXX
object network 10.10-Net
 subnet 10.10.0.0 255.255.0.0
object service 8e6_SSH
 service tcp destination eq 5XXX
object service RDP(Inside)
 service tcp destination eq 3XXX
object network Server-10
 host 10.10.10.12
object service Torrent
 service tcp destination eq 42XXX
object network Apps-Server
 host 10.10.10.100
object service MumbleTCP
 service tcp destination eq 64XXX
object service MumbleUDP
 service udp destination eq 64XXX
object service RDP(Server10)
 service tcp destination eq 63XXX
object service Spiceworks(Inside)
 service tcp destination eq https
object service Spiceworks(Outside)
 service tcp destination eq 14XX
object network TimeClockServer
 host 10.10.35.1
 description Time Clock Server  
object network Helpdesk_VM
 host 10.10.10.10
 description Spiceworks Server  
object network FFFFACCT-Network
 subnet 192.168.2.0 255.255.255.0
object service FTP
 service tcp destination eq ftp
object service FTP-data
 service tcp destination eq ftp-data
object service PLEX
 service tcp destination eq 32XXX
object service RDP(TimeClockServer)
 service tcp destination eq 63XXX
object network Thermostat-_SE_Kitchen
 host 10.10.25.61
object network Thermostat-SMRC_Main_Mezanine
 host 10.10.25.21
object network Thermostat-_NW_Rooms_ABC
 host 10.10.25.64
object network Thermostat-_SW_Rooms_DEF
 host 10.10.25.65
object network Thermostat-_2nd_Floor
 host 10.10.25.62
object service Thermostats-35021
 service tcp destination eq 000
object service Thermostats-35061
 service tcp destination eq 000
object service Thermostats-35062
 service tcp destination eq 000
object service Thermostats-35064
 service tcp destination eq 000
object service Thermostats-35065
 service tcp destination eq 000
object service HTTP
 service tcp destination eq www
object network MASH-NET
 subnet 192.168.2.0 255.255.255.0
object network OPP-Net
 subnet 10.20.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object Fl.Ave-Network
 network-object object inside-network()
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_3
 icmp-object time-exceeded
 icmp-object unreachable
 icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_4
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service DM_INLINE_SERVICE_2
 service-object object RDP(Server10)
 service-object object RDP(Inside)
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_3
 service-object object RDP(Inside)
 service-object object RDP(TimeClockServer)
object-group service DM_INLINE_SERVICE_4
 service-object object Spiceworks(Inside)
 service-object object Spiceworks(Outside)
object-group network DM_INLINE_NETWORK_2
 network-object object 10.10-Net
 network-object object inside-network()
object-group network DM_INLINE_NETWORK_3
 network-object object 10.10-Net
 network-object object inside-network()
object-group service Thermostats
 service-object object Thermostats-35021
 service-object object Thermostats-35061
 service-object object Thermostats-35062
 service-object object Thermostats-35064
 service-object object Thermostats-35065
object-group network DM_INLINE_NETWORK_4
 network-object object Thermostat-_2nd_Floor
 network-object object Thermostat-_NW_Rooms_ABC
 network-object object Thermostat-_SE_Kitchen
 network-object object Thermostat-_SW_Rooms_DEF
 network-object object Thermostat-_Main_Mezanine
object-group service DM_INLINE_SERVICE_5
 group-object Thermostats
 service-object tcp destination eq www
object-group network DM_INLINE_NETWORK_5
 network-object object 10.10-Net
 network-object object inside-network()
access-list LAN_access_in extended permit ip object inside-network() object lAve-Network
access-list LAN_access_in extended permit ip any object MASH-NET
access-list LAN_access_in extended permit ip any object OPP-Net
access-list LAN_access_in extended permit ip any4 object iPad-VPN-NET
access-list LAN_access_in extended permit ip object iPad-VPN-NET any4
access-list LAN_access_in extended permit ip any4 any4
access-list LAN_access_in extended deny ip any4 any4
access-list Backup_access_in extended permit icmp any4 any4 object-group DM_INLINE_ICMP_4
access-list Backup_access_in extended deny ip any4 any4
access-list LAN_access_in_1 extended permit ip any4 any4
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object OPPIDAN-Net
access-list IPAD1-acl standard permit 192.168.60.0 255.255.255.0
access-list IPAD1-acl standard permit 10.10.0.0 255.255.0.0
access-list NAT extended permit ip object inside-network() object iPad-VPN-NET
access-list VPN extended permit ip object-group DM_INLINE_NETWORK_1 object iPad-VPN-NET
access-list lAve_access_in extended permit ip any4 any4
access-list lAve_access_in extended deny ip any4 any4
access-list Maintenance_access_in extended permit icmp any4 any4
access-list Maintenance_access_in extended permit ip any4 any4
access-list outside_access_in extended permit icmp any4 any4 object-group DM_INLINE_ICMP_3
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any4 object Server-10
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object TimeClockServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Helpdesk_VM
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any4 object-group DM_INLINE_NETWORK_4
access-list outside_access_in extended deny ip any4 any4
access-list MASH_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object MASH-NET
access-list backup_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_5 object MASH-NET
access-list backup_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_2 object OPP-Net
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu FlAve 1500
mtu outside 1500
mtu backup 1300
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any backup
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,any) source static any any destination static interface Server-10 service Syncrify Syncrify
nat (outside,any) source static any any destination static interface Server-10 service RDP(Server10) RDP(Inside)
nat (outside,any) source static any any destination static interface TimeClockServer service RDP(TimeClockServer) RDP(Inside)
nat (outside,any) source static any any destination static interface Helpdesk_VM service Spiceworks(Outside) Spiceworks(Inside)
nat (outside,any) source static any any destination static interface Thermostat-_Main_Mezanine service Thermostats-35021 HTTP
nat (outside,any) source static any any destination static interface Thermostat-_Kitchen service Thermostats-35061 HTTP
nat (outside,any) source static any any destination static interface Thermostat-_2nd_Floor service Thermostats-35062 HTTP
nat (outside,any) source static any any destination static interface Thermostat-_NW_Rooms_ABC service Thermostats-35064 HTTP
nat (outside,any) source static any any destination static interface Thermostat-_SW_Rooms_DEF service Thermostats-35065 HTTP
nat (inside,any) source static 10.10-Net 10.10-Net destination static OPP-Net OPP-Net no-proxy-arp route-lookup
nat (inside,any) source static inside-network() inside-network() destination static OPP-Net OPP-Net no-proxy-arp route-lookup
nat (inside,any) source static 10.10-Net 10.10-Net destination static MASH-NET MASH-NET no-proxy-arp route-lookup
nat (inside,any) source static inside-network() inside-network() destination static Accounting-NET Accounting-NET no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (inside,backup) source dynamic any interface
nat (any,any) source static iPad-VPN-NET iPad-VPN-NET no-proxy-arp
nat (any,any) source static any any destination static iPad-VPN-NET iPad-VPN-NET
!
object network lAve-Network
 nat (any,outside) dynamic interface
object network 10.10-Net
 nat (any,outside) dynamic interface
access-group LAN_access_in_1 in interface inside control-plane
access-group LAN_access_in in interface inside
access-group lAve_access_in in interface lAve
access-group outside_access_in in interface outside
access-group Backup_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 67.208.197.1 128 track 1
route backup 0.0.0.0 0.0.0.0 96.94.7.54 200
route inside 10.10.0.0 255.255.0.0 172.16.1.2 1
route inside 192.168.50.0 255.255.255.0 172.16.1.2 1
route inside 192.168.55.0 255.255.255.0 172.16.1.2 1
route lAve 192.168.60.0 255.255.255.0 192.168.1.70 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http server session-timeout 60
http 192.0.0.0 255.255.255.0 management
http 172.0.0.0 255.255.255.0 inside
http 10.10.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 backup
no snmp-server location
no snmp-server contact

!
track 1 rtr 1 reachability
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 10
management-access inside
dhcpd address 192.168.4.2-192.168.4.20 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
 class class-default
  user-statistics accounting
!
NAT.JPG
Ernie BeekSenior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
So it's the TimeClockServer we're talking about?
I do see this one: nat (outside,any) source static any any destination static interface TimeClockServer service RDP(TimeClockServer) RDP(Inside)

When you try to connect to the webserver from the outside, does anything show up in the (ASDM) log?
Mr.NovaLIT Director

Author

Commented:
Yes we are talking about the Time Clock server. That setting is for rdp which works from the outside. When trying to connect from outside of the network I get connection denied on the ASDM.
Ian ArakelNetwork Lead: Data and Security
Top Expert 2016

Commented:
Hi There,

Is the time clock server a Linux server?
Kindly verify the iptables in that case.
The understanding is that the RDP port forwarding for this server works whereas the HTTP port forwarding does not work.
Ernie BeekSenior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
What happens if you add the NAT statement again through the CLI? Is it giving you any errors?
Mr.NovaLIT Director

Author

Commented:
After restarting the ASDM I was able to get the NAT configuration to show in the config.

@Ian: The server is Windows. You are correct, the RDP port forwarding and the intranet website work for this server; connecting externally to the website does not.

(working) intranet: webserver ip:port/index.html
external: outside ip:port/index.html

Am I missing something?
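Pete's packet-tracer suggestion and Ernie's "add the NAT again through the CLI" both come down to one question: does the forward have both halves, a twice-NAT rule that maps an outside port onto the real host and an outside_access_in entry that permits the real (untranslated) service to that host? Since ASA 8.3 the interface ACL is evaluated against the real destination, so the ACL must name the inside service, not the mapped one. The script below is an added example, not code from the thread or from Cisco: it embeds a constructed subset of the posted show config (ports masked exactly as on the page), parses only the line shapes that appear there (the regexes are a hypothetical parser, not an ASA feature), and reports per forward whether the ACL covers the real service.

```python
"""Cross-check ASA twice-NAT port forwards against the outside ACL.

Added example, not from the thread or from Cisco. For every
`nat (outside,any) ... service MAPPED REAL` line it asks whether
outside_access_in permits the REAL service object to the REAL host,
which is what an ASA 8.3+ interface ACL is matched against.
"""
import re
from collections import namedtuple

Forward = namedtuple("Forward", "host mapped_svc real_svc")

# Constructed sample: a subset of the configuration posted in the thread.
SAMPLE_CONFIG = """\
object service Syncrify
 service tcp destination eq 5XXX
object service RDP(Inside)
 service tcp destination eq 3XXX
object network Server-10
 host 10.10.10.12
object service RDP(Server10)
 service tcp destination eq 63XXX
object network TimeClockServer
 host 10.10.35.1
object service RDP(TimeClockServer)
 service tcp destination eq 63XXX
object-group service DM_INLINE_SERVICE_2
 service-object object RDP(Server10)
 service-object object RDP(Inside)
object-group service DM_INLINE_SERVICE_3
 service-object object RDP(Inside)
 service-object object RDP(TimeClockServer)
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any4 object Server-10
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object TimeClockServer
access-list outside_access_in extended deny ip any4 any4
nat (outside,any) source static any any destination static interface Server-10 service Syncrify Syncrify
nat (outside,any) source static any any destination static interface Server-10 service RDP(Server10) RDP(Inside)
nat (outside,any) source static any any destination static interface TimeClockServer service RDP(TimeClockServer) RDP(Inside)
"""

# Unindented line shapes we understand (hypothetical parser, exact shapes from the thread).
TOP = [
    ("service", re.compile(r"object service (\S+)$")),
    ("network", re.compile(r"object network (\S+)$")),
    ("group", re.compile(r"object-group service (\S+)$")),
    ("permit", re.compile(r"access-list outside_access_in extended permit object-group (\S+) \S+ object (\S+)$")),
    ("nat", re.compile(r"nat \(outside,any\) source static any any destination static interface (\S+) service (\S+) (\S+)$")),
]


def parse_config(text):
    """Collect service objects, host objects, service groups, ACL permits and NAT forwards."""
    cfg = {"services": {}, "hosts": {}, "groups": {}, "permits": [], "forwards": []}
    block = None  # (kind, name) of the object whose indented member lines follow
    for line in text.splitlines():
        if line.startswith(" "):  # member line of the current object block
            body, (kind, name) = line.strip(), block or ("", "")
            if kind == "service" and (m := re.match(r"service (tcp|udp) destination eq (\S+)$", body)):
                cfg["services"][name] = (m[1], m[2])
            elif kind == "network" and (m := re.match(r"host (\S+)$", body)):
                cfg["hosts"][name] = m[1]
            elif kind == "group" and (m := re.match(r"service-object object (\S+)$", body)):
                cfg["groups"][name].append(m[1])
            continue
        block = None
        for kind, pattern in TOP:
            if m := pattern.match(line):
                if kind == "permit":
                    cfg["permits"].append((m[1], m[2]))
                elif kind == "nat":
                    cfg["forwards"].append(Forward(*m.groups()))
                else:
                    block = (kind, m[1])
                    if kind == "group":
                        cfg["groups"][m[1]] = []
                break
    return cfg


def permitted_services(cfg, host):
    """Service objects the outside ACL permits towards the real address of `host`."""
    return {svc for grp, dst in cfg["permits"] if dst == host for svc in cfg["groups"].get(grp, [])}


def check_forwards(cfg):
    """One (host, mapped_port, real_port, verdict) tuple per NAT forward."""
    out = []
    for fw in cfg["forwards"]:
        mapped = cfg["services"].get(fw.mapped_svc, ("?", "?"))[1]
        real = cfg["services"].get(fw.real_svc, ("?", "?"))[1]
        if fw.host not in cfg["hosts"]:
            verdict = "network object missing"
        elif fw.real_svc in permitted_services(cfg, fw.host):
            verdict = "ok"
        else:
            verdict = "ACL does not permit real service"
        out.append((fw.host, mapped, real, verdict))
    return out


def forwards_to_port(cfg, host, real_port):
    """Outside ports that land on `real_port` of `host`; an empty list means no forward exists."""
    return sorted(cfg["services"].get(fw.mapped_svc, ("?", "?"))[1] for fw in cfg["forwards"]
                  if fw.host == host and cfg["services"].get(fw.real_svc, ("?", "?"))[1] == real_port)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for row in check_forwards(cfg):
        print("%-16s outside:%-6s -> real:%-6s %s" % row)
    print("forwards landing on TimeClockServer www:", forwards_to_port(cfg, "TimeClockServer", "www"))
```

On the embedded subset it reports both RDP forwards as covered (RDP(Inside) is in each ACL group), the Syncrify forward to Server-10 as lacking a permit in DM_INLINE_SERVICE_2, and no forward at all that lands on a www service of TimeClockServer, which is the state the posted config is in for the time clock website. On the box itself, `packet-tracer input outside tcp <source-ip> 1025 <outside-ip> <port>` shows the same thing phase by phase.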
Ernie BeekSenior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
Should be something like: http://www.website.com:1234
Mr.NovaLIT Director

Author

Commented:
Most of the responses were questions not suggestions.
