Cisco ASA Issue

Status
Not open for further replies.

cksrealm

ISP
Nov 10, 2001
Hi All, we have just bought two Cisco ASAs that I have set up in a failover pair. Having some issues with the access lists, however.
I have created an access-list that permits any source to access a web server on the DMZ (using NAT). However, when I browse to the "real" NATted address I am getting errors on the ASA saying that the request has been blocked by the implicit deny any statement. I totally understand that; however, why, if I have created an access list that allows http traffic to the Internet address of the webserver, should I be getting it? I can post config if required.

Any idea?
 
Hi,

Please post configs minus sensitive info...

Peter
CCNA, Cisco Qualified Specialist
 
Config As Requested.


FIREWALL-ASA5510-PKR# show run
: Saved
:
ASA Version 7.2(2)19
!
hostname FIREWALL-ASA5510-PKR
domain-name default.domain.invalid
enable password xxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
description Live Internet Interface
nameif Live_Internet
security-level 0
ip address x.x.x.x 255.255.255.224
!
interface Ethernet0/1
description Customer Network
nameif Customer_Net
security-level 10
ip address 172.17.4.2 255.255.252.0
!
interface Ethernet0/2
description Protected Network
nameif Protected_Net
security-level 100
ip address 192.9.224.2 255.255.255.0
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
description Live Network Interface
nameif Live_Net
security-level 100
ip address 192.9.230.2 255.255.255.0
!
passwd xxxxxxxxxxxxxxx encrypted
banner exec Welcome to the ASA
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ISAKMP udp
port-object eq isakmp
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 195.167.187.224 255.255.255.224
access-list Live_Net_access_in extended permit icmp any 192.9.230.0 255.255.255.0
access-list outside_acl extended permit tcp any host 192.9.224.4 eq www
access-list Live_Internet_access_in extended permit tcp any host 195.167.187.230 eq www
pager lines 24
logging enable
logging timestamp
logging emblem
logging list IPSEC_MONITOR level critical
logging list IPSEC_MONITOR message 611101-611323
logging buffer-size 100000
logging trap informational
logging asdm informational
logging facility 16
logging host Live_Net 192.9.200.185
logging debug-trace
logging permit-hostdown
mtu Live_Internet 1500
mtu Customer_Net 1500
mtu Protected_Net 1500
mtu Live_Net 1500
failover
failover link FAILOVER Ethernet0/3
failover interface ip FAILOVER 1.1.1.2 255.255.255.0 standby 1.1.1.1
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Live_Internet
icmp permit any Live_Net
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Protected_Net) 1 x.x.x.x
access-group Live_Internet_access_in in interface Live_Internet
route Live_Internet 0.0.0.0 0.0.0.0 195.167.178.113 1
route Customer_Net 172.0.0.0 255.0.0.0 172.17.4.252 1
route Live_Net 192.9.200.0 255.255.255.0 192.9.230.246 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
default-domain value cognito.co.uk
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
http server enable
http 192.9.200.0 255.255.255.0 Live_Net
snmp-server host Live_Net 192.9.200.185 community cognito
snmp-server location Park Royal CAB1
snmp-server contact Cognito Network Operations
snmp-server community cognito
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *

telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
/tftpboot/FIREWALL1-ASA5510-PKR.config
smtp-server x.x.x.x
client-update enable
prompt hostname context
Cryptochecksum:e3257d4a45a9529ff69dd252c8ae2998
: end
 
Your ACL needs to reference the external IP and not the internal IP
access-list Live_Internet_access_in extended permit tcp any host 195.167.187.230 eq www
should be
access-list Live_Internet_access_in extended permit tcp any host x.x.x.x eq www

You will also need a static to tie those two IPs together

static (Protected_Net,Live_Internet) tcp x.x.x.x 80 195.167.187.230 80 netmask 255.255.255.255


Brent
Systems Engineer / Consultant
CCNP, CCSP
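Brent's answer rests on the order in which an ASA running pre-8.3 software (the thread's box is 7.2(2)) processes an inbound connection: the access-group on the low-security interface is matched against the packet as it arrives on the wire, so the destination it sees is the mapped (global) address, and the static NAT is only consulted afterwards to untranslate a permitted packet to the real server. The following simulation is an added example written for this page, not Cisco code and not from anyone in the thread. It parses the thread's own ACE and static syntax and walks a packet through both steps; 203.0.113.10 is a constructed stand-in for the x.x.x.x the poster redacted, 198.51.100.7 is a constructed client address, and 195.167.187.230 is taken from Brent's static line as the real server. (From 8.3 onward the ASA reverses this and ACLs reference real addresses, so the example deliberately models the older behaviour.)

```python
"""Added example: model of pre-8.3 ASA inbound processing on a low-security interface.
  1. The interface ACL is evaluated against the UNTRANSLATED (mapped) destination,
     with an implicit deny at the end of the list.
  2. Only a permitted packet is then untranslated through a static NAT to the real host.
Hence an ACE naming the inside (real) address can never match an inbound Internet packet."""
import ipaddress
import re
from collections import namedtuple

WELL_KNOWN = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?$"
)
Ace = namedtuple("Ace", "action proto src dst dport")
Static = namedtuple("Static", "real_if mapped_if proto mapped_ip mapped_port real_ip real_port")


def parse_port(tok):
    return int(tok) if tok.isdigit() else WELL_KNOWN[tok]


def parse_net(tok):
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' -> IPv4Network."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1] + "/32")
    ip, mask = tok.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_acl(lines):
    """Return {acl_name: [Ace, ...]} from 'access-list NAME extended ...' lines."""
    acl = {}
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            port = parse_port(m["port"]) if m["port"] else None
            acl.setdefault(m["name"], []).append(
                Ace(m["action"], m["proto"], parse_net(m["src"]), parse_net(m["dst"]), port))
    return acl


def parse_statics(lines):
    """Parse 'static (real_if,mapped_if) [tcp|udp] MAPPED [PORT] REAL [PORT] netmask M'."""
    out = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "static":
            continue
        real_if, mapped_if = t[1].strip("()").split(",")
        if t[2] in ("tcp", "udp"):  # port-level static (as in Brent's reply)
            out.append(Static(real_if, mapped_if, t[2], t[3], parse_port(t[4]), t[5], parse_port(t[6])))
        else:                       # one-to-one static, all ports pass through
            out.append(Static(real_if, mapped_if, None, t[2], None, t[3], None))
    return out


def inbound(pkt, acl_lines, static_lines, acl_name="Live_Internet_access_in"):
    """pkt is the packet as seen on the wire: dict(in_if, src, dst, proto, dport)."""
    for ace in parse_acl(acl_lines).get(acl_name, []):  # step 1: ACL on mapped dst
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in ace.src:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt["dport"]:
            continue
        if ace.action == "deny":
            return {"verdict": "deny", "reason": "explicit deny"}
        break
    else:
        return {"verdict": "deny", "reason": "implicit deny any at end of ACL"}
    for s in parse_statics(static_lines):  # step 2: untranslate via static NAT
        if s.mapped_if != pkt["in_if"] or s.mapped_ip != pkt["dst"]:
            continue
        if s.proto and (s.proto != pkt["proto"] or s.mapped_port != pkt["dport"]):
            continue
        return {"verdict": "permit", "egress_if": s.real_if, "real_dst": s.real_ip,
                "real_dport": s.real_port if s.real_port is not None else pkt["dport"]}
    return {"verdict": "deny", "reason": "no static translation for destination"}


# Constructed sample data: 203.0.113.10 stands in for the redacted x.x.x.x public address,
# 198.51.100.7 is an arbitrary Internet client; 195.167.187.230 is the real server per Brent's static.
MAPPED, REAL = "203.0.113.10", "195.167.187.230"
POSTED_ACL = ["access-list Live_Internet_access_in extended permit tcp any host 195.167.187.230 eq www"]
FIXED_ACL = [f"access-list Live_Internet_access_in extended permit tcp any host {MAPPED} eq www"]
STATIC = [f"static (Protected_Net,Live_Internet) tcp {MAPPED} 80 {REAL} 80 netmask 255.255.255.255"]
WIRE_PKT = {"in_if": "Live_Internet", "src": "198.51.100.7", "dst": MAPPED, "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    print("posted ACL:", inbound(WIRE_PKT, POSTED_ACL, STATIC))  # implicit deny, the poster's symptom
    print("fixed ACL :", inbound(WIRE_PKT, FIXED_ACL, STATIC))   # permitted, untranslated to REAL
    print("no static :", inbound(WIRE_PKT, FIXED_ACL, []))       # ACL passes but nothing to untranslate
```

The third case is the one to remember when checking a config like the one posted: an ACE on the right (mapped) address is necessary but not sufficient, because without a static the firewall has no translation to send the connection to the Protected_Net host.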
 