Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

http from inside to out? asa 5505

Status
Not open for further replies.
blzbubb

blzbubb

Technical User
Jun 4, 2009
4
GB
My setup is as follows:

DSL Modem --->Linksys Rv082 --> [ASA 5505] ---> webserver
192.168.1.0 192.168.2.0 192.168.2.100 192.168.3.30

I have a fixed external IP and seem to have all the forwards working up to the ASA. However when i trt to connect to my external IP i see the following pop up in the asdm real-time log:

6 Jun 04 2009 17:30:56 110003 192.168.2.100 80 <external IP> 3278 Routing failed to locate next hop for TCP from inside:192.168.2.100/80 to outside:<external IP>/3278

6 Jun 04 2009 17:30:56 302014 <external IP> 3278 192.168.3.30 80 Teardown TCP connection 1469 for outside:<external IP>/3278 to inside:192.168.3.30/80 duration 0:00:21 bytes 0 TCP Reset-I

Which i read to mean the http is making it to the webserver on 192.168.3.30 on the inside but is failing to find its way out.

I'm new to firewalls in general and a simple walk through on how to setup the basic rules which allow a standard IIS to opperate behind the ASA would be exetremely helpful.

NATS:
Static 192.168.3.30 tcp/http outside outside tcp/http False Unlimited Unlimited Unlimited True

Static 192.168.2.100 tcp/http inside 192.168.3.30 tcp/http False Unlimited Unlimited Unlimited True
(192.168.2.100 is the outside ip of the ASA)

Access Rules:
7 True outside-network/24 192.168.3.30 tcp-udp/http Permit 0 Debugging

Any help would be great ... this is driving me nuts.



 
Sort by date Sort by votes
Two things:
1) Why the Linksys in front of the ASA??
2) As North said, a scrubbed config would be nice. Chances are you are missing a default route

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
The Linksys and everything up from that is essentially just for the testing phase ... before the ASA and everything below eventually goes to a datacenter.

Result of the command: "show conn"

5 in use, 12 most used
TCP outside 192.168.2.101:3428 inside 192.168.3.60:3389, idle 0:00:00, bytes 6546493, flags UIOB
TCP outside 192.168.2.200:445 inside 192.168.3.60:50207, idle 0:00:31, bytes 27195918, flags UIO



Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password **** encrypted
passwd ***** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
description OutSide Facing
nameif outside
security-level 0
ip address 192.168.2.100 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol test
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit object-group TCPUDP any any eq debugging
access-list inside_access_in extended permit object-group TCPUDP any any log debugging
access-list outside_access_in remark *****
access-list outside_access_in extended permit object-group TCPUDP any any eq debugging
access-list outside_access_in extended permit tcp any host 192.168.3.50 eq 6001 log debugging
access-list outside_access_in remark ****
access-list outside_access_in extended permit tcp any host 192.168.3.40 eq 6000 log debugging
access-list outside_access_in remark ******
access-list outside_access_in extended permit tcp any host 192.168.3.40 eq 7001 log debugging
access-list outside_access_in remark *****
access-list outside_access_in extended permit tcp any host 192.168.3.30 eq 3030 log debugging
access-list outside_access_in remark ********
access-list outside_access_in extended permit tcp any host 192.168.3.60 eq 3031 log debugging
access-list outside_access_in remark ******
access-list outside_access_in extended permit tcp any host 192.168.3.30 eq 8001 log debugging
access-list outside_access_in extended permit object-group TCPUDP any any log debugging
access-list outside_access_in extended permit ip any any log debugging
access-list ****_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list ****_splitTunnelAcl standard permit any
access-list ****_splitTunnelAcl standard permit any
access-list ****_splitTunnelAcl standard permit any
access-list inside_access_out extended permit object-group TCPUDP any any eq debugging
access-list inside_access_out extended permit object-group TCPUDP any any log debugging
access-list outside_access_out extended permit object-group TCPUDP any any eq debugging
access-list outside_access_out extended permit object-group TCPUDP any any log debugging
access-list outside_access_out extended permit icmp any any log debugging
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool InternalPool 192.168.3.90-192.168.3.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 7001 192.168.3.50 3306 netmask 255.255.255.255
static (inside,outside) tcp interface 6001 192.168.3.50 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 6000 192.168.3.40 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 8001 192.168.3.30 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3030 192.168.3.30 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3031 192.168.3.60 3389 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.50 3306 192.168.2.100 7001 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.50 ssh 192.168.2.100 6001 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.40 ssh 192.168.2.100 6000 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.30 8080 192.168.2.100 8001 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.30 3389 192.168.2.100 3030 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.60 3389 192.168.2.100 3031 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
!
router rip
!
route outside 0.0.0.0 255.255.255.255 192.168.2.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.2-192.168.3.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ***** internal
group-policy ***** attributes
dns-server value 192.168.3.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value *****_splitTunnelAcl
username ***** password ***** encrypted privilege 0
username ***** attributes
vpn-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup general-attributes
address-pool InternalPool
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool InternalPool
tunnel-group *****type remote-access
tunnel-group *****general-attributes
address-pool InternalPool
default-group-policy *****
tunnel-group *****ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*******
: end



It is in a bit of a mess at the moment due to a lot random guess work. All i really care about is allowing http traffic to and from the 192.168.3.30.

I think it is probably a route thing. I'm also not quite sure what the servers default gateway/dns should be. It is currently set to the asa inside interface.

Thanks for the help so far.
 
Upvote 0 Downvote
Ignore the first config .... this is the one i meant to paste Doh!


Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password ********* encrypted
passwd ********** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
description OutSide Facing
nameif outside
security-level 0
ip address 192.168.2.100 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol test
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit object-group TCPUDP any any eq debugging
access-list inside_access_in extended permit object-group TCPUDP any any log debugging
access-list outside_access_in remark Dev1 3030 for rdp
access-list outside_access_in extended permit object-group TCPUDP any any eq debugging
access-list outside_access_in extended permit tcp any host 192.168.3.50 eq 6001 log debugging
access-list outside_access_in remark ***2 6000 for ssh
access-list outside_access_in extended permit tcp any host 192.168.3.40 eq 6000 log debugging
access-list outside_access_in remark ***2 7001 for mysql
access-list outside_access_in extended permit tcp any host 192.168.3.40 eq 7001 log debugging
access-list outside_access_in remark Dev1 3030 for rdp
access-list outside_access_in extended permit tcp any host 192.168.3.30 eq 3030 log debugging
access-list outside_access_in remark Adm1 3031 for rdp
access-list outside_access_in extended permit tcp any host 192.168.3.60 eq 3031 log debugging
access-list outside_access_in remark Dev1 8001 for svn
access-list outside_access_in extended permit tcp any host 192.168.3.30 eq 8001 log debugging
access-list outside_access_in extended permit object-group TCPUDP any any log debugging
access-list outside_access_in extended permit ip any any log debugging
access-list ***in_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list ***Client_splitTunnelAcl standard permit any
access-list ***_splitTunnelAcl standard permit any
access-list *******_splitTunnelAcl standard permit any
access-list inside_access_out extended permit object-group TCPUDP any any eq debugging
access-list inside_access_out extended permit object-group TCPUDP any any log debugging
access-list outside_access_out extended permit object-group TCPUDP any any eq debugging
access-list outside_access_out extended permit icmp any any log debugging
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool InternalPool 192.168.3.90-192.168.3.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 7001 192.168.3.50 3306 netmask 255.255.255.255
static (inside,outside) tcp interface 6001 192.168.3.50 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 6000 192.168.3.40 ssh netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.50 3306 192.168.2.100 7001 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.50 ssh 192.168.2.100 6001 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.40 ssh 192.168.2.100 6000 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.30 8080 192.168.2.100 8001 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.30 255.255.255.255
static (outside,inside) tcp 192.168.3.30 3389 192.168.2.100 3030 netmask 255.255.255.255
static (outside,inside) tcp 192.168.3.60 3389 192.168.2.100 3031 netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface 8001 192.168.3.30 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 3030 192.168.3.30 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3031 192.168.3.60 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
!
router rip
!
route outside 0.0.0.0 255.255.255.255 192.168.2.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.2-192.168.3.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ******* internal
group-policy ******* attributes
dns-server value 192.168.3.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value *******_splitTunnelAcl
username ********* password ZZwYQVWJP6UmtdrZ encrypted privilege 0
username ********* attributes
vpn-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup general-attributes
address-pool InternalPool
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool InternalPool
tunnel-group ******* type remote-access
tunnel-group ******* general-attributes
address-pool InternalPool
default-group-policy *******
tunnel-group ******* ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:73***********
: end
 
Upvote 0 Downvote
this
Code: 
route outside 0.0.0.0 255.255.255.255 192.168.2.100 1
literally means match 0.0.0.0 as the source of the connections. you need to change it to this:
Code: 
route outside 0.0.0.0 0.0.0.0 192.168.2.100

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Thanks for the help.
After setting the default route correctly I also had to change the servers default DNS I previously had it set to the asa IP assuming it would route through after setting it to the 192.168.1.254 address directly along with the route it is all working fine.

Thanks again
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
672
Sameer258
Sameer258
AllenH12
  • Locked
  • Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
314
AllenH12
AllenH12
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
584
intel233
intel233
gkreg
  • Locked
  • Question
asa 5500-x url filtering
Replies
0
Views
445
gkreg
gkreg
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
630
intel233
intel233

Part and Inventory Search

Sponsor

Back
Top