Nat/Access Rule for webserver

fenderjbass (IS-IT--Management), Jun 4, 2011
Hey guys, this is my first thread here. I've used this site a lot to resolve issues I've been faced with, so hopefully this time I help someone else out with my issue. I'm studying for the CCENT, and just started using Cisco on my home network. I had a router running DD-WRT which had static NATs set up for my public web server, FTP, SSH etc. I've swapped that out for a 5505. I've checked, and double checked my NAT and access rules. Still can't view the website on the internet. I'll shut up now and show you my running config. I'm sure it's something simple:


interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
host 192.168.10.10
object service Web
service tcp source eq eq www
object network web
host 192.168.10.10
description Web
access-list outside_access_in extended permit tcp any object Webserver eq www
access-list outside_access_in_1 extended permit tcp any object web eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (any,outside) after-auto source static any interface destination static web web service Web Web
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 98.213.226.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd dns 8.8.8.8
!
dhcpd address 192.168.10.100-192.168.10.110 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2c51c0ffab2c728fa944afe165c60845
: end
 
You should use a 1-to-1 NAT rule with a different IP (next IP up from your WAN, for example) as ASDM uses HTTP ports to administer your device.

P.S. - you really should remove your public IP before posting.... ;-)

ACSS - SME
General Geek

 
Well, that was the gateway IP, not my public IP. And it's dynamic, and it's already changed. If it comes to it, I'll make it static. But it's 100% for experiment and learning, not production. I made some changes to network objects and it works now. Actually, it may have been working the whole time. If I'm outside my network, say McDonald's for instance, I can access my webserver by But when I was writing this post, I was sitting on my comfy couch, and could not access it by To verify my settings, it works fine if I use my old firewall running DD-WRT. I can access from home or outside. Once I put the ASA in, I can only see it from outside my network. I can access the webserver internally by its hostname and, of course, by its private IP.
 
@Fenderjbass

Yes, you are right, and that is the default action performed by PIX and ASA: when you query an external DNS server (assuming your ISP's DNS server) and the A record points back to your source IP (which is your PIX/ASA outside interface), the firewall will normally drop these packets without DNS doctoring.
The link below should help you resolve it.

HTH
Viconsul
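Putting ACSS's 1-to-1 NAT suggestion and Viconsul's DNS doctoring point together, here is an added example configuration for an ASA 8.3+ (not the poster's running config and not from the linked document). It assumes a spare static public address routed to the ASA; 203.0.113.10 is a placeholder for that address, and the DNS inspection lines are the ASA's default global policy, repeated only in case they were removed.

```cisco
! Added example, not the poster's config. One-to-one static NAT for the
! web server on a spare public address (203.0.113.10 is a placeholder),
! with the dns keyword so that when an inside client resolves the public
! hostname through an external DNS server, the ASA rewrites the A record
! in the reply to the private address instead of dropping the connection.
object network Webserver
 host 192.168.10.10
 nat (inside,outside) static 203.0.113.10 dns
!
! Outside-in rule: on 8.3+ the ACL references the real (private) address.
access-list outside_access_in extended permit tcp any object Webserver eq www
access-group outside_access_in in interface outside
!
! DNS doctoring only happens if DNS inspection is enabled. This is the
! ASA default global policy; it is shown here only because the posted
! running config does not include a policy-map.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

With this in place, inside clients receive 192.168.10.10 from DNS and connect directly on the LAN, and outside clients reach 203.0.113.10, so the ASA's own outside interface (and ASDM on it) is no longer involved in the web server's NAT. Verify with `show nat detail` and `show xlate` on the ASA, and by resolving the hostname from an inside host before and after the change.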
 