
Can’t access internal web server from outside through ASA 5505


paulino (Member)

    Hi everyone,
    Can anybody please help me out with my ASA 5505 configuration? I have made several attempts trying to get VPN working for external users to access our internal web server, but all my efforts seem not to be giving a positive result. I resorted to this solution: leaving the server on the inside network and permitting only HTTP access to it from the internet, but this also seems not to be working.

    I have created a static NAT that maps the private address of the server, 192.168.0.1, to the public address from our ISP (the same address assigned to the outside interface) and created an ACL entry for HTTP inflow to both the public and private address of the server.

    Here is the sh run from the CLI:

    ASA Version 7.2(4)
    !
    hostname ASA
    domain-name asa.com
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.0.1 WEB_SERVER_private
    name 1.2.3.4 WEB_SERVER_public
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.21 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address WEB_SERVER_public 255.255.255.192
    !
    interface Vlan3
     shutdown
     no forward interface Vlan1
     nameif dmz
     security-level 50
     no ip address
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    !
    time-range 12noon-to-11pm
     periodic daily 12:00 to 23:00
    !
    time-range 4pm-to-11pm
     periodic daily 16:00 to 23:00
    !
    time-range 8am-to-4pm
     periodic daily 8:00 to 16:00
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
     domain-name ORG-gateway.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network ACCOUNT1-PCs
     network-object host 192.168.0.27
     network-object host 192.168.0.34
    object-group network ACCOUNT2-PCs
     network-object host 192.168.0.28
     network-object host 192.168.0.31
     network-object host 192.168.0.32
     network-object host 192.168.0.33
    object-group network ADIMN
     network-object host 192.168.0.48
    object-group network MARKETING-PCs
     description Collection of IP addresses asigned to marketing workstations
     network-object host 192.168.0.61
     network-object host 192.168.0.62
     network-object host 192.168.0.95
     network-object host 192.168.0.96
     network-object host 192.168.0.98
     network-object host 192.168.0.99
    object-group network WRITER1
     network-object host 192.168.0.36
     network-object host 192.168.0.37
    object-group network WRITER2
     network-object host 192.168.0.40
     network-object host 192.168.0.42
     network-object host 192.168.0.43
     network-object host 192.168.0.44
    object-group network DM_INLINE_NETWORK_1
     group-object ACCOUNT2-PCs
     group-object ADIMN
     group-object MARKETING-PCs
     group-object WRITER1
     group-object WRITER2
    access-list outside_access_in extended permit tcp any host WEB_SERVER_public eq www log disable
    access-list ORG-GROUP_splitTunnelAcl standard permit any
    access-list outside_access_out extended deny ip object-group ACCOUNT1-PCs any time-range 12noon-to-11pm
    access-list outside_access_out extended deny ip object-group DM_INLINE_NETWORK_1 any time-range 8am-to-4pm
    access-list outside_access_out extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface www WEB_SERVER_private www netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group outside_access_out out interface outside
    route outside 0.0.0.0 0.0.0.0 41.75.199.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.0.100-192.168.0.130 inside
    dhcpd dns 217.117.0.35 217.117.15.106 interface inside
    dhcpd domain ORG.com interface inside
    dhcpd enable inside
    !
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    username ORG password Q/zjZIOUziicgEHF encrypted privilege 15
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:2c346952ea323d330a9a49ff8619b6ff
    : end
    asdm image disk0:/asdm-524.bin
    no asdm history enable

    I don’t know what can be wrong here.
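A consistency check for the pre-8.3 static-PAT-plus-ACL pattern used in the post above, added here as an example and not code from the poster or from Cisco: it parses the `name`, `nameif`/`ip address`, `access-list`, `static` and `access-group` lines, resolves the names, and reports when the real server is off the inside subnet, when no ACL is bound inbound on the mapped interface, or when that ACL has no ACE permitting the mapped (public) address and port, which is the rule pre-8.3 ASA code applies to inbound ACLs. The config excerpt is constructed from the post; `PORTS`, `parse`, `ace_permits` and `findings` are the example's own names.

```python
import ipaddress

CONFIG = """
name 192.168.0.1 WEB_SERVER_private
name 1.2.3.4 WEB_SERVER_public
 nameif inside
 ip address 192.168.0.21 255.255.255.0
 nameif outside
 ip address WEB_SERVER_public 255.255.255.192
access-list outside_access_in extended permit tcp any host WEB_SERVER_public eq www log disable
static (inside,outside) tcp interface www WEB_SERVER_private www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""  # constructed excerpt of the poster's pre-8.3 ASA config, cut to the lines the check reads
PORTS = {"www": "80", "https": "443"}  # ASA port keywords to numbers

def parse(cfg):
    names, ifaces, acls, statics, groups, nameif = {}, {}, {}, [], {}, None
    for t in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if t[0] == "name":                          # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "nameif":                      # nameif precedes "ip address" in the dump
            nameif = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[nameif] = ipaddress.ip_interface(f"{names.get(t[2], t[2])}/{t[3]}")
        elif t[0] == "access-list" and t[2] == "extended":
            acls.setdefault(t[1], []).append(t[3:])
        elif t[0] == "static":
            statics.append(t)
        elif t[0] == "access-group":                # access-group <acl> in|out interface <if>
            groups[(t[4], t[2])] = t[1]
    return names, ifaces, acls, statics, groups

def ace_permits(ace, names, dst_ip, dst_port):
    # Pre-8.3 ACLs on the mapped interface name the MAPPED (public) address, never the real one;
    # only the "permit tcp any host X [eq P]" form is modelled.
    return (ace[:4] == ["permit", "tcp", "any", "host"] and names.get(ace[4], ace[4]) == str(dst_ip)
            and (len(ace) < 6 or ace[5] != "eq" or PORTS.get(ace[6], ace[6]) == dst_port))

def findings(cfg):
    """Yield one finding per 'static (real,mapped) tcp ...' forward that cannot pass traffic."""
    names, ifaces, acls, statics, groups = parse(cfg)
    for s in statics:
        real_if, mapped_if = s[1].strip("()").split(",")
        mapped_ip = ifaces[mapped_if].ip if s[3] == "interface" else names.get(s[3], s[3])
        real_ip, port = ipaddress.ip_address(names.get(s[5], s[5])), PORTS.get(s[4], s[4])
        if real_ip not in ifaces[real_if].network:
            yield f"{real_ip} is not on the {real_if} subnet, so the ASA cannot deliver to it"
        acl = groups.get((mapped_if, "in"))         # None: nothing bound inbound, the static alone admits nothing
        if not any(ace_permits(a, names, mapped_ip, port) for a in acls.get(acl, [])):
            yield f"inbound ACL {acl} on {mapped_if} has no ACE permitting tcp any -> host {mapped_ip} eq {port}"
```

For the posted lines the check comes back clean, which means the NAT and ACL pair is at least self-consistent; on the device itself, `packet-tracer input outside tcp <external-ip> 12345 1.2.3.4 80` walks the real rule base and shows the phase (ACL, NAT, route) at which a flow is dropped.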
