0

I have set up a web server on a separate VLAN and configured an object for the webserver to allow tcp port 80 communication; the access list and access group are also set up. But I can't reach the server from outside.

I have been googling and looking at answers here, but none of them have allowed me to access the server.

I have checked that the web server is up and running, and that it's reachable from inside the network using its IP.

Here are the relevant parts of the config:

!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp 
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.5.1.1 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address 10.4.1.1 255.255.255.0 
!             

dns server-group DefaultDNS
 domain-name mastermind.local

object network dev-server-internal 
 host 10.4.1.2
object network inside-net 
 subnet 0.0.0.0 0.0.0.0
object network dev-server-external 
 host 10.4.1.2
access-list outside_access_in extended permit tcp any host 10.4.1.2 eq www 

!
object network dev-server-internal
 nat (inside,dmz) dynamic interface
object network inside-net
 nat (inside,outside) dynamic interface
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.15.166.1 1

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 10.5.1.2-10.5.1.32 inside
dhcpd enable inside
!
dhcpd address 10.4.1.2-10.4.1.2 dmz
dhcpd enable dmz
!

So the idea is that the VLAN "inside" is used for regular users and VLAN "dmz" is for the web server. There will only be one server connected to VLAN "dmz", that's why I have only allowed dhcp for one address.

I added the object "dev-server-internal" to allow users from inside to access the web server directly using its IP (10.4.1.2).

So what can I do to be able to access the web server from the outside?


Here's what the show nat gives me after trying to reach the web server from the outside:

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dev-server-external interface service tcp www www 
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source dynamic dev-server-internal interface
    translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic inside-net interface
    translate_hits = 1160, untranslate_hits = 149

EDIT: Output from packet-tracer input outside tcp 1.2.3.4 2501 10.4.1.2 80:

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.4.1.0        255.255.255.0   dmz

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www 
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www 
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

EDIT 2: Relevant parts from show interface vlan1:

Interface Vlan1 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
    MAC address 0007.7dab.c007, MTU 1500
    IP address 94.254.4.141, subnet mask 255.255.254.0

Output from show route:

Gateway of last resort is 10.15.166.1 to network 0.0.0.0

C    10.5.1.0 255.255.255.0 is directly connected, inside
C    10.4.1.0 255.255.255.0 is directly connected, dmz
C    94.254.4.0 255.255.254.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.15.166.1, outside

Output from packet-tracer input outside tcp 1.2.3.4 2501 94.254.4.141 80:

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www 
Additional Information:
NAT divert to egress interface dmz
Untranslate 94.254.4.141/80 to 10.4.1.2/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:       
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www 
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www 
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 356329, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
rzetterberg
  • I can't see any problems with your config. Have you tried using packet tracer? `packet-tracer input outside tcp 1.2.3.4 2501 10.4.1.2 80` – resmon6 Feb 13 '12 at 14:17
  • Are you trying to hit this from the internet or just from outside the firewall? I just noticed you're routing to a 10. address. – resmon6 Feb 13 '12 at 14:26
  • See my edit with the packet tracer. I'm trying to access it from the internet. The firewall's VLAN outside is connected directly to our ISP's fiber modem. – rzetterberg Feb 13 '12 at 14:32
  • Ahh ok. What is the subnet mask of the IP address that your ISP is providing via DHCP? Also try doing another packet-tracer command but change 10.4.1.2 to the outside interface IP. If you can, post the output of your `show route` command – resmon6 Feb 13 '12 at 14:44
  • The subnet mask is `255.255.254.0` and IP is `94.254.4.141`. I've added a packet trace for outside interface IP in my answer. I noticed that the `route` command contains wrong IP, `10.15.166.1` was the old IP before the router got access to ISP public IP. Could this be the problem? – rzetterberg Feb 13 '12 at 14:50
  • According to that packet tracer your firewall should be configured correctly for NAT. Your routing table does concern me. The gateway of last resort is 10.15.166.1 but there is no route for this network in the routing table. Can hosts from the inside of your firewall access the internet? Is there an arp entry in your firewall for 10.15.166.1? – resmon6 Feb 13 '12 at 14:53
  • Yes, the routing was wrong. I have changed it from 10.15.166.1 to 94.254.4.141. Yes, we have access to internet. There are no arp entries except for the timeout. – rzetterberg Feb 13 '12 at 14:59
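The two traces above differ only in the destination address, and the drop in the first one is flagged at the NAT rpf-check phase while the second one passes. A small parser makes that comparison mechanical: it splits `packet-tracer` output into phases, reports the first phase that returns DROP together with the configuration line it cites, and reads the `translate_hits`/`untranslate_hits` counters from `show nat` to list rules that have never matched. This is an added example, not code from the thread or from Cisco; the sample outputs embedded in it are constructed, condensed copies of the outputs pasted in the question, and the function names are the example's own.

```python
"""Locate the dropping phase in ASA packet-tracer output and list NAT rules
with zero hits in 'show nat'. Added example; sample text is constructed from
the asker's pasted outputs, not captured live."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: a condensed copy of the first trace in the question
# (destination is the DMZ private address, so the static NAT's rpf-check drops it).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.4.1.0        255.255.255.0   dmz

Phase: 3
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
Additional Information:

Result:
input-interface: outside
output-interface: dmz
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: the 'show nat' counters the asker posted.
SAMPLE_SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dev-server-external interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source dynamic dev-server-internal interface
    translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic inside-net interface
    translate_hits = 1160, untranslate_hits = 149
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list[str] = field(default_factory=list)   # lines under "Config:"
    info: list[str] = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text: str):
    """Return (phases, final action, drop reason) from packet-tracer output."""
    phases: list[Phase] = []
    current, section, action, drop_reason = None, None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif line == "Result:":            # bare "Result:" opens the summary block
            current, section = None, None
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
        elif line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
        elif current is None:
            continue
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section and line.strip():
            getattr(current, section).append(line.strip())
    return phases, action, drop_reason


def first_drop(phases: list[Phase]):
    """The first phase whose result is DROP, or None when the flow is allowed."""
    return next((p for p in phases if p.result == "DROP"), None)


NAT_RULE = re.compile(r"^\d+ \((\S+)\) to \((\S+)\) source (\S+) (\S+)")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_show_nat(text: str):
    """Return one dict per NAT rule with its interfaces, object name and hit counters."""
    rules = []
    for line in text.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            rules.append({"src": m.group(1), "dst": m.group(2), "mode": m.group(3),
                          "object": m.group(4), "translate_hits": 0, "untranslate_hits": 0})
            continue
        h = HITS.search(line)
        if h and rules:                     # counters belong to the rule just parsed
            rules[-1]["translate_hits"] = int(h.group(1))
            rules[-1]["untranslate_hits"] = int(h.group(2))
    return rules


def unused_rules(rules):
    """Object names of rules that have never translated or untranslated a packet."""
    return [r["object"] for r in rules if r["translate_hits"] == 0 and r["untranslate_hits"] == 0]


if __name__ == "__main__":
    phases, action, reason = parse_packet_tracer(SAMPLE_TRACE)
    drop = first_drop(phases)
    print(f"action={action} reason={reason}")
    if drop:
        print(f"dropped in phase {drop.number} {drop.type}/{drop.subtype}: {drop.config}")
    print("NAT rules with zero hits:", unused_rules(parse_show_nat(SAMPLE_SHOW_NAT)))
```

Run against the first trace it reports phase 6 (phase 3 in the condensed sample) as the NAT rpf-check drop citing the `dev-server-external` static rule; against the second trace `first_drop` returns None and the action is allow. The zero-hit list is the quick check that a rule has never been exercised, which is what the static rule's counters show before the outside address was used as the destination.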

2 Answers

1

Putting this in an answer to make it easier to format. This command may be posing a problem:

object network dev-server-internal
 nat (inside,dmz) dynamic interface

I would go ahead and get rid of this entry and identity nat your inside network over to the DMZ like so:

object network internal-hosts2
 subnet 10.5.1.0 255.255.255.0
 nat (inside,dmz) static 10.5.1.0

Also instead of using a static route, do this under vlan 1 to have dhcp renew and automatically set your default route from dhcp

interface vlan 1
no ip address dhcp
ip address dhcp setroute

Now try a packet capture on your outside interface. Add the acl in config mode and the capture command in normal exec mode

access-list test extended permit tcp any interface outside eq www
capture test access-list test interface outside

Then after you try to hit your website from the internet do a show capture to see if any packets made it to your firewall.

resmon6
  • I removed the whole dev-server-internal object, and added the new one you suggested. However, the network command was not recognized. – rzetterberg Feb 13 '12 at 15:09
  • Oops! I typo-ed that. Check it now. – resmon6 Feb 13 '12 at 15:12
  • Still getting "ERROR: % Invalid input detected at '^' marker." at the e of "network". You didn't mean `subnet` instead of `network`? – rzetterberg Feb 13 '12 at 15:17
  • Yep you're right. Sorry I try to stay away from ASA 8.3+. – resmon6 Feb 13 '12 at 15:20
  • Alright, I applied both of the changes. I get the same result when doing a `packet-tracer` on 10.5.1.4, except that instead of doing ACCESS-LIST in Phase 1, it now performs CP-PUNT in Phase 1. But still dropping in rpf-check. – rzetterberg Feb 13 '12 at 15:23
  • Yeah that's normal. What we're looking for is the second packet tracer (again, my old school asa 8.2 days screwing me up) and that one worked. Now what you should do is put a packet capture on the outside of your firewall to see if your ISP may be blocking port 80. I'll post the config in my answer. – resmon6 Feb 13 '12 at 15:27
  • Ok! I used the same setup with the old firewall/router and it worked fine, so I don't think the ISP should be blocking port 80. – rzetterberg Feb 13 '12 at 15:29
  • Are you trying to run a normal webserver? You may try turning off the http inspection in the asa temporarily to see if that's the issue. You can also look at the output of `show service-policy inspect http` to see if it is showing dropped http packets. – resmon6 Feb 13 '12 at 15:38
  • Oh, it looks like it's a problem with your webserver now. When I navigate to your webserver I get a `HTTP/1.0 504 Gateway Time-out` – resmon6 Feb 13 '12 at 15:43
  • Yes, exactly. The http inspection was not turned. The `service-policy inspect http` didn't show anything except for which policies are being used. – rzetterberg Feb 13 '12 at 15:43
  • That's interesting. When I tried accessing myself and looking at the capture it was 0 bytes, but now that you did it shows 759 bytes. And when I tunneled outside the network and accessed the ip in the browser, I also get a response from the webserver. – rzetterberg Feb 13 '12 at 15:45
  • Were you accessing it internally or externally? Remember that capture is only running on the outside interface. – resmon6 Feb 13 '12 at 15:46
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/2481/discussion-between-rzetterberg-and-resmon6) – rzetterberg Feb 13 '12 at 15:48
0

No amount of auto NAT will make a web server available on the outside interface.

There must be a static NAT rule from the DMZ machine to the outside, possibly for port 80 only if that's what you want.

adaptr
  • I see, how would I go about to change my current setup to use static NAT so that the dmz machine is reachable for port 80 only? – rzetterberg Feb 13 '12 at 11:33