How to allow access through Cisco ASA

Can someone help me with this.

We have an ASA doing NAT for our network.  We have a webserver on our
network.

Let's say the IP address for the WAN port on the ASA is
206.123.123.123.  When I am on the network, I can't seem to access the
webserver by going to http://206.123.123.123.  If however I am on my
home network and on the internet, I can access the webserver at
http://206.123.123.123.

The port 80 forwarding rule is in place and works fine.

So you see, for some reason, the ASA is blocking me when I am going
out through it and back in.


Re: How to allow access through Cisco ASA
test


Re: How to allow access through Cisco ASA
When using a Cisco PIX or ASA firewall, you cannot reach the configured IP
address of the outside interface from the inside of the firewall.  You also
cannot reach the configured IP address of the inside interface from the outside
of the firewall.  It just does not work.

In cases such as this, if I am understanding the limited explanation that
you provided, the internal DNS server resolves to the true IP address of the
web server and the external DNS server resolves to the outside global NAT IP
address on the firewall.

--

     ===========
     Scott Perry
     ===========
Indianapolis, Indiana



Re: How to allow access through Cisco ASA
Sorry about the last post, been having problems.
Anyhow.

You say you allow port 80 forwarding, huh? I guess the correct term
would be a static NAT, NAT'ing your public to a private IP.

I think the correct statement would be:
static (inside,outside) 206.123.123.123 <private.web.server.ip> netmask 255.255.255.255 0 0

Then you'd need an access-list allowing the traffic:
access-list outside-in permit tcp any host 206.123.123.123 eq http

Obviously, you'll need to use the correct names and IP which you use.

I'm not very experienced, so others might provide more info, or correct
any mistakes.

Cheers,
Anthony



Re: How to allow access through Cisco ASA
This is what I have, I changed

access-list OutsideISP_access_in extended permit tcp any interface OutsideISP eq https
access-list OutsideISP_access_in extended permit tcp any host 206.xxx.xxx.xxx eq www
access-list OutsideISP_pnat_inbound extended permit tcp interface OutsideISP eq https interface InsideStaff eq https
static (InsideStaff,OutsideISP) tcp interface https 10.55.5.11 https netmask 255.255.255.255

10.55.5.11 can be reached from the internet when I go to http://206.xxx.xxx.xxx,
however, when I am on the 10.55.5.x local network and try to visit
http://206.123.123.123 it doesn't work.

Is there a way to make it work?
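
Added example, not part of any post in this thread: a Python check for the split-DNS arrangement Scott Perry describes above. It reads static NAT lines in the two forms quoted in this thread and flags internal-zone A records that still send inside clients to a mapped outside address. The hostnames, zone contents, the 203.0.113.10 mapping and the function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: the first line is the form quoted in the thread, the
# second is a made-up host-form mapping using a documentation address.
ASA_CONFIG = """\
static (InsideStaff,OutsideISP) tcp interface https 10.55.5.11 https netmask 255.255.255.255
static (InsideStaff,OutsideISP) 203.0.113.10 10.55.5.20 netmask 255.255.255.255
"""
# Constructed internal-view zone data (hypothetical names).
INTERNAL_ZONE = """\
www.example.com.      A 206.123.123.123
mail.example.com.     A 203.0.113.10
intranet.example.com. A 10.55.5.11
"""

def parse_statics(config, interface_ips):
    """Return {mapped_ip: real_ip} from 'static (real_if,mapped_if) ...' lines."""
    mappings = {}
    for line in config.splitlines():
        m = re.match(r"static \((\S+?),(\S+?)\)\s+(.*)", line.strip())
        if not m:
            continue
        _real_if, mapped_if, rest = m.groups()
        tok = rest.split()
        if tok[0] in ("tcp", "udp"):   # port form: proto mapped mport real rport
            mapped, real = tok[1], tok[3]
        else:                          # host form: mapped real
            mapped, real = tok[0], tok[1]
        if mapped == "interface":      # keyword: the mapped interface's own address
            mapped = interface_ips[mapped_if]
        mappings[ipaddress.ip_address(mapped)] = ipaddress.ip_address(real)
    return mappings

def parse_a_records(zone):
    """Return [(name, address)] for simple 'name A address' lines."""
    fields = (line.split() for line in zone.splitlines())
    return [(f[0], f[2]) for f in fields if len(f) == 3 and f[1] == "A"]

def audit_internal_zone(records, mappings):
    """Flag records that point inside clients at a mapped (outside) address."""
    findings = []
    for name, addr in records:
        ip = ipaddress.ip_address(addr)
        if ip in mappings:
            findings.append((name, str(ip), str(mappings[ip])))
    return findings

if __name__ == "__main__":
    nat = parse_statics(ASA_CONFIG, {"OutsideISP": "206.123.123.123"})
    for name, bad, real in audit_internal_zone(parse_a_records(INTERNAL_ZONE), nat):
        print(f"{name} resolves to {bad} internally; use real address {real}")
```
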




Re: How to allow access through Cisco ASA
As of today's date that IP is good. I get the Apache test page.


