How to allow access through Cisco ASA

Can someone help me with this?

We have an ASA doing NAT for our network. We have a webserver on our network.

Let's say the IP address for the WAN port on the ASA is 206.123.123.123. When I am on the network, I can't seem to access the webserver by going to http://206.123.123.123. If, however, I am on my home network and on the internet, I can access the webserver at http://206.123.123.123. The port 80 forwarding rule is in place and works fine.

So you see, for some reason, the ASA is blocking me when I am going out through it and back in.

Reply to
adepaolis

Yes. That's exactly how the ASA security model works. It's easier to work around if you use DNS [e.g. split views in BIND].

Reply to
alexd
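
The split-view DNS approach mentioned in the reply above, sketched as a BIND configuration. This is an added example, not part of the thread: the hostname www.example.com, the ACL name and the zone file paths are assumptions, while 10.55.5.11 and 206.123.123.123 are the addresses used in the thread. It also assumes this server is authoritative for the zone both inside and outside.

```bind
// named.conf fragment (constructed example, not from the thread).
// Assumptions: the site is published as www.example.com and the
// inside LAN behind the ASA is 10.55.5.0/24.

acl "inside-lan" {
    10.55.5.0/24;
    localhost;
};

options {
    directory "/var/named";
};

// Views are tried in order and the first whose match-clients matches
// the querying address answers, so the internal view must come first.
// Once views are used, every zone has to live inside a view.
view "internal" {
    match-clients { "inside-lan"; };
    recursion yes;              // inside hosts may resolve other names
    zone "example.com" {
        type master;
        // This zone file carries the private address:
        //   www  IN  A  10.55.5.11
        file "internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;               // do not run an open resolver
    zone "example.com" {
        type master;
        // This zone file carries the ASA's outside address:
        //   www  IN  A  206.123.123.123
        file "external/example.com.zone";
    };
};
```

With this in place, inside clients that browse to the hostname connect to 10.55.5.11 directly and never send traffic out to the ASA's outside address and back in.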

This is what I have, I changed

access-list OutsideISP_access_in extended permit tcp any interface OutsideISP eq https
access-list OutsideISP_access_in extended permit tcp any host 206.xxx.xxx.xxx eq www
access-list OutsideISP_pnat_inbound extended permit tcp interface OutsideISP eq https interface InsideStaff eq https
static (InsideStaff,OutsideISP) tcp interface https 10.55.5.11 https netmask 255.255.255.255

10.55.5.11 can be reached from the internet when I go to http://206.xxx.xxx.xxx; however, when I am on the 10.55.5.x local network and try to visit http://206.123.123.123, it doesn't work.

Is there a way to make it work?

Reply to
adepaolis

Hi,

There were a couple of ways you could do this on the old PIXes, namely DNS Doctoring (6.2) and the alias commands.

I know the ASA supports DNS Doctoring but am unsure about the alias command.

Just do a search on cisco.com and you should find a number of helpful articles.

HTH

Regards

Darren

Reply to
Darren Green

Why not just modify your *host* file on the Windows box you're using to browse on the internet (within the LAN/WAN of that router), e.g.

10.x.x.x webserver

That way, when you're in your browser, you just type in webserver and you get in to your site (it's a workaround, but it does work).

Reply to
cvanoosbree
