just4while
join:2010-03-30

just4while

Member

[Config] Problems with Cisco ASA allowing web traffic through

Hi All,

I just had a Cisco ASA 5505 and I am trying to configure it with an inside and outside interface. The inside network will just have one web server but I am having problems getting http connections out/in from the web server as the implicit deny all rule keeps dropping the packets even though I wrote a permit rule for http on top of it.

I simply need the server to be accessible by all from the internet.

My running config
==========================
: Saved
:
ASA Version 7.2(4)
!
hostname host1
domain-name default.domain.invalid
enable password /Nv4NUBk670tHXkl encrypted
passwd 2KFQnbxxxIdI.2KAbYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2xx.xx.xx.xx 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host 2xx.xxx.xx.xx eq www
access-list inside_access_in extended permit tcp host 192.168.2.2 any eq www
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.2.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
aryoba
MVM
join:2002-08-22

aryoba

MVM

Re: [Config] Problems with Cisco ASA allowing web traffic throug

There are some questionable configuration lines in place that cause the problem. Try to have the following on the configuration.

1. New part of configuration as follows

Object Group command

object-group network PUBLIC-SERVERS
network-object host 192.168.2.2
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
object-group service WEB-SERVICES tcp
port-object eq 80
port-object eq 443

Global command

global (outside) 1 interface

Route command

route outside 0.0.0.0 0.0.0.0 [ISP DEFAULT GATEWAY]

2. Modify existing command line as follows

ACL outside_access_in should look something like this

access-list outside_access_in extended permit icmp any host [THE ASA OUTSIDE INTERFACE IP ADDRESS] object-group ICMP-INBOUND
access-list outside_access_in extended permit tcp any host [THE ASA OUTSIDE INTERFACE IP ADDRESS] object-group WEB-SERVICES

ACL inside_access_in should look something like this

access-list inside_access_in extended permit icmp object-group PUBLIC-SERVERS any
access-list inside_access_in extended permit tcp object-group PUBLIC-SERVERS any
access-list inside_access_in extended permit udp object-group PUBLIC-SERVERS any
access-list inside_access_in extended deny ip any any log

static command should look like this

static (inside,outside) tcp interface 80 192.168.2.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.2.2 443 netmask 255.255.255.255

Once you have these commands in, issue the clear xlate command to activate the new NAT commands. Don't forget to save the configuration afterwards.
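
An added example (not part of the original post, and not Cisco tooling): a small Python check for the three items the reply above adds or rewrites in pre-8.3 ASA syntax, run over the posted NAT lines and over the revised ones. The sample configs are constructed from lines in this thread, and 203.0.113.1 is a documentation address standing in for [ISP DEFAULT GATEWAY].

```python
import re

# Constructed sample: NAT-related lines from the config posted in the question.
POSTED = """\
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.2.2 netmask 255.255.255.255
"""

# Constructed sample: the same area after the changes suggested in the reply.
# 203.0.113.1 is a documentation address standing in for [ISP DEFAULT GATEWAY].
REVISED = """\
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1
static (inside,outside) tcp interface 80 192.168.2.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.2.2 443 netmask 255.255.255.255
"""

def audit(config):
    """Return a finding for each item the reply adds or rewrites."""
    findings = []
    # Dynamic NAT: every 'nat (if) N' (N != 0) needs a 'global (if) N' to pair with.
    nat_ids = set(re.findall(r"^\s*nat \(\S+\) (\d+) ", config, re.M)) - {"0"}
    global_ids = set(re.findall(r"^\s*global \(\S+\) (\d+) ", config, re.M))
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nat_id} has no matching global statement")
    # Default route: 'route <if> 0.0.0.0 0.0.0.0 <gateway>'.
    if not re.search(r"^\s*route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("no default route")
    # Static with no tcp/udp keyword maps the interface address, all ports,
    # to one inside host; the reply replaces it with per-port statics.
    for line in re.findall(r"^\s*static \(\S+,\S+\) interface \S+.*$", config, re.M):
        findings.append("static maps the whole interface address: " + line.strip())
    return findings

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("revised", REVISED)):
        print(name, audit(cfg) or "no findings")
```
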
meta
join:2004-12-27
00000

meta

Member

Copy the show log output or deny lines that are scrolling by and paste them so we can be sure we know what's getting dropped and why.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to just4while

MVM

to just4while
Really dumb question, but your 'show version' indicates you do NOT have an ASA Base licence, right?

Regards
just4while
join:2010-03-30

just4while

Member

Hi Aryoba,

I am still a noob in FW. Please bear with my questions:

May I know what icmp-object 0, 3 and 11 mean?

Your "route outside 0.0.0.0 0.0.0.0 [ISP DEFAULT GATEWAY]". Do I need to specify that, as my firewall outside interface is connected to a router?

Hi Hellfire,

I assumed mine IS the base license (I can't remember). The 5505 only has the base and security + licenses. May I know why you asked that?
aryoba
MVM
join:2002-08-22

aryoba

MVM

said by just4while:

May I know what icmp-object 0, 3 and 11 mean?
The command itself defines an ICMP-based Object Group to deal specifically with ICMP Types 0 (Echo Reply), 3 (Destination Unreachable), and 11 (Time Exceeded). Typically servers or hosts utilize this ICMP traffic in order to communicate with other hosts. You may note that the object-group is implemented on the inbound ACL that manages incoming traffic from the Internet to Inside networks (LAN) to make sure that this ICMP traffic is permitted to enter the LAN.

For more info regarding ICMP Types, you can check out the following official IANA link: »www.iana.org/assignments ··· rameters
said by just4while:

Your "route outside 0.0.0.0 0.0.0.0 [ISP DEFAULT GATEWAY]". Do I need to specify that, as my firewall outside interface is connected to a router?
The default gateway is the gateway IP address. If you connect the firewall directly to a modem, then the default gateway should be the ISP-provided default gateway. If you connect the firewall directly to a router, then the default gateway should be the router IP address.
just4while
join:2010-03-30

just4while

Member

Thanks all for replying to my queries, esp Aryoba who was a big help. My web traffic is allowed through the FW now. I am in the middle of configuring the ACL.

May I know, do I still need to put up rules to deny the usual stuff like loopback traffic (127.0.0.1) and Class E multicast traffic?

Another question is the packet tracer function in the ASA ASDM. While trying it out, I keep getting an "RPF failed". I know this is enabled when you turn on the anti-spoofing option. Is that a cause for concern?

Cheers,
aryoba
MVM
join:2002-08-22

aryoba

MVM

said by just4while:

Thanks all for replying to my queries, esp Aryoba who was a big help. My web traffic is allowed through the FW now. I am in the middle of configuring the ACL.
Good to hear it is working
said by just4while:

May I know, do I still need to put up rules to deny the usual stuff like loopback traffic (127.0.0.1) and Class E multicast traffic?
Assuming you follow the ACL exactly like I suggested, then you don't really need to put in specific rules to deny that loopback and multicast traffic since, by default, there is a deny ip any any.
said by just4while:

Another question is the packet tracer function in the ASA ASDM. While trying it out, I keep getting an "RPF failed". I know this is enabled when you turn on the anti-spoofing option. Is that a cause for concern?
Frankly, I'm not really familiar with ASDM features (I see myself as pretty much a CLI person), so I can't really give insights. I know that ASA/PIX Firewall error messages are not usually easy or simple to decipher. You either have to be really familiar with it or have a lot of experience around firewalls to be able to read between the lines. Nevertheless, there is always one golden rule I keep, which is "ain't fix that ain't broke".
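
An added example (not part of the thread, and a simplified model rather than the ASA's own code): the decision a reverse-path check such as `ip verify reverse-path interface ...` makes, namely that the best route back to a packet's source must leave through the interface the packet arrived on. It does not diagnose the packet tracer result asked about above. The routing tables are constructed, and 198.51.100.0/24 and 203.0.113.50 are documentation addresses standing in for the masked outside subnet and an Internet client.

```python
import ipaddress

def rpf_check(routes, ingress_if, src_ip):
    """Strict reverse-path check: the longest-prefix route back to src_ip
    must point out the interface the packet arrived on."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return False, "no route to source"
    if best[1] != ingress_if:
        return False, f"route to source is via {best[1]}, not {ingress_if}"
    return True, f"matched {best[0]} via {best[1]}"

# Constructed routing tables. CONNECTED holds only the directly connected
# networks; WITH_DEFAULT adds a default route out the outside interface.
CONNECTED = [("192.168.2.0/24", "inside"), ("198.51.100.0/24", "outside")]
WITH_DEFAULT = CONNECTED + [("0.0.0.0/0", "outside")]

if __name__ == "__main__":
    cases = [
        (CONNECTED, "outside", "203.0.113.50"),     # Internet client, no default route
        (WITH_DEFAULT, "outside", "203.0.113.50"),  # Internet client, default route present
        (WITH_DEFAULT, "outside", "192.168.2.2"),   # inside address arriving on outside
        (WITH_DEFAULT, "inside", "192.168.2.2"),    # web server sending from inside
    ]
    for routes, iface, src in cases:
        print(iface, src, rpf_check(routes, iface, src))
```

In a packet tracer run, the source address and the input interface are both chosen by the operator, so a source that does not route back through the selected interface fails this check regardless of the ACLs.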