Need help making site available externally

Posted by White Island on Server Fault See other posts from Server Fault or by White Island
Published on 2012-07-06T12:17:36Z Indexed on 2012/07/10 3:17 UTC
Read the original article Hit count: 406

I'm trying to open a hole in the firewall (ASA 5505, v8.2) to allow external access to a Web application. Via ASDM (6.3?), I've added the server as a Public Server, which creates a static NAT entry [I'm using the public IP that is assigned to 'dynamic NAT--outgoing' for the LAN, after confirming on the Cisco forums that it wouldn't bring everyone's access crashing down] and an incoming rule "any... public_ip... https... allow" but traffic is still not getting through. When I look at the log viewer, it says it's denied by access-group outside_access_in, implicit rule, which is "any any ip deny"

I haven't had much experience with Cisco management. I can't see what I'm missing to allow this connection through, and I'm wondering if there's anything else special I have to add. I tried adding a rule (several variations) within that access-group to allow https to the server, but it never made a difference. Maybe I haven't found the right combination? :P

I also made sure the Windows firewall is open on port 443, although I'm pretty sure the current problem is Cisco, because of the logs. :)

Any ideas? If you need more information, please let me know.

Thanks

Edit: First of all, I had this backward. (Sorry) Traffic is being blocked by access-group "inside_access_out" which is what confused me in the first place. I guess I confused myself again in the midst of typing the question.

Here, I believe, is the pertinent information. Please let me know what you see wrong.

access-list acl_in extended permit tcp any host PUBLIC_IP eq https  
access-list acl_in extended permit icmp CS_WAN_IPs 255.255.255.240 any  
access-list acl_in remark Allow Vendor connections to LAN  
access-list acl_in extended permit tcp host Vendor any object-group RemoteDesktop  
access-list acl_in remark NetworkScanner scan-to-email incoming (from smtp.mail.microsoftonline.com to PCs)  
access-list acl_in extended permit object-group TCPUDP any object-group Scan-to-email host NetworkScanner object-group Scan-to-email  
access-list acl_out extended permit icmp any any  
access-list acl_out extended permit tcp any any  
access-list acl_out extended permit udp any any  
access-list SSLVPNSplitTunnel standard permit LAN_Subnet 255.255.255.0  
access-list nonat extended permit ip VPN_Subnet 255.255.255.0 LAN_Subnet 255.255.255.0  
access-list nonat extended permit ip LAN_Subnet 255.255.255.0 VPN_Subnet 255.255.255.0  
access-list inside_access_out remark NetworkScanner Scan-to-email outgoing (from scanner to Internet)  
access-list inside_access_out extended permit object-group TCPUDP host NetworkScanner object-group Scan-to-email any object-group Scan-to-email  
access-list inside_access_out extended permit tcp any interface outside eq https

static (inside,outside) PUBLIC_IP LOCAL_IP[server object] netmask 255.255.255.255

I wasn't sure if I needed to reverse that "static" entry, since I got my question mixed up... and also with that last access-list entry, I tried interface inside and outside - neither proved successful... and I wasn't sure about whether it should be www, since the site is running on https. I assumed it should only be https.

© Server Fault or respective owner

Related posts about firewall

Related posts about configuration