Need help making site available externally
- by White Island
I'm trying to open a hole in the firewall (ASA 5505, v8.2) to allow external access to a Web application. Via ASDM (6.3?), I've added the server as a Public Server, which creates a static NAT entry [I'm using the public IP that is assigned to 'dynamic NAT--outgoing' for the LAN, after confirming on the Cisco forums that it wouldn't bring everyone's access crashing down] and an incoming rule "any... public_ip... https... allow" but traffic is still not getting through. When I look at the log viewer, it says it's denied by access-group outside_access_in, implicit rule, which is "any any ip deny"
I haven't had much experience with Cisco management. I can't see what I'm missing to allow this connection through, and I'm wondering if there's anything else special I have to add. I tried adding a rule (several variations) within that access-group to allow https to the server, but it never made a difference. Maybe I haven't found the right combination? :P
I also made sure the Windows firewall is open on port 443, although I'm pretty sure the current problem is Cisco, because of the logs. :)
Any ideas? If you need more information, please let me know.
Thanks
Edit:
First of all, I had this backward. (Sorry) Traffic is being blocked by access-group "inside_access_out" which is what confused me in the first place. I guess I confused myself again in the midst of typing the question.
Here, I believe, is the pertinent information. Please let me know what you see wrong.
access-list acl_in extended permit tcp any host PUBLIC_IP eq https
access-list acl_in extended permit icmp CS_WAN_IPs 255.255.255.240 any
access-list acl_in remark Allow Vendor connections to LAN
access-list acl_in extended permit tcp host Vendor any object-group RemoteDesktop
access-list acl_in remark NetworkScanner scan-to-email incoming (from smtp.mail.microsoftonline.com to PCs)
access-list acl_in extended permit object-group TCPUDP any object-group Scan-to-email host NetworkScanner object-group Scan-to-email
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any any
access-list acl_out extended permit udp any any
access-list SSLVPNSplitTunnel standard permit LAN_Subnet 255.255.255.0
access-list nonat extended permit ip VPN_Subnet 255.255.255.0 LAN_Subnet 255.255.255.0
access-list nonat extended permit ip LAN_Subnet 255.255.255.0 VPN_Subnet 255.255.255.0
access-list inside_access_out remark NetworkScanner Scan-to-email outgoing (from scanner to Internet)
access-list inside_access_out extended permit object-group TCPUDP host NetworkScanner object-group Scan-to-email any object-group Scan-to-email
access-list inside_access_out extended permit tcp any interface outside eq https
static (inside,outside) PUBLIC_IP LOCAL_IP[server object] netmask 255.255.255.255
I wasn't sure if I needed to reverse that "static" entry, since I got my question mixed up... and also with that last access-list entry, I tried interface inside and outside - neither proved successful... and I wasn't sure about whether it should be www, since the site is running on https. I assumed it should only be https.
