ASA 5510 internal traffic dropped

Discussion in 'Cisco' started by The Stig, Mar 1, 2012.

    I am trying to create a pretty basic two-interface setup (inside and outside, or as I have labeled them in my config, LAN and WAN). I have a web server on 192.168.7.3 and can access it from an outside network just fine, but cannot access the page internally (like, say, on machine 192.168.7.4)! What gives? I am sure it is something basic. I appreciate any help. If you can't tell, I am new to ASAs and am just trying to figure this stuff out as I go along. The setup is pretty basic: Internet----ASA----Inside network (where the web server is and some other machines). No DMZ or any other routers.

    The packet tracer in ASDM says that everything is fine, but I can't connect internally to the web server. The logs show:

    19:34:07|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags ACK on interface LAN
    19:34:06|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags ACK on interface LAN
    19:34:06|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags SYN ACK on interface LAN
    19:34:05|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags ACK on interface LAN
    19:34:04|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags ACK on interface LAN
    19:34:04|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags SYN ACK on interface LAN
    19:34:03|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags SYN ACK on interface LAN

    Config file below:

    ASA Version 8.0(2)
    !
    hostname ciscoasa
    enable password xBWw8/XdalZA81PL encrypted
    names
    !
    interface Ethernet0/0
     nameif WAN
     security-level 0
     ip address 75.XX.XX.XX 255.255.255.248
    !
    interface Ethernet0/1
     nameif LAN
     security-level 100
     ip address 192.168.7.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    passwd 2KVQrbNIdI.2EYOU encrypted
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list PERMIT_IN extended permit tcp any host 75.XX.XX.XX eq www
    access-list PERMIT_IN extended permit tcp any interface WAN eq www
    access-list PERMIT_OUT extended permit ip 192.168.7.0 255.255.255.0 any
    access-list PERMIT_OUT extended permit ip host 192.168.7.3 any
    access-list PERMIT_OUT extended permit ip any host 192.168.7.3
    pager lines 24
    logging enable
    logging asdm informational
    mtu WAN 1500
    mtu LAN 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (WAN) 1 interface
    global (LAN) 1 interface
    nat (LAN) 0 192.168.7.0 192.168.7.50
    static (LAN,WAN) tcp interface www 192.168.7.3 www netmask 255.255.255.255
    access-group PERMIT_IN in interface WAN
    access-group PERMIT_OUT in interface LAN
    route WAN 0.0.0.0 0.0.0.0 75.XX.XX.XX 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 192.168.7.3 255.255.255.255 LAN
    ssh timeout 5
    console timeout 0
    dhcpd dns 8.8.8.8
    !
    dhcpd address 192.168.7.50-192.168.7.150 LAN
    dhcpd enable LAN
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    : end
    The Stig, Mar 1, 2012
    #1
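As an added example (not the poster's or Cisco's code), a small Python parser for the ASDM log-viewer export format quoted in the post above: it groups the 106015 "Deny TCP (no connection)" lines by flow and points out when the denied packets are the server's own SYN/ACK replies, which means the ASA saw the reply on that interface without ever seeing the client's SYN. The sample lines are constructed from the ones in the post; the 302013 line is only there to show a non-106015 message being skipped.

```python
"""Parse ASDM log-viewer export lines (time|msgid|src|dst|message) like the ones
in the post and summarise ASA 106015 "Deny TCP (no connection)" events per flow.
Added example, not Cisco/ASDM code; the sample lines below are constructed."""
import re
from collections import defaultdict

# Constructed sample in the post's pipe-delimited layout (time|id|src|dst|text).
SAMPLE_LOG = """\
19:34:07|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags ACK on interface LAN
19:34:06|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags SYN ACK on interface LAN
19:34:06|302013|192.168.7.4|8.8.8.8|Built outbound TCP connection 12 for WAN:8.8.8.8/443 to LAN:192.168.7.4/63750
19:34:03|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags SYN ACK on interface LAN
"""

NO_CONN = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

def parse_line(line):
    """Return a dict for a 106015 line; None for blank lines or other message IDs."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5 or parts[1] != "106015":
        return None
    m = NO_CONN.search(parts[4])
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = parts[0]
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["flags"] = frozenset(ev["flags"].split())
    return ev

def summarize(text):
    """Group 106015 events by (src, sport, dst, dport, iface); count them and union the flags."""
    flows = defaultdict(lambda: {"count": 0, "flags": set()})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            key = (ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["iface"])
            flows[key]["count"] += 1
            flows[key]["flags"] |= ev["flags"]
    return dict(flows)

def explain(flows):
    """Flag flows whose denied packets carry SYN+ACK from the server: the ASA saw the
    reply on that interface without having seen the client's SYN, i.e. the two
    directions of the connection did not both pass through the firewall."""
    return [f"{s}:{sp} -> {d}:{dp} on {i}: {v['count']} reply packets with no matching connection"
            for (s, sp, d, dp, i), v in flows.items() if {"SYN", "ACK"} <= v["flags"]]
```

Feed it a real ASDM export and the flows it reports are the ones to trace on both sides of the firewall; a SYN/ACK with no connection always means the forward packet took a different path than the reply.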