I am trying to create a pretty basic two interface setup (inside and outside, or as I have labeled them in my config LAN and WAN). I have a web server on 192.168.7.3 and can access it from an outside network just fine, but cannot access the page internally (like say on machine 192.168.7.4)! What gives? I am sure it is something basic. I appreciate any help. If you can't tell, I am new to ASAs and am just trying to figure this stuff out as I go along.

The setup is pretty basic, Internet----ASA----Inside network (where the web server is and some other machines). No DMZ or any other routers. The packet tracer in ASDM says that everything is fine but I can't connect internally to the web server.

The logs show

19:34:07|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags ACK on interface LAN
19:34:06|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags ACK on interface LAN
19:34:06|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags SYN ACK on interface LAN
19:34:05|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags ACK on interface LAN
19:34:04|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags ACK on interface LAN
19:34:04|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags SYN ACK on interface LAN
19:34:03|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from 192.168.7.3/80 to 192.168.7.4/63746 flags SYN ACK on interface LAN

Config file below:

ASA Version 8.0(2)
!
hostname ciscoasa
enable password xBWw8/XdalZA81PL encrypted
names
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 75.XX.XX.XX 255.255.255.248
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KVQrbNIdI.2EYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list PERMIT_IN extended permit tcp any host 75.XX.XX.XX eq www
access-list PERMIT_IN extended permit tcp any interface WAN eq www
access-list PERMIT_OUT extended permit ip 192.168.7.0 255.255.255.0 any
access-list PERMIT_OUT extended permit ip host 192.168.7.3 any
access-list PERMIT_OUT extended permit ip any host 192.168.7.3
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
global (LAN) 1 interface
nat (LAN) 0 192.168.7.0 192.168.7.50
static (LAN,WAN) tcp interface www 192.168.7.3 www netmask 255.255.255.255
access-group PERMIT_IN in interface WAN
access-group PERMIT_OUT in interface LAN
route WAN 0.0.0.0 0.0.0.0 75.XX.XX.XX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.7.3 255.255.255.255 LAN
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.7.50-192.168.7.150 LAN
dhcpd enable LAN
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end
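
A triage sketch for the syslog 106015 rows in the post above, added here as an example and not part of the original post: it groups the denies by flow, counts the TCP flags seen, and checks whether both endpoints lie inside the subnet of the interface that logged them. The interface subnets and log rows are copied from the post; the function name `summarize` and the report fields are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Interface subnets copied from the posted config (nameif -> ip address / mask).
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.7.0/24"),
    "management": ipaddress.ip_network("192.168.1.0/24"),
}

# Text of syslog 106015 as it appears in the post's ASDM log rows.
MSG = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)"
)

# The seven rows from the post, rebuilt from their timestamps and flags.
ROW = ("{t}|106015|192.168.7.3|192.168.7.4|Deny TCP (no connection) from "
       "192.168.7.3/80 to 192.168.7.4/63746 flags {f} on interface LAN")
SAMPLE = [ROW.format(t=t, f=f) for t, f in [
    ("19:34:07", "ACK"), ("19:34:06", "ACK"), ("19:34:06", "SYN ACK"),
    ("19:34:05", "ACK"), ("19:34:04", "ACK"), ("19:34:04", "SYN ACK"),
    ("19:34:03", "SYN ACK")]]

def summarize(rows):
    """Group 106015 rows by flow; report flag counts and subnet membership."""
    flows = defaultdict(Counter)
    for row in rows:
        fields = row.split("|", 4)  # time | message id | src | dst | text
        if len(fields) != 5 or fields[1] != "106015":
            continue
        m = MSG.search(fields[4])
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["iface"])
            flows[key][m["flags"]] += 1
    report = []
    for (src, sport, dst, dport, iface), flags in flows.items():
        net = INTERFACES.get(iface)
        # True when both hosts share the segment of the interface that dropped the packet.
        same = net is not None and all(
            ipaddress.ip_address(a) in net for a in (src, dst))
        report.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                       "iface": iface, "flags": dict(flags), "same_subnet": same})
    return report

if __name__ == "__main__":
    for flow in summarize(SAMPLE):
        print(flow)
```

On the posted rows this yields a single flow, from the web server's port 80 back to the client, made up only of SYN ACK and ACK segments, with both addresses inside the LAN subnet.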