
Can't access web servers from outside

Status
Not open for further replies.

rswift

Technical User
Oct 14, 2002
55
US
New ASA5510. Config copied from existing PIX515e. Everything (to internet from inside, VPN to network from outside) works except accessing my web servers 150.176.6.139 and webmail 150.176.6.142 from outside. Works fine on old PIX but not new ASA5510. Thanks for assistance. ASA config below:

ASA Version 8.0(3)
!
hostname ASA-Turlington
domain-name dbs.doe.state.fl.us
enable password R1CfMW.FfhmyvwBL encrypted
names
name 150.176.6.142 owa-outside
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 150.176.6.130 255.255.255.240
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address @@.@@@.1.3 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address @@.@@@.4.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd nrPMAQ4xLrUoTJkI encrypted
banner motd Access to this device is limited to authorized persons only. All efforts to achieve access, whether direct or indirect, are subject to monitoring activities. Unauthorized access is prohibited and will be subject to incident reporting procedures including notification of local, state and federal authorities.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group network denysvrs
network-object host 12.158.139.10
network-object host 24.73.55.18
network-object host 24.103.112.18
network-object host 38.117.132.200
network-object host 61.240.131.191
network-object host 61.251.190.247
network-object host 63.175.146.12
network-object host 63.175.146.18
network-object host 63.175.146.19
network-object host 63.175.146.25
network-object host 63.175.146.42
network-object host 64.38.198.12
network-object host 64.38.198.15
network-object host 64.38.232.92
network-object host 64.38.232.95
network-object host 64.124.41.39
network-object host 64.152.64.69
network-object host 65.92.89.216
network-object host 66.84.242.55
network-object host 68.5.8.84
network-object host 68.97.116.232
network-object host 68.98.62.2
network-object host 68.102.79.211
network-object host 68.65.238.48
network-object host 68.81.141.205
network-object host 69.42.72.29
network-object host 69.63.161.233
network-object host 128.121.26.135
network-object host 128.121.26.136
network-object host 128.121.26.137
network-object host 128.242.104.137
network-object host 157.130.197.206
network-object host 200.139.104.3
network-object host 201.3.240.234
network-object host 202.104.237.157
network-object host 206.204.187.12
network-object host 208.239.76.98
network-object host 208.253.59.171
network-object host 208.253.59.172
network-object host 208.253.59.173
network-object host 208.253.59.174
network-object host 208.253.59.175
network-object host 208.253.59.176
network-object host 209.133.120.90
network-object host 211.158.15.58
network-object host 213.248.107.10
network-object host 213.248.112.35
network-object host 216.194.67.88
network-object host 218.16.121.18
network-object host 220.164.144.154
network-object host 221.5.251.149
network-object host 221.5.251.202
network-object host 221.143.42.168
network-object host 222.233.52.93
access-list FROM_INSIDE extended permit tcp host @@.@@@.1.89 host @@.@@@.4.139 range 8400 8403
access-list FROM_INSIDE extended permit udp host @@.@@@.1.89 host @@.@@@.4.139 range 8400 8403
access-list FROM_INSIDE extended deny ip any host 165.254.117.70
access-list FROM_INSIDE extended deny ip any host 206.220.43.92
access-list FROM_INSIDE extended deny ip any host 63.80.215.233
access-list FROM_INSIDE extended permit icmp any any
access-list FROM_INSIDE extended deny udp any any eq netbios-ns
access-list FROM_INSIDE extended deny udp any any eq netbios-dgm
access-list FROM_INSIDE extended deny udp any any eq 15118
access-list FROM_INSIDE extended deny udp any any eq 445
access-list FROM_INSIDE remark *** Permit Any ***
access-list FROM_INSIDE extended permit ip @@.@@@.1.0 255.255.255.0 any
access-list FROM_INSIDE remark *** End of ACL ***
access-list FROM_INSIDE extended permit ip @@.0.0.0 255.0.0.0 any
access-list nat extended permit ip @@.@@@.1.0 255.255.255.0 any
access-list nat extended permit ip @@.0.0.0 255.0.0.0 any
access-list nonat extended permit ip @@.@@@.1.0 255.255.255.0 @@.0.0.0 255.0.0.0
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 @@.0.0.0 255.0.0.0
access-list nonat extended permit ip @@.0.0.0 255.0.0.0 172.17.2.0 255.255.255.0
access-list crypto extended permit ip @@.@@@.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list crypto extended permit ip @@.@@@.1.0 255.255.255.0 @@.0.0.0 255.0.0.0
access-list no-nat-dmz extended permit ip @@.@@@.4.0 255.255.255.0 @@.@@@.1.0 255.255.255.0
access-list from-dmz remark ACL to Allow DMZ server Internal Network Resources
access-list from-dmz line 26 deny ip @@.@@@.4.0 2
access-list from-dmz extended permit ip host @@.@@@.4.138 host @@.@@@.1.86
access-list from-dmz extended permit icmp any any
access-list from-dmz extended permit tcp any host @@.@@@.4.139 eq www
access-list from-dmz extended permit ip host @@.@@@.4.139 host @@.@@@.1.89
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.89 range 8400 8403
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.89 range 8600 8620
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.89 range 8600 8620
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.89 range 8400 8403
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.187 eq 3389
access-list from-dmz extended permit ip host @@.@@@.4.138 host @@.@@@.1.61
access-list from-dmz extended permit ip host @@.@@@.4.138 host @@.@@@.1.60
access-list from-dmz extended permit tcp any host @@.@@@.4.138 eq www
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.76 eq 138
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.76 eq 137
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.76 eq 139
access-list from-dmz extended permit ip host @@.@@@.4.138 host @@.@@@.1.76
access-list from-dmz extended permit ip host @@.@@@.4.139 host @@.@@@.1.76
access-list from-dmz extended permit udp host @@.@@@.4.138 host @@.@@@.1.61 eq 1435
access-list from-dmz extended permit udp host @@.@@@.4.138 host @@.@@@.1.61 eq 1434
access-list from-dmz extended permit udp host @@.@@@.4.138 host @@.@@@.1.61 eq 1433
access-list from-dmz extended permit udp host @@.@@@.4.136 host @@.@@@.1.61 eq 1433
access-list from-dmz extended permit udp host @@.@@@.4.136 host @@.@@@.1.61 eq 1434
access-list from-dmz extended permit udp host @@.@@@.4.136 host @@.@@@.1.61 eq 1435
access-list from-dmz extended permit tcp host @@.@@@.4.138 host @@.@@@.1.187 eq 3389
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.61 eq 1435
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.61 eq 1434
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.61 eq 1433
access-list from-dmz extended permit ip host @@.@@@.4.136 host @@.@@@.1.71
access-list from-dmz extended permit ip host @@.@@@.4.136 host @@.@@@.1.72
access-list from-dmz extended permit tcp host @@.@@@.4.136 host @@.@@@.1.187 eq 3389
access-list from-dmz extended permit tcp any host @@.@@@.4.136 eq www
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.61 eq 1435
access-list from-dmz extended permit tcp any host @@.@@@.4.137 eq www
access-list from-dmz extended permit tcp host @@.@@@.4.137 host @@.@@@.1.187 eq 3389
access-list from-dmz extended permit ip host @@.@@@.4.137 host @@.@@@.1.72
access-list from-dmz extended permit ip host @@.@@@.4.137 host @@.@@@.1.71
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.61 eq 1434
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.61 eq 1433
access-list from-dmz extended permit ip host @@.@@@.4.136 host @@.@@@.1.60
access-list from-dmz extended permit ip host @@.@@@.4.139 host @@.@@@.1.60
access-list from-dmz extended permit ip host @@.@@@.4.136 host @@.@@@.1.61
access-list from-dmz extended permit ip host @@.@@@.4.139 host @@.@@@.1.61
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.60 eq 1433
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.60 eq 1434
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.60 eq 1435
access-list from-dmz extended permit tcp host @@.@@@.4.139 host @@.@@@.1.60
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.60
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.60 eq 1433
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.60 eq 1434
access-list from-dmz extended permit udp host @@.@@@.4.139 host @@.@@@.1.60 eq 1435
access-list from-dmz extended permit ip host @@.@@@.4.134 host @@.@@@.1.71
access-list from-dmz extended permit tcp host @@.@@@.4.134 host @@.@@@.1.9 eq smtp
access-list from-dmz extended permit ip host @@.@@@.4.134 host @@.@@@.1.72
access-list from-dmz extended permit ip host @@.@@@.4.139 host @@.@@@.1.72
access-list from-dmz extended permit ip host @@.@@@.4.139 host @@.@@@.1.71
access-list from-dmz extended permit ip host @@.@@@.4.138 host @@.@@@.1.71
access-list from-dmz extended deny tcp any any eq 5900
access-list from-dmz extended deny ip @@.@@@.4.0 255.255.255.0 @@.@@@.1.0 255.255.255.0
access-list from-dmz extended permit ip any any
access-list FROM_OUTSIDE remark *** ACL FOR OUTSIDE INT ***
access-list FROM_OUTSIDE remark *** Bogon address blocking ***
access-list FROM_OUTSIDE remark *** ICMP Filtering ***
access-list FROM_OUTSIDE extended permit icmp any any
access-list FROM_OUTSIDE remark deny icmp any any
access-list FROM_OUTSIDE extended deny tcp any any eq 5900
access-list FROM_OUTSIDE remark deny icmp any any
access-list FROM_OUTSIDE remark *** Permit Core-specific app-requests ***
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.131 eq www
access-list FROM_OUTSIDE extended permit tcp any eq pptp any
access-list FROM_OUTSIDE extended permit tcp host 199.44.72.2 host 150.176.6.133 eq lpd
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.131 eq https
access-list FROM_OUTSIDE extended permit tcp 208.65.144.0 255.255.248.0 host 150.176.6.132 eq smtp
access-list FROM_OUTSIDE extended permit tcp host 209.53.156.1 host 150.176.6.136 eq 722
access-list FROM_OUTSIDE extended permit tcp host 209.53.156.1 host 150.176.6.136 eq ssh
access-list FROM_OUTSIDE remark * removed * permit tcp any host 150.176.6.132 eq smtp
access-list FROM_OUTSIDE extended permit tcp any host owa-outside eq www
access-list FROM_OUTSIDE extended permit tcp any host owa-outside eq https
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.136 eq https
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.139 eq https
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.139 eq www
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.139 eq ftp-data
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.134 eq www
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.134 eq 7260
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.139 eq ftp
access-list FROM_OUTSIDE extended permit tcp any host 150.176.6.130 eq ssh
access-list FROM_OUTSIDE remark *** END OF ACL ***
pager lines 24
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool ippool 172.17.2.1-172.17.2.254
no failover
icmp permit @@.@@@.1.0 255.255.255.0 inside
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 @@.0.0.0 255.0.0.0
nat (dmz) 0 access-list no-nat-dmz
static (inside,outside) 150.176.6.131 @@.@@@.1.8 netmask 255.255.255.255
static (inside,outside) 150.176.6.132 @@.@@@.1.9 netmask 255.255.255.255
static (inside,outside) 150.176.6.133 @@.@@@.1.20 netmask 255.255.255.255
static (inside,dmz) @@.@@@.1.0 @@.@@@.1.0 netmask 255.255.255.0
static (dmz,outside) 150.176.6.139 @@.@@@.4.139 netmask 255.255.255.255
static (dmz,outside) 150.176.6.140 @@.@@@.4.140 netmask 255.255.255.255
static (inside,outside) owa-outside @@.@@@.1.86 netmask 255.255.255.255
static (inside,dmz) @@.@@@.1.0 @@.@@@.1.0 netmask 255.255.255.255
static (inside,outside) 150.176.6.136 @@.@@@.1.69 netmask 255.255.255.255
static (dmz,outside) 150.176.6.134 @@.@@@.4.134 netmask 255.255.255.255
access-group FROM_OUTSIDE in interface outside
access-group FROM_INSIDE in interface inside
access-group from-dmz in interface dmz
access-group FROM_INSIDE in interface management
route outside 0.0.0.0 0.0.0.0 150.176.6.129 1
route outside 10.10.0.0 255.255.0.0 150.176.6.129 1
route inside 10.1.14.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.8.10.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.18.24.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.18.25.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.26.10.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.34.7.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.42.24.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.50.55.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.50.56.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.50.57.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.58.15.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.66.52.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.66.53.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.66.54.0 255.255.255.0 @@.@@@.1.2 1
route inside 10.66.55.0 255.255.255.0 @@.@@@.1.2 1
route inside @@.@@@.2.0 255.255.255.0 @@.@@@.1.2 1
route inside @@.@@@.3.0 255.255.255.0 @@.@@@.1.2 1
timeout xlate 6:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy 3000client internal
group-policy 3000client attributes
wins-server value @@.@@@.1.71 @@.@@@.1.72
dns-server value @@.@@@.1.71 @@.@@@.1.72
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
default-domain value fldbs.net
webvpn
username ron.swift password kW/dcZXbaRiCmB77 encrypted privilege 15
http server enable
http @@.@@@.1.0 255.255.255.0 inside
http @@.@@@.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map clientmap 2 set pfs
crypto map clientmap 2 set peer 150.176.8.253
crypto map clientmap 2 set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap interface outside
isakmp identity address
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp ipsec-over-tcp port 10000
tunnel-group 150.176.8.253 type ipsec-l2l
tunnel-group 150.176.8.253 ipsec-attributes
pre-shared-key *
tunnel-group 3000client type ipsec-ra
tunnel-group 3000client general-attributes
address-pool ippool
default-group-policy 3000client
tunnel-group 3000client ipsec-attributes
pre-shared-key *
telnet @@.@@@.1.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect pptp
!
service-policy global_policy global
Cryptochecksum:81605360d2ac231593b52bdfc7c9de80
: end
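The cross-check a practitioner would run on a config like the one above, added here as an example and not code from the original post or from Cisco: it parses the pre-8.3 `static (real,mapped) GLOBAL LOCAL netmask ...` and `access-list NAME extended permit|deny tcp|udp ...` syntax the post uses, resolves `name` aliases, honours first-match ACL order (a permit sitting below a broader deny is reported as shadowed rather than as reachable), and then lists, for the interface named in `access-group ... in interface`, which public addresses are reachable on which ports, statics nothing permits, permits nothing translates, and management services (`ssh`, `telnet`, `http`) opened from 0.0.0.0/0. The sample config is constructed, using RFC 5737 documentation addresses (203.0.113.0/24) and 10.0.x.x in place of the real ones; it is not the poster's config.

```python
"""Cross-check pre-8.3 Cisco ASA static NAT against the inbound ACL.

Added example, not code from the original post. Handles only the subset
of the config grammar needed for this check (name, nameif/ip address,
static, access-list ... extended with tcp/udp and 'host'/'any'
destinations, access-group, ssh/telnet/http). Everything else is skipped.
"""
import re
from collections import defaultdict

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
MGMT_RE = re.compile(r"^(ssh|telnet|http)\s+(\S+)\s+(\S+)\s+(\S+)$")
ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<src>any|host \S+|\S+ \S+)\s+"
    r"(?P<dst>any|host \S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

# Constructed sample config (RFC 5737 addresses), not the poster's config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.130 255.255.255.240
name 203.0.113.142 owa-outside
access-list FROM_OUTSIDE extended permit icmp any any
access-list FROM_OUTSIDE extended deny tcp any any eq 5900
access-list FROM_OUTSIDE extended permit tcp any host 203.0.113.139 eq www
access-list FROM_OUTSIDE extended permit tcp any host 203.0.113.139 eq https
access-list FROM_OUTSIDE extended permit tcp any host owa-outside eq https
access-list FROM_OUTSIDE extended permit tcp any host 203.0.113.134 eq 5900
access-list FROM_OUTSIDE extended permit tcp any host 203.0.113.136 eq https
access-list FROM_OUTSIDE extended permit tcp any host 203.0.113.130 eq ssh
static (dmz,outside) 203.0.113.139 10.0.4.139 netmask 255.255.255.255
static (dmz,outside) 203.0.113.140 10.0.4.140 netmask 255.255.255.255
static (inside,outside) owa-outside 10.0.1.86 netmask 255.255.255.255
static (dmz,outside) 203.0.113.134 10.0.4.134 netmask 255.255.255.255
access-group FROM_OUTSIDE in interface outside
ssh 0.0.0.0 0.0.0.0 outside
"""


def parse(config):
    """Single pass over the config; returns the pieces the audit needs."""
    names, ifaddr, statics, groups, mgmt = {}, {}, [], {}, []
    acls, cur_if = defaultdict(list), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m[2]] = m[1]                       # alias -> address
        elif m := NAMEIF_RE.match(line):
            cur_if = m[1]                            # interface block we are in
        elif m := IPADDR_RE.match(line):
            ifaddr[cur_if] = m[1]                    # the firewall's own address
        elif m := STATIC_RE.match(line):
            statics.append({"real_if": m[1], "mapped_if": m[2], "global": m[3], "local": m[4]})
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]                      # interface -> ACL bound inbound
        elif m := MGMT_RE.match(line):
            mgmt.append(m.groups())                  # (service, net, mask, interface)
        elif m := ACL_RE.match(line):
            e = m.groupdict()
            e["dst"] = "any" if e["dst"] == "any" else e["dst"].split()[1]
            acls[e["acl"]].append(e)                 # keep ACL order: first match wins
    return names, ifaddr, statics, groups, mgmt, acls


def audit(config, interface="outside"):
    """Report exposure and NAT/ACL mismatches for one mapped interface."""
    names, ifaddr, statics, groups, mgmt, acls = parse(config)

    def resolve(tok):
        return names.get(tok, tok)

    entries = acls.get(groups.get(interface), [])
    translated = {resolve(s["global"]): s for s in statics if s["mapped_if"] == interface}
    exposed, shadowed = defaultdict(set), []
    for i, e in enumerate(entries):
        if e["action"] != "permit" or e["dst"] == "any":
            continue
        host, svc = resolve(e["dst"]), f'{e["proto"]}/{e["port"] or "any"}'
        # First-match semantics: an earlier deny that covers this dst/port wins.
        if any(d["action"] == "deny" and d["proto"] == e["proto"]
               and resolve(d["dst"]) in ("any", host)
               and d["port"] in (None, e["port"]) for d in entries[:i]):
            shadowed.append((host, svc))
            continue
        exposed[host].add(svc)
    own = ifaddr.get(interface)                      # permits to the ASA itself need no static
    return {
        "exposed": {h: sorted(p) for h, p in exposed.items()},
        "static_without_permit": sorted(g for g in translated if g not in exposed),
        "permit_without_static": sorted(h for h in exposed if h not in translated and h != own),
        "shadowed": shadowed,
        "open_mgmt": sorted(f"{svc} from any on {ifc}" for svc, net, mask, ifc in mgmt
                            if ifc == interface and net == mask == "0.0.0.0"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```

On the sample, 203.0.113.139 and owa-outside come out translated and permitted, 203.0.113.140 is translated but nothing permits it, the permit for 203.0.113.136 has no static behind it, the 5900 permit is shadowed by the earlier deny, and `ssh 0.0.0.0 0.0.0.0 outside` is flagged. Fed the posted config, the same script shows a static and matching permits for both 150.176.6.139 and owa-outside, which agrees with the replies that the problem is on the servers rather than in the NAT or ACL; it would also list 150.176.6.140 as translated without a permit and flag the SSH line.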
 
I would double check your servers. I'm pretty sure they are up :)


For future record, you may want to scrub your config before posting on the internet. By scrub I mean remove public IPs either by replacing with a private range or just replacing the first 3 octets by xxx.xxx.xxx.

Check your IIS config. The generic under construction page is showing.