I have set up a web server on a separate VLAN and configured an object for the web server to allow TCP port 80 communication; the access list and access group are also set up. But I can't reach the server from outside.
I have been googling and looking at answers here, but none of them have allowed me to access the server.
I have checked that the web server is up and running, and that it's reachable from inside the network using its IP.
Here's the relevant parts of the config:
!
interface Vlan1
nameif outside
security-level 0
ip address dhcp
!
interface Vlan2
nameif inside
security-level 100
ip address 10.5.1.1 255.255.255.0
!
interface Vlan3
no forward interface Vlan2
nameif dmz
security-level 50
ip address 10.4.1.1 255.255.255.0
!
dns server-group DefaultDNS
domain-name mastermind.local
object network dev-server-internal
host 10.4.1.2
object network inside-net
subnet 0.0.0.0 0.0.0.0
object network dev-server-external
host 10.4.1.2
access-list outside_access_in extended permit tcp any host 10.4.1.2 eq www
!
object network dev-server-internal
nat (inside,dmz) dynamic interface
object network inside-net
nat (inside,outside) dynamic interface
object network dev-server-external
nat (dmz,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.15.166.1 1
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 10.5.1.2-10.5.1.32 inside
dhcpd enable inside
!
dhcpd address 10.4.1.2-10.4.1.2 dmz
dhcpd enable dmz
!
So the idea is that the VLAN "inside" is used for regular users and VLAN "dmz" is for the web server. There will only be one server connected to VLAN "dmz", which is why I have only allowed DHCP for one address.
I added the object "dev-server-internal" to allow users from inside to access the web server directly using its IP (10.4.1.2).
So what can I do to be able to access the web server from the outside?
Here's what show nat gives me after trying to reach the web server from the outside:
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dev-server-external interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source dynamic dev-server-internal interface
translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic inside-net interface
translate_hits = 1160, untranslate_hits = 149
EDIT: Output from packet-tracer input outside tcp 1.2.3.4 2501 10.4.1.2 80:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.4.1.0 255.255.255.0 dmz
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
nat (dmz,outside) static interface service tcp www www
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
EDIT 2: Relevant parts from show interface vlan1:
Interface Vlan1 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 0007.7dab.c007, MTU 1500
IP address 94.254.4.141, subnet mask 255.255.254.0
Output from show route:
Gateway of last resort is 10.15.166.1 to network 0.0.0.0
C 10.5.1.0 255.255.255.0 is directly connected, inside
C 10.4.1.0 255.255.255.0 is directly connected, dmz
C 94.254.4.0 255.255.254.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.15.166.1, outside
Output from packet-tracer input outside tcp 1.2.3.4 2501 94.254.4.141 80:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dev-server-external
nat (dmz,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface dmz
Untranslate 94.254.4.141/80 to 10.4.1.2/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network dev-server-external
nat (dmz,outside) static interface service tcp www www
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 356329, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
Best Answer
Putting this in an answer to make it easier to format. This command may be posing a problem:
I would go ahead and get rid of this entry and identity nat your inside network over to the DMZ like so:
Also, instead of using a static route, do this under vlan 1 to have DHCP renew and automatically set your default route from DHCP:
Now try a packet capture on your outside interface. Add the ACL in config mode and the capture command in normal exec mode:
Then, after you try to hit your website from the internet, do a show capture to see if any packets made it to your firewall.
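The commands the answer refers to are not reproduced on this page. As an added illustration (my own example, not the answerer's commands), here is how the three steps it describes could look in ASA 8.3+ syntax using the addresses from the question. The object name inside-subnet, the ACL name cap-web and the capture name cap-out are made up, and the example assumes the entry the answer wants removed is the dynamic inside-to-dmz rule on dev-server-internal, which is the only inside-to-dmz NAT in the posted config.

```cisco
! Added example, not the answer's own commands. Assumption: the entry to
! remove is the dynamic inside->dmz rule on dev-server-internal (the only
! inside-to-dmz NAT in the posted config).

! 1. Remove the dynamic inside->dmz rule on the server object.
object network dev-server-internal
 no nat (inside,dmz) dynamic interface
!
! 2. Identity NAT for the inside subnet toward the DMZ, so inside hosts keep
!    their real 10.5.1.x source address when they reach 10.4.1.2 directly.
!    (Twice NAT, so it is evaluated in Section 1 before the object NAT rules.)
object network inside-subnet
 subnet 10.5.1.0 255.255.255.0
nat (inside,dmz) source static inside-subnet inside-subnet
!
! 3. Let DHCP on the outside interface install the default route instead of
!    the static route from the question.
no route outside 0.0.0.0 0.0.0.0 10.15.166.1 1
interface Vlan1
 ip address dhcp setroute
!
! 4. Capture on the outside interface, limited to the web flow. Packets on
!    the outside interface are seen before un-NAT, so match the public address
!    shown by "show interface vlan1" (94.254.4.141), not the server's 10.4.1.2.
!    The ACL is entered in configuration mode; "capture" and "show capture"
!    are privileged EXEC commands.
access-list cap-web extended permit tcp any host 94.254.4.141 eq www
access-list cap-web extended permit tcp host 94.254.4.141 eq www any
capture cap-out interface outside access-list cap-web
!
! After an outside client has tried to reach the site:
!   show capture cap-out
! and when finished:
!   no capture cap-out
```

If the capture shows the SYN arriving from the internet but no SYN/ACK leaving, the problem is on the firewall or DMZ side (NAT, the server's default gateway, or the server itself); if no packets show up at all, the traffic never reaches the outside interface and the upstream router or ISP path is the place to look next. The second packet-tracer output in the question, run against the public address, already shows the un-NAT and ACL phases passing, which is consistent with the first test having failed only because it targeted the private address from the outside.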