Cisco ASA 5505 - Why is port 80 not open?

Can anyone see/understand why port 80 is not open, based on this running config from my ASA 5505?

I have tried quite a lot now, and in the end I have opened a whole lot in the access rules list, but there must be SOMETHING I have missed here.

Thanks for any help

: Saved

:

ASA Version 8.2(4)

!

hostname cisco

domain-name fiolveien5

enable password ************** encrypted

passwd ************* encrypted

multicast-routing

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 5

!

interface Ethernet0/2

switchport access vlan 5

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan5

no nameif

security-level 50

ip address 172.30.1.1 255.255.255.0

!

boot system disk0:/asa824-k8.bin

boot system disk0:/asa832-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name fiolveien5

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.128

access-list outside_access_in extended permit tcp any any

access-list name extended permit icmp any interface outside

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit icmp any any source-quench

access-list 101 extended permit icmp any any unreachable

access-list 101 extended permit icmp any any time-exceeded

access-list 101 extended permit tcp any any

access-list 101 extended permit udp any any

access-list 101 extended permit ip any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any eq www

pager lines 24

logging enable

logging asdm warnings

logging ftp-bufferwrap

logging ftp-server 192.168.1.1 /users/ciscolog/ ciscolog *****

mtu inside 1500

mtu outside 1500

ip local pool pool 192.168.1.50-192.168.1.90 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,inside) tcp interface www 192.168.1.136 www netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group 101 in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http authentication-certificate inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.100-192.168.1.131 inside

dhcpd enable inside

!


threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

port 8888

enable inside

enable outside

tunnel-group-list enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 81.167.36.3 81.167.36.11

vpn-tunnel-protocol l2tp-ipsec

username root password Cij82w7c0i7LcGxa encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool pool

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication ms-chap-v2

authentication eap-proxy

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email [email protected]

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c6f06df78bd57ce01974544f6a991743

: end

asdm image disk0:/asdm-635.bin

no asdm history enable

Now, I am no expert on ASA, but I see a couple of things in the config that I question.

"static (inside,inside) tcp interface www 192.168.1.136 www netmask 255.255.255.255" should probably be (inside,outside). You have also opened port 80 in access-list inside_access_, but as I read your config it looks like it is access-list 101 that is applied on your WAN interface; that should not matter, though, since it looks like it is open for everything.

As I said, no expert on ASA, but maybe it can help get you on the right track?

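For completeness, the corrected fragment implied by the reply above, with the blanket inbound rule on the outside interface narrowed to the one published service and a packet-tracer check to confirm the translation is hit. This is an added example, not configuration from the thread; the outside address 198.51.100.1 and the test client 203.0.113.10 are placeholders.

```cisco
! ASA 8.2 syntax (the image booted in the posted config). Added example, not from the thread.
! Remove the mistaken static, which publishes 192.168.1.136 on the *inside* interface address.
no static (inside,inside) tcp interface www 192.168.1.136 www netmask 255.255.255.255
! Publish TCP/80 on the outside interface address (port forward via PAT) instead.
static (inside,outside) tcp interface www 192.168.1.136 www netmask 255.255.255.255
!
! Replace "access-list 101 ... permit ip any any" on the outside with only what is published.
! Return traffic for sessions started from inside needs no inbound rule; stateful inspection
! allows it, so the tcp/udp/ip any any lines in 101 were never required.
no access-group 101 in interface outside
access-list outside_in extended permit tcp any interface outside eq www
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any time-exceeded
access-group outside_in in interface outside
!
! Verify: simulate an internet client (placeholder 203.0.113.10) reaching the outside
! address (placeholder 198.51.100.1, the DHCP-assigned one on the real box) on port 80.
packet-tracer input outside tcp 203.0.113.10 12345 198.51.100.1 80
! Expected: the NAT phase reports the static above, the ACCESS-LIST phase matches outside_in,
! and the trace ends with "Action: allow". "show xlate" then lists the PAT for 192.168.1.136/80.
```

The boot list also names an 8.3 image; from ASA 8.3 onward the static/nat/global syntax was replaced by object NAT, so this fragment applies only while the 8.2 code is running.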

I almost don't dare answer this.

Of course I also had a long list of open ports that I removed from this running config, and http/80 was the only one with address inside, which is why it did not work while everything else worked.

Thanks to the one who pointed this out to me, but it is disappointing, since I know myself how much I have googled for this answer :)
