
ASA 8.2 Last Chance

ixholla69
Level 1

Older 8.2 ASA will not let us get HTTPS out to an intranet server. It sends other traffic just fine to private RFC1918 space; it just won't do it to a public IP that happens to be on the inside.

I've checked everything and tried everything. I'm getting hits on the ACLs that I've applied.

There's an ANY ANY already applied to the inside interface. I'm wondering if I can do an ANY ANY on the outside just to test and see if this traffic makes it through.

Also, what about dropping the SECURITY on the interface from 100 to 0? Would that open it up? I've never done this, so I'm not sure if there are going to be some ramifications on a live network.

Any help would be greatly appreciated.

3 Replies

Dennis Mink
VIP Alumni

I wouldn't do an ANY any on your outside (although it's possible, it permits all from external). Don't drop your security level on outside either.

Two things you need to do:

- allow port 443 from any on your outside interface to the internal IP address of the HTTPS server
- NAT destination outside (on the public IP address of the outside interface) from any on port 443 to the inside private IP address of the HTTPS server.

Have you got a working example of a port forward that is already working that you can copy?

Also run the packet tracer tool to verify ASA logic.

Please remember to rate useful posts, by clicking on the stars below.

The ASA is all Internal over Fiber; there's no "Internet" connection. It's INTRANET only, so it's secure.

I've done an ANY ANY and it doesn't seem to work.

I'm currently investigating lowering the security to 0 but have never done that. Technically, it should've never been a 100 in the first place; they were just being ridiculous.

 

As @Dennis Mink said, "run packet tracer tool".

Packet-tracer will show you what happens as the traffic flows through the ASA.

If packet-tracer reports it as OK, then run a packet capture. The capture will show you the traffic leaving the ASA and whether or not return traffic is coming from the destination server.
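Putting Dennis' two configuration steps and the packet-tracer/capture check from the reply above into one 8.2-syntax fragment, as an added example that is not from this thread. The interface names, the ACL name, the server address 203.0.113.5 (the public-range address sitting on the inside) and the test client 198.51.100.20 are assumptions.

```cisco
! Added example, not from the thread. Assumed topology: HTTPS server 203.0.113.5
! sits on "inside" (security 100); clients reach it through "outside" (security 0).
! Security levels stay as they are; an ACL plus a static translation is what opens
! the path, not an outside ANY ANY.

! 1. Permit TCP/443 inbound on the outside interface. On 8.2 (pre-8.3) an inbound
!    ACL matches the MAPPED address; with the identity static below, mapped = real.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq 443
access-group OUTSIDE_IN in interface outside

! 2. Identity static NAT: the public address is reachable unchanged from outside
!    and nat-control (if enabled) is satisfied without rewriting anything.
static (inside,outside) 203.0.113.5 203.0.113.5 netmask 255.255.255.255

! Port-forward variant (Dennis' second bullet) for a server on an RFC1918
! address, e.g. 10.10.10.5, published on the outside interface's own IP:
! static (inside,outside) tcp interface 443 10.10.10.5 443 netmask 255.255.255.255
! (the outside ACL would then permit "tcp any interface outside eq 443")

! 3. Ask the ASA what it would do with one client SYN; the output walks each
!    phase (ACL, NAT, flow creation) and ends with ALLOW or DROP plus the phase.
packet-tracer input outside tcp 198.51.100.20 40000 203.0.113.5 443

! 4. If packet-tracer says ALLOW but the browser still hangs, capture on both
!    interfaces: a SYN on the inside capture with no SYN/ACK back means the
!    server (or its return route) is the problem, not the ASA policy.
capture CAP_OUT interface outside match tcp any host 203.0.113.5 eq 443
capture CAP_IN  interface inside  match tcp any host 203.0.113.5 eq 443
show capture CAP_OUT
show capture CAP_IN

! ACL hit counters confirm the rule is actually being evaluated.
show access-list OUTSIDE_IN
```

Remove the captures afterwards with `no capture CAP_OUT` and `no capture CAP_IN` so they do not keep consuming buffer on a production unit.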
