topic problem at DMZ in Network Security

problem at DMZ

tulijulhas — Tue, 12 Mar 2019 07:04:30 GMT

hi expert.

i am new at cisco asa. i tried to resolve my lab but fail. please help. at DMZ has a web and dns server. public user not access my web server.

julhas

Hi Julhas,

Shivapramod M — Fri, 25 Dec 2015 01:48:28 GMT

Hi Julhas,

Have you configured a static NAT on the ASA to translate a public IP to the server or real IP.

object network obj-10.10.10.10
host <server IP>
nat (DMZ,outside) static <mapped IP>

Can you provide the configuration of the ASA?

You can also take the packet tracer on the ASA to check the flow of the packet on the ASA.

packet-tracer input outside tcp 8.8.8.8 12345 <server mapped IP> 80

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi Shivapramod M,

tulijulhas — Fri, 25 Dec 2015 07:50:35 GMT

Hi Shivapramod M,

As per my attached diagram, i have configured as below:

:
ASA Version 8.4(2)
!
hostname ciscoasa

!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.248
!
interface GigabitEthernet1
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.248
!
interface GigabitEthernet2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network dmzwebserver
host 10.10.10.3
object network mydmzdnsserver
host 10.10.10.2
access-list 100 extended permit tcp any host 10.10.10.2 eq domain
access-list 100 extended permit tcp any host 10.10.10.3 eq www
access-list 100 extended permit tcp any host 20.20.20.3 eq www
access-list 100 extended permit tcp any host 20.20.20.4 eq domain

!
object network dmzwebserver
nat (dmz,outside) static 20.20.20.3 dns
object network mydmzdnsserver
nat (dmz,outside) static 20.20.20.4 dns
access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 20.20.20.2 1

!
class-map myclass
match default-inspection-traffic
!
!
policy-map mypolicy
class myclass
inspect icmp
inspect http
inspect dns
!
service-policy mypolicy global

: end

........................................

is the issue between ISP dns and dmz dns?????

pls see the attachment.

julhas

Hi,

Akshay Rastogi — Fri, 25 Dec 2015 18:22:51 GMT

Hi,

Julhas,

Remove the last two access-list which are pointing to the public ip.

Also i could see that you are using 'tcp' for dns access-list instead of 'udp'. Please change that. I guess that is the reason that your users might not able to resolve the ip.

Also check 'nslookup' on from the host for the website which you are trying to access and see if you are able to the site name to ip.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Re: Hi Shivapramod M,

vedantratnnema201814016 — Mon, 17 May 2021 18:32:38 GMT

Can you share the .pkt file with me