topic Cannot access DMZ port 80 & 443 from INSIDE after configuring du in Network Security

Cannot access DMZ port 80 & 443 from INSIDE after configuring dual ISP

rgbatucan — Tue, 12 Mar 2019 00:00:44 GMT

Hello,

I add the below configuration in our ASA config so I can use the ISP2 to browse the internet using port 80 & 443 only.

route ISP1 0 0 1.1.1.2 // Default route pointing to ISP1

route ISP2 0 0 2.2.2.2 2 // Default route with Metric 2 via ISP2

static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80

static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443

sysopt noproxyarp inside

nat (inside) 1 0 0

global (ISP1) 1 interface

global (ISP2) 1 interface

The above config works well BUT I have some problem, the USERS cannot access anymore the application servers in DMZ using port 80 & 443. Could it be the static NAT? Or do I need to add a new ACL for ISP 2?

I appreciate any feedback. Thank you.

Cannot access DMZ port 80 & 443 from INSIDE after configuring du

Harish Balakrishnan — Fri, 28 Sep 2012 05:39:24 GMT

Hello

It will be definitely to play with NAT andf ACL.

If you have a seperate public IP address to NAT the DMZ server, then you can do following

static (inside,ISP2) tcp http http netmask 255.255.55.255

access-list outside_in extended permit tcp any host eq 80

access-group outside_in in interface outside

Now If you dont have seperate public IP and you do want to use ISP2 interface IP to forward the packet to inside then

static (inside,outside) tcp interface http http netmask 255.255.55.255

access-list outside_in extended permit tcp any interface outside eq 80

access-group outside_in in interface outside

do the same for port 443 as well

Please rate all helpful posts

Harish.

Re: Cannot access DMZ port 80 & 443 from INSIDE after configurin

Karsten Iwen — Fri, 28 Sep 2012 06:03:23 GMT

At least you need a translation-rule from the inside to the DMZ because you have a nat-statement on the inside interface. Have you tried to configure NAT-exemption for the insede->DMZ-traffic?

Sent from Cisco Technical Support iPad App

Cannot access DMZ port 80 & 443 from INSIDE after configuring du

rgbatucan — Fri, 28 Sep 2012 06:07:00 GMT

Hi Harish,

Thank you for your reply.

I don't have a separate public IP for the DMZ servers.

For your second recommendation, it didn't work. We have multiple servers with different IP's that needs http and https.

The static nat limits only to 1 server, but still didn't work.

Still trying to figure out here.

Restie

Cannot access DMZ port 80 & 443 from INSIDE after configuring du

Harish Balakrishnan — Fri, 28 Sep 2012 06:16:04 GMT

are your sevrs in DMZ or inside ? I was under imression that the servers are in inside, could you post the ASA configuration

Cannot access DMZ port 80 & 443 from INSIDE after configuring du

rgbatucan — Fri, 28 Sep 2012 06:38:01 GMT

all the servers are in DMZ. please see attched diagram in attachments.

I'm trying NAT exemption now as per Karsten.

Thank you Harish.

Cannot access DMZ port 80 & 443 from INSIDE after configuring du

Harish Balakrishnan — Fri, 28 Sep 2012 06:43:57 GMT

ok.. in that case that nat has to be constructed a sbelow

static (dmz,outside) tcp interface http http netmask 255.255.55.255

access-list outside_in extended permit tcp any interface outside eq 80

access-group outside_in in interface outside

but I think this is not possible if you have multiple servers with same service but possible with multiple servers with different service

for example 192.168.100.1 - FTP, 192.168.100.2 - SMTP etc...

Harish.

Cannot access DMZ port 80 & 443 from INSIDE after configuring du

rgbatucan — Tue, 02 Oct 2012 05:58:43 GMT

Hi Karsten,

Thank you for your reply. I added the below command.

access-list 110 permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list 110

But still i can't access the servers port 80 & 443.