topic Re: Need Help getting Outside network to talk to DMZ in Network Security

Need Help getting Outside network to talk to DMZ

tharris — Mon, 11 Mar 2019 14:55:12 GMT

I'm in the testing phase of setting up an ASA 5520 and I'm having some issues getting the Outside network to talk to the DMZ. I set up a test using a web server on 172.20.175.110 (SCADADEV01) and I thought I had it NATed correctly and had the right ACL but I cannot seemed to get to from the test computer 10.80.1.16. Can you give me a little help. Attached is the config file.

Re: Need Help getting Outside network to talk to DMZ

andrew.prince — Mon, 23 Feb 2009 15:18:49 GMT

Your NAT is incorrect, and your outside acl is incorrect.

I would configure something like - for testing:-

static (DMZ,outside) tcp interface www 172.20.175.110 www netmask 255.255.255.255

Then write the acl

access-list outside_access_in permit tcp any interface outside eq 80

HTH>

Re: Need Help getting Outside network to talk to DMZ

tharris — Mon, 23 Feb 2009 16:02:26 GMT

I simplified the config and tried your suggestion. But no joy. Attached is the modified config.

Re: Need Help getting Outside network to talk to DMZ

andrew.prince — Mon, 23 Feb 2009 16:09:47 GMT

OK - when you say it did not work, how did you test it?

What debugging did you have enabled?

Re: Need Help getting Outside network to talk to DMZ

tharris — Mon, 23 Feb 2009 16:39:28 GMT

I simply opened up a browser on the outside client computer (10.80.1.16) and typed in the url 172.20.175.110 and it timed out. Doing this same test from a computer on the inside network works fine. How do you suggest I debug this?

Re: Need Help getting Outside network to talk to DMZ

andrew.prince — Mon, 23 Feb 2009 16:44:51 GMT

OK - firstly,

You are typing the wrong IP address. You are natting on the firewall - so you will not be able to connect to the DMZ IP address, as this is not know on the outside.

Test again using the IP address "10.80.1.15"

Secondly - enable logging, then check the logs. You can also check to see if your access is being hit - show access-list. The you should check connectivity locally from a device in the DMZ.

HTH>

Re: Need Help getting Outside network to talk to DMZ

tharris — Mon, 23 Feb 2009 16:57:48 GMT

Yes, typing in 10.80.1.15 was successful from the outside client copmputer. I apologize for how green I am in doing this. Thanks for your patience. I will also follow your other suggestions. I think I can use the web example to fix the other connectivity problems I'm having. I appreciate the help.

Re: Need Help getting Outside network to talk to DMZ

tharris — Mon, 23 Feb 2009 16:59:38 GMT

Re: Need Help getting Outside network to talk to DMZ

andrew.prince — Mon, 23 Feb 2009 17:09:47 GMT

Should I ignore this post? As I think I have already answered it?

Re: Need Help getting Outside network to talk to DMZ

tharris — Mon, 23 Feb 2009 17:28:12 GMT

Yes. Ignor it. Not sure how it got sent.

Re: Need Help getting Outside network to talk to DMZ

andrew.prince — Mon, 23 Feb 2009 19:56:23 GMT

np - glad to help