https://community.cisco.com/t5/network-security/dmz-access/m-p/973741#M918305 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>thanks a lot, i will implement the config as you said n try to ping from outside.</P><P></P><P>Regards.</P></BODY></HTML> Tue, 17 Jun 2008 09:19:55 GMT dinesh.das 2008-06-17T09:19:55Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973734#M918278 <P>Hi,</P><P></P><P>I am not able to access DMZ from outside. Attached the running config of firewall.</P><P>I think it might be some routing issue, any suggestions. </P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 13:00:22 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973734#M918278 dinesh.das 2019-03-11T13:00:22Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973735#M918280 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Some questions:</P><P></P><P>- Did you try to ping from outside your host in DMZ?</P><P>- When you try to access to host in DMZ do you see log messages on firewall?</P><P>- Did you set up the defaul gateway on host in DMZ?</P><P></P><P>Best regards.</P><P>Massimiliano.</P></BODY></HTML> Tue, 17 Jun 2008 08:34:14 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973735#M918280 massimiliano.serafino 2008-06-17T08:34:14Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973736#M918284 <HTML><HEAD></HEAD><BODY><P>1. i am not able to ping from out side to DMZ nat ip.</P><P>2. no</P><P>3. Yes </P></BODY></HTML> Tue, 17 Jun 2008 08:49:52 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973736#M918284 dinesh.das 2008-06-17T08:49:52Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973737#M918288 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>- From outside did you ping the ip address of the firewall's interface outside?</P><P>- From host in DMZ did you have access to hosts in Internet?</P><P></P><P></P></BODY></HTML> Tue, 17 Jun 2008 08:58:50 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973737#M918288 massimiliano.serafino 2008-06-17T08:58:50Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973738#M918295 <HTML><HEAD></HEAD><BODY><P>First of all your access-list is wrong:</P><P></P><P>access-list DMZ1_access_in extended permit ip host 1.1.27.113 any</P><P>access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any</P><P></P><P>The 1.1.27.113 will never be seen on the DMZ side, it will only see the pre-nat local IP.</P><P></P><P>Secondly one of your static's is incorrect:</P><P></P><P>static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255</P><P></P><P>This should be 192.168.1.101 OR </P><P></P><P>static (DMZ1,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255</P><P></P><P>Thirdly, why have you put two default routes?</P><P></P><P>Regards</P><P></P></BODY></HTML> Tue, 17 Jun 2008 09:06:09 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973738#M918295 Farrukh Haroon 2008-06-17T09:06:09Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973739#M918300 <HTML><HEAD></HEAD><BODY><P>all global ip are responding from out side, except DMZ NAT IP.</P></BODY></HTML> Tue, 17 Jun 2008 09:09:24 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973739#M918300 dinesh.das 2008-06-17T09:09:24Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973740#M918302 <HTML><HEAD></HEAD><BODY><P>You mean this IP? 1.1.27..113</P><P></P><P>Try to add this in your DMZ ACL:</P><P></P><P>access-list DMZ1_access_in extended permit ip host 192.168.5.111 any</P><P></P><P>You can make it more secure after doing the initial testing.</P><P></P><P>Secondly fix your static as per my last post.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 17 Jun 2008 09:16:10 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973740#M918302 Farrukh Haroon 2008-06-17T09:16:10Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973741#M918305 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>thanks a lot, i will implement the config as you said n try to ping from outside.</P><P></P><P>Regards.</P></BODY></HTML> Tue, 17 Jun 2008 09:19:55 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973741#M918305 dinesh.das 2008-06-17T09:19:55Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973742#M918307 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Just do some logging and icmp debugging in ASA then post it here.</P><P>did u try a telnet to a server.</P><P></P><P>Regards</P><P></P></BODY></HTML> Tue, 17 Jun 2008 09:25:39 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973742#M918307 nomair_83 2008-06-17T09:25:39Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973743#M918308 <HTML><HEAD></HEAD><BODY><P>Omair the issue is with the ACL and the static.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 17 Jun 2008 09:30:23 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973743#M918308 Farrukh Haroon 2008-06-17T09:30:23Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973744#M918310 <HTML><HEAD></HEAD><BODY><P>Agreed but I hope that he changed the config.</P><P></P><P></P><P></P></BODY></HTML> Tue, 17 Jun 2008 09:51:02 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973744#M918310 nomair_83 2008-06-17T09:51:02Z https://community.cisco.com/t5/network-security/dmz-access/m-p/973745#M918315 <HTML><HEAD></HEAD><BODY><P>Thank you Farrukh, it is working now. I think the only problem was ACL_DMZ and that is what it was not comming out of the FW.</P></BODY></HTML> Wed, 18 Jun 2008 03:16:22 GMT https://community.cisco.com/t5/network-security/dmz-access/m-p/973745#M918315 dinesh.das 2008-06-18T03:16:22Z