topic Re: DMZ web server; traffic gets in, can't get out. in Network Security

DMZ web server; traffic gets in, can't get out.

shortnathan — Wed, 13 Mar 2019 00:51:09 GMT

Hi,

I have a webserver in the dmz which is accessible from the outside. However, I am unable to access interenet from the web server. Help!

Re: DMZ web server; traffic gets in, can't get out.

Alan Huseyin Kayahan — Fri, 14 Dec 2007 19:33:01 GMT

Hi Nathan

Add the following

nat (dmz) 101 0 0

Regards

Re: DMZ web server; traffic gets in, can't get out.

acomiskey — Fri, 14 Dec 2007 19:41:44 GMT

You shouldn't need that as it should go out as 12.xx.xx.88. Check that it is using the correct dns server as defined in object-group ISP_DNS.

Re: DMZ web server; traffic gets in, can't get out.

shortnathan — Fri, 14 Dec 2007 19:49:07 GMT

I've verified the 12.xx.xx.71 address for DNS. The webserver is pointing to it for its DNS. I see the connection in the log:

6 Dec 14 2007 12:42:10 302015 12.xx.xx.71 172.16.0.176 Built outbound UDP connection 140732 for outside:12.xx.xx.71/53 (12.xx.xx.71/53) to dmz:172.16.0.176/1044 (12.xx.xx.88/1044)

But it isn't working. It's definately a DNS problem, things are working by IP.

Re: DMZ web server; traffic gets in, can't get out.

Alan Huseyin Kayahan — Fri, 14 Dec 2007 20:07:57 GMT

Correct, I directly looked at NAT statements, missed the static.

Natan, what happens when you run nslookup in webserver and query a web site for example www.experts-exchange.com and can you ping 64.156.132.140 ?

Please post the output of nslookup

Re: DMZ web server; traffic gets in, can't get out.

shortnathan — Fri, 14 Dec 2007 20:12:23 GMT

nslookup returns invalid domain server. It looks like the traffic is going out to the domain server but maybe it's not getting nated correctly coming back?

I can resolve web sites directly by IP but I don't let ICMP through.

Re: DMZ web server; traffic gets in, can't get out.

Alan Huseyin Kayahan — Fri, 14 Dec 2007 20:20:51 GMT

do you have dns max length inspection in your config? Can you post the nslookup output when you query a web site? Assuming that your inside lan can correctly resolve DNS, try assigning the dns server of lan clients to DMZ

Re: DMZ web server; traffic gets in, can't get out.

oldcreek12 — Fri, 14 Dec 2007 20:26:37 GMT

Your "outside_access_in" ACL does not allow your ISP DNS in.

Re: DMZ web server; traffic gets in, can't get out.

acomiskey — Fri, 14 Dec 2007 20:39:42 GMT

It wouldn't have to as this is being initiated from the dmz.

Re: DMZ web server; traffic gets in, can't get out.

shortnathan — Fri, 14 Dec 2007 20:57:32 GMT

No max length inspection.

nslookup www.google.com > nslookup.txt

DNS request timed out.

timeout was 2 seconds.

Server: UnKnown

Address: 12.xx.xx.71

DNS request timed out.

timeout was 2 seconds.

DNS request timed out.

timeout was 2 seconds.

Try assigning dns server of lan clients to dmz, the interface address?

Re: DMZ web server; traffic gets in, can't get out.

shortnathan — Fri, 14 Dec 2007 20:58:17 GMT

I don't show it hitting the ACL in the log.

Re: DMZ web server; traffic gets in, can't get out.

Alan Huseyin Kayahan — Sat, 15 Dec 2007 13:55:16 GMT

"Try assigning dns server of lan clients to dmz, the interface address?"

Do your clients has the IP address of ASA interface as preferred DNS server? ASA can not be a DNS server and shouldnt be assigned as preferred DNS server.

Call your ISP and ask for DNS server addresses. Then assign these public DNS server addresses as preferred DNS server to your web server.

Re: DMZ web server; traffic gets in, can't get out.

shortnathan — Mon, 17 Dec 2007 18:12:29 GMT

I'm using the ISP provided public DNS server's on the webserver. There's an ACL set to allow this, but nothing seems to be hitting it.

Re: DMZ web server; traffic gets in, can't get out.

jfbeam — Tue, 18 Dec 2007 01:58:13 GMT

Interesting. Even if it's not showing up in the log, try adding a rule to allow dns replies to outside_access_in. Other than that, all I can think of is an oddball NAT issue. Try removing the static (dmz,inside) map.

Beyond that... grab a tap and a sniffer.

Re: DMZ web server; traffic gets in, can't get out.

Alan Huseyin Kayahan — Tue, 18 Dec 2007 10:44:44 GMT

Nathan,

Please post the output of following command

packet-tracer input DMZ udp 172.16.0.176 domain 12.xx.xx.71 domain detailed

Re: DMZ web server; traffic gets in, can't get out.

shortnathan — Wed, 19 Dec 2007 01:19:35 GMT

See attached.

Re: DMZ web server; traffic gets in, can't get out.

Alan Huseyin Kayahan — Wed, 19 Dec 2007 09:00:08 GMT

ASA allows the traffic, nothing is wrong.

Actually I doubt that 12.xx.xx.71 is a valid DNS server

12.xx.xx.90 is your interface IP and 12.xx.xx.71 is an IP that is in your range with 255.255.255.224 mask

I recommend you using another public DNS. For example

67.138.54.100

In TCP/IP properties of your server, set 67.138.54.100 as preferred DNS server. And in ASA, do the following modification

object-group network ISP_DNS

network-object host 67.138.54.100

Regards

Re: DMZ web server; traffic gets in, can't get out.

shortnathan — Wed, 19 Dec 2007 18:11:02 GMT

It's confusing because of the scrubbed config, the second and third octets of the DNS server are different from those of my /27. The DNS server has been verified working, our domain controllers are all using it from the inside interface.