DMZ's don't cooperate

jaredbarnes
Level 1

Hi all, I, like many others, am having trouble with a web server in a DMZ. I can't hit it from the public side and I can't hit the public side from the DMZ web server machine. My SMTP and HTTPS to a different machine work flawlessly. Could someone please provide some suggestions?

Thanks in advance for your help:

ASA Version 7.2(3)
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.2.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 111.222.333.444 255.255.255.252
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit icmp any any
access-list DMZToOutside extended permit tcp any any
access-list DMZToOutside extended permit icmp any any
access-group inbound in interface outside
access-group DMZToOutside in interface DMZ
global (outside) 1 interface
nat (inside) 1 10.2.10.0 255.255.255.0
static (inside,outside) tcp interface smtp 10.2.10.11 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.2.10.11 https netmask 255.255.255.255
static (DMZ,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1

9 Replies

Jennifer Halim
Cisco Employee

The configuration looks OK to me.

Are you getting any hit count on the access-list inbound when you are trying to access it from the internet?

Can you telnet on port 80 to the public IP?

Does the web server happen to have 2 NICs?

Thanks for the speedy reply.

I am seeing the hit count increment when trying to access from the internet.

Telnet to the public ip on port 80 does not connect, but does increment the hit count.

The web server has just one NIC.

I can access the web server via HTTP from the DMZ.

Assuming that your web server has ip address of 10.1.1.10, what is its subnet mask, and what is its default gateway?

IP: 10.1.1.10

subnet mask: 255.255.255.255

default gateway: 10.1.1.1

The subnet mask is incorrect; it should have been 255.255.255.0.

Thanks, I made that change. It didn't resolve the issues. I added nat (DMZ) 0.0.0.0 0.0.0.0 and can now browse the internet from the web server. I still can't access the web server from the public side.

You mean you add "nat (DMZ) 1 0 0" and it can browse the internet?

If you add "nat (DMZ) 0 0 0" it won't NAT it to a public IP and internet won't work from that host.

Please "clear xlate" and see if you can browse from the internet.

My apologies, I did add "nat (DMZ) 1 0 0" and can browse the 'net. I've done "clear xlate" and can still browse.

Still no luck hitting the web server from the public side though. Is it the weekend yet?

What's the website? Maybe I'll have better luck.

Yeah...  weekend already
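The checks the thread walks through by hand (does each inbound permit on the outside interface have a matching static, and does each interface that publishes a server also have an outbound NAT id paired with a global) can be scripted. The following is an added example, not code from the thread or from Cisco; it parses the NAT/ACL lines of the config posted above (embedded as a constructed excerpt) with regexes that assume the ASA 7.x `static ... tcp interface <port>` and `nat (<iface>) <id>` syntax shown there.

```python
import re

# Constructed excerpt of the ASA 7.2 configuration posted in the thread (NAT/ACL lines only).
ASA_CONFIG = """\
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq www
access-group inbound in interface outside
global (outside) 1 interface
nat (inside) 1 10.2.10.0 255.255.255.0
static (inside,outside) tcp interface smtp 10.2.10.11 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.2.10.11 https netmask 255.255.255.255
static (DMZ,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any interface outside eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")
STATIC_RE = re.compile(r"^static \((\w+),outside\) tcp interface (\S+) (\S+) \S+")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \(outside\) (\d+) ")


def check_config(config: str) -> list[str]:
    """Cross-check outside-facing ACL permits, static PAT entries and outbound NAT ids."""
    permits, statics, nat_ids, global_ids, outside_acls = {}, {}, {}, set(), set()
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            permits.setdefault(m[1], set()).add(m[2])      # acl name -> published ports
        elif m := GROUP_RE.match(line):
            outside_acls.add(m[1])                         # acls actually bound to outside
        elif m := STATIC_RE.match(line):
            statics[m[2]] = (m[1], m[3])                   # port -> (real interface, real IP)
        elif m := NAT_RE.match(line):
            nat_ids[m[1]] = m[2]                           # interface -> nat id
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m[1])                           # nat ids that have a global pool
    findings, checked_ifaces = [], set()
    allowed = set().union(*(permits.get(acl, set()) for acl in outside_acls))
    for port in sorted(allowed - statics.keys()):
        findings.append(f"inbound permits {port} to the outside interface but no static translates it")
    for port, (iface, real_ip) in statics.items():
        if port not in allowed:
            findings.append(f"static for {port} -> {real_ip} is not permitted by the outside ACL")
        if iface not in checked_ifaces and nat_ids.get(iface) not in global_ids:
            checked_ifaces.add(iface)
            findings.append(f"{iface}: no outbound NAT/PAT to outside (e.g. 'nat ({iface}) 1 0 0' paired with 'global (outside) 1')")
    return findings
```

The checker only sees the firewall side: it flags the missing DMZ NAT the thread arrived at, but cannot see the server's own mask or gateway, which is what the replies actually found wrong.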
