06-15-2012 05:24 AM - edited 03-11-2019 04:19 PM
Hi all, I, like many others, am having trouble with a web server in a DMZ. I can't hit it from the public side and I can't hit the public side from the DMZ web server machine. My SMTP and HTTPS to a different machine work flawlessly. Could someone please provide some suggestions?
Thanks in advance for your help:
ASA Version 7.2(3)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.2.10.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 111.222.333.444 255.255.255.252
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.1.1.1 255.255.255.0
!
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit icmp any any
access-list DMZToOutside extended permit tcp any any
access-list DMZToOutside extended permit icmp any any
access-group inbound in interface outside
access-group DMZToOutside in interface DMZ
global (outside) 1 interface
nat (inside) 1 10.2.10.0 255.255.255.0
static (inside,outside) tcp interface smtp 10.2.10.11 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.2.10.11 https netmask 255.255.255.255
static (DMZ,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
06-15-2012 05:27 AM
The configuration looks OK to me.
Are you getting any hit count on the access-list inbound when you are trying to access it from the internet?
Can you telnet on port 80 to the public IP?
Does the web server happen to have 2 NICs?
06-15-2012 06:13 AM
Thanks for the speedy reply.
I am seeing the hit count increment when trying to access from the internet.
Telnet to the public ip on port 80 does not connect, but does increment the hit count.
The web server has just one NIC.
I can access the web server via HTTP from the DMZ.
06-15-2012 06:22 AM
Assuming that your web server has ip address of 10.1.1.10, what is its subnet mask, and what is its default gateway?
06-15-2012 06:27 AM
IP: 10.1.1.10
subnet mask: 255.255.255.255
default gateway: 10.1.1.1
06-15-2012 06:32 AM
The subnet mask is incorrect; it should be 255.255.255.0.
06-15-2012 06:55 AM
Thanks, I made that change. It didn't resolve the issues. I added nat (DMZ) 0.0.0.0 0.0.0.0 and can now browse the internet from the web server. I still can't access the web server from the public side.
06-15-2012 07:03 AM
You mean you added "nat (DMZ) 1 0 0" and it can browse the internet?
If you add "nat (DMZ) 0 0 0" it won't NAT it to a public IP and internet won't work from that host.
Please "clear xlate" and see if you can browse from the internet.
06-15-2012 07:07 AM
My apologies, I did add "nat (DMZ) 1 0 0" and can browse the 'net. I've run "clear xlate" and can still browse.
Still no luck hitting the web server from the public side though. Is it the weekend yet?
06-15-2012 07:10 AM
What's the website? Maybe I have better luck.
Yeah... weekend already
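Added example, not part of the thread and not Cisco code: a small Python checker for the pre-8.3 static/global/nat syntax posted above. It parses the config, pairs each inbound permit on a mapped interface port with its static PAT so you can see what the outside interface actually exposes and to which real host, reports a permit that no static translates, reports interfaces with private addressing that have no dynamic NAT toward the outside (the condition behind the "nat (DMZ) 1 0 0" change later in the thread), and points out ACL entries whose destination is "any" on a lower-security interface, because once an access-group is applied there the ACL, not the security level, decides what may leave that interface, so "permit tcp any any" on DMZ also permits DMZ to inside. The embedded sample is a constructed copy of the thread's config with the interface, route and "!" lines dropped and the obfuscated outside address replaced by RFC 5737 documentation addressing (203.0.113.2/30); the service-name table covers only the names this config uses.

```python
"""Cross-check a pre-8.3 ASA config (static PAT, global/nat pairs, extended ACLs). Added example, not Cisco code."""
import ipaddress

SERVICE_PORTS = {"smtp": 25, "www": 80, "http": 80, "https": 443}  # the names this config uses

# Constructed sample: the thread's config (interface/route/"!" lines dropped) with RFC 5737 outside addressing.
SAMPLE_CONFIG = """
 nameif inside
 security-level 100
 ip address 10.2.10.1 255.255.255.0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit icmp any any
access-list DMZToOutside extended permit tcp any any
access-list DMZToOutside extended permit icmp any any
access-group inbound in interface outside
access-group DMZToOutside in interface DMZ
global (outside) 1 interface
nat (inside) 1 10.2.10.0 255.255.255.0
static (inside,outside) tcp interface smtp 10.2.10.11 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.2.10.11 https netmask 255.255.255.255
static (DMZ,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
"""

def port_of(token):
    """ASA service keyword or number -> int port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def take_addr(t, i):
    """Consume one address spec at t[i]: 'any' | 'host A' | 'interface X' | 'A MASK'."""
    return ("any", i + 1) if t[i] == "any" else (f"{t[i]} {t[i + 1]}", i + 2)

def to_network(spec):
    """ip_network for 'host A' or 'A MASK'; None for 'any' and 'interface X'."""
    kind, _, rest = spec.partition(" ")
    return None if kind in ("any", "interface") else ipaddress.ip_network(rest if kind == "host" else f"{kind}/{rest}", strict=False)

def parse(text):
    """Collect what the checks need: interfaces, static PATs, ACL entries, access-groups, nat/global ids."""
    cfg = {"if": {}, "static": [], "acl": {}, "group": {}, "nat": {}, "global": {}}
    cur = {}
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "nameif":
            cur["name"] = t[1]
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:  # nameif -> (security level, connected network)
            cfg["if"][cur["name"]] = (cur["level"], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[0] == "access-list" and "permit" in t:  # name -> [(proto, dst spec, dst port or None)]
            i = t.index("permit") + 1
            _, j = take_addr(t, i + 1)  # source is not used by these checks
            dst, j = take_addr(t, j)
            dport = port_of(t[j + 1]) if j < len(t) and t[j] == "eq" else None
            cfg["acl"].setdefault(t[1], []).append((t[i], dst, dport))
        elif t[0] == "access-group" and t[2] == "in":  # interface -> ACL applied inbound
            cfg["group"][t[4]] = t[1]
        elif t[0] in ("global", "nat"):  # interface -> {pool ids}
            cfg[t[0]].setdefault(t[1].strip("()"), set()).add(t[2])
        elif t[0] == "static" and t[2] in ("tcp", "udp"):  # static PAT: (real_if, mapped_if, proto, mapped port, real ip, real port)
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["static"].append((real_if, mapped_if, t[2], port_of(t[4]), t[5], port_of(t[6])))
    return cfg

def audit(cfg):
    """Return findings as strings; an empty list means nothing to report."""
    out = []
    for iface, acl in cfg["group"].items():
        level = cfg["if"][iface][0]
        for proto, dst, dport in cfg["acl"].get(acl, []):
            if dst == f"interface {iface}" and dport is not None:  # permit aimed at a mapped port
                hits = [s for s in cfg["static"] if s[1] == iface and s[2] == proto and s[3] == dport]
                for real_if, _, _, _, real_ip, real_port in hits:
                    out.append(f"exposed: {iface}:{dport}/{proto} -> {real_if} {real_ip}:{real_port} (permitted by {acl})")
                if not hits:
                    out.append(f"{acl} permits {iface}:{dport}/{proto} but no static translates it")
            net = to_network(dst)  # with an access-group applied, the ACL (not the security level) decides egress
            higher = [n for n, (lvl, ifnet) in cfg["if"].items()
                      if lvl > level and (dst == "any" or (net is not None and net.overlaps(ifnet)))]
            if higher:
                out.append(f"{acl} on {iface} (level {level}) permits {proto} to {dst}: "
                           f"also covers higher-security {', '.join(higher)}")
    outside = min(cfg["if"], key=lambda n: cfg["if"][n][0])  # lowest security level
    for iface, (_, ifnet) in cfg["if"].items():
        if iface != outside and ifnet.is_private and not (cfg["nat"].get(iface, set()) & cfg["global"].get(outside, set())):
            out.append(f"no dynamic NAT from {iface} toward {outside}: private hosts there cannot reach the internet "
                       f"without 'nat ({iface}) <id> 0 0' matching 'global ({outside}) <id> ...'")
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE_CONFIG))))
```

Running it on the sample lists the three exposed services (25 and 443 to 10.2.10.11, 80 to 10.1.1.10), the missing DMZ NAT toward outside, and the "any" destinations on both ACLs; appending the later "nat (DMZ) 1 0 0" line clears the NAT finding. A static check like this cannot explain the original symptom (hit counts increment but the connection never completes), which is a path or host problem rather than a policy one; on the ASA itself, packet-tracer and a capture on the DMZ interface are the tools that show whether the translated SYN reaches 10.1.1.10 and whether anything comes back.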