Access problem from Inside to DMZ and outside to DMZ

El Rondo
Level 1

Hi,

I know this question may have been asked before, but I could not find the best solution for my problem.

I was assigned the task of maintaining a Cisco ASA 5510 a couple of days ago. My knowledge of firewall rules is very limited.
Recently I needed to create a DMZ zone for hosting one of my web servers. I have configured and connected another L3 Cisco C3750 to the ASA DMZ port, and my web server was moved onto that switch. The original config was OK, whereby (inside) could access the Internet as usual using a pool of static public IPs.

My web server can access the Internet (outside) and (inside), including ping and remote desktop, but (inside) cannot access the web server (DMZ), including ping, HTTPS or HTTP. And the (outside) Internet also cannot access my web server. I have been reviewing a lot of references from the Internet and doing trial and error since then, but unfortunately my problem remains unchanged.

I would really appreciate any expert guiding me on how to solve my problem here. Sorry for my bad English.

My ASA version is 7.2(3) and the hardware is a 5510. This platform has a Base license.

Attached is the part of my configuration that I think is related to my subject matter. All my public IPs have been masked in the config.

Inside is 172.31.1.0/24
Web server private IP is 172.31.2.3
Web server public IP (NAT) is 20.20.20.49
DMZ subnet is 172.31.2.0/24
DMZ switch is 172.31.2.10


Herewith is attached a piece of my DMZ switch config. I am not configuring any IP address on the port connected to the ASA; it is just configured for L2 and no VLAN has been assigned. Is that OK?

interface FastEthernet1/0/1
 description # connect to WEBSVR
 switchport mode access
 spanning-tree portfast

interface FastEthernet1/0/23
 description # trunk to ASA
 switchport mode access
 switchport nonegotiate

interface Vlan1
 ip address 172.31.2.10 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.31.2.1
no ip classless
ip http server
!

Technically it should work the way you have it configured. But it may not be the best design: you are using the default VLAN 1 for the server access port, and usually that should be avoided.

My ASA is configured with "no nat-control". Is there something I should care about?

"no nat-control" should not affect anything, since you have nat commands present in your configuration and they supersede disabling nat-control. If NAT were completely disabled, your inside users wouldn't have been able to access the Internet.

Please read this thread for better understanding:

https://supportforums.cisco.com/discussion/11018091/disabling-nat-control-live-firewall

https://supportforums.cisco.com/document/11936941/lets-briefly-talk-about-what-nat-control

Hi coffee,

Thanks a lot for your help. I really appreciate the assistance. Finally I found the root cause of my problems. There were 4 workarounds I did to overcome my case.

1. The static NAT below will just do the trick to allow traffic from inside to DMZ.

static (Inside,dmz) 172.31.1.0 172.31.1.0 netmask 255.255.255.0

2. The one below is to allow outside to access our web server in the DMZ.

static (DMZ,Outside) WEBSVR-P WEBSVR netmask 255.255.255.255

3. Enable an SVI on my L3 C3750 so that my DMZ-SW can route traffic to my ASA 5510 and vice versa.

vlan 2
 name DMZ

interface FastEthernet1/0/1
 description # connect to WEBSVR
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast

interface FastEthernet1/0/24
 description #connect to ASA
 switchport access vlan 2
 switchport mode access
 duplex full
 spanning-tree portfast

interface Vlan2
 ip address 172.31.2.10 255.255.255.0
 no ip proxy-arp
 no ip route-cache

ip default-gateway 172.31.2.1
ip classless
ip http server

4. And this last one really exploded my head, since I had done a lot of testing to eliminate anything irrelevant that could be the cause of why inside cannot ping or access the web server.

Originally my web server was just a notebook (Fujitsu) for testing purposes. Then I replaced that notebook with my own notebook. All the ping echo request/reply rules remained unchanged in the inbound traffic firewall as usual. As a result, my ping and traffic finally went through to the web server. I was really surprised that the traffic was suddenly allowed just by changing the notebook. I had no idea what Fujitsu had done to that notebook, even though I had manually allowed the echo request and reply.

I consider this issue can be closed, since it took me a few weeks to overcome it.

Thanks coffee, you are really a good problem solver in this discussion and put me onto many ways of tracing the root cause. I really appreciate that.

Cheers
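For readers landing here with the same symptoms, the following is an added example that is not from the thread: it collects the ASA-side pieces the four steps above imply into one 7.2-era configuration using the thread's addresses and names. The interface names, security levels, the outside interface address, the ACL name and the `name` entries are assumptions (the thread shows only the two static statements and the switch side). Two things the thread's statics alone do not give you are included because they are standard ASA behaviour on this code train: traffic arriving on the lower-security outside interface is denied until an access-list permits it (and on pre-8.3 code that ACL matches the mapped, public address), and ICMP is not tracked statefully unless `inspect icmp` is enabled, so an inside ping to the DMZ gets no reply back through the firewall without it.

```cisco
! --- Interfaces (assumed: names, security levels, outside address) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 20.20.20.50 255.255.255.240      ! hypothetical public address
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.31.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.31.2.1 255.255.255.0          ! the DMZ switch's default gateway
!
! --- Name bindings used by the static statements (assumed values) ---
names
name 172.31.2.3 WEBSVR
name 20.20.20.49 WEBSVR-P
!
! --- Step 1: inside -> dmz identity static (no translation toward the DMZ) ---
! syntax on 7.2: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (inside,dmz) 172.31.1.0 172.31.1.0 netmask 255.255.255.0
!
! --- Step 2: dmz -> outside one-to-one static for the web server ---
static (dmz,outside) WEBSVR-P WEBSVR netmask 255.255.255.255
!
! --- Caveat A: the static only creates the translation. outside (0) -> dmz (50)
! is still dropped until an inbound ACL permits it; on pre-8.3 code the ACL
! references the MAPPED address (WEBSVR-P), not the real 172.31.2.3.
access-list OUTSIDE_IN extended permit tcp any host WEBSVR-P eq www
access-list OUTSIDE_IN extended permit tcp any host WEBSVR-P eq https
access-group OUTSIDE_IN in interface outside
!
! --- Caveat B: ICMP is not stateful by default. Without this, echo requests
! from inside reach the DMZ host but its echo replies (dmz 50 -> inside 100)
! are dropped, which looks exactly like "inside cannot ping the web server".
policy-map global_policy
 class inspection_default
  inspect icmp
!
```

To confirm each piece without a client, `show xlate` should list the 172.31.2.3 to 20.20.20.49 translation once the static is in place, and `packet-tracer input outside tcp 203.0.113.5 40000 20.20.20.49 80` (available from 7.2) walks an outside HTTP request through the ACL and NAT phases and names the first phase that drops it. If the ASA phases all show ALLOW and the host still does not answer, the remaining variable is the server itself, which is consistent with step 4 above, where swapping the notebook was what finally let the traffic through.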

Thanks for the update. I am glad you were able to figure it out.
