05-20-2013 12:02 PM - edited 03-11-2019 06:46 PM
I have not configured my Cisco ASA to allow the dmz server to be accessed from the outside network. Can anyone please help me with this configuration? I am new to ASA. Please help.
My dmz network is 172.16.0.0/24
My Outside Network is 200.100.100.0/24
My dmz server address is 172.16.0.100.
I need to access my dmz server from the 200.100.100.50 host on the outside network.
I have looked through documents which say I have to configure static(dmz,outside) and an access list. I tried to understand them and I did some configurations, but those didn't work.
Please give me an appropriate configuration so that I can understand well.
05-20-2013 12:08 PM
Hi,
So to my understanding you only want to do a Static NAT for your "dmz" server?
And the public IP address you want to use for the "dmz" server is 200.100.100.50
Then you can use this configuration
static (dmz,outside) 200.100.100.50 172.16.0.100 netmask 255.255.255.255
access-list OUTSIDE-IN remark Allow connection to DMZ server
access-list OUTSIDE-IN permit tcp any host 200.100.100.50 eq 80
access-group OUTSIDE-IN in interface outside
The above configuration configures the Static NAT and also the ACL that is attached to the "outside" interface to allow TCP/80 = HTTP from the Internet to the "dmz" server. Naturally you open the services that are needed.
Hopefully this helps
Please remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers
Ask more if needed
- Jouni
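The reply above pairs a static NAT with an ACL bound to the "outside" interface. As an added example (not part of the original post and not Cisco tooling), this Python sketch checks that pairing in a pasted pre-8.3 config, where the outside ACL must name the mapped address. The function name `audit`, the status strings and the sample text are assumptions, and only the `permit <proto> any host <ip> eq <port>` rule form is parsed.

```python
import re

# Constructed sample: the pre-8.3 ASA lines posted in the reply above.
SAMPLE = """\
static (dmz,outside) 200.100.100.50 172.16.0.100 netmask 255.255.255.255
access-list OUTSIDE-IN remark Allow connection to DMZ server
access-list OUTSIDE-IN permit tcp any host 200.100.100.50 eq 80
access-group OUTSIDE-IN in interface outside
"""

STATIC = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+")
PERMIT = re.compile(r"access-list (\S+) (?:extended )?permit (\S+) any host (\S+) eq (\S+)")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")

def audit(config):
    """Return (mapped_ip, status, open_services) for every static NAT line."""
    statics, permits, bound = [], [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC.fullmatch(line):
            statics.append(m.groups())
        elif m := PERMIT.fullmatch(line):
            permits.append(m.groups())
        elif m := GROUP.fullmatch(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
    findings = []
    for _real_if, mapped_if, mapped_ip, real_ip in statics:
        acl = bound.get(mapped_if)
        to_mapped = [f"{p}/{port}" for n, p, dst, port in permits if n == acl and dst == mapped_ip]
        to_real = [f"{p}/{port}" for n, p, dst, port in permits if n == acl and dst == real_ip]
        if acl is None:
            status = "no-acl-bound"        # no access-group on the mapped interface
        elif to_mapped:
            status = "ok"
        elif to_real:
            status = "acl-uses-real-ip"    # pre-8.3 ACLs must name the mapped address
        else:
            status = "no-permit"
        findings.append((mapped_ip, status, to_mapped))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The `open_services` list doubles as an exposure check: anything in it is reachable from any source address on the Internet.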
05-21-2013 10:44 AM
Thanks for the reply, JouniForss.
My problem is still there.
I am including some more details here, please help.
My public IP of the dmz server is 200.200.200.200
static (dmz,outside) 200.200.200.200 172.16.0.100 netmask 255.255.255.255
access-list OUT-IN remark Allow connection to DMZ server
access-list OUT-IN extended permit tcp any host 200.200.200.200 eq www
access-group OUT-IN in interface outside
I used these commands with the help of your post ...
But I still can't access my dmz server from the internet or outside.
I have included the file required for you to understand the topology and configurations, please help.
Referring to the topology image:
I have tried to access the website 200.200.200.200 from 200.100.100.50 (i.e. windows_xp_pro)
05-21-2013 02:26 PM
Hi,
You should be able to confirm that the ASA rules are correct with the command "packet-tracer"
You can for example use
packet-tracer input outside tcp 200.100.100.50 12345 200.200.200.200 80
This should tell us what configurations/rules on the ASA are applied to this simulated connection/packet arriving on the ASA
From what I can see there shouldn't really be anything stopping this connection on the ASA. Naturally there can be several issues affecting the connectivity elsewhere.
For example
But try the "packet-tracer" command. It should pretty much tell us if the ASA has any problems related to the attempted connection
- Jouni
05-25-2013 07:51 AM
Thanks for the help, Jouni .... The problem is with me, with the routing