Accessing DMZ webserver from outside network?

manee a
Level 1

I have not configured my Cisco ASA to allow the DMZ server to be accessed from the outside network. Can anyone please help me with this configuration? I am new to ASA. Please help.

My DMZ network is 172.16.0.0/24

My outside network is 200.100.100.0/24

My DMZ server address is 172.16.0.100.

I need to access my DMZ server from the host 200.100.100.50 on the outside network.

I have looked through documents which say I have to configure static (dmz,outside) and an access list. I tried to understand them and did some configuration, but it didn't work.

Please give me the appropriate configuration so that I can understand well.

4 Replies

Jouni Forss
VIP Alumni

Hi,

So to my understanding you only want to do a Static NAT for your "dmz" server?

And the public IP address you want to use for the "dmz" server is 200.100.100.50

Then you can use this configuration

static (dmz,outside) 200.100.100.50 172.16.0.100 netmask 255.255.255.255

access-list OUTSIDE-IN remark Allow connection to DMZ server

access-list OUTSIDE-IN permit tcp any host 200.100.100.50 eq 80

access-group OUTSIDE-IN in interface outside

The above configuration configures the Static NAT and also the ACL that is attached to the "outside" interface to allow TCP/80 = HTTP from the Internet to the "dmz" server. Naturally you open the services that are needed.

Hopefully this helps

Please remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers

Ask more if needed

- Jouni

Thanks for the reply, JouniForss.

My problem is still there.

I am including some more details here, please help.

My public IP of the DMZ server is 200.200.200.200

static (dmz,outside) 200.200.200.200 172.16.0.100 netmask 255.255.255.255

access-list OUT-IN remark Allow connection to DMZ server

access-list OUT-IN extended permit tcp any host 200.200.200.200 eq www


access-group OUT-IN in interface outside

I used these commands with the help of your post ...

But I still can't access my DMZ server from the Internet or outside.

I have included the file required for you to understand the topology and configurations, please help.

Referring to the topology image:

I have tried to access the website 200.200.200.200 from 200.100.100.50 (i.e. windows_xp_pro).

Hi,

You should be able to confirm that the ASA rules are correct with the command "packet-tracer"

You can for example use

packet-tracer input outside tcp 200.100.100.50 12345 200.200.200.200 80

This should tell us what configurations/rules on the ASA are applied to this simulated connection/packet arriving on the ASA

From what I can see there shouldn't really be anything stopping this connection on the ASA. Naturally there can be several issues affecting the connectivity elsewhere.

For example

  • Test host's routing/default gateway isn't correct
  • Server's routing/default gateway towards the connecting host isn't correct
  • There is some other routing problem in between
  • The server isn't listening on the port on which connection is attempted
  • etc

But try the "packet-tracer" command. It should pretty much tell us if the ASA has any problems related to the attempted connection

- Jouni

Thanks for the help, Jouni ... the problem is with me, with the routing.
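Added example, not part of the thread and not Cisco code: a small Python check that the three pre-8.3 commands discussed above agree with each other, meaning the static maps the server, an ACL entry permits the port to the mapped address, and that ACL is bound inbound on the mapped interface. The names `check_publish`, `to_port`, the optional `client` argument and the sample strings are assumptions made for this illustration, and the patterns cover only the command forms shown in the thread.

```python
import re

# Pre-8.3 ASA syntax, as used in this thread. Patterns cover only these command forms.
STATIC = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACL = re.compile(r"access-list (\S+) (?:extended )?permit tcp (any|host \S+) host (\S+) eq (\S+)$")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)$")
PORT_NAMES = {"www": 80, "https": 443}  # keyword forms the ASA shows for these ports


def to_port(token):
    return int(token) if token.isdigit() else PORT_NAMES.get(token)  # None if unknown


def check_publish(config, real_ip, port, client=None):
    """Return findings (empty list = consistent) for exposing real_ip on tcp/port."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    statics = [m.groups() for m in map(STATIC.match, lines) if m]
    acls = [m.groups() for m in map(ACL.match, lines) if m]
    bound = dict(m.groups() for m in map(GROUP.match, lines) if m)  # ACL name -> interface

    nat = next((s for s in statics if s[3] == real_ip), None)
    if nat is None:
        return [f"no static NAT for {real_ip}"]
    _real_if, mapped_if, mapped_ip, _ = nat

    # Before 8.3 the interface ACL must name the mapped (public) address.
    hits = [a for a in acls if a[2] == mapped_ip and to_port(a[3]) == port]
    if not hits:
        return [f"no ACL entry permits tcp/{port} to mapped address {mapped_ip}"]
    findings = []
    for name, src, _dst, _p in hits:
        if bound.get(name) != mapped_if:
            findings.append(f"{name} is not applied inbound on {mapped_if}")
        if client and src != f"host {client}":
            findings.append(f"{name} source is '{src}', wider than host {client}")
    return findings


# Constructed samples: the asker's second config, and a mix of both posts' addresses.
POSTED = """
static (dmz,outside) 200.200.200.200 172.16.0.100 netmask 255.255.255.255
access-list OUT-IN extended permit tcp any host 200.200.200.200 eq www
access-group OUT-IN in interface outside
"""
MIXED = POSTED.replace("host 200.200.200.200 eq", "host 200.100.100.50 eq")

if __name__ == "__main__":
    for cfg in (POSTED, MIXED):
        print(check_publish(cfg, "172.16.0.100", 80, client="200.100.100.50"))
```

An empty result only says the saved commands are consistent; the packet-tracer test and the routing checks listed above still apply to the live path.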
