02-01-2012 09:59 AM - edited 03-11-2019 03:22 PM
I have a server in the DMZ and I cannot access it via port 80 from the web. I can ping the public IP without any problem, but for some reason web and RDP cannot be accessed. The web server on the inside interface is working fine.
Anyone have any ideas?
ASA Version 7.2(3)
!
hostname ARLASA01
enable password 1fek2L2MjEGCSJe1 encrypted
names
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.17 255.255.255.248
!
interface Vlan10
nameif inside
security-level 100
ip address 172.29.60.220 255.255.255.0
!
interface Vlan198
nameif guest
security-level 50
ip address 192.168.60.220 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 10,198
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd C688xmE.agblrBe. encrypted
ftp mode passive
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host 2.2.2.18 eq www
access-list acl_out extended permit tcp any host 2.2.2.18 eq https
access-list acl_out extended permit tcp any host 2.2.2.18 eq lotusnotes
access-list acl_out extended permit tcp any host 2.2.2.19 eq www
access-list acl_out extended permit tcp any host 2.2.2.19 eq 3389
access-list acl_out extended permit tcp any host 2.2.2.19 range 5500 5505
pager lines 24
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.29.60.0 255.255.255.0
nat (guest) 1 192.168.60.0 255.255.255.0
static (inside,outside) 2.2.2.18 172.29.60.232 netmask 255.255.255.255
static (guest,outside) 2.2.2.19 192.168.60.250 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.22 1
route inside 172.27.0.0 255.255.0.0 172.29.60.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 4.2.2.2
!
dhcpd address 192.168.60.20-192.168.60.100 guest
dhcpd enable guest
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username comms password eiE0IOA.TSSAU935 encrypted
prompt hostname context
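The config above is pre-8.3 code, so the inbound ACL on the outside interface is matched against the mapped (public) address and the static translation is applied afterwards. As an added example, not code from the thread, the following Python script parses a constructed excerpt of exactly those config lines and walks an inbound connection through the same three checks a `packet-tracer input outside ...` run would report: inbound ACL hit, static xlate, and whether the real address sits on the egress interface's subnet. It is a deliberately simplified model (no route lookup, no inspection, no security-level rule, which the interface ACL overrides anyway); the function names and the result dictionary are this example's own. It also lists interfaces where the `ssh 0.0.0.0 0.0.0.0` lines expose management access from any source on a security-level 0 interface, a finding a reviewer of this config would note alongside the reachability question.

```python
import ipaddress

# Constructed excerpt of the poster's ASA 7.2(3) config: only the lines that
# decide whether an inbound connection to a published host is permitted.
ASA_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.17 255.255.255.248
interface Vlan10
 nameif inside
 security-level 100
 ip address 172.29.60.220 255.255.255.0
interface Vlan198
 nameif guest
 security-level 50
 ip address 192.168.60.220 255.255.255.0
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host 2.2.2.18 eq www
access-list acl_out extended permit tcp any host 2.2.2.18 eq https
access-list acl_out extended permit tcp any host 2.2.2.19 eq www
access-list acl_out extended permit tcp any host 2.2.2.19 range 5500 5505
static (inside,outside) 2.2.2.18 172.29.60.232 netmask 255.255.255.255
static (guest,outside) 2.2.2.19 192.168.60.250 netmask 255.255.255.255
access-group acl_out in interface outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
"""

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}  # ACL service keywords used here


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)


def parse_config(text):
    """Collect interfaces, extended ACEs, statics, access-groups and ssh lines."""
    cfg = {"ifaces": {}, "acls": {}, "statics": [], "groups": {}, "ssh": []}
    cur = None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "interface":
            cur = {"level": None, "net": None}
        elif toks[0] == "nameif" and cur is not None:     # 'no nameif' is skipped
            cfg["ifaces"][toks[1]] = cur
        elif toks[0] == "security-level" and cur is not None:
            cur["level"] = int(toks[1])
        elif toks[:2] == ["ip", "address"] and cur is not None:
            cur["net"] = ipaddress.ip_network(f"{toks[2]}/{toks[3]}", strict=False)
        elif toks[0] == "access-list" and toks[2] == "extended":
            rest = toks[5:]
            src, dst = _addr(rest), _addr(rest)
            ports = None
            if rest and rest[0] == "eq":
                ports = (_port(rest[1]), _port(rest[1]))
            elif rest and rest[0] == "range":
                ports = (_port(rest[1]), _port(rest[2]))
            cfg["acls"].setdefault(toks[1], []).append(
                {"action": toks[3], "proto": toks[4], "src": src, "dst": dst, "ports": ports})
        elif toks[0] == "static":
            real_if, mapped_if = toks[1].strip("()").split(",")
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "mapped": ipaddress.ip_address(toks[2]),
                                   "real": ipaddress.ip_address(toks[3])})
        elif toks[0] == "access-group":
            cfg["groups"][toks[4]] = toks[1]              # interface -> inbound ACL
        elif toks[0] == "ssh" and len(toks) == 4:         # 'ssh NET MASK IFACE'
            cfg["ssh"].append((ipaddress.ip_network(f"{toks[1]}/{toks[2]}", strict=False), toks[3]))
    return cfg


def trace(cfg, in_if, proto, dst_ip, dst_port):
    """Approximate the verdict 'packet-tracer input <in_if> ...' gives on 7.2 code:
    inbound ACL (matched on the mapped address, as pre-8.3 ACLs are), then the
    static xlate, then whether the real host lies on the egress interface's subnet."""
    dst = ipaddress.ip_address(dst_ip)
    hit = None
    for ace in cfg["acls"].get(cfg["groups"].get(in_if), []):
        if ace["proto"] not in (proto, "ip") or dst not in ace["dst"]:
            continue
        if ace["ports"] and not ace["ports"][0] <= dst_port <= ace["ports"][1]:
            continue
        hit = ace
        break
    if hit is None or hit["action"] != "permit":
        return {"verdict": "DROP", "reason": f"acl-drop on {in_if} for {dst_ip}/{proto}/{dst_port}"}
    xl = next((s for s in cfg["statics"] if s["mapped_if"] == in_if and s["mapped"] == dst), None)
    if xl is None:
        return {"verdict": "DROP", "reason": f"no static xlate for {dst_ip} on {in_if}"}
    egress = cfg["ifaces"][xl["real_if"]]
    if xl["real"] not in egress["net"]:
        return {"verdict": "DROP", "reason": f"{xl['real']} is not on {xl['real_if']} ({egress['net']})"}
    return {"verdict": "ALLOW", "egress": xl["real_if"], "real": str(xl["real"]),
            "reason": f"static {dst_ip} -> {xl['real']} out {xl['real_if']} (level {egress['level']})"}


def exposed_management(cfg):
    """Interfaces where the ASA accepts SSH from any source on a level-0 interface."""
    return sorted(name for net, name in cfg["ssh"]
                  if net.prefixlen == 0 and cfg["ifaces"][name]["level"] == 0)


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    for ip, port in (("2.2.2.19", 80), ("2.2.2.19", 443), ("2.2.2.18", 443)):
        print(ip, port, trace(cfg, "outside", "tcp", ip, port))
    print("ssh open to any source on:", exposed_management(cfg))
```

Run as-is, the script reports `ALLOW` for 2.2.2.19:80 with egress `guest` and real address 192.168.60.250, which agrees with the poster's later capture showing the SYN arriving on the guest VLAN and with the replies that find nothing wrong in the config itself; the remaining suspects are then the server and its default gateway, which is exactly what the follow-up questions in the thread ask about.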
02-01-2012 10:08 AM
Hello,
Are you able to ping 192.168.60.250 from the ASA?
Can you ping 192.168.60.220 from the server?
Please provide the following:
packet-tracer input outside tcp 4.2.2.2 1025 2.2.2.19 80
Regards,
Julio
02-01-2012 10:23 AM
Please post the output of:
packet-tracer input outside tcp 1.2.3.4 1024 2.2.2.18 80 detailed
Does not look like any issue with the config, but I still want to confirm.
Thanks
Ajay
02-01-2012 10:27 AM
Thanks. I will have to get that when I get back in the office.
02-01-2012 10:30 AM
Hello,
Ok, just let us know!
02-02-2012 05:16 AM
Here are two traces I did this morning. The capin is pre-NAT on the guest interface and the capout is post-NAT on the outside. I attempted to reach the server on port 80 from 66.54.184.254.
ARLASA01(config)# sh capture capin
12 packets captured
1: 02:27:21.032331 802.1Q vlan#198 P0 66.54.184.254.51336 >
192.168.60.250.80: S 3243178106:3243178106(0) win 8192
Date: 02/01/2012 12:30 PM
02-02-2012 06:16 AM
What gateway address do you have on the DMZ web server sitting on the "guest" network?
02-02-2012 06:29 AM
192.168.60.220
02-02-2012 10:57 AM
capture asp type asp-drop all
Then try the connection and provide us the following:
sh cap asp | include 2.2.2.18
sh cap asp | include 2.2.2.19
Regards,
Julio