02-06-2011 11:42 PM - edited 03-11-2019 12:45 PM
Dear all,
I'm a newbie in Cisco firewalls. I have a problem with DMZ configuration. Our web server is using an inside IP address and a DMZ IP address, and the port in use is 83. When I type http://192.168.14:83 from the inside interface I can access the web server. Now I want to enable access from the Internet using the firewall's public IP address (for example http://202.165.200.225:83). Please check the schema below.
Any help would be appreciated.
02-07-2011 12:23 AM
Which version of ASA are you using? Also, is there a typo in the IP address? You have the web server DMZ IP address as 10.10.30.14, but the DMZ interface IP address of the ASA is 10.30.30.1 (they are not in the same subnet). Please kindly advise which is the correct subnet.
Also, I assume that you would like to access the web server from the Internet via its DMZ interface instead of the inside interface, right? Do you have the default gateway on the web server pointing towards the ASA DMZ interface IP address?
02-07-2011 01:27 AM
ASA version is:
"ASA5510> show version
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51"
DMZ web server IP address is 10.30.30.14. I drew it wrong.
I want to access the web server from inside and from the Internet. On the web server I manually configured 2 IP addresses and 2 gateways.
02-07-2011 01:36 AM
So I assume that you would like to use the DMZ IP address for access from the Internet?
If so, then here is the configuration:
static (dmz,outside) tcp interface 83 10.30.30.14 83 netmask 255.255.255.255
Also, on the access-list applied to your outside interface, you will have to add the following:
access-list
BTW, would applying 2 default gateways on the web server work? Does it detect automatically where the traffic is coming from and send the traffic towards the correct default gateway? Because if traffic is routed from the ASA DMZ towards the web server DMZ interface, and the reply goes outbound from the web server inside interface towards the ASA inside interface, the ASA will drop the packet because of asymmetric routing. Traffic needs to come in and go out through the same interface pair, as the ASA keeps track of the connection state.
Hope that helps.
02-07-2011 01:54 AM
Sometimes our inside network is down. When I restart the web server, the network comes back. I suspect this problem is related to using 2 gateways on the web server.
My current situation is: all salesmen come to the office and synchronize their data via wireless using http://192.168.14:83. Now when they are out of the office they want to synchronize data via the Internet at http://202.165.200.225:83.
I will test your configuration and let you know.
Appreciate your help.
Many Thanks
Amaraa
02-07-2011 02:03 AM
From my experience, having 2 default gateways might not work.
I would recommend that you configure the default gateway towards the ASA DMZ interface IP address, as this will be for inbound access from the Internet.
For the inside NIC of the web server, if the wireless IP subnet is also in 192.168.1.0/24 then you don't need to configure a default gateway for that inside NIC because they are in the same subnet, so it will ARP for the IP address. Otherwise, if your wireless is in a different subnet, then you can configure a static route for routing towards the inside NIC.
02-09-2011 02:06 AM
Our web server is also sending data over VPN via 192.168.1.14. If I remove the gateway it cannot send data over the VPN.
That means:
1st. I need to remove the default gateway of the 192.168.1.0/24 range.
2nd. I need to write a static route on the 192.168.1.0/24 range. Is that correct?
"route add -p 192.168.1.14 mask 255.255.255.255 192.168.1.1"
02-09-2011 02:11 AM
1st/ Yes, you are correct. You have to remove the default gateway for the 192.168.1.0/24 (inside subnet).
2nd/ No, you don't configure a static route for 192.168.1.0/24 because that is a directly connected subnet. What is your VPN IP pool? You will need to add a route for your VPN IP pool subnet to point to 192.168.1.1.
02-09-2011 11:27 PM
How do I configure IP pools and the route on the firewall? Please kindly advise me.
Thanks
Amaraa
02-09-2011 11:30 PM
No, you mentioned that it's also sending traffic towards the VPN, so you would need to find out what the VPN remote LAN subnets are, and configure a route on the web server itself for the VPN remote LAN subnet to point towards the firewall inside interface.
02-09-2011 11:47 PM
I think this is the remote VPN address. Now how do I configure the route on the web server?
Thanks
Amaraa
02-09-2011 11:50 PM
route add -p 10.2.16.0 mask 255.255.254.0 192.168.1.1
route add -p 10.2.2.0 mask 255.255.255.0 192.168.1.1
route add -p 10.2.5.0 mask 255.255.255.0 192.168.1.1
route add -p 166.166.0.0 mask 255.255.0.0 192.168.1.1
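As an added illustration (not part of the original thread), here is a small Python model of the web server's routing table: it shows why the two-default-gateway setup produces the asymmetric reply path described earlier in the thread, and how the single DMZ default plus the static routes in the last post fix it. The Internet client address 203.0.113.7 and the route metrics are constructed; the gateways and prefixes come from the thread.

```python
"""Route selection on the dual-homed web server from this thread (added
model, not from the original posts): longest-prefix match over the host's
table plus the ASA's same-interface-pair check on the reply."""
import ipaddress

INSIDE_GW = "192.168.1.1"  # ASA inside interface (from the thread)
DMZ_GW = "10.30.30.1"      # ASA dmz interface (from the thread)
ON_LINK = "on-link"        # directly connected, no gateway needed
# ASA interface a packet arrives on when the host sends to each next hop.
ASA_IFACE = {INSIDE_GW: "inside", DMZ_GW: "dmz"}


def next_hop(table, dst):
    """Longest prefix wins; ties go to the lowest metric, then table order."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, metric in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or
                           (net.prefixlen, -metric) > (best[0].prefixlen, -best[2])):
            best = (net, gw, metric)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def asa_passes_reply(table, client_ip, inbound_pair=("outside", "dmz")):
    """A connection built through the static (dmz,outside) NAT must see its
    reply re-enter the ASA on 'dmz'; anything else is the asymmetric drop."""
    return ASA_IFACE.get(next_hop(table, client_ip)) == inbound_pair[1]


# Original setup: two default gateways with equal metric (table order decides).
TWO_DEFAULTS = [
    ("192.168.1.0/24", ON_LINK, 0), ("10.30.30.0/24", ON_LINK, 0),
    ("0.0.0.0/0", INSIDE_GW, 10), ("0.0.0.0/0", DMZ_GW, 10),
]
# Fixed setup: single default via the DMZ, the four statics from the thread
# via the inside gateway (metrics are constructed).
FIXED = [
    ("192.168.1.0/24", ON_LINK, 0), ("10.30.30.0/24", ON_LINK, 0),
    ("0.0.0.0/0", DMZ_GW, 10),
    ("10.2.16.0/23", INSIDE_GW, 10),   # route add -p 10.2.16.0 mask 255.255.254.0
    ("10.2.2.0/24", INSIDE_GW, 10), ("10.2.5.0/24", INSIDE_GW, 10),
    ("166.166.0.0/16", INSIDE_GW, 10),
]

if __name__ == "__main__":
    client = "203.0.113.7"  # constructed Internet client (TEST-NET-3)
    print("two defaults -> ASA passes reply:", asa_passes_reply(TWO_DEFAULTS, client))
    print("fixed        -> ASA passes reply:", asa_passes_reply(FIXED, client))
```

With two defaults the reply to an Internet client leaves via the inside NIC and the ASA drops it; with the fixed table Internet replies exit via the DMZ while VPN pool traffic (10.2.16.0/23 etc.) still reaches 192.168.1.1.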