cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1609
Views
0
Helpful
4
Replies

ASA 5510 - inside network cannot connect to web server in dmz using public ip address

I have tried everything I can think of and everything I found on the net, but nothing works.

I attached my config minus a few lines.

This is the relevant part of my config:

: Saved
:
ASA Version 8.2(5)
!
hostname ASA5510

names
name 12.33.204.205 store
name 172.16.1.17 websrv1
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
security-level 1
no ip address
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.16.1.253 255.255.255.0
!
interface Ethernet0/3
nameif outside
security-level 1
ip address 12.33.204.206 255.255.255.248
!
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list dmz_access_out extended permit ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
icmp permit any outside
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) store websrv1 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 12.33.204.201 1
route inside 10.1.0.0 255.255.224.0 10.1.1.254 1

1 Accepted Solution

Accepted Solutions

Deepak Kumar
VIP Alumni
VIP Alumni

Hi,

Here is the guide:

https://community.cisco.com/t5/firewalls/nat-hairpin/td-p/1407782

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

View solution in original post

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

Your access lists are permitting all IP traffic so they are not really restricting anything (except non-IP like icmp etc.).

Your NAT rules will make any server in the DMZ appear to be the interface address. Is that your intention?

Sorry for the long absence, I was on vacation.  Originally that was the intention, but now everything has changed.

Deepak Kumar
VIP Alumni
VIP Alumni

Hi,

Here is the guide:

https://community.cisco.com/t5/firewalls/nat-hairpin/td-p/1407782

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Sorry for the long absence, I was on vacation.  I tried hair-pinning and could not make it work.

The requirements have changed anyway so I no longer require outside access.  They can connect to the DMZ from the inside.

Thanks for your and everyone's help!

Review Cisco Networking for a $25 gift card