09-27-2010 12:06 AM - edited 03-11-2019 11:45 AM
Hello, there may be some problems with the ASA's config, but I can't find where the problems are.
Below is the basic config for this ASA:
Inside ip address : 192.168.10.1/24
Outside ip address: 120.195.153.151/26
DMZ ip address: 192.168.30.1/24
Web server ip address: 192.168.30.5/24
I want to complete the following tasks; their current status is as below:
1. Inside ping Web server successfully
2. Inside ping www.cisco.com successfully
3. DMZ ping www.cisco.com successfully
4. Inside access web sites in web server through http://192.168.30.5 failed
5. Outside access web sites in web server through http://120.195.153.151 failed
Please get the detailed config in the attached file, and kindly help check where the problems are. Thanks!
09-29-2010 09:42 PM
Great, and thanks for the update.
Please kindly mark the post as answered.
09-27-2010 02:18 AM
You would need to remove the following line as follows:
no static (inside,DMZ) 192.168.30.0 192.168.10.0 netmask 255.255.255.0
Replace with the following:
static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
Then you would need to "clear xlate" to clear existing translation.
The above will fix issue# 4.
The following will fix issue# 5:
static (DMZ,outside) tcp interface 80 192.168.30.5 80 netmask 255.255.255.255
Then you would need to "clear xlate" to clear existing translation.
Hope that helps.
09-27-2010 02:57 AM
Hi, Jennifer
Thanks for your help. Now issue #4 is fixed, but issue #5 still exists. I need your kind help to check again. Thanks!
1. Inside ping Web server successfully
2. Inside ping www.cisco.com successfully
3. DMZ ping www.cisco.com successfully
4. Inside access web sites in web server through http://192.168.30.5 successfully
5. Outside access web sites in web server through http://120.195.153.151 failed
09-27-2010 03:06 AM
Can you try using a different public ip address (public ip address that has not been used elsewhere) instead?
Remove the existing translation first:
no static (dmz,outside) tcp interface www 192.168.30.5 www netmask 255.255.255.255
Then add the following line with the spare public ip address:
static (dmz,outside) 120.195.153.x 192.168.30.5 netmask 255.255.255.255
Then "clear xlate". You might also want to "clear arp" on both the ASA and the upstream router.
09-27-2010 03:22 AM
I'm sorry to say that the ISP only assigned one public IP address to me; I cannot use any other address.
09-27-2010 03:34 AM
Really? Your outside subnet is /26; doesn't that mean you have the whole /26 subnet to use?
Anyway, in that case, let's continue to use the ASA interface ip address.
To troubleshoot further, please configure the following ACL line:
access-list 102 line 1 extended permit tcp any host 120.195.153.151 eq www
Then try to access it from the outside again, and then issue "show access-list 102", and check if you have any hitcount on the first line.
09-27-2010 05:37 AM
Sorry for the late reply. I've tried adding the command as you advised, but still no luck.
Below is the output of 'sh access-list 102'; the hit count is not zero.
ciscoasa# sh access-list 102
access-list 102; 4 elements
access-list 102 line 1 extended permit tcp any host 120.195.153.151 eq www (hitcnt=4)
access-list 102 line 2 extended permit icmp any any (hitcnt=682)
access-list 102 line 3 extended permit ip any any (hitcnt=145)
access-list 102 line 4 extended permit tcp any any eq www (hitcnt=0)
09-27-2010 06:39 AM
Can you share the output of "sh conn | i 192.168.30.5" right after you try to access it from the outside?
09-27-2010 06:48 AM
Ok, please refer to the following output:
ciscoasa# sh conn | i 192.168.30.5
UDP out 117.85.147.201:1316 in 192.168.30.5:2792 idle 0:00:00 bytes 1014585 flags -
TCP out 114.243.120.255:5938 in 192.168.30.5:2790 idle 0:00:40 bytes 458 flags UIO
TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB
09-27-2010 09:47 PM
OK, looking at this line:
TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB
Flags aB mean that the ASA is receiving the SYN packet from the outside host towards the DMZ server; however, it never receives the SYN-ACK back.
Can you check what the default gateway on the DMZ server is (please make sure that it's the ASA DMZ interface IP address)?
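As an added illustration that is not part of the thread, the following Python helper re-joins the terminal-wrapped "sh conn" lines posted above and picks out the embryonic inbound TCP entries the reply describes (flags aB with 0 bytes), i.e. connections where the outside SYN was accepted but no SYN-ACK ever came back from the DMZ server. The sample output is the thread's own, with the 80-column wrapping kept on purpose; the flag meanings in the comments follow the reply above.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the "sh conn | i 192.168.30.5" output from the thread,
# including the line wrapping the terminal introduced at 80 columns.
SAMPLE = """\
ciscoasa# sh conn | i 192.168.30.5
UDP out 117.85.147.201:1316 in 192.168.30.5:2792 idle 0:00:00 bytes 1014585 flag
s -
TCP out 114.243.120.255:5938 in 192.168.30.5:2790 idle 0:00:40 bytes 458 flags U
IO
TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>\S+) "
    r"bytes (?P<bytes>\d+) flags (?P<flags>\S*)$"
)

class Conn(NamedTuple):
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    bytes: int
    flags: str

def unwrap(text: str) -> List[str]:
    """Re-join lines wrapped by the terminal: a continuation line is one that
    starts with neither TCP/UDP nor a prompt. Wrapping keeps every character,
    so plain concatenation restores the original line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(("TCP ", "UDP ")):
            lines.append(raw)
        elif lines and "#" not in raw:
            lines[-1] += raw
    return lines

def parse_conns(text: str) -> List[Conn]:
    conns = []
    for line in unwrap(text):
        m = CONN_RE.match(line)
        if m:
            conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]),
                              m["in_ip"], int(m["in_port"]), int(m["bytes"]),
                              m["flags"]))
    return conns

def half_open_inbound(conns: List[Conn]) -> List[Conn]:
    """TCP entries with 'B' (initial SYN from outside) and 'a' (still awaiting
    the SYN-ACK toward the outside) and no bytes: the server never answered."""
    return [c for c in conns
            if c.proto == "TCP" and "a" in c.flags and "B" in c.flags and c.bytes == 0]

if __name__ == "__main__":
    for c in half_open_inbound(parse_conns(SAMPLE)):
        print(f"{c.out_ip}:{c.out_port} -> {c.in_ip}:{c.in_port}: SYN seen, no SYN-ACK back")
```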
09-27-2010 10:03 PM
The default gateway of the DMZ server is 192.168.30.1, which is the IP address of the DMZ interface.
09-27-2010 10:24 PM
Can you please run a packet capture on the outside and DMZ interfaces of the ASA to see where the traffic breaks?
Also, if you can, run packet-tracer on the ASA from the outside towards the DMZ server's public IP address and make sure that it passes through OK.
09-27-2010 11:26 PM
Hi Jennifer,
Sorry for butting in, but I'm curious. Is the configuration mentioned above also applicable to an ASA5510 with IOS version 8.0 or 8.2?
Thanks.
09-27-2010 11:38 PM
I've run the following commands:
1. capture outside inter outside
2. capture dmz inter dmz
and got the output below; it seems there are no traffic breaks:
capture outside type raw-data interface outside [Capturing - 330602 bytes]
capture dmz type raw-data interface dmz [Capturing - 465476 bytes]
09-28-2010 03:23 AM
Please remove the existing capture first:
no capture outside type raw-data interface outside
no capture dmz type raw-data interface dmz
Please make it more specific so we can capture only the specific information:
(NB: assuming that you are testing from ip address: 117.85.147.201)
access-list cap-out permit tcp host 117.85.147.201 host 120.195.153.151
access-list cap-out permit tcp host 120.195.153.151 host 117.85.147.201
access-list cap-dmz permit tcp host 117.85.147.201 host 192.168.30.5
access-list cap-dmz permit tcp host 192.168.30.5 host 117.85.147.201
capture cap-out access-list cap-out interface outside
capture cap-dmz access-list cap-dmz interface dmz
Then test accessing the website from 117.85.147.201.
Then gather the output:
show cap cap-out
show cap cap-dmz