Re: Cambodia cannot reach dmz server farm. permit ip any any didn't wo

tyr668 · ‎08-12-2023

my inside PCs is able to ping the server farm , use all the services in server farm. but the outside doesn't seem to be able to reach any services in server farm

there is an nat object configured to ensure that all internal pc gets translated . not sure whether it's this that's causing the issue

the nat translation counts only goes up if Main_Core Switch pings the ISP. other vlans IP ping to ISP will not increase the NAT translation count

i've attached the PKT file for reference

Flavio Miranda · ‎08-12-2023

Hi @tyr668

About the Camboja does not ping the server farm is related to route. If you look at the router SG, it does not have route to 172.16.2.192/28. The OSPF between Router and ASA do not work well. And if you add a static route on SG router, the ping is only partial success.

You improved the topology by not connecting two switches to the firewall but the firewall is still failing.

tyr668 · ‎08-12-2023

but if i add ospf dynamic route, doesn't it make the NAT at (dmz, outside) and (inside, outside) irrelvant ? because one of the requirements is to use the NAT

tyr668 · ‎08-12-2023

my cambodia pc is still unable to reach the web server via http / https and smtp even after i've added the routes. seems to be blocked at the firewall .

Flavio Miranda · ‎08-13-2023

I am not sure. I also did the test adding static route and I could ping but the ping is partial successfully

But you can add acl and test.

Flavio Miranda · ‎08-13-2023

I dont rhink dynamic routing interfere on NAT. But the ospf on Firewall is not advertising the dmz network anyway and the nat from inside to outside does not work. I beleive this is a PacketTracer issue as the config seems to be correct

Cambodia cannot reach dmz server farm. permit ip any any didn't work