Cannot access DMZ port 80 & 443 from INSIDE after configuring dual ISP

rgbatucan
Level 1

Hello,

I added the below configuration to our ASA config so I can use ISP2 to browse the internet using ports 80 & 443 only.

route ISP1 0 0 1.1.1.2 // Default route pointing to ISP1

route ISP2 0 0 2.2.2.2 2  // Default route with Metric 2 via ISP2

static (ISP2,inside) tcp 0.0.0.0 80 0.0.0.0 80

static (ISP2,inside) tcp 0.0.0.0 443 0.0.0.0 443

sysopt noproxyarp inside

nat (inside) 1 0 0

global (ISP1) 1 interface

global (ISP2) 1 interface

The above config works well BUT I have a problem: the USERS cannot access the application servers in the DMZ using ports 80 & 443 anymore. Could it be the static NAT? Or do I need to add a new ACL for ISP2?

I appreciate any feedback. Thank you.

7 Replies

Hello

It will definitely be a matter of playing with NAT and ACL.

If you have a separate public IP address to NAT the DMZ server, then you can do the following:

static (inside,ISP2) tcp   http   http  netmask 255.255.255.255

access-list outside_in extended permit tcp any host eq 80

access-group outside_in in interface outside

Now, if you don't have a separate public IP and you want to use the ISP2 interface IP to forward the packet to inside, then:

static (inside,outside) tcp interface http  http netmask 255.255.255.255

access-list outside_in extended permit tcp any interface outside eq 80

access-group outside_in in interface outside

Do the same for port 443 as well.

Please rate all helpful posts

Harish.

Hi Harish,

Thank you for your reply.

I don't have a separate public IP for the DMZ servers.

Your second recommendation didn't work. We have multiple servers with different IPs that need HTTP and HTTPS.

The static NAT limits it to only 1 server, but it still didn't work.

Still trying to figure out here.

Restie

Are your servers in the DMZ or inside? I was under the impression that the servers are inside. Could you post the ASA configuration?

All the servers are in the DMZ. Please see the attached diagram in the attachments.

I'm trying NAT exemption now as per Karsten.

Thank you Harish.

OK, in that case the NAT has to be constructed as below:

static (dmz,outside) tcp interface http http netmask 255.255.255.255

access-list outside_in extended permit tcp any interface outside eq 80

access-group outside_in in interface outside

But I think this is not possible if you have multiple servers with the same service; it is possible with multiple servers with different services,

for example 192.168.100.1 - FTP, 192.168.100.2 - SMTP, etc.

Harish.

At least you need a translation rule from the inside to the DMZ because you have a nat statement on the inside interface. Have you tried to configure NAT exemption for the inside->DMZ traffic?

Sent from Cisco Technical Support iPad App

Hi Karsten,

Thank you for your reply. I added the below command.

access-list 110 permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list 110

But I still can't access the servers on ports 80 & 443.
