06-03-2018 09:04 PM - edited 02-21-2020 07:50 AM
Dear Support
Recently I installed a web server in my DMZ zone.
My network has two firewalls, one Sophos and a Cisco ASA 5525 (cf. network design attached).
The server in the DMZ has the ASA IP as its default gateway; the web server reaches the Internet easily, and from the Internet we can also reach the web server installed in the DMZ.
My issue is that from the inside network we cannot reach the web server; we get this error message:
Deny TCP(no connection) from 10.4.11.3/8080 to 192.192.0.10/58495 flags SYN ACK on interface inside
Inbound TCP connection denied from 10.4.11.3/8080 to 192.192.0.10/59535 flags SYN ACK on interface inside
Can anybody help us with how we can reach our web server from inside?
Regards
06-05-2018 03:35 AM
The simplest solution would be that you add a static route on the DMZ server for 192.192.0.0/24 or /16 with next-hop 10.4.11.2.
Now the trick would be: what if you had 100 DMZ servers instead of just one, or what if you cannot alter the DMZ server network config? In this case I have two more ideas:
- set up a policy-based routing policy on the Sophos firewall and ask that traffic with src LAN and destination 10.4.11.3 go to next-hop 10.4.11.1
- play with the ASA TCP Bypass config; here's a very good example.
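Added example, not code from the thread or from Cisco: a small parser for the two ASA deny messages quoted in the question that flags the SYN/ACK-without-connection pattern per server and interface, so the asymmetric path can be spotted in syslog before anyone reaches for TCP state bypass (which switches off stateful inspection for the matched flows). The `%ASA` prefixes and the two extra sample lines are constructed.

```python
import re
from collections import Counter

# Body of the two ASA syslog messages quoted in the question (IDs 106015 and 106001).
ASA_TCP_DENY_RE = re.compile(
    r"(?:Deny TCP ?\(no connection\)|Inbound TCP connection denied) "
    r"from (?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+) "
    r"to (?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

# Constructed sample log: the two lines from the question plus two unrelated messages.
SAMPLE_LOG = [
    "%ASA-6-106015: Deny TCP (no connection) from 10.4.11.3/8080 to 192.192.0.10/58495 flags SYN ACK on interface inside",
    "%ASA-6-106001: Inbound TCP connection denied from 10.4.11.3/8080 to 192.192.0.10/59535 flags SYN ACK on interface inside",
    "%ASA-6-106001: Inbound TCP connection denied from 203.0.113.7/51000 to 10.4.11.3/22 flags SYN on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.7/51001 (203.0.113.7/51001) to dmz:10.4.11.3/80 (10.4.11.3/80)",
]


def parse_asa_tcp_deny(line):
    """Parse one ASA TCP-deny message into a dict, or return None for other lines."""
    m = ASA_TCP_DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = frozenset(rec["flags"].split())
    return rec


def asymmetric_routing_suspects(lines, min_hits=2):
    """Group SYN/ACK denies by (server ip, server port, interface).

    A SYN/ACK that reaches the ASA with no entry in its connection table means
    the ASA never saw the client's SYN: the forward path went around it, which
    is the asymmetric-routing situation diagnosed in the thread. Plain SYN
    denies (a client blocked by an ACL) do not match and are left out.
    Returns [((ip, port, iface), count), ...], most frequent first.
    """
    hits = Counter()
    for line in lines:
        rec = parse_asa_tcp_deny(line)
        if rec is not None and rec["flags"] == {"SYN", "ACK"}:
            hits[(rec["src"], rec["sport"], rec["iface"])] += 1
    return [(key, n) for key, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    for (ip, port, iface), n in asymmetric_routing_suspects(SAMPLE_LOG):
        print(f"{ip}:{port} replied via {iface} {n}x without a tracked SYN: check routing toward it")
```

Feed it `show logging` output or the syslog export; a server that shows up here is one whose clients reach it by a path the ASA does not see.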
06-03-2018 10:48 PM
Can you send the config of the inner ASA, so we can check your ACL and NAT?
cheers
06-05-2018 04:06 AM
Many thanks Florian.
So you are right, if we have a lot of servers in the DMZ, it will be difficult to manage.
I think the best and simplest way is to use a third interface on the ASA, and all DMZ servers will be hosted behind that third ASA interface.
What do you think about this?
So all traffic from the inside network will enter the ASA before going to the DMZ servers.