Cannot access my web server located on DMZ

Rowlands Price
Level 1

Dear Support

Recently I installed a web server in my DMZ zone.

My network has two firewalls, one Sophos and a Cisco ASA 5525 (cf. network design attached).

The server in the DMZ has the ASA IP as its default gateway; the web server reaches the Internet easily, and from the Internet we can also reach the web server installed in the DMZ.

My issue is that from the inside network we cannot reach the web server; we get this error message:

Deny TCP(no connection) from 10.4.11.3/8080 to 192.192.0.10/58495 flags SYN ACK on interface inside

Inbound TCP connection denied from 10.4.11.3/8080 to 192.192.0.10/59535 flags SYN ACK on interface inside

Can anybody help us with how we can reach our web server from inside?

 

Regards

Accepted Solution

Florin Barhala
Level 6

The simplest solution would be that you add a static route on the DMZ server for 192.192.0.0/24 or /16 with next-hop 10.4.11.2.

Now the trick would be, what if you had 100 DMZ servers instead of just one, or what if you cannot alter the DMZ server network config? In this case I have two more ideas:
- set up a policy-based routing policy on the Sophos firewall and ask that traffic with src LAN and destination 10.4.11.3 go to next-hop 10.4.11.1
- play with the ASA TCP Bypass config; here's a very good example.


5 Replies

Dennis Mink
VIP Alumni

Can you send the config of the inner ASA, so we can check your ACL and NAT?

 

cheers

Please remember to rate useful posts, by clicking on the stars below.

Dear Dennis

 

Attached is the ASA config.

 

Regards


Many thanks Florin

So you are right, if we have a lot of servers in the DMZ, it will be difficult to manage.

I think the best and simplest way is to use a third interface on the ASA, and all DMZ servers will be hosted behind the third ASA interface.

What do you think about this?

So all traffic from the inside network will enter the ASA before going to the DMZ server.

 

That would also make it!
But consider whether the Sophos firewall is required for any DMZ service. If I were you, I would pick the easy way for now or the 3rd option and get "deeper" with Cisco ASA :))
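The deny messages in the opening post are the classic signature of asymmetric routing through a stateful firewall: the SYN from the LAN reaches the web server via the Sophos without ever touching the ASA, and the SYN ACK then follows the server's default gateway into the ASA, which has no connection entry for it and drops the reply. The small model below is an added illustration written for this thread (not code from Cisco, Sophos or any poster): it walks a SYN and its SYN ACK hop by hop through the topology as it can be read from the posts and shows why the reply is denied, then applies each of the four proposals discussed (Florin's static route on the server, PBR on the Sophos, ASA TCP state bypass, and Rowlands' third ASA interface for the DMZ). The placement of the ASA as the server's default gateway, the Sophos sitting directly on the 10.4.11.0/24 segment, and the ASA having a route back to 192.192.0.0/24 via the Sophos are assumptions; the LAN and DMZ addresses and ports come from the quoted log lines.

```python
"""Hop-by-hop model of the LAN -> DMZ handshake from the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Addresses and ports from the quoted ASA deny messages.
LAN_HOST = "192.192.0.10"
WEB = "10.4.11.3"
LAN_NET = ipaddress.ip_network("192.192.0.0/24")
DMZ_NET = ipaddress.ip_network("10.4.11.0/24")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN ACK"


@dataclass
class Node:
    name: str
    addr: Optional[str] = None                   # host address if this node is an endpoint
    routes: list = field(default_factory=list)   # (network, next node); longest prefix wins
    pbr: list = field(default_factory=list)      # (src network, dst host, next node); checked first
    default: Optional[str] = None
    stateful: bool = False                       # admits replies only for connections it saw
    tcp_state_bypass: bool = False               # models the ASA "TCP state bypass" knob
    conns: set = field(default_factory=set)

    def next_hop(self, pkt: Packet) -> Optional[str]:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for src_net, dst_host, nh in self.pbr:          # policy routes take precedence
            if src in src_net and pkt.dst == dst_host:
                return nh
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else self.default

    def admit(self, pkt: Packet) -> bool:
        """Stateful check: a SYN creates state, anything else must match existing state."""
        if not self.stateful or self.tcp_state_bypass:
            return True
        if pkt.flags == "SYN":
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def forward(nodes: dict, start: str, pkt: Packet):
    """Walk pkt from `start` hop by hop; returns (path, outcome)."""
    path, node = [start], nodes[start]
    while node.addr != pkt.dst:
        nh = node.next_hop(pkt)
        if nh is None:
            return path, "no route"
        node = nodes[nh]
        path.append(nh)
        if not node.admit(pkt):
            return path, f"denied at {nh} (no connection)"  # the thread's ASA message
    return path, "delivered"


def build(fix: Optional[str] = None) -> dict:
    """Topology as read from the thread (assumed interface placement); `fix` picks a proposal."""
    lan = Node("lan", addr=LAN_HOST, default="sophos")
    sophos = Node("sophos", stateful=True, routes=[(LAN_NET, "lan"), (DMZ_NET, "web")], default="asa")
    asa = Node("asa", stateful=True, routes=[(DMZ_NET, "web"), (LAN_NET, "sophos")], default="internet")
    web = Node("web", addr=WEB, default="asa")          # default gateway is the ASA, as posted
    internet = Node("internet")
    if fix == "static-route-on-server":                 # Florin's first suggestion
        web.routes.append((LAN_NET, "sophos"))
    elif fix == "pbr-on-sophos":                        # second suggestion: LAN -> 10.4.11.3 via ASA
        sophos.pbr.append((LAN_NET, WEB, "asa"))
    elif fix == "asa-tcp-state-bypass":                 # third suggestion
        asa.tcp_state_bypass = True
    elif fix == "dmz-behind-asa":                       # Rowlands' idea: DMZ on its own ASA interface
        sophos.routes = [(LAN_NET, "lan")]              # Sophos no longer sits on the DMZ segment
    return {n.name: n for n in (lan, sophos, asa, web, internet)}


def handshake(fix: Optional[str] = None):
    """Returns ((path, outcome) for the SYN, (path, outcome) for the SYN ACK)."""
    nodes = build(fix)
    syn = Packet(LAN_HOST, 58495, WEB, 8080, "SYN")
    syn_ack = Packet(WEB, 8080, LAN_HOST, 58495, "SYN ACK")
    return forward(nodes, "lan", syn), forward(nodes, "web", syn_ack)


if __name__ == "__main__":
    for fix in (None, "static-route-on-server", "pbr-on-sophos", "asa-tcp-state-bypass", "dmz-behind-asa"):
        print(f"{fix or 'as posted':24}", handshake(fix))
```

Without a fix the SYN is delivered via lan -> sophos -> web, and the SYN ACK dies at the ASA, exactly as the log shows. The first three options each make the reply path match the request path (or tell the ASA to stop caring); the fourth removes the Sophos from the DMZ segment so every LAN flow builds state on the ASA before it reaches the server. Florin's caveat applies to the model too: in the "static-route-on-server" and "dmz-behind-asa" cases the Sophos, respectively the ASA, sees the whole flow, so whichever firewall is meant to inspect DMZ traffic needs to be the one on both legs.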