02-19-2007 06:05 AM - edited 03-11-2019 02:35 AM
Hello,
I have a problem with my web server on the DMZ behind a Cisco ASA5520. On the outside interface I have a PPPoE DSL connection (I get a static IP address). I made a dynamic NAT for my inside network and a static NAT for the DMZ. I also did a PAT from outside interface port 8080 to the web server (DMZ) port 8081. Under access-group outside-in I created an ACL which allows a group of IPs to access the outside interface on port 8080. I tried with packet tracer but it doesn't allow the traffic through (it goes to the implicit rule instead of my rule).
Does anyone know how to solve the problem?
Regards, Jan
02-19-2007 06:13 PM
Could you provide the outputs of following commands-
show run static
show run access-group
show run access-list
02-20-2007 05:22 AM
access-list outside_access_in extended permit tcp object-group Web_server-access interface outside object-group web_server-service
access-group outside_access_in in interface outside
object-group network Web_server-access
description Allowed hosts
network-object host xxx.xxx.xxx.xxx
object-group service web_server-service tcp
port-object eq 8080
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.10.10.0 255.255.255.0
static (dmz,outside) tcp y.y.y.y 8080 172.16.0.2 8081 netmask 255.255.255.255
The problem, I guess, is in the translated IP address. I have a PPPoE connection (username, pass) but I get a static IP - always the same. I think Cisco has a problem with the static ACL (it doesn't know that this is its outside IP address)... I also tried to make the ACL with IP address y.y.y.y (instead of interface outside) but it also doesn't work. I saw via ASDM that it is possible to make a static NAT translation to the outside interface IP (without entering any address). I haven't tried it yet, because the FW is in production.
Does anyone know a right solution for this please?
Regards, Jan
02-20-2007 09:16 AM
Jan,
Your access-list and access-group configuration is fine, assuming that y.y.y.y is the IP address you get on the outside interface. I'm not sure if you have already used the following static command, but try using the static command like this:
Remove the existing static command first:
no static (dmz,outside) tcp y.y.y.y 8080 172.16.0.2 8081
Add the new one:
static (dmz,outside) tcp interface 8080 172.16.0.2 8081
clear xlate local 172.16.0.2
Now try whether you are able to access the server from host xxx.xxx.xxx.xxx.
If not, let me know if there are syslogs enabled on PIX and if we can view the portion of logs when you try to make a connection.
02-20-2007 09:42 AM
Thank you very much. That was the solution to my problem... in ASDM it was like I said in the post before.
Regards, Jan