DMZ host is not accessible from outside/internet

drlbaluyut (Level 1)

Hi

I cannot access my Trend Micro Mobile Device Manager from outside using this link to download the MDM agent.

http://outside_interface_public_ip:8080/mobile

https://outside_interface_public_ip:4343/mobile

My MDM is a DMZ host with IP 172.29.29.2 and a NAT rule to translate 172.29.29.2 to outside_interface_public_ip:

nat (DMZ,outside) static interface service 

I have an access rule on outside to permit any to the real IP of the DMZ host with service IP.

I did not permit a specific port in the first place and am using service IP for the meantime to allow all services.

Please help me.

Thanks


It could be a problem with the routing of the public IP... but that is very unlikely.

In the ASDM real-time log viewer, do you see any drops or asynchronous NAT?

--

Please remember to select a correct answer and rate helpful posts

No async NAT on the viewer when pinging 8.8.8.8 from the DMZ host. But I can see the permit hit count increase on the DMZ access rule permit any any. Also, on the real-time viewer, teardown ICMP can be seen and no drop. It worked one day, then the next morning it became intermittent, up to not working at all.

I suggest setting up a packet capture between the interfaces for the specific server

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

And see if you see traffic flow in both directions.

--

Please remember to select a correct answer and rate helpful posts

Hi

It is working again now. It cannot work when I set a specific TCP port 4343 in the access-list for outside going in. After I changed it to IP it worked. But I wonder why it cannot work after permitting only specific ports.

Hi,

1. Check the inspection list on the firewall.

2. If it is working on [ IP ], check the ports that are listening on both ends to see which port is in use, and then check whether it is permitted on your firewall or not.

Try capturing traffic between the two hosts on the firewall and analyze the traffic.

HTH

Samer.
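The thread leaves the outside ACL at "permit ip any" to the DMZ host, and the replies recommend checking what is actually permitted and capturing the traffic. The following ASA (8.3+ object NAT syntax, which the poster's `nat (DMZ,outside) static interface service` line implies) configuration is an added example, not config from the original thread: it shows the over-broad rule next to a least-privilege version that publishes only TCP 8080 and 4343, followed by the packet-tracer and capture commands used to verify it. Object and ACL names (MDM_HTTP, MDM_HTTPS, OUTSIDE_IN, CAP_OUT, CAP_DMZ), the source address 203.0.113.10 and the `<public_ip>` placeholder are assumptions; the interface names and 172.29.29.2 come from the post.

```cisco
! Added example, not from the thread. Assumed names: MDM_HTTP, MDM_HTTPS,
! OUTSIDE_IN, CAP_OUT, CAP_DMZ. Interfaces DMZ/outside and host
! 172.29.29.2 are from the original post. ASA 8.3+ object NAT syntax.

! --- As posted: a static NAT to the outside interface plus an ACL that
! --- opens every protocol and port to the DMZ host (shown commented out).
! access-list OUTSIDE_IN extended permit ip any host 172.29.29.2

! --- Least-privilege form: one network object per published port (object
! --- NAT permits only one nat statement per object), and an ACL written
! --- against the real IP (the 8.3+ rule) that permits only 8080 and 4343.
object network MDM_HTTP
 host 172.29.29.2
 nat (DMZ,outside) static interface service tcp 8080 8080
object network MDM_HTTPS
 host 172.29.29.2
 nat (DMZ,outside) static interface service tcp 4343 4343

access-list OUTSIDE_IN extended permit tcp any host 172.29.29.2 eq 8080
access-list OUTSIDE_IN extended permit tcp any host 172.29.29.2 eq 4343
access-group OUTSIDE_IN in interface outside

! --- Verification, as the replies suggest: confirm the NAT and ACL match
! --- one inbound TCP/4343 attempt, then capture both sides of it.
! 203.0.113.10 is a constructed outside source; replace <public_ip> with
! the outside interface address.
packet-tracer input outside tcp 203.0.113.10 40000 <public_ip> 4343
show nat detail
show access-list OUTSIDE_IN
capture CAP_OUT interface outside match tcp any host <public_ip> eq 4343
capture CAP_DMZ interface DMZ match tcp any host 172.29.29.2 eq 4343
show capture CAP_OUT
show capture CAP_DMZ
no capture CAP_OUT
no capture CAP_DMZ
```

If `packet-tracer` reports the flow as allowed but CAP_OUT shows SYNs with no SYN/ACK in CAP_DMZ, the problem is on the path beyond the firewall rule (routing of the public IP, or the service not listening on that port); if CAP_DMZ shows the SYN and the host replies but CAP_OUT never sees the reply, look at the NAT translation for the return direction.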

I also cannot telnet to the public address.
