12-18-2009 02:40 PM - edited 03-11-2019 09:50 AM
I've got a 5505 with 7.2 code. I'm trying to get its DMZ servers to communicate with inside and outside networks:
access-list outside_access_in extended permit tcp "outside users" "dmz server" eq 3389
static (dmz,outside) "dmz server outside" "dmz server" netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 "provider's ip"
12-18-2009 02:48 PM
Hi,
If you have this ASA and you want the DMZ servers to communicate with the inside and outside network, what you have to do is the following:
static (inside, DMZ) inside_LAN inside_LAN netmask
static (DMZ, outside) Public_IP_for_each_server Private_IP_for_each_server
Then, create an ACL for the outside and DMZ interfaces allowing the incoming traffic from the less secure interfaces to the more secure interfaces.
If you need a more detailed example, let me know.
Cheers,
Federico.
12-18-2009 03:11 PM
that's what I have configured. ACLs are opened-up. Including "no nat-control".
thanks, Kevin
12-18-2009 03:56 PM
For example, let's say that you want to allow any outside user to access server1 and server2 on the DMZ.
Server1 has private1 and public1 IP addresses
Server2 has private2 and public2 IP addresses
Then, the configuration will look like this:
static (dmz,outside) public1 private1
static (dmz,outside) public2 private2
The above commands are to create the translation, then the ACL to allow the incoming traffic from the Internet
access-list outside permit tcp any host public1 eq 3389
access-list outside permit tcp any host public2 eq 3389
Remember that you must apply the ACL to the outside interface
access-group outside in interface outside
With the above configuration, you should be able to enter via TCP port 3389 to both servers using their respective public address.
If it is not working, you can try adding another line on the outside ACL to allow PING
access-list outside permit icmp any host public1
And try to PING the server. If it PINGs, then you know it is not a connectivity problem.
If it does not PING, then we can do more tests on the ASA, like using the Packet Tracer utility via ASDM or CLI to simulate the connection and see what the results are on the ASA.
Make sure that on the outside ACL, there's not a deny statement on top of the permit statements that could be blocking the traffic.
Also try from the server itself to get out to the Internet and see if traffic flows that way.
Let me know please.
Federico.
12-18-2009 05:40 PM
What is broken? Who cannot access who?
access-list outside_access_in extended permit tcp "outside users" "dmz server" eq 3389
The above line should actually be as follows:
access-list outside_access_in extended permit tcp "outside users" "dmz server outside" eq 3389
-KS
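The two points made in this thread (Federico's static plus outside ACL pair, and KS's correction that on 7.2 code the outside ACL must name the mapped "outside" address rather than the server's real DMZ address) can be checked mechanically. The script below is an added example written for this thread, not configuration or tooling from Cisco or from the posters. It parses a small constructed ASA 7.x config (documentation-range addresses are placeholders) and flags any entry of an ACL bound inbound on an interface that references a real address which a `static` translates on that same interface, suggesting the mapped address instead.

```python
"""Lint an ASA 7.x config for outside ACL entries that reference real DMZ addresses.

On ASA code before 8.3 an inbound ACL on the outside interface is evaluated
against the translated (mapped) address of a statically NATed server, so an
entry that names the server's real DMZ address never matches.  This added
example parses 'static', 'access-list' and 'access-group' lines from a
constructed sample config and reports entries that need the mapped address.
"""
import re

# Constructed sample config: one ACL line uses the real address (wrong on 7.2),
# one uses the mapped address (correct).  All addresses are placeholders.
SAMPLE_CONFIG = """\
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.2.11 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 192.168.2.10 eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq 3389
access-list outside_access_in extended permit icmp any host 203.0.113.10
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>\S+) (?P<real>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")


def parse_statics(lines):
    """Map real_ip -> (mapped_ip, real_if, mapped_if) for every static line."""
    statics = {}
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            statics[m["real"]] = (m["mapped"], m["real_if"], m["mapped_if"])
    return statics


def parse_bindings(lines):
    """Map ACL name -> interface it is applied to inbound."""
    bindings = {}
    for line in lines:
        m = GROUP_RE.match(line.strip())
        if m:
            bindings[m["name"]] = m["iface"]
    return bindings


def find_misreferenced_acl_entries(config_text):
    """Return findings for ACL entries that name a real address on the
    interface where that address is only reachable via its mapped address."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    statics = parse_statics(lines)
    bindings = parse_bindings(lines)
    findings = []
    for line in lines:
        m = ACL_RE.match(line)
        if not m or m["name"] not in bindings:
            continue  # not an extended ACL entry, or ACL not applied anywhere
        iface = bindings[m["name"]]
        dst = m["dst"]
        if not dst.startswith("host "):
            continue  # 'any' destination: nothing to check
        dst_ip = dst.split()[1]
        # Only flag when the static's mapped side is the interface the ACL
        # faces; traffic arriving there is matched on the mapped address.
        if dst_ip in statics and statics[dst_ip][2] == iface:
            mapped = statics[dst_ip][0]
            findings.append({
                "line": line,
                "real": dst_ip,
                "mapped": mapped,
                "fixed": line.replace(f"host {dst_ip}", f"host {mapped}"),
            })
    return findings


if __name__ == "__main__":
    for f in find_misreferenced_acl_entries(SAMPLE_CONFIG):
        print(f"ACL entry references real address {f['real']}; use mapped {f['mapped']}:")
        print(f"  - {f['line']}")
        print(f"  + {f['fixed']}")
```

Run it as-is to see the one offending line from the sample and the corrected form; feeding it a `show running-config` dump works the same way because it only looks at the three command types shown. It deliberately ignores the `(inside,dmz)` identity static from Federico's first reply, since the real and mapped addresses there are the same and no rewrite is needed.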
12-18-2009 07:14 PM
Besides, the no nat-control has nothing to do with this, because you need NAT in order to make your DMZ servers accessible from the Internet (unless you have routable addresses configured on the server itself)...
I'll suggest to try to get out to the Internet from the server itself (will discard any routing problem) and make sure the outside ACL points to the public IP of the server.
This should work, otherwise let us know what you see....
Thanks,
Federico.
12-18-2009 07:57 PM
Packet Tracer helped. The DMZ server (only one for now) having the issue wasn't configured correctly.
RDP requests are hitting the server's public address, then hit the server's DMZ address, then the server sends a reset back out.
But thanks again for suggesting Packet Tracer.
kevin