1283 Views, 0 Helpful, 4 Replies

problem at DMZ

tulijulhas
Level 1

Hi expert.

I am new to Cisco ASA. I tried to resolve my lab but failed. Please help. At the DMZ there is a web and DNS server. Public users cannot access my web server.

//

julhas

4 Replies

Shivapramod M
Level 1

Hi Julhas,

Have you configured a static NAT on the ASA to translate a public IP to the server's real IP?

object network obj-10.10.10.10
host <server IP>
nat (DMZ,outside) static <mapped IP>

Can you provide the configuration of the ASA?

You can also take the packet tracer on the ASA to check the flow of the packet on the ASA.

packet-tracer input outside tcp 8.8.8.8 12345 <server mapped IP> 80

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi Shivapramod M,

As per my attached diagram, I have configured as below:


:
ASA Version 8.4(2)
!
hostname ciscoasa

!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 20.20.20.1 255.255.255.248
!
interface GigabitEthernet1
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.248
!
interface GigabitEthernet2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network dmzwebserver
host 10.10.10.3
object network mydmzdnsserver
host 10.10.10.2
access-list 100 extended permit tcp any host 10.10.10.2 eq domain
access-list 100 extended permit tcp any host 10.10.10.3 eq www
access-list 100 extended permit tcp any host 20.20.20.3 eq www
access-list 100 extended permit tcp any host 20.20.20.4 eq domain

!
object network dmzwebserver
nat (dmz,outside) static 20.20.20.3 dns
object network mydmzdnsserver
nat (dmz,outside) static 20.20.20.4 dns
access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 20.20.20.2 1

!
class-map myclass
match default-inspection-traffic
!
!
policy-map mypolicy
class myclass
inspect icmp
inspect http
inspect dns
!
service-policy mypolicy global

: end

........................................

Is the issue between the ISP DNS and the DMZ DNS?

Please see the attachment.

//

julhas

Hi Julhas,

Remove the last two access-list entries, which are pointing to the public IP.

Also, I can see that you are using 'tcp' for the DNS access-list instead of 'udp'. Please change that. I guess that is the reason your users might not be able to resolve the IP.

Also run 'nslookup' from the host for the website you are trying to access and see if you are able to resolve the site name to an IP.

Hope it helps. 

Regards,

Akshay Rastogi

Remember to rate helpful posts.
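The two points raised in the replies above (interface ACLs on ASA 8.3+ match the real, untranslated address rather than the NAT mapped address, and DNS queries are carried over UDP/53) can be checked mechanically before pushing a config. The script below is an added example, not from the original thread or from Cisco: it parses the `object network` / `nat` blocks to learn which public addresses are mapped to which DMZ hosts, then lints the `access-list` lines for entries that reference a mapped address (which will not match inbound traffic after untranslation) and for DNS entries that use `tcp`. The embedded configuration is a constructed copy of the relevant lines posted in this thread; the function and variable names are my own.

```python
import re

# Constructed sample: the NAT and ACL lines from the ASA 8.4(2) config posted above.
ASA_CONFIG = """\
object network dmzwebserver
 host 10.10.10.3
object network mydmzdnsserver
 host 10.10.10.2
access-list 100 extended permit tcp any host 10.10.10.2 eq domain
access-list 100 extended permit tcp any host 10.10.10.3 eq www
access-list 100 extended permit tcp any host 20.20.20.3 eq www
access-list 100 extended permit tcp any host 20.20.20.4 eq domain
object network dmzwebserver
 nat (dmz,outside) static 20.20.20.3 dns
object network mydmzdnsserver
 nat (dmz,outside) static 20.20.20.4 dns
access-group 100 in interface outside
"""

ACL_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (\S+) (\S+) host (\S+) eq (\S+)"
)


def parse_objects(config):
    """Return {object_name: {"real": host_ip, "mapped": mapped_ip}}.

    The ASA prints an object's host in one 'object network' block and its
    nat statement in a second block with the same name, so blocks are merged.
    """
    objects = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"\s*object network (\S+)", line)
        if m:
            current = objects.setdefault(m.group(1), {"real": None, "mapped": None})
            continue
        if current is None:
            continue
        m = re.match(r"\s*host (\S+)", line)
        if m:
            current["real"] = m.group(1)
        m = re.match(r"\s*nat \(\S+\) static (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            current["mapped"] = m.group(1)
    return objects


def lint_acl(config):
    """Return a list of (kind, acl_line, message) findings for the two mistakes
    discussed in the thread: 'mapped-dst' and 'tcp-dns'."""
    objects = parse_objects(config)
    mapped_to_real = {
        o["mapped"]: o["real"] for o in objects.values() if o["mapped"] and o["real"]
    }
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        _name, _action, proto, _src, dst, port = m.groups()
        if dst in mapped_to_real:
            findings.append((
                "mapped-dst", line,
                f"{dst} is the NAT mapped address; on ASA 8.3+ the outside ACL "
                f"sees the real address {mapped_to_real[dst]}, so remove this entry",
            ))
        if port == "domain" and proto == "tcp":
            findings.append((
                "tcp-dns", line,
                "DNS queries use UDP/53; change 'tcp' to 'udp' for this entry",
            ))
    return findings


def corrected_acl(config):
    """Apply the two fixes: drop mapped-address entries, use udp for domain."""
    mapped = {o["mapped"] for o in parse_objects(config).values() if o["mapped"]}
    out = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        if m.group(5) in mapped:
            continue
        if m.group(6) == "domain" and m.group(3) == "tcp":
            line = line.replace(" tcp ", " udp ", 1)
        out.append(line)
    return out


if __name__ == "__main__":
    for kind, line, msg in lint_acl(ASA_CONFIG):
        print(f"[{kind}] {line}\n    {msg}")
    print("\nCorrected ACL:")
    print("\n".join(corrected_acl(ASA_CONFIG)))
```

Running it against the posted config reports the two entries for 20.20.20.3 and 20.20.20.4 as unnecessary and flags both `eq domain` entries for using TCP, leaving a two-line ACL that permits UDP/53 to 10.10.10.2 and TCP/80 to 10.10.10.3, which is what the reply above asks for. The `packet-tracer` command suggested earlier remains the way to confirm on the device itself that the outside-to-DMZ flow is untranslated and permitted.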

Can you share the .pkt file with me?
