Static NAT for DMZ servers.

Debudas123
Level 1

I have two DMZ servers and also have two separate public IPs for static NAT.

I have configured the following, but I can't access the internet.

asa(conf)#access-list outside_access_in extended permit ip any host 115.119.126.x1
asa(conf)#access-list outside_access_in extended permit ip any host 115.119.126.x2
asa(conf)#access-list dmz_access_in extended permit ip host 172.16.49.8 any
asa(conf)#access-list dmz_access_in extended permit ip host 172.16.49.9 any
asa(conf)#static (dmz,outside) 115.119.126.x1 172.16.49.8 netmask 255.255.255.255
asa(conf)#static (dmz,outside) 115.119.126.x2 172.16.49.9 netmask 255.255.255.255
asa(conf)#access-group outside_access_in in interface outside
asa(conf)#access-group dmz_access_in in interface dmz
asa(conf)#route outside 0.0.0.0 0.0.0.0 115.119.126.x 1

25 Replies

varrao
Level 10

Hi Debu,

You have everything configured correctly on the ASA. Just check the default gateway on the servers and also try using 4.2.2.2 as the DNS server on them. Try accessing the internet again. If it still does not work, try taking captures on the ASA to check where the packets are going.

Are you able to ping the ISP router?

Are you able to ping the dmz interface?

How to take captures:

https://supportforums.cisco.com/docs/DOC-17814

Thanks,

Varun

Thanks,
Varun Rao

Dear Sir,

1. The default gateway of the servers is 172.16.49.1.
2. I can ping the dmz interface.
3. But I can't ping the ISP.

I have also tried using your suggested DNS 4.2.2.2, but the problem remains.

Hi Debu,

Then the best way to troubleshoot this would be to take captures on the ASA: apply the captures, try reaching the ISP router, and check where the packets are dropping, or whether you are getting any replies from the ISP router.

This should be your action plan:

1. Take captures on the ASA.
2. Take logs on the ASA.
3. Try packet-tracer:

packet-tracer input dmz tcp 172.16.49.8 23456 4.2.2.2 80 detailed

This output should say allow.

Thanks,

Varun


Dear Sir,

See the basic layout. Can you tell me what the exact configuration is?

Hi Debu,

You've got the correct configuration as far as I can see, so as suggested earlier, take captures:

access-list cap permit ip host 172.16.49.8 any
access-list cap permit ip any host 172.16.49.8
access-list cap permit ip host 115.119.126.x1 any
access-list cap permit ip any host 115.119.126.x1
cap capo access-list cap interface outside
cap capd access-list cap interface dmz

After applying the captures, ping 4.2.2.2 and the ISP router.

Do:

show cap capd
show cap capo

Check which side is not replying or is dropping the packets.

Try packet-tracer as well:

packet-tracer input dmz tcp 172.16.49.8 23456 4.2.2.2 80 detailed

Are you able to ping the ISP router from the ASA?

Can you also provide the complete config from the ASA? You can change the IPs if you want.

Hope this helps,

Thanks,

Varun


Dear Sir, I have also sent you the conf.txt file. One thing is that the inside network can access the internet as well as the DMZ network, and the DMZ network can access the inside network, but the DMZ can't access the internet.

Hi Debu,

I haven't received any file yet.

Varun


Dear Sir,

Please see the configuration that I mention below.

ciscoasa# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.50.1 AD
name 172.16.51.153 Anjan_MAC
name 172.16.50.5 BBerry
name 172.16.51.98 CMD-Sec-Sony
name 172.16.51.52 DevsankarIT-Manager
name 172.16.51.76 DilipBDesai
name 172.16.50.6 Exchange
name 172.16.51.46 Goutam
name 172.16.51.104 Harjinder
name 172.16.51.165 Helpdesk
name 172.16.51.74 ITR
name 172.16.50.4 IWSS
name 172.16.50.0 Inside50
name 172.16.51.0 Inside51
name 172.16.60.0 Inside60
name 172.16.50.3 MSSQL
name 172.16.51.60 Manish
name 172.16.51.23 NP1
name 172.16.51.28 NP2
name 172.16.50.2 OfficeScan
name 172.16.51.35 Rupa-DG
name 172.16.49.14 SRV1
name 172.16.49.15 SRV2
name 172.16.51.56 Sandip
name 172.16.51.145 SandipAgarwal
name 172.16.51.150 Siddhartha
name 172.16.51.191 Soumen
name 172.16.60.78 SoumenAdak
name 172.16.51.53 Sourav
name 172.16.51.115 Standby-DBD
name 115.119.126.19 StaticSRV1
name 115.119.126.20 StaticSRV2
name 172.16.51.239 VideoConferencing
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 115.119.126.18 255.255.255.240
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.49.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif manament-only
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object-group network NetUsers
 network-object host Harjinder
 network-object host Standby-DBD
 network-object host SandipAgarwal
 network-object host Siddhartha
 network-object host Anjan_MAC
 network-object host Helpdesk
 network-object host Soumen
 network-object host NP1
 network-object host NP2
 network-object host Rupa-DG
 network-object host Goutam
 network-object host DevsankarIT-Manager
 network-object host Sourav
 network-object host Sandip
 network-object host Manish
 network-object host ITR
 network-object host DilipBDesai
 network-object host CMD-Sec-Sony
 network-object host SoumenAdak
object-group network Servers
 network-object host AD
 network-object host OfficeScan
 network-object host MSSQL
 network-object host IWSS
 network-object host BBerry
 network-object host Exchange
access-list dmz_access_in extended permit ip host SRV1 any
access-list dmz_access_in extended permit ip host SRV2 any
access-list inside_access_in extended permit ip object-group NetUsers any
access-list inside_access_in extended permit ip object-group Servers any
access-list inside_access_in extended permit ip any 172.16.49.0 255.255.255.0
access-list outside_access_in extended permit ip any host StaticSRV1
access-list outside_access_in extended permit ip any host StaticSRV2
access-list outside_access_in extended permit icmp any any
access-list dmz_nat0_outbound extended permit ip 172.16.49.0 255.255.255.0 Inside50 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 172.16.49.0 255.255.255.0 Inside51 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 172.16.49.0 255.255.255.0 Inside60 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside50 255.255.255.0 172.16.49.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside51 255.255.255.0 172.16.49.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside60 255.255.255.0 172.16.49.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu manament-only 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (dmz) 0 access-list dmz_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) StaticSRV1 SRV1 netmask 255.255.255.255
static (dmz,outside) StaticSRV2 SRV2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 115.119.126.17 1
route inside Inside50 255.255.255.0 192.168.2.2 1
route inside Inside51 255.255.255.0 192.168.2.2 1
route inside Inside60 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 manament-only
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f659e5e4c1a9c17206a23e6e527a1314
: end
ciscoasa#

Thanks...

Debabrata

Hi Deb,

Try this:

nat (dmz) 1 0.0.0.0 0.0.0.0

Then do:

clear local-host 172.16.49.15
clear local-host 172.16.49.14

Try accessing the internet again.

Thanks,

Varun

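The replies above lean on the ASA 8.2 order of operations (interface ACL, static, nat 0 exemption, nat/global, and the nat-control drop), and on packet-tracer to show which step a flow hits. The following is an added example, not code from the thread or from Cisco: a small Python model of those steps, loaded with the addresses and rules from the configuration posted above, that prints a packet-tracer-like verdict for a flow. It is a deliberate simplification (object-groups on the inside ACL collapsed to "any", no same-interface traffic, no protocol inspection, and nat-control enforced only for higher-to-lower security traffic); the outside client address 203.0.113.7 is constructed.

```python
"""Toy model of ASA 8.2 forwarding for the configuration posted in this thread.

Added example, not ASA or Cisco code. Steps, in order: ingress interface ACL
(matched against the mapped/global address, as pre-8.3 ASAs do), static
un-translation of the destination, route lookup, then source NAT in 8.2
precedence (nat 0 exemption -> static -> nat/global) and the nat-control drop
for higher-to-lower security traffic that matches no rule.
"""
import ipaddress as ipa


def net(s):
    """'any', a host address, or a CIDR prefix -> IPv4Network."""
    return ipa.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)


SEC = {"outside": 0, "dmz": 50, "inside": 100}                        # security-level
IF_ADDR = {"outside": ipa.ip_address("115.119.126.18"),               # interface addresses
           "dmz": ipa.ip_address("172.16.49.1"),
           "inside": ipa.ip_address("192.168.2.1")}
ROUTES = [(net("115.119.126.16/28"), "outside"), (net("172.16.49.0/24"), "dmz"),
          (net("192.168.2.0/24"), "inside"), (net("172.16.50.0/24"), "inside"),
          (net("172.16.51.0/24"), "inside"), (net("172.16.60.0/24"), "inside"),
          (net("0.0.0.0/0"), "outside")]                              # route outside 0.0.0.0 0.0.0.0
ACL = {  # access-group <acl> in interface <if>: (proto, src, dst) permits, implicit deny at the end
    "outside": [("ip", net("any"), net("115.119.126.19")), ("ip", net("any"), net("115.119.126.20")),
                ("icmp", net("any"), net("any"))],
    "dmz": [("ip", net("172.16.49.14"), net("any")), ("ip", net("172.16.49.15"), net("any"))],
    "inside": [("ip", net("any"), net("any"))],                       # simplification: groups -> any
}
INSIDE_NETS = [net("172.16.50.0/24"), net("172.16.51.0/24"), net("172.16.60.0/24")]
NAT0 = {"dmz": [(net("172.16.49.0/24"), n) for n in INSIDE_NETS],    # nat (dmz) 0 access-list ...
        "inside": [(n, net("172.16.49.0/24")) for n in INSIDE_NETS]}  # nat (inside) 0 access-list ...
STATIC = [("dmz", "outside", ipa.ip_address("115.119.126.19"), ipa.ip_address("172.16.49.14")),
          ("dmz", "outside", ipa.ip_address("115.119.126.20"), ipa.ip_address("172.16.49.15"))]
DYNAMIC = {"inside": (1, net("any"))}                 # nat (inside) 1 0.0.0.0 0.0.0.0
WITH_DMZ_NAT = dict(DYNAMIC, dmz=(1, net("any")))     # plus the suggested nat (dmz) 1 0.0.0.0 0.0.0.0
GLOBAL = {("outside", 1): "interface"}                # global (outside) 1 interface


def egress(dst):
    """Longest-prefix match over connected and static routes."""
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]


def acl_permits(in_if, proto, src, dst):
    return any(p in ("ip", proto) and src in s and dst in d for p, s, d in ACL[in_if])


def forward(in_if, proto, src, dst, statics=STATIC, dynamic=DYNAMIC):
    """Return (verdict, out_if, xlated_src, xlated_dst, reason), like a packet-tracer summary."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    if not acl_permits(in_if, proto, src, dst):       # ACL sees the mapped address on 8.2
        return ("drop", None, str(src), str(dst), f"{in_if} ACL: implicit deny")
    for real_if, mapped_if, mapped, real in statics:  # inbound to a static's mapped address
        if in_if == mapped_if and dst == mapped:
            dst = real
    out_if = egress(dst)
    if out_if == in_if:
        return ("drop", out_if, str(src), str(dst), "same-interface traffic not modelled")
    for s, d in NAT0.get(in_if, []):                  # 1. nat 0 access-list (exemption)
        if src in s and dst in d:
            return ("allow", out_if, str(src), str(dst), "nat 0 exemption")
    for real_if, mapped_if, mapped, real in statics:  # 2. static
        if in_if == real_if and out_if == mapped_if and src == real:
            return ("allow", out_if, str(mapped), str(dst), f"static ({real_if},{mapped_if})")
    if in_if in dynamic:                              # 3. nat/global (interface PAT here)
        nat_id, pool = dynamic[in_if]
        if src in pool and (out_if, nat_id) in GLOBAL:
            return ("allow", out_if, str(IF_ADDR[out_if]), str(dst),
                    f"nat ({in_if}) {nat_id} -> global ({out_if}) {nat_id} interface")
    if SEC[in_if] > SEC[out_if]:                      # nat-control: higher -> lower with no rule
        return ("drop", out_if, str(src), str(dst), "nat-control: no translation group found")
    return ("allow", out_if, str(src), str(dst), "lower -> higher, no source NAT required")


if __name__ == "__main__":
    flows = [("dmz", "tcp", "172.16.49.14", "4.2.2.2"),            # SRV1 -> internet
             ("outside", "tcp", "203.0.113.7", "115.119.126.19"),  # internet -> SRV1 (constructed client)
             ("dmz", "tcp", "172.16.49.14", "172.16.50.1"),        # SRV1 -> AD on the inside
             ("inside", "tcp", "172.16.51.46", "4.2.2.2"),         # Goutam -> internet
             ("dmz", "tcp", "172.16.49.20", "4.2.2.2")]            # DMZ host with no ACL entry
    for label, st, dyn in (("posted config", STATIC, DYNAMIC),
                           ("no statics, plus nat (dmz) 1", [], WITH_DMZ_NAT)):
        print(f"== {label}")
        for f in flows:
            print(f"{f[0]:>7} {f[2]:>15} -> {f[3]:<15}", forward(*f, statics=st, dynamic=dyn))
```

With the posted rules the model allows SRV1 to the internet via its static, which is the same "allow" packet-tracer would report; that is why the captures Varun keeps asking for matter, since a NAT rule that is present and matching cannot be the reason the ISP router never answers. The second scenario shows what `nat (dmz) 1 0.0.0.0 0.0.0.0` changes: a DMZ host without a static is PATed to the outside interface address instead of being dropped by nat-control, but that translation is outbound-only, so nothing inbound can reach it.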

Dear Sir,

I have already tried this, and the internet is working, but there is one problem: I can't ping or access the DMZ servers from outside.

Thanks,

Debabrata

Hi Deb,

If you do not take logs and captures, you will never be able to know what exactly is happening on the ASA.

Previously you mentioned that the dmz server is not able to access the internet but now it seemed to have changed.

Debudas123 wrote:

    I have two DMZ servers and also have two separate public IPs for static NAT.
    I have configured the following, but I can't access the internet.

Can you please explain what the exact issue is that you are facing:

1. accessing the internet from the DMZ servers, or
2. accessing the DMZ servers from the internet.

Varun


Dear Sir,

I want to access both:

1. accessing the internet from the DMZ.
2. accessing the DMZ servers from outside.

Thanks,

Debabrata

Any update, sir?

Thanks,

Debabrata

Hi Deb,

I have told you a couple of times already to take captures and logs; without them, troubleshooting would not be possible. Please try it.

Varun
