unable to access internet from DMZ server - Page 2

mudasir05 · ‎03-30-2015

Hello All,

I have a Server connected to the Vlan on 2960 switch which is connected to the ASA 5545.

The Server is accessed from outside as iam able to ping its public ip as well as able to ssh it,however the problem is iam not able to access the Internet from the Server.

I am using ASA version 9.1,also i created access-list and Nat rule through Public Server feature of the ASDM.

kindly help where iam wrong.

Thanks

mudasir05 · ‎04-01-2015

thanks Jon for the info....

will try this definitely on my router and will let u know..

Vibhor Amrodia · ‎04-02-2015

Hi,

Yes , I think we already have the ASA code 9.4.1 which supports PBR. SO , an upgrade should help you out with this issue :)

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html

Thanks and Regards,

Vibhor Amrodia

Jon Marshall · ‎03-31-2015

Okay I think the problem is you have two outside interfaces.

Your default route is pointing to the outside interface.

So when the server initiates the connection you have setup a static to the Jeraisy interface IP but the ASA routes the traffic to the outside interface and there is no translation for your server.

You cannot have multiple default routes via different interfaces.

So what you may have to do is -

1) setup static PAT translations for the ports you want using the Jeraisy interface

2) then setup up a dynamic NAT for the server to the outside interface for traffic it initiates.

You won't, unless Vibhor knows a way, be able to use the Jeraisy ISP for traffic initiated from the server.

Unless of course you wanted to use contexts in which case you could have the server DMZ and the Jeraisy outside interface in their own context.

Jon

mudasir05 · ‎03-31-2015

thanks Jon,

if somehow I setup the static PAT translations and Dynamic NAT then in that case also I have to configure the static route.....am I right?