Beginner

Unable to Reach to Server in DMZ Zone - ASA 5506X

Hi !!
Greetings !!

I am unable to get to the Server placed in DMZ Zone from Internet. However, I am able to reach from INSIDE Zone.

I have attached the configuration file of ASA.

 

Please help !!! I have to solve it as I have already committed to my client. I have already spent a week solving the issue but with no result. PLEASE PLEASE PLEASE !!!

VIP Advisor

Re: Unable to Reach to Server in DMZ Zone - ASA 5506X

Hi,
Are you attempting to connect to the DMZ server using its real IP address or the NAT IP address?
Beginner

Re: Unable to Reach to Server in DMZ Zone - ASA 5506X

Thanks for your reply !!

I can access the real IP address 172.16.1.3 from INSIDE Zone. But I am unable to get through NATed IP from Public Internet. I am trying from a different ISP and not the ISP where the ASA is connected to.

VIP Advisor

Re: Unable to Reach to Server in DMZ Zone - ASA 5506X

Please run packet-tracer from the CLI and provide the full output for review. E.g:-

"packet-tracer input outside tcp 8.8.8.8 3000 172.16.1.3 80"

Replace "80" with whichever port your server is listening on.
VIP Advocate

Re: Unable to Reach to Server in DMZ Zone - ASA 5506X

Hi

Check this guide 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
Beginner

Re: Unable to Reach to Server in DMZ Zone - ASA 5506X

 

Hi all !!

I am able to get to the server now. Actually there may be some problem in the server itself which is Ubuntu Server. Now for testing we are using a Windows Desktop.

Now I am able to get to the Windows Desktop HTTP Server. I wonder what is the issue in Ubuntu Server.

Now there is an issue. I am unable to ping the server whereas I have configured ICMP inspection and allowed everything from outside using ACL.

If you all can please solve the Ping issue.

Regards..

VIP Advisor

Re: Unable to Reach to Server in DMZ Zone - ASA 5506X

Check the local firewall on the Ubuntu server. You can completely disable the Ubuntu firewall using the command "ufw disable". Alternatively permit the required traffic. UFW examples:- https://help.ubuntu.com/community/UFW

 

 

Beginner

Re: Unable to Reach to Server in DMZ Zone - ASA 5506X

Thanks Rob !!

Yes but I am able to ping and open the http server from INSIDE network. This implies that the firewall is not the issue.

I wonder why the server is behaving like that.

Regards..

VIP Advisor

Re: Unable to Reach to Server in DMZ Zone - ASA 5506X

No, it does not imply that is not the issue. Just because you can ping it from the local inside network doesn't mean to say that the local Ubuntu firewall is not configured to drop ping from a foreign network - hence why I asked to simply check if it was enabled. You appear to be permitting all inbound traffic on the ASA so that's unlikely to be blocking the traffic, you need to perform more troubleshooting - run packet-tracer and take a packet capture on the ASA.
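
The point made in the reply above (reachability from INSIDE does not show how the server treats foreign sources) can be checked with a capture taken on the Ubuntu server itself. The following is an added example, not part of the original thread: the interface name `eth0`, the inside client 192.168.1.20 and the Internet client 203.0.113.10 are assumptions, and the capture lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: classify, from a capture taken ON the server, whether echo
# requests from one source reach the host and whether the host answers them.
# Capture with (interface name is an assumption):
#   sudo tcpdump -ni eth0 icmp > capture.txt

# Constructed sample capture: the inside client is answered, the Internet
# client (documentation address 203.0.113.10) is not.
sample_capture() {
cat <<'EOF'
10:00:01.000001 IP 192.168.1.20 > 172.16.1.3: ICMP echo request, id 11, seq 1, length 64
10:00:01.000090 IP 172.16.1.3 > 192.168.1.20: ICMP echo reply, id 11, seq 1, length 64
10:00:02.100000 IP 203.0.113.10 > 172.16.1.3: ICMP echo request, id 77, seq 1, length 64
10:00:03.100000 IP 203.0.113.10 > 172.16.1.3: ICMP echo request, id 77, seq 2, length 64
EOF
}

# classify_ping SERVER_IP SOURCE_IP   (reads tcpdump text output on stdin)
# Prints one of:
#   not-arriving       no request from SOURCE seen on the server:
#                      look upstream (ASA NAT/ACL, routing)
#   host-not-replying  requests arrive but no reply leaves this interface:
#                      host firewall (ufw) or a missing return route
#   answered           the server replied to at least one request
classify_ping() {
  awk -v srv="$1" -v src="$2" '
    # tcpdump fields: $3 = source address, $5 = destination address + ":"
    /ICMP echo request/ && $3 == src && $5 == (srv ":") { req++ }
    /ICMP echo reply/   && $3 == srv && $5 == (src ":") { rep++ }
    END {
      if (req == 0)      print "not-arriving"
      else if (rep == 0) print "host-not-replying"
      else               print "answered"
    }'
}

# Stand-alone run: report both clients from the constructed capture.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  for src in 192.168.1.20 203.0.113.10; do
    printf '%s: %s\n' "$src" "$(sample_capture | classify_ping 172.16.1.3 "$src")"
  done
fi
```

A result of `not-arriving` for the Internet source points back at the ASA (packet-tracer and a capture there), while `host-not-replying` points at the server.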
Beginner

Re: Unable to Reach to Server in DMZ Zone - ASA 5506X

Thanks Rob !!

As per your direction, I will definitely check and disable it exclusively.

I will let you know 😊

Regards..