Unable to Reach to Server in DMZ Zone - ASA 5506X

PND
Level 1

Hi !!
Greetings !!

I am unable to get to the server placed in the DMZ zone from the Internet. However, I am able to reach it from the INSIDE zone.

I have attached the configuration file of ASA.

 

Please help !!! I have to solve it as I have already committed to my client. I have already spent a week solving the issue but with no result. PLEASE PLEASE PLEASE !!!

9 Replies

Hi,
Are you attempting to connect to the DMZ server using its real IP address or the NAT IP address?

Thanks for your reply !!

I can access the real IP address 172.16.1.3 from the INSIDE zone. But I am unable to get through the NATed IP from the public Internet. I am trying from a different ISP and not the ISP where the ASA is connected to.

Please run packet-tracer from the CLI and provide the full output for review. E.g.:

"packet-tracer input outside tcp 8.8.8.8 3000 172.16.1.3 80"

Replace "80" with whichever port your server is listening on.

Deepak Kumar
VIP Alumni

Hi

Check this guide 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

 

Hi all !!

I am able to get to the server now. Actually there may be some problem in the server itself which is Ubuntu Server. Now for testing we are using a Windows Desktop.

Now I am able to get to the Windows Desktop HTTP Server. I wonder what is the issue in Ubuntu Server.

Now there is an issue. I am unable to ping the server whereas I have configured ICMP inspection and allowed everything from outside using ACL.

If you all can please solve the Ping issue.

Regards..

Check the local firewall on the Ubuntu server. You can completely disable the Ubuntu firewall using the command "ufw disable". Alternatively, permit the required traffic. UFW examples: https://help.ubuntu.com/community/UFW

 

 

Thanks Rob !!

Yes but I am able to ping and open the http server from INSIDE network. This implies that the firewall is not the issue.

I wonder why the server is behaving like that.

Regards..

No, it does not imply that is not the issue. Just because you can ping it from the local inside network doesn't mean to say that the local Ubuntu firewall is not configured to drop ping from a foreign network - hence why I asked to simply check if it was enabled. You appear to be permitting all inbound traffic on the ASA so that's unlikely to be blocking the traffic. You need to perform more troubleshooting - run packet-tracer and take a packet capture on the ASA.

Thanks Rob !!

As per your direction, I will definitely check and disable it exclusively.

I will let you know 😊

Regards..
