Re: web server cant be reachable from internet in dmz on ASA 5525

hiprecy123 · ‎08-15-2019

Yesterday I tried to set a DMZ on Cisco ASA 5525

And i have a server in DMZ already with 192.168.10.20

I have also a public IP of 154.72.196.42 from my ISP

So when i hit the ISP IP via internet to access my web server in DMZ it gives me an error that :

The request URL could not be retrieved

But when i place my PC in the middle of ISP and my firewall hit the same public IP i can reach my web server via HTTP port

i have done all my configs including NAT and ACCESS-LIST

How can i resolve this ??

Please help

the down are my configurations

interface Gigabit Ethernet/2
name if DMZ
security-level 50
IP address 192.168.10.2 255.255.255.0
!
interface Gigabit Ethernet/3
name-if OUTSIDE
security-level 0
IP address 154.72.196.43 255.255.255.248
!

object network Web Server
host 192.168.10.20
object network Web Global
host 154.72.196.42
access-list OUTSIDE_access_in extended permit tcp any object Web Server eq WWW
access-list OUTSIDE_access_in extended permit tcp any object Web Server eq https
access-list OUTSIDE_access_in extended permit icmp any object Web Server echo
pager lines 24
mtu DMZ 1500
mtu OUTSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (OUTSIDE,DMZ) source static any any destination static WebGlobal WebServer
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 154.76.196.41 1

Rob Ingram · ‎08-15-2019

Hi,

Remove that NAT rule you have defined there. Add this:-

object network Web Server
host 192.168.10.20
nat (dmz,outside) static 154.72.196.43

Run "show nat" and confirm this new NAT rule is above any dynamic NAT rules defined. Provide the output if unsure.

HTH