01-12-2017 06:49 PM - edited 03-05-2019 07:50 AM
Hi Cisco expert,
Below is my ASA running config. I'm able to ping the host 10.1.100.1 in the DMZ from the inside host 10.10.1.1, but I am unable to browse or view its web content. Could anybody enlighten me on what went wrong?
Thank you.
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 1
!
interface Ethernet0/4
switchport access vlan 1
!
interface Ethernet0/5
switchport access vlan 1
!
interface Ethernet0/6
switchport access vlan 1
!
interface Ethernet0/7
switchport access vlan 1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address 219.93.30.130 255.255.255.224
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.1.100.14 255.255.255.240
!
!
route outside 0.0.0.0 0.0.0.0 219.93.30.129 1
route inside 192.168.2.0 255.255.255.252 192.168.1.2 1
route inside 10.10.1.0 255.255.255.0 192.168.2.2 1
!
access-list DMZ extended permit tcp 10.10.1.0 255.255.255.0 host 10.1.100.1 eq www
!
!
access-group DMZ in interface dmz
!
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
dhcpd enable inside
!
dhcpd auto_config outside
!
!
!
!
!
01-12-2017 07:03 PM
The thing is, your access list is applied to the DMZ interface inbound; that will never get hit on port 80 (www). The return traffic from 10.1.100.1 to 10.10.10.0/24 will never use port 80 in response.
That access list seems to need to be applied to the inside interface.
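The answer turns on which packets an inbound interface ACL actually gets evaluated against. The Python model below is an added example for this thread, not Cisco code and not something the poster ran: it takes the interfaces, security levels, routes and the single ACE from the posted config, constructs the two packets of the HTTP flow (client port 51234 and a DMZ-initiated SSH attempt are made up), and shows what the ACE sees with the access-group on dmz as posted versus moved to inside. The ASA 5505 "no forward interface Vlan1" licence restriction on Vlan3 is not modelled.

```python
"""Model of how an ASA checks an inbound interface ACL against the first packet
of a flow. Added example: topology and ACE from the posted config, host ports
constructed. Not Cisco code."""
import ipaddress

SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22}

# From the posted config: nameif/security-level, and which interface each
# network sits behind (connected nets plus the two "route inside" statements).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
ROUTES = {
    ipaddress.ip_network("192.168.1.0/30"): "inside",
    ipaddress.ip_network("192.168.2.0/30"): "inside",
    ipaddress.ip_network("10.10.1.0/24"): "inside",
    ipaddress.ip_network("10.1.100.0/28"): "dmz",
    ipaddress.ip_network("219.93.30.128/27"): "outside",
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}

class Ace:
    def __init__(self, action, proto, src, dst, dport):
        self.action, self.proto = action, proto      # "permit"/"deny", "tcp"/"ip"/...
        self.src, self.dst, self.dport = src, dst, dport  # dport None = any

class Packet:
    def __init__(self, proto, src, dst, sport, dport):
        self.proto, self.src, self.dst = proto, src, dst
        self.sport, self.dport = sport, dport

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' with
    host / any / 'network netmask' address forms (the subset used here)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, pos = tok[3], tok[4], 5

    def take_addr():
        nonlocal pos
        if tok[pos] == "host":
            net, pos = ipaddress.ip_network(tok[pos + 1] + "/32"), pos + 2
        elif tok[pos] == "any":
            net, pos = ipaddress.ip_network("0.0.0.0/0"), pos + 1
        else:  # ASA prints a network followed by a dotted netmask
            net, pos = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}"), pos + 2
        return net

    src, dst, dport = take_addr(), take_addr(), None
    if pos + 1 < len(tok) and tok[pos] == "eq":
        dport = SERVICE_PORTS.get(tok[pos + 1]) or int(tok[pos + 1])
    return Ace(action, proto, src, dst, dport)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))

def interface_for(addr: str) -> str:
    """Longest-prefix lookup: the interface that routes to addr."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def evaluate(pkt: Packet, acls: dict, access_groups: dict) -> tuple:
    """Verdict for the first packet of a new connection. An inbound
    access-group is consulted only on the interface the packet enters;
    later packets of the flow are matched by the stateful connection table."""
    ingress, egress = interface_for(pkt.src), interface_for(pkt.dst)
    acl_name = access_groups.get(ingress)
    if acl_name is None:
        # No ACL on the ingress interface: the ASA default only permits
        # traffic from a higher security level to a lower one.
        if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            return "permit", f"no ACL on {ingress}; default {ingress}->{egress} allowed"
        return "deny", f"no ACL on {ingress}; default {ingress}->{egress} blocked"
    for ace in acls[acl_name]:
        if ace_matches(ace, pkt):
            return ace.action, f"ACE hit in {acl_name} on {ingress}"
    return "deny", f"implicit deny at end of {acl_name} on {ingress}"

ACLS = {"DMZ": [parse_ace(
    "access-list DMZ extended permit tcp 10.10.1.0 255.255.255.0 host 10.1.100.1 eq www")]}

# Constructed packets: inside host opening HTTP to the DMZ server, the server's
# reply (enters on dmz, source port 80), and a DMZ-initiated SSH attempt.
SYN = Packet("tcp", "10.10.1.1", "10.1.100.1", 51234, 80)
SYN_ACK = Packet("tcp", "10.1.100.1", "10.10.1.1", 80, 51234)
DMZ_INIT = Packet("tcp", "10.1.100.1", "10.10.1.1", 40000, 22)

def compare() -> dict:
    posted = {"dmz": "DMZ"}    # access-group DMZ in interface dmz (as posted)
    moved = {"inside": "DMZ"}  # access-group DMZ in interface inside
    return {
        "posted_syn": evaluate(SYN, ACLS, posted),
        "posted_syn_ack_hits_ace": ace_matches(ACLS["DMZ"][0], SYN_ACK),
        "posted_dmz_init": evaluate(DMZ_INIT, ACLS, posted),
        "moved_syn": evaluate(SYN, ACLS, moved),
        "moved_dmz_init": evaluate(DMZ_INIT, ACLS, moved),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:24} {result}")
```

With the group on dmz, the HTTP SYN enters on inside and never consults the DMZ list, and the only packets that do enter on dmz (the server's replies, source port 80) match neither the ACE's source network nor its destination port, so the list's only effect is its implicit deny on anything the DMZ initiates. Moved to inside, the ACE is what permits the SYN, and dmz-initiated traffic toward inside is blocked by the security-level default instead.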