Accepted Solutions
Re: Allowing outside TCP (www) to reach DMZ webserver via ASA Firewall [PACKET TRACER]

Hi,

 

The problem seems to be an inconsistency between your outside interface network mask: "ip address 209.165.200.225 255.255.255.252" and the IP address you're NAT'ing into: "209.165.200.228". If the ISP, your next-hop, has the IP address of "209.165.200.226 255.255.255.252", and the address you're NAT'ing into is in another /30 subnet, are you sure traffic from the Internet which is destined to 209.165.200.228 is even routed towards your ASA?

 

Regards,

Cristian Matei.
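
The subnet check this reply describes, as an added example that is not part of the original post: a Python check that reads ASA-style config lines and reports whether each static NAT mapped address lies inside the connected subnet of its mapped interface. The sample config is constructed; the interface name, object name and DMZ host address are assumptions, and only the two 209.165.200.x values come from the thread.

```python
import ipaddress
import re

# Constructed sample config: the interface and mapped addresses are the ones
# quoted in the reply; the object name and DMZ host address are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 209.165.200.225 255.255.255.252
!
object network DMZ-WEB
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.228
"""

def interface_networks(config):
    """Map each nameif to the connected subnet taken from its 'ip address' line."""
    nets, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new interface block: forget the previous nameif
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and nameif:
            nets[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def static_nat_findings(config):
    """Return (mapped_ifc, mapped_ip, connected_net, on_link) per static object NAT."""
    nets = interface_networks(config)
    findings = []
    pattern = r"^\s+nat \((\S+?),(\S+?)\) static (\d+\.\d+\.\d+\.\d+)"
    for m in re.finditer(pattern, config, re.M):
        mapped_ifc, mapped_ip = m.group(2), ipaddress.ip_address(m.group(3))
        net = nets.get(mapped_ifc)
        findings.append((mapped_ifc, mapped_ip, net, net is not None and mapped_ip in net))
    return findings

if __name__ == "__main__":
    for ifc, ip, net, on_link in static_nat_findings(SAMPLE_CONFIG):
        if on_link:
            print(f"{ip} is inside {net} on {ifc}: it shares the next hop's subnet")
        else:
            print(f"{ip} is outside {net} on {ifc}: upstream needs a route for it via the ASA")
```
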

2 REPLIES

Re: Allowing outside TCP (www) to reach DMZ webserver via ASA Firewall [PACKET TRACER]

Hi

Can you run the packet tracer command and share the output please:
packet-tracer input outside tcp 1.1.1.1 12345 209.165.200.228 80 detail

When someone tries to access your public IP from outside, do you see any traffic coming in in your logs?

Is this ACL OUTSIDE-to-DMZ applied to your outside interface?
I would avoid 2 default routes. I would put a more specific route for the inside zone. As you have OSPF, you won't require the inside route because you should learn all your prefixes. Even for the outside, don't you learn the default route from OSPF?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question