Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
186
Views
0
Helpful
2
Replies
Highlighted
ja712565716
ja712565716 Beginner
Beginner
‎03-10-2020 04:52 PM
‎03-10-2020 04:52 PM

null

null

0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cristian Matei
Cristian Matei Rising star
Rising star
‎03-12-2020 01:33 AM
‎03-12-2020 01:33 AM

Re: Allowing outside TCP (www) to reach DMZ webserver via ASA Firewall [PACKET TRACER]

Hi,

 

    The problem seems to be an inconsistency between your outside interface network mask: "ip address 209.165.200.225 255.255.255.252" and the IP address you're NAT'ing into: "209.165.200.228".  If the ISP, your next-hop has the IP address of "209.165.200.226 255.255.255.252" , and the address you're NAT'ing into is into another /30 subnet, are you sure traffic from the Internet which is destined to 209.165.200.228 is even routed towards your ASA?

 

Regards,

Cristian Matei.

View solution in original post

0 Helpful
Reply
2 REPLIES 2
Highlighted
Francesco Molino
VIP Advisor Francesco Molino VIP Advisor
VIP Advisor
‎03-10-2020 08:29 PM
‎03-10-2020 08:29 PM

Re: Allowing outside TCP (www) to reach DMZ webserver via ASA Firewall [PACKET TRACER]

Hi

Can you run the packet tracer command and share the output please:
packet-tracer input outside tcp 1.1.1.1 12345 209.165.200.228 80 detail

When someone tries to access your public IP from outside, do you see any traffic coming in in your logs?

If this acl OUTSIDE-to-DMZ applied to your outside interface?
I would avoid 2 default route. I would put a more specific route for inside zone. As you have ospf, you won't require the inside route because you should learn all your prefixes. Even for the outside, don't you learn the default route from ospf?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Reply
Highlighted
Cristian Matei
Cristian Matei Rising star
Rising star
‎03-12-2020 01:33 AM
‎03-12-2020 01:33 AM

Re: Allowing outside TCP (www) to reach DMZ webserver via ASA Firewall [PACKET TRACER]

Hi,

 

    The problem seems to be an inconsistency between your outside interface network mask: "ip address 209.165.200.225 255.255.255.252" and the IP address you're NAT'ing into: "209.165.200.228".  If the ISP, your next-hop has the IP address of "209.165.200.226 255.255.255.252" , and the address you're NAT'ing into is into another /30 subnet, are you sure traffic from the Internet which is destined to 209.165.200.228 is even routed towards your ASA?

 

Regards,

Cristian Matei.

View solution in original post

0 Helpful
Reply
Latest Contents
Cisco Digital Network Architecture Center Template Editor To...
Created by Mohamed Alhenawy on 03-28-2020 10:29 AM
0
0
0
0
Cisco Digital Network Architecture Center Tools <Template Editor > In this article, we are going to talk about the Cisco Digital Network Architecture Center Template Editor tool.Cisco DNA Center gives us the flexibility and scalability to confi... view more
Community Live video- Cisco SD-WAN Policies: Leveraging the ...
Created by hiarteag on 03-27-2020 07:46 AM
0
5
0
5
Community Live- Cisco SD-WAN Policies: Leveraging the Full Power of Cisco SD-WAN (Live event - formerly known as Webcast-  Tuesday 24 March, 2020 at 10 am Pacific/ 1 pm Eastern / 6 pm Paris) This event had place on Tuesday 24th, March 2020 at 10hrs P... view more
Cisco 9200L IOS upgrade via USB
Created by gregorypierce1 on 03-26-2020 10:09 AM
7
0
7
0
IS there a way to upgrade the ios on a cisco 9200l switch using a usb drive instead of using a tftp server? If so could someone point me to the article or tell me how this can be done? These switches seem to be more complicated than previous switches. Tha... view more
Firepower 2110 Integration with SD-WAN Design Assistance
Created by gilbert.aispuro1 on 03-26-2020 03:10 AM
0
0
0
0
Hello,I'm needing to integrate the Cisco Firepower 2110 into our Data Center JUST to fulfill Site-to-Site and Remote Access VPN. My SD-WAN ISRs already have FW and IPS running, which is what I want since I have internet breakouts at my branches, so this D... view more
When needed to configure "Spanning-tree vlan X priority"?
Created by getaway51 on 03-24-2020 06:31 PM
3
0
3
0
Hi, Switch 1 and switch 2 connected via trunk. Both configured with new vlan 3.When creating new vlan 3, is it need to include "Spanning-tree vlan 3 priority 8192"- Sw 1 and "Spanning-tree vlan 3 priority 16384"-Sw 2?What will happen for those s... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Software Conformance Survey
Follow our Social Media Channels