Dmz Servers on vlan cannot access internet

WezMorris40
Level 1

Bit of background, we originally had a network running off 1 external line. Later on a second line was added, along with an isolated server on a VLAN.

I've been trying to integrate this vlan into our current network by running both lines through our ASA firewall. Ideally, our 1 DMZ and internal pcs should use the NTL line, and the new server & VLAN should use the BT one.

I've got the VLAN all set up and can remote desktop to it fine. However, the servers on that VLAN cannot access the internet and serve out websites.

I'm a bit of a beginner and not really sure how to test the connectivity through the ASDM. Included is the current network diagram and the config txt.

(The isolated server has been moved onto the DMZ since the diagram was made)

5 Replies

WezMorris40
Level 1

Any suggestions? I'm running out of things to try

I've since discovered that the BT_Outside interface cannot ping anything inside VLAN30. Could this be a problem with routing between the native and that vlan?

global (outside) 101 interface

global (BT_Outside) 103 interface

global (bt_dmz) 102 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

Let me get this straight. So your vlan 30 traffic enters the ASA on the vlan 30 interface 'bt_dmz' and should be translated to the BT_Outside interface for internet access?

Then you need a nat (bt_dmz) statement and global (BT_Outside) statement. You got the second one but there is no corresponding nat statement. You would need something like:

nat (bt_dmz) 103

At least that would be the start. From there you could check the logs - don't you use syslog-ng?

Let me know how it goes.

Regards,

Ian
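The mismatch described in the reply above (a global pool with no nat statement sharing its ID) can be spotted mechanically. As an added example, not from this thread or from Cisco, here is a small Python check that pairs pre-8.3-style nat/global statements by their numeric ID and reports the orphans; the sample config is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample: the nat/global lines quoted earlier in this thread
SAMPLE_CONFIG = """
global (outside) 101 interface
global (BT_Outside) 103 interface
global (bt_dmz) 102 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
"""

# Old-style (pre-8.3) ASA NAT: nat (<inside-ifc>) <id> ... is paired with
# global (<outside-ifc>) <id> ... purely by the numeric id.
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\b")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\b")


def parse_pools(config):
    """Map NAT id -> interfaces, separately for nat and global statements."""
    nats, globs = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            globs.setdefault(int(m.group(2)), []).append(m.group(1))
        elif m := NAT_RE.match(line):
            nats.setdefault(int(m.group(2)), []).append(m.group(1))
    return nats, globs


def unmatched_pools(config):
    """Return (global ids lacking a nat statement, nat ids lacking a global).

    NAT id 0 is identity/exempt NAT and is never paired with a global pool.
    """
    nats, globs = parse_pools(config)
    orphan_globals = sorted(i for i in globs if i not in nats)
    orphan_nats = sorted(i for i in nats if i != 0 and i not in globs)
    return orphan_globals, orphan_nats


def report(config):
    """Human-readable findings, one per orphaned statement."""
    nats, globs = parse_pools(config)
    orphan_globals, orphan_nats = unmatched_pools(config)
    findings = [f"global ({ifc}) {i} has no nat statement: nothing is translated out of {ifc}"
                for i in orphan_globals for ifc in globs[i]]
    findings += [f"nat ({ifc}) {i} has no global pool" for i in orphan_nats for ifc in nats[i]]
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Running it against the quoted lines flags global (BT_Outside) 103 as having no nat statement; appending the suggested nat (bt_dmz) 103 line clears that finding.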

Yep, everything on the Vlan30 should serve out on the BT_outside line and everything else should go out on the regular NTL line.

I just use the ASDM for the firewall, never encountered logs or syslog-ng. Is it worth getting, and how does it help?

Well once you get syslog up and running it tells you where the packets are denied so you can change your access-lists accordingly. Otherwise it gives you other errors (Cisco related of course) and then it's just a case of investigation / google.

But you will need some linux skills.

By the way, did you try my solution yet using the nat (bt_dmz) statement?

Regards,

Ian

Ah fair enough. Don't spend enough time around Linux/Unix unfortunately.

I've not tried the nat fix yet, apparently there might be an issue where the ASA can't support 2 internet lines at the same time. Gonna try to get that resolved/clarified first.

Will let you know how that goes!
