02-18-2011 06:31 AM - edited 03-06-2019 03:37 PM
Bit of background, we originally had a network running off 1 external line. Later on a second line was added, along with an isolated server on a VLAN.
I've been trying to integrate this VLAN into our current network by running both lines through our ASA firewall. Ideally, our 1 DMZ and internal PCs should use the NTL line, and the new server & VLAN should use the BT one.
I've got the VLAN all set up and can remote desktop to it fine. However, the servers on that VLAN cannot access the internet and serve out websites.
I'm a bit of a beginner and not really sure how to test the connectivity through the ASDM. Included is the current network diagram and the config txt.
(The isolated server has been moved onto the DMZ since the diagram was made)
02-18-2011 07:08 AM
Any suggestions? I'm running out of things to try
I've since discovered that the BT_Outside interface cannot ping anything inside VLAN30. Could this be a problem with routing between the native and that vlan?
02-18-2011 08:14 AM
global (outside) 101 interface
global (BT_Outside) 103 interface
global (bt_dmz) 102 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
Let me get this straight. So your vlan 30 traffic enters the ASA on the vlan 30 interface 'bt_dmz' and should be translated to the BT_Outside interface for internet access?
Then you need a nat (bt_dmz) statement and global (BT_Outside) statement. You got the second one but there is no corresponding nat statement. You would need something like:
nat (bt_dmz) 103 0.0.0.0 0.0.0.0
At least that would be the start. From there you could check the logs - don't you use syslog-ng?
Let me know how it goes.
Regards,
Ian
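The pairing rule Ian describes (every global id needs a nat statement with the same id on the source interface) can be checked mechanically against a saved config. The following Python script is an added example for this thread, not code from the thread or from Cisco; it parses the pre-8.3 nat/global lines quoted above and lists the ids that appear on one side only. The regular expression for the command format and the treatment of nat id 0 as identity/exempt NAT with no global partner are assumptions about the old NAT syntax.

```python
"""Cross-check pre-8.3 Cisco ASA 'nat' / 'global' statements.

Added example for this thread. On the old ASA NAT model an outbound
translation needs a nat (<src_if>) <id> ... statement paired with a
global (<dst_if>) <id> ... statement carrying the same id. This script
lists ids that exist on only one side. The sample config is the fragment
quoted in the thread; the command-format regex is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: the five lines quoted in the thread.
SAMPLE_CONFIG = """\
global (outside) 101 interface
global (BT_Outside) 103 interface
global (bt_dmz) 102 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
"""

# Matches e.g. "nat (inside) 101 0.0.0.0 0.0.0.0" or "global (outside) 101 interface"
STMT_RE = re.compile(r"^\s*(nat|global)\s+\(([^)]+)\)\s+(\d+)\b(.*)$")


def parse_nat_statements(config_text):
    """Return ({nat_id: [interfaces]}, {global_id: [interfaces]})."""
    nats = defaultdict(list)
    globals_ = defaultdict(list)
    for line in config_text.splitlines():
        m = STMT_RE.match(line)
        if not m:
            continue  # not a nat/global line; ignore
        kind, iface, nat_id, _rest = m.groups()
        nat_id = int(nat_id)
        if kind == "nat":
            nats[nat_id].append(iface)
        else:
            globals_[nat_id].append(iface)
    return dict(nats), dict(globals_)


def find_unpaired(config_text):
    """Return (global ids with no nat, nat ids other than 0 with no global)."""
    nats, globals_ = parse_nat_statements(config_text)
    # Assumption: nat id 0 is identity/exempt NAT and never has a global partner.
    global_without_nat = sorted(i for i in globals_ if i not in nats)
    nat_without_global = sorted(i for i in nats if i != 0 and i not in globals_)
    return global_without_nat, nat_without_global


def report(config_text):
    """Human-readable findings, one string per unpaired id."""
    nats, globals_ = parse_nat_statements(config_text)
    g_only, n_only = find_unpaired(config_text)
    lines = []
    for i in g_only:
        lines.append(f"global id {i} on {', '.join(globals_[i])} has no nat statement")
    for i in n_only:
        lines.append(f"nat id {i} on {', '.join(nats[i])} has no global statement")
    return lines


if __name__ == "__main__":
    # On the thread's config this flags ids 102 and 103: globals with no nat.
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Run against the quoted fragment it reports that global ids 102 and 103 have no nat statement, which is exactly the gap Ian points at: traffic from bt_dmz has no translation rule to reach BT_Outside. Feeding it a full `show running-config` works the same way, since non-matching lines are skipped.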
02-21-2011 02:18 AM
Yep, everything on the Vlan30 should serve out on the BT_outside line and everything else should go out on the regular NTL line.
I just use the ASDM for the firewall, never encountered logs or syslog-ng. Is it worth getting, and how does it help?
02-21-2011 02:53 AM
Well once you get syslog up and running it tells you where the packets are denied so you can change your access-lists accordingly. Otherwise it gives you other errors (Cisco related of course) and then it's just a case of investigation / google.
But you will need some linux skills.
By the way, did you try my solution yet using the nat (bt_dmz) statement?
Regards,
Ian
02-21-2011 03:27 AM
Ah fair enough. Don't spend enough time around Linux/Unix unfortunately.
I've not tried the nat fix yet, apparently there might be an issue where the ASA can't support 2 internet lines at the same time. Gonna try to get that resolved/clarified first.
Will let you know how that goes!