Hi All, I have a firewall (Cisco ASA 5520) running, acting as Internet edge with interfaces going to DMZ, Internet and LAN. I have been able to copy/translate the config from the 5520 to the 5515-X; LAN users can get to the internet, but sessions going from the LAN browser to the DMZ webserver get reset, and access to the webserver isn't possible from the internet either.

Here is a capture of the activity done on the 5515-X box. Does anyone have an idea why the reset is coming from the webserver? It appears that the 5515-X is passing traffic normally.

DMZ webserver public IP address: 126.96.36.199.80

The attached capture is a session from the firewall showing my attempts to reach the webserver from the internet. Strangely, LAN users cannot reach the webserver from their web browser.
Hello everyone, I want to migrate a client network from ASA 8.2 to 9.1. Presently, the 8.2 box takes LAN users to the internet, and to a webserver in the DMZ. The DMZ server is accessed both from the LAN with a private IP address and from the internet using its public IP address.

After translating the current 8.2 config, LAN users can access the internet, but cannot browse the webserver in the DMZ; 'weirdly', they can ping it, so ICMP is going to the webserver from the LAN, but it can't be reached by HTTP. Kindly share a sample config, if you have conquered this before. Bear in mind that NAT is different in 9.1 compared to 8.2.

Here is a part of the config.

interface GigabitEthernet0/0
 nameif outsideif
 security-level 0
 ip address outside-if 255.255.255.248
!
interface GigabitEthernet0/1
 nameif insideif
 security-level 100
 ip address inside-if 255.255.255.248
!
interface GigabitEthernet0/2
 nameif dmzif
 security-level 50
 ip address dmz-if 255.255.255.0
!
object network DMZ-webserver
 host 192.168.0.4
!
object network DMZ-webserver_public_IP
 host 1XX.2X.4.13
!
access-list outsideacl extended permit tcp any object DMZ-webserver eq www
access-list dmzacl extended permit ip any any
!
nat (dmzif,outsideif) source static DMZ-webserver DMZ-webserver_public_IP
object network inside-lan_outside
 nat (insideif,outsideif) dynamic interface
route outsideif 0.0.0.0 0.0.0.0 outside-router 1
route insideif 10.0.0.0 255.0.0.0 inside-router 1

There are no other access-lists in the running config. Many thanks in advance.