Cisco ASA5520 DMZ problem

Answered Question
Feb 19th, 2007

Hello,

I have a problem with my web server on the DMZ behind a Cisco ASA5520. On the outside interface I have a PPPoE DSL connection (I get a static IP address). I made a dynamic NAT for my inside network and a static NAT for the DMZ. I also did a PAT from outside interface port 8080 to the web server (DMZ) port 8081. Under access-group outside-in I created an ACL which allows a group of IPs to access the outside interface on port 8080. I tried with packet tracer but it doesn't allow the traffic through (it goes to the implicit rule instead of my rule).

Does anyone know how to solve the problem?

Regards, Jan

Correct Answer by vitripat about 9 years 7 months ago

Could you provide the outputs of the following commands-

show run static

show run access-group

show run access-list


logar.jan Tue, 02/20/2007 - 05:22

access-list outside_access_in extended permit tcp object-group Web_server-access interface outside object-group web_server-service

access-group outside_access_in in interface outside

object-group network Web_server-access

description Allowed hosts

network-object host xxx.xxx.xxx.xxx

object-group service web_server-service tcp

port-object eq 8080

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.10.10.0 255.255.255.0

static (dmz,outside) tcp y.y.y.y 8080 172.16.0.2 8081 netmask 255.255.255.255

The problem, I guess, is in the translated IP address. I have a PPPoE connection (username, pass) but I get a static IP - always the same. I think Cisco has a problem with the static ACL (it doesn't know that this is its outside IP address)... I also tried to make the ACL with IP address y.y.y.y (instead of interface outside) but it also doesn't work. I saw via ASDM it is possible to make a static NAT translation to the outside interface IP (without entering any address). I haven't tried it yet, because the FW is in production.

Does anyone know the right solution for this, please?

Regards, Jan

vitripat Tue, 02/20/2007 - 09:16

Jan,

Your access-list and access-group configuration is fine, assuming that y.y.y.y is the IP address you get on the outside interface. I'm not sure if you have already used the following static command, but try using a static command like this-

Remove the existing static command first-

no static (dmz,outside) tcp y.y.y.y 8080 172.16.0.2 8081

Add new-

static (dmz,outside) tcp interface 8080 172.16.0.2 8081

clear xlate local 172.16.0.2

Now try if you are able to access the server from host xxx.xxx.xxx.xxx

If not, let me know if syslogs are enabled on the PIX and if we can view the portion of the logs from when you try to make a connection.
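The fix above comes down to one detail: on an outside interface whose address is assigned by PPPoE, the static PAT must name `interface` rather than the assigned address written out literally, and the inbound ACL must permit the mapped port. As an added example (not from this thread or from Cisco), here is a small Python lint over an ASA 7.x-style config excerpt that flags both conditions; the sample addresses 198.51.100.5 and 203.0.113.10 are constructed placeholders, and the outside address is passed in rather than discovered.

```python
import re

# Constructed sample reproducing the thread's "before" state (placeholder addresses).
BEFORE = """\
object-group network Web_server-access
 network-object host 203.0.113.10
object-group service web_server-service tcp
 port-object eq 8080
access-list outside_access_in extended permit tcp object-group Web_server-access interface outside object-group web_server-service
access-group outside_access_in in interface outside
static (dmz,outside) tcp 198.51.100.5 8080 172.16.0.2 8081 netmask 255.255.255.255
"""
# The "after" state: the static PAT names the interface instead of its address.
AFTER = BEFORE.replace("tcp 198.51.100.5 8080", "tcp interface 8080")

STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) tcp (?P<gaddr>\S+) (?P<gport>\d+) "
    r"(?P<laddr>\S+) (?P<lport>\d+)")

def parse(config):
    """Return (tcp service groups, static PAT entries, access-list token lists)."""
    groups, statics, acls, cur = {}, [], [], None
    for line in config.splitlines():
        if line.startswith("object-group service "):
            cur = line.split()[2]; groups[cur] = set()
        elif line.startswith(" port-object eq ") and cur:
            groups[cur].add(int(line.split()[-1]))
        elif line.startswith("object-group "):
            cur = None                      # a network group, not a service group
        elif (m := STATIC_RE.match(line)):
            statics.append(m.groupdict())
        elif line.startswith("access-list "):
            acls.append(line.split())
    return groups, statics, acls

def acl_ports(tokens, groups):
    """Destination port spec is the trailing 'eq N' or 'object-group NAME'."""
    if tokens[-2] == "eq":
        return {int(tokens[-1])}
    return groups.get(tokens[-1], set()) if tokens[-2] == "object-group" else set()

def lint(config, outside_ip):
    """List findings: a static PAT written with the PPPoE-assigned outside address
    instead of 'interface', or a mapped port no permit entry opens."""
    groups, statics, acls = parse(config)
    permitted = set().union(*(acl_ports(a, groups) for a in acls if "permit" in a))
    findings = []
    for s in statics:
        if s["gaddr"] == outside_ip:
            findings.append(f"static {s['gaddr']} {s['gport']}: use the 'interface' keyword")
        if int(s["gport"]) not in permitted:
            findings.append(f"static port {s['gport']}: no ACL permit for this port")
    return findings
```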

logar.jan Tue, 02/20/2007 - 09:42

Thank you very much. That was the solution to my problem... in ASDM it was like I said in my post before.

Regards, Jan
