asa5510: dmz cannot access the internet


I have set up a DMZ on the ASA5510 with a web server in it. When I try to connect to the server from outside, I see the SYN packet hit the server, but the client never receives the SYN/ACK even though the server definitely sends it. That made me try to access the internet from the web server, and that didn't work either. Here is what I have:

access-list outside_in extended permit tcp any host <my public IP> eq www
access-group outside_in in interface outside
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
nat (dmz) 1
static (dmz,outside) tcp interface www www netmask

The default route is set with "ip address dhcp setroute" on the outside interface.

Can anyone see what might be wrong here? Thanks in advance.

P.S. The inside interface (LAN) can access the internet with no problem.

srue Wed, 04/11/2007 - 08:03
At first glance, the config looks fine. What is the security level of the DMZ interface? 0?

Here is an update:

I configured the web server to listen on port 5000 and added:

static (dmz,outside) tcp interface 5000 5000 netmask

access-list outside_in extended permit tcp any host <my public IP> eq 5000

And now I can access the web server from outside. I still cannot access the internet from that web server, but what confuses me is that SYN/ACK packets hit the client when using port 5000 on the server and not when using port 80. Any suggestions?
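As an added illustration of what the config above has to provide (this is my own example, not code from the thread or from Cisco), the script below models the pre-8.3 ASA lookup for the command forms posted here: nat/global pairing for outbound DMZ traffic, and the ACL permit plus static PAT that an inbound connection to a port on the outside interface needs. It also flags a static line that lacks its real (DMZ-side) address, which is how the "static ... www www netmask" line reads as pasted. The addresses 203.0.113.10 (public) and 10.1.2.3 (DMZ server) are constructed placeholders for the values the posts leave out.

```python
"""Model of the pre-8.3 ASA NAT/ACL lookup for the config in this thread.

Added example (not code from the thread or from Cisco). It parses the
global/nat/static/access-list/access-group forms posted above and answers two
questions: does a DMZ host get an outbound translation toward the outside, and
does an inbound connection to a port on the outside interface have both an ACL
permit and a static PAT entry. 203.0.113.10 (public) and 10.1.2.3 (DMZ server)
are constructed placeholders for the addresses elided in the thread.
"""
import re
from dataclasses import dataclass, field

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def port(tok: str) -> int:
    """Resolve an ASA port keyword (www) or a number to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class AsaNatModel:
    globals_: dict = field(default_factory=dict)  # (iface, id) -> pool text
    nats: dict = field(default_factory=dict)      # (iface, id) -> exemption ACL or None
    statics: list = field(default_factory=list)   # complete static PAT entries
    acls: dict = field(default_factory=dict)      # name -> [(proto, dst_host, port)]
    groups: dict = field(default_factory=dict)    # iface -> inbound ACL name
    problems: list = field(default_factory=list)  # lines that cannot work as written

    def parse(self, text: str) -> "AsaNatModel":
        for line in (l.strip() for l in text.splitlines() if l.strip()):
            t = line.split()
            if t[0] == "global":
                self.globals_[(t[1].strip("()"), int(t[2]))] = " ".join(t[3:])
            elif t[0] == "nat":
                acl = t[4] if len(t) > 4 and t[3] == "access-list" else None
                self.nats[(t[1].strip("()"), int(t[2]))] = acl
            elif t[0] == "static":
                self._parse_static(t, line)
            elif t[0] == "access-list":
                m = re.match(r"access-list (\S+) extended permit (\S+) any host (\S+) eq (\S+)$", line)
                if m:
                    self.acls.setdefault(m[1], []).append((m[2], m[3], port(m[4])))
                else:
                    self.problems.append(f"ACE missing a destination host or port: {line}")
            elif t[0] == "access-group":  # access-group NAME in interface IFACE
                self.groups[t[4]] = t[1]
            # other lines (e.g. 'ip address dhcp setroute') do not affect this model
        return self

    def _parse_static(self, t, line):
        # Full form: static (real_if,mapped_if) tcp <mapped_ip|interface> mapped_port
        #            real_ip real_port netmask 255.255.255.255
        real_if, mapped_if = t[1].strip("()").split(",")
        if len(t) < 7 or t[2] not in ("tcp", "udp") or not IPV4.match(t[5]):
            self.problems.append(f"static PAT has no real (DMZ) address: {line}")
            return
        self.statics.append(dict(real_if=real_if, mapped_if=mapped_if, proto=t[2],
                                 mapped_ip=t[3], mapped_port=port(t[4]),
                                 real_ip=t[5], real_port=port(t[6])))

    def outbound(self, src_if: str, dst_if: str):
        """Dynamic translation for a new connection src_if -> dst_if, or None.
        A port-specific static only covers its own port, so outbound browsing from
        the server relies on nat (src_if) N pairing with global (dst_if) N."""
        for (iface, nid), _ in self.nats.items():
            if iface == src_if and nid != 0 and (dst_if, nid) in self.globals_:
                return f"nat ({src_if}) {nid} -> global ({dst_if}) {nid} {self.globals_[(dst_if, nid)]}"
        return None

    def inbound(self, outside_if: str, proto: str, dport: int) -> dict:
        """Both halves an inbound DMZ service needs: ACL permit and a static PAT."""
        aces = self.acls.get(self.groups.get(outside_if), [])
        permitted = any(p == proto and pt == dport for p, _, pt in aces)
        xlate = next((s for s in self.statics if s["mapped_if"] == outside_if
                      and s["proto"] == proto and s["mapped_port"] == dport), None)
        return {"acl_permit": permitted, "static": xlate}


# Constructed from the thread, with placeholder addresses filled in.
THREAD_CONFIG = """
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq 5000
access-group outside_in in interface outside
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
nat (dmz) 1
static (dmz,outside) tcp interface www 10.1.2.3 www netmask 255.255.255.255
static (dmz,outside) tcp interface 5000 10.1.2.3 5000 netmask 255.255.255.255
"""

# The static line exactly as it was pasted in the thread (real address missing).
AS_POSTED_STATIC = "static (dmz,outside) tcp interface www www netmask"


def analyze(text: str) -> dict:
    """Run the three checks a practitioner would make on this config."""
    m = AsaNatModel().parse(text)
    return {"dmz_outbound": m.outbound("dmz", "outside"),
            "inbound_80": m.inbound("outside", "tcp", 80),
            "inbound_5000": m.inbound("outside", "tcp", 5000),
            "problems": m.problems}


if __name__ == "__main__":
    for k, v in analyze(THREAD_CONFIG).items():
        print(f"{k}: {v}")
    print("as posted:", analyze(AS_POSTED_STATIC)["problems"])
```

With the full config the model reports a dynamic PAT for dmz -> outside via nat (dmz) 1 / global (outside) 1, and an ACL permit plus a static for both port 80 and port 5000; run against the static line as pasted, it reports that the real DMZ address is missing. The model deliberately covers only the command forms in this thread; it does not evaluate nat 0 exemption ACLs (the nonat list is not posted) or interface security levels, which srue's question above is about.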
