asa5510: dmz cannot access the internet


I have set up a DMZ on the ASA5510 with a web server in it. When I try to connect to the server from outside, I see the SYN packet hit the server, but the client never receives the SYN/ACK even though the server definitely sends it. That made me try to access the internet from the web server, and that didn't work either. Here is what I have:


access-list outside_in extended permit tcp any host <my public IP> eq www
access-group outside_in in interface outside

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface www 10.10.5.13 www netmask 255.255.255.255


The default route is set with:

ip address dhcp setroute

on the outside interface.


Can anyone see what might be wrong here? Thanks in advance.


P.S. The inside interface (LAN) can access the internet with no problem.

srue Wed, 04/11/2007 - 08:03

At first glance, the config looks fine. What is the security level of the dmz interface? 0?



Here is an update:


I configured the web server to listen on port 5000 and added:


static (dmz,outside) tcp interface 5000 10.10.5.13 5000 netmask 255.255.255.255
access-list outside_in extended permit tcp any host <my public IP> eq 5000


And now I can access the web server from outside. I still cannot access the internet from that web server, but what confuses me is that SYN/ACK packets reach the client when using port 5000 on the server and not when using port 80. Any suggestions?
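A set of ASA verification commands, added here as an example and not part of the original thread, that would narrow down where the dmz traffic is being dropped in this setup. Interface names, 10.10.5.13 and the www/5000 ports are taken from the posted config; 198.51.100.10 (an internet host) and 203.0.113.1 (an outside client) are constructed stand-in addresses, and <my public IP> is the poster's own placeholder.

```text
! Confirm the security level of each interface; a dmz at level 0 (equal to outside)
! requires same-security-traffic permit inter-interface before dmz<->outside flows work
show nameif
show running-config same-security-traffic

! Trace a dmz-originated web request toward the internet (the failing outbound case);
! the output names the phase (ACCESS-LIST, NAT, ROUTE-LOOKUP) that allows or drops it
packet-tracer input dmz tcp 10.10.5.13 1025 198.51.100.10 80 detailed

! Trace inbound connections to the static PAT on port 80 and on port 5000 and
! compare the two traces phase by phase; the first phase that differs is the clue
packet-tracer input outside tcp 203.0.113.1 40000 <my public IP> 80 detailed
packet-tracer input outside tcp 203.0.113.1 40000 <my public IP> 5000 detailed

! After a real connection attempt from the server, confirm that a translation
! and a connection entry were actually built for it
show xlate | include 10.10.5.13
show conn address 10.10.5.13

! When a trace or a live flow ends in a drop, the per-reason counters here identify it
show asp drop
```

Run the two inbound traces back to back and diff their output: since only the destination port changes, any difference in the NAT or route-lookup phase is specific to the port 80 static.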
