ASA 5510: DMZ cannot access the internet

george
Level 1

I have set up a DMZ on the ASA 5510 with a web server in it. When I try to connect to the server from outside, I see the SYN packet hit the server, but the client never receives the SYN/ACK even though the server definitely sends it. That made me try to access the internet from the web server, and that didn't work either. Here is what I have:

    access-list outside_in extended permit tcp any host <my public IP> eq www
    access-group outside_in in interface outside
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    static (dmz,outside) tcp interface www 10.10.5.13 www netmask 255.255.255.255

The default route is set with:

    ip address dhcp setroute

on the outside interface.

Can anyone see what might be wrong here? Thanks in advance.

P.S. The inside interface (LAN) can access the internet with no problem.

3 Replies

srue
Level 7

At first glance, the config looks fine. What is the security level of the DMZ interface? 0?

Thanks for the response. The security levels are:

    outside: 0
    dmz: 10
    inside: 100

Here is an update:

I configured the web server to listen on port 5000 and added:

    static (dmz,outside) tcp interface 5000 10.10.5.13 5000 netmask 255.255.255.255
    access-list outside_in extended permit tcp any host <my public IP> eq 5000

and now I can access the web server from outside. I still cannot access the internet from that web server, but what confuses me is that SYN/ACK packets hit the client when using port 5000 on the server and not when using port 80. Any suggestions?
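One way to pin down where the port 80 return path and the DMZ outbound path break, as an added troubleshooting sequence that is not from this thread: ASA packet-tracer and capture commands against the 8.2-style config posted above. The client address 203.0.113.10, the destination 198.51.100.1 and the <outside-ip> placeholder for the ASA's DHCP-assigned outside address are assumptions.

```cisco
! Added troubleshooting sequence for the symptoms in this thread; not part of the original post.
! Assumed placeholders: 203.0.113.10 = an outside client, <outside-ip> = the ASA's DHCP-assigned
! outside address, 198.51.100.1 = any internet host the web server tries to reach.

! 1. Inbound SYN, outside -> dmz, through the static PAT for port 80 (reaches the server per the post).
packet-tracer input outside tcp 203.0.113.10 40000 <outside-ip> 80

! 2. Traffic from the server's port 80 back toward the client, dmz -> outside. The output lists each
!    phase (ACCESS-LIST, NAT, ROUTE-LOOKUP) and which translation the ASA applies to 10.10.5.13:80;
!    a "drop" result with its Drop-reason is the ASA-side explanation for the missing SYN/ACK.
packet-tracer input dmz tcp 10.10.5.13 80 203.0.113.10 40000

! 3. Same check for the port that does work, to compare the NAT phase side by side.
packet-tracer input dmz tcp 10.10.5.13 5000 203.0.113.10 40000

! 4. DMZ-originated outbound traffic, which should match "nat (dmz) 1" + "global (outside) 1 interface".
packet-tracer input dmz tcp 10.10.5.13 40001 198.51.100.1 80

! 5. Live captures on both sides of the box plus the ASP drop capture. A SYN/ACK that appears in
!    dmzcap but never in outcap was dropped or mistranslated inside the ASA; aspdrop shows the reason.
capture dmzcap interface dmz match tcp host 10.10.5.13 any
capture outcap interface outside match tcp any host <outside-ip>
capture aspdrop type asp-drop all
show capture dmzcap
show capture outcap
show capture aspdrop

! 6. Translation and connection tables: is there an xlate for 10.10.5.13 port 80 on the outside
!    interface address, and does the inbound connection appear at all?
show xlate
show conn
```

Run step 2 while a real connection attempt from the client is in progress, so the flow lookup can match the existing inbound connection rather than simulating a new one.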
