04-11-2007 06:12 AM - edited 03-11-2019 02:58 AM
I have set up a DMZ on the ASA 5510 with a web server in it. When I try to connect to the server from outside, I see the SYN packet hit the server, but the client never receives the SYN/ACK even though the server definitely sends it. That made me try to access the internet from the web server, and that didn't work either. Here is what I have:
access-list outside_in extended permit tcp any host <my public IP> eq www
access-group outside_in in interface outside
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www 10.10.5.13 www netmask 255.255.255.255
The default route is set with:
ip address dhcp setroute
on the outside interface
Can anyone see what might be wrong here? Thanks in advance.
P.S. The inside interface (LAN) can access the internet with no problem.
04-11-2007 08:03 AM
At first glance, the config looks fine. What is the security level of the DMZ interface? 0?
04-11-2007 08:22 AM
Thanks for the response. The security levels are:
outside: 0
dmz: 10
inside: 100
04-11-2007 08:47 AM
Here is an update:
I configured the web server to listen on port 5000 and added:
static (dmz,outside) tcp interface 5000 10.10.5.13 5000 netmask 255.255.255.255
access-list outside_in extended permit tcp any host
and now I can access the web server from outside. I still cannot access the internet from that web server, but what confuses me is that SYN/ACK packets hit the client when using port 5000 on the server and not when using port 80. Any suggestions?
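As an added illustration, not taken from any post in this thread, the ASA 7.x commands below show how the port-80 and DMZ-to-internet paths can be verified on the firewall itself rather than from the endpoints. They assume the interface names, the outside_in ACL and the 10.10.5.13 server from the posts, an ASA 7.2 or later image for packet-tracer, a placeholder <outside-ip> for the public address, and 203.0.113.10 as a constructed client address.

```cisco
! Check the translation table for the server. On 7.x, a changed static does not
! apply to xlates that already exist until they are cleared.
show xlate debug | include 10.10.5.13
clear xlate local 10.10.5.13

! Confirm the ACL bound to the outside interface carries the port-80 entry
! and whether its hit count increases while a client connects.
show access-list outside_in

! Simulate an inbound client SYN to the published port. The output names the
! phase (ACL, NAT, route, or a drop reason) where the packet stops.
packet-tracer input outside tcp 203.0.113.10 40000 <outside-ip> 80 detailed

! Simulate the server's own outbound connection, the DMZ-to-internet test.
packet-tracer input dmz tcp 10.10.5.13 40001 203.0.113.10 80 detailed

! Capture both sides of the path: does the SYN/ACK from the server arrive on
! dmz, and does a translated copy leave on outside? These capture ACLs are
! added only for the test and are not part of the thread's configuration.
access-list cap_dmz extended permit tcp host 10.10.5.13 eq www any
access-list cap_dmz extended permit tcp any host 10.10.5.13 eq www
access-list cap_out extended permit tcp any host <outside-ip> eq www
access-list cap_out extended permit tcp host <outside-ip> eq www any
capture cap_dmz access-list cap_dmz interface dmz
capture cap_out access-list cap_out interface outside
show capture cap_dmz
show capture cap_out

! Accumulated drop counters, useful when the capture shows the SYN/ACK
! entering dmz but never leaving outside.
show asp drop

! Remove the test captures when finished.
no capture cap_dmz
no capture cap_out
```

If the dmz capture shows the SYN/ACK but the outside capture does not, the packet-tracer output for the same flow points at the phase responsible.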