unable to access server located at dmz from outside

Answered Question
Jun 23rd, 2007

I am running an ASA 5510 box with version 7.0 which was recently migrated from a PIX. This week I created a new static address mapping from the ASDM interface for my new web server located in the DMZ. The internal IP that I am using for the web server is . If I compare the NAT and access-list config for the other servers located in the DMZ, I don't see that I missed anything. But this server is not accessible from outside.

The following is the relevant config that I am using. Please explain to me how I can troubleshoot to resolve this problem.

static (dmz,outside) X.X.2.125 netmask

access-list acl_allow_in permit tcp any host X.X.2.125 eq www

access-group acl_allow_in in interface outside

JBDanford2002 Sat, 06/23/2007 - 16:39

Well, first, are you getting any hits on the access-list?

"sh access-list acl_allow_in"

Second, I have written a basic troubleshooting tutorial on my website. Normally I don't try to pimp my website out, but in this case I will.

Troubleshooting Connections:


Capture Command:


Also verify that the following are correct on the server: network mask and gateway. If you want to post your config (scrubbed), we can look at that also.

kcarjun2002 Sat, 06/23/2007 - 18:12

Thanks a lot for the detailed info. I double-checked the IP and subnet mask of the server. Yes, I get the hit count. It was showing 12.

Now I am doing the other stuff mentioned on that troubleshooting site.

kcarjun2002 Sun, 06/24/2007 - 07:32

I get the message "Internet Explorer cannot display the webpage". My web server is mapped to the public IP xx.xx.2.125, and the following is the capture info on the outside interface while I try to access the web server from outside.

323: 00:51:04.387904 > xx.xx.2.125.80: S 3631916199:3631916199(0) win 16384

324: 00:51:04.441780 > xx.xx.2.125.80: . ack 3703879884 win 17640

325: 00:51:04.451255 > xx.xx.2.125.80: P 3631916200:3631916690(490) ack 3703879884 win 17640

326: 00:51:04.520496 > xx.xx.2.125.80: P 3631916690:3631917190(500) ack 3703880225 win 17299

327: 00:51:04.579010 > xx.xx.2.125.80: . ack 3703880438 win 17087

328: 00:51:04.580505 > xx.xx.2.125.80: F 3631917190:3631917190(0) ack 3703880438 win 17087

Does it make any sense?

JBDanford2002 Sun, 06/24/2007 - 09:03

Looks like your capture is set up for one-way traffic. Try doing the capture again, but set the capture on the DMZ interface and make the access-list look like this:

access-list cap_http permit ip any host

access-list cap_http permit ip host any

capture cap_http access-list cap_http interface dmz buffer 8000 circular-buffer

Now try running the traffic. You should get both directions. From the capture you posted it does look like traffic is flowing. If you get on that server, can you surf your own pages? Are you running Apache or IIS?

kcarjun2002 Sun, 06/24/2007 - 10:01

Yes, I can access it both from the inside network and from the server itself. It's running Apache. I have capture info. IP is the SQL server located on the inside network. This web server has to communicate with the SQL server and mail server as well, which is working fine.

JBDanford2002 Sun, 06/24/2007 - 10:08

OK, looks like all we got was the SQL traffic. Let's try it again and get a little more definitive on the traffic flow. Assuming you are still coming from

no access-list cap_http

no cap cap_http

access-list cap_http permit ip host host

access-list cap_http permit ip host host

capture cap_http access-list cap_http interface dmz buffer 8000 circular-buffer

kcarjun2002 Sun, 06/24/2007 - 10:44

I did not see anything until I ran the traffic.

11 packets captured

1: 14:41:36.383570 > S 208896751:208896751(0) win 16384

2: 14:41:36.383830 > S 1562039132:1562039132(0) ack 208896752 win 16384

3: 14:41:36.443443 > . ack 1562039133 win 17640

4: 14:41:36.451911 > P 208896752:208897187(435) ack 1562039133 win 17640

5: 14:41:36.454688 > P 1562039133:1562039541(408) ack 208897187 win 65100

6: 14:41:36.523822 > P 208897187:208897687(500) ack 1562039541 win 17232

7: 14:41:36.531268 > P 1562039541:1562039753(212) ack 208897687 win 65535

8: 14:41:36.531283 > F 1562039753:1562039753(0) ack 208897687 win 65535

9: 14:41:36.586380 > . ack 1562039754 win 17020

10: 14:41:36.587890 > F 208897687:208897687(0) ack 1562039754 win 17020

11: 14:41:36.587967 > . ack 208897688 win 65534

11 packets shown

JBDanford2002 Sun, 06/24/2007 - 10:59

This shows you have successful two-way communication to the server on port 80. I would check the server out to ensure there are no problems. You said it works from internal and locally. Do you have an http.conf file anywhere?
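The two captures in this thread were read by eye: the first shows only client-to-server packets, the second shows a full handshake, data in both directions and FINs from both sides. As an added example that is not part of the thread, the Python below parses the one-line-per-packet format of the ASA "show capture" output quoted above, groups the packets into TCP connections and classifies each one the way the reply above does. The addresses (203.0.113.25 as the outside client, 198.51.100.125 as the mapped public IP, 10.10.10.10 as the DMZ server) and both sample captures are constructed to match the shape of the scrubbed captures in the thread; they are not the poster's real data.

```python
import re
from dataclasses import dataclass, field

# One packet per line, as printed by "show capture <name>" on the ASA.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SPFR.]+)\s*"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?\s*"
    r"(?:ack\s+(?P<ack>\d+))?\s*win\s+(?P<win>\d+)"
)

@dataclass
class FlowStats:
    packets: int = 0
    syn: set = field(default_factory=set)       # endpoints that sent a bare SYN
    synack: set = field(default_factory=set)    # endpoints that sent SYN+ACK
    fin: set = field(default_factory=set)
    rst: set = field(default_factory=set)
    payload: dict = field(default_factory=dict) # endpoint -> payload bytes sent

def parse_capture(text):
    """Group packet lines by TCP connection; header/footer lines are skipped."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "11 packets captured", blank lines, non-TCP lines
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        fs = flows.setdefault(tuple(sorted((src, dst))), FlowStats())
        fs.packets += 1
        flags = m["flags"]
        if "S" in flags:
            (fs.synack if m["ack"] else fs.syn).add(src)
        if "F" in flags:
            fs.fin.add(src)
        if "R" in flags:
            fs.rst.add(src)
        fs.payload[src] = fs.payload.get(src, 0) + int(m["len"] or 0)
    return flows

def assess(fs):
    """Classify one connection from the flags and byte counts seen."""
    if len(fs.payload) < 2:
        # Only one side ever appears: either the capture ACL matched a single
        # direction (the thread's first capture) or the server never answered.
        return "one-way"
    if fs.rst:
        return "reset"
    if not fs.synack:
        return "no-handshake"
    if all(n > 0 for n in fs.payload.values()):
        return "two-way"
    return "handshake-only"

def report(text):
    return [f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}: {fs.packets} packets, "
            f"verdict={assess(fs)}, bytes={dict(fs.payload)}"
            for (a, b), fs in parse_capture(text).items()]

# Constructed sample: outside-interface capture with a one-direction ACL.
ONE_WAY = """\
6 packets captured
323: 00:51:04.387904 203.0.113.25.1062 > 198.51.100.125.80: S 3631916199:3631916199(0) win 16384
324: 00:51:04.441780 203.0.113.25.1062 > 198.51.100.125.80: . ack 3703879884 win 17640
325: 00:51:04.451255 203.0.113.25.1062 > 198.51.100.125.80: P 3631916200:3631916690(490) ack 3703879884 win 17640
326: 00:51:04.520496 203.0.113.25.1062 > 198.51.100.125.80: P 3631916690:3631917190(500) ack 3703880225 win 17299
327: 00:51:04.579010 203.0.113.25.1062 > 198.51.100.125.80: . ack 3703880438 win 17087
328: 00:51:04.580505 203.0.113.25.1062 > 198.51.100.125.80: F 3631917190:3631917190(0) ack 3703880438 win 17087
6 packets shown
"""

# Constructed sample: DMZ-interface capture with both directions permitted.
TWO_WAY = """\
11 packets captured
1: 14:41:36.383570 203.0.113.25.3344 > 10.10.10.10.80: S 208896751:208896751(0) win 16384
2: 14:41:36.383830 10.10.10.10.80 > 203.0.113.25.3344: S 1562039132:1562039132(0) ack 208896752 win 16384
3: 14:41:36.443443 203.0.113.25.3344 > 10.10.10.10.80: . ack 1562039133 win 17640
4: 14:41:36.451911 203.0.113.25.3344 > 10.10.10.10.80: P 208896752:208897187(435) ack 1562039133 win 17640
5: 14:41:36.454688 10.10.10.10.80 > 203.0.113.25.3344: P 1562039133:1562039541(408) ack 208897187 win 65100
6: 14:41:36.523822 203.0.113.25.3344 > 10.10.10.10.80: P 208897187:208897687(500) ack 1562039541 win 17232
7: 14:41:36.531268 10.10.10.10.80 > 203.0.113.25.3344: P 1562039541:1562039753(212) ack 208897687 win 65535
8: 14:41:36.531283 10.10.10.10.80 > 203.0.113.25.3344: F 1562039753:1562039753(0) ack 208897687 win 65535
9: 14:41:36.586380 203.0.113.25.3344 > 10.10.10.10.80: . ack 1562039754 win 17020
10: 14:41:36.587890 203.0.113.25.3344 > 10.10.10.10.80: F 208897687:208897687(0) ack 1562039754 win 17020
11: 14:41:36.587967 10.10.10.10.80 > 203.0.113.25.3344: . ack 208897688 win 65534
11 packets shown
"""

if __name__ == "__main__":
    for sample in (ONE_WAY, TWO_WAY):
        print("\n".join(report(sample)))
```

The "one-way" verdict is deliberately ambiguous: a capture ACL with a single permit line can only ever show one direction, so that verdict says nothing about the server until the capture ACL has a permit line for each direction, as the reply of 06/24 09:03 asks for. Only once both directions are captured does "two-way" mean what the reply above concludes: the firewall passed the connection, the server answered on port 80, and the problem lies with the application.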

kcarjun2002 Sun, 06/24/2007 - 11:39

Sorry, my web server is running Win2k3 IIS. It's accessible from inside and locally, and it can also access the internet without any problem.

I am not sure what to check next.

JBDanford2002 Sun, 06/24/2007 - 11:47

I would double-check the IIS permissions/settings and possibly the file security for the site. Is this server part of your domain? Maybe you don't have the correct permissions enabled for internet users to view. Do you control this box also?

Below is a good link on permissions:


kcarjun2002 Sun, 06/24/2007 - 12:37

This web server is not in any domain. As it's accessible from other non-trusted machines, maybe security is OK.

JBDanford2002 Sun, 06/24/2007 - 14:02

Do you use the same URL to get to the site from the outside that you use on the inside?

kcarjun2002 Sun, 06/24/2007 - 15:24

I used the local IP to access it from inside and the public IP while trying to access it from outside.

JBDanford2002 Sun, 06/24/2007 - 15:36

Are there any redirects on the page? I would say at this point it's not a firewall issue.

Correct Answer
JBDanford2002 Mon, 06/25/2007 - 01:44

Definitely sounds like the application isn't designed correctly. Glad to see you got somewhere.

satish_zanjurne Sat, 06/23/2007 - 22:59


The static & access-list config is fine. If possible, attach the complete config.

