12-04-2007 10:10 AM - edited 02-21-2020 01:49 AM
I have a problem with my firewall. I've followed all the information on the Cisco site about how to allow a certain set of ports, but I still cannot get to my web server on my DMZ. I have even created an ACL that allows all, but I can't get by the implicit deny ACL. I have the correct static NAT and access-group according to the Cisco site, so I'm not sure anymore. I didn't originally build this box, and I'm not a security person, so I've become quite frustrated.
12-04-2007 10:28 AM
Hi
Could you possibly post the config?
Assuming access is from outside, as an example:
Web server on DMZ = 192.168.5.10
Outside interface of ASA = 195.166.71.10
static (DMZ,outside) tcp interface 80 192.168.5.10 80
access-list from_outside permit tcp any host 195.166.71.10 eq http
access-group from_outside in interface outside
The above example assumes you are NATting the private address of the web server on the DMZ to the IP address of the PIX outside interface.
HTH
Jon
12-04-2007 10:43 AM
12-04-2007 11:19 AM
clear configure access-list DMZ_access_in
access-list outside_in permit tcp any host 69.11.97.143 eq 80
access-group outside_in in interface outside
12-04-2007 11:23 AM
12-04-2007 11:33 AM
nat (DMZ) 101 0 0
In your current setup you cannot initiate traffic from your DMZ to the inside, just FYI.
12-04-2007 12:48 PM
Unfortunately changing the NAT statement didn't work. I thank you for your help.
I had made the change from my static NAT to nat (DMZ) 101 0 0, but it got worse. Now I'm back to getting rejected by the implicit deny. Before I replaced the NAT of the DMZ, at the very least I was seeing TCP SYN timeouts.
I just wanted to get the outside interface to allow web.
12-04-2007 04:41 PM
Instead of using the interface IP address, can we try to use another public IP?
If not, try these commands:
access-list DMZ_access_in extended permit tcp any interface outside eq www
static (DMZ,outside) tcp interface 80 192.168.2.249 80
12-05-2007 07:22 AM
Hello and thanks for the suggestions,
Unfortunately nothing suggested has worked properly. I have reached a point where I may just try a rebuild of the system. I will keep you all informed.
12-05-2007 09:16 AM
Hello
I have attempted a rebuild of the FW and here is the log I now get when trying to get to the DMZ server:
connection denied from 142.165.31.5/1248 to 69.11.97.143/80 flags SYN on interface Outside.
Thanks again for the help
12-05-2007 09:17 AM
Hi
Can you post your updated config?
Jon
12-05-2007 10:04 AM
Hi
Here are my 2 latest syslog events when trying to connect to the DMZ server:
302013 142.165.31.5 69.11.97.143 Built inbound TCP connection 6059 for Outside:142.165.31.5/1541 (142.165.31.5/1541) to DMZ:69.11.97.143/80 (69.11.97.143/80)
6 Dec 05 2007 10:25:26 110003 Routing failed to locate next hop for TCP from Outside:142.165.31.5/1541 to DMZ:69.11.97.143/80.
12-05-2007 10:06 AM
12-05-2007 10:23 AM
Hi
Change
"static (DMZ,Outside) interface 69.11.97.143 netmask 255.255.255.255"
to
static (DMZ,Outside) interface 192.168.2.x netmask 255.255.255.255
where 192.168.2.x is the address of the web server.
Jon
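As an added check (not from the thread or from Cisco), a small Python script that parses the `static` and `access-list` lines of the kind discussed above and flags the two misconfigurations this thread ran into: a static whose real address is not on the DMZ subnet (which is what produces the 110003 routing failure after the 302013 "Built inbound" message), and an inbound ACL whose destination or port does not match the static's translated side. The interface subnets and the outside address are assumptions.

```python
import ipaddress
import re
# Constructed samples modelled on the thread: the broken static maps the outside
# interface to the public address itself, the fixed one to the DMZ web server.
BROKEN_STATIC = "static (DMZ,Outside) interface 69.11.97.143 netmask 255.255.255.255"
FIXED_STATIC = "static (DMZ,Outside) interface 192.168.2.249 netmask 255.255.255.255"
ACL = "access-list outside_in permit tcp any host 69.11.97.143 eq 80"

# Assumed interface subnets (not stated in the thread): the DMZ range follows the
# 192.168.2.x addresses used in the replies, the outside range is a placeholder.
IFACES = {"dmz": ipaddress.ip_network("192.168.2.0/24"),
          "outside": ipaddress.ip_network("69.11.97.0/24")}
OUTSIDE_IP = "69.11.97.143"

STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?:tcp\s+)?"
    r"(?P<mapped>\S+)(?:\s+(?P<mport>\d+))?\s+(?P<real>\d+\.\d+\.\d+\.\d+)", re.I)
ACL_RE = re.compile(
    r"access-list (?P<name>\S+)(?: extended)? permit tcp (?:any|host \S+)\s+"
    r"(?P<dst>any|host \S+|interface \w+)\s+eq\s+(?P<port>\S+)", re.I)
PORT_NAMES = {"www": "80", "http": "80"}

def check_static(line, ifaces=IFACES):
    """Return the problems found in a PIX/ASA 7.x 'static' statement."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a recognised static statement"]
    real_if, real_ip = m["real_if"].lower(), ipaddress.ip_address(m["real"])
    if real_if not in ifaces:
        return [f"unknown real interface {m['real_if']}"]
    # The real (pre-NAT) address must sit on the real interface's subnet; otherwise
    # the ASA builds the connection (302013) and then cannot route it (110003).
    if real_ip not in ifaces[real_if]:
        return [f"real address {real_ip} is not on the {real_if} subnet"]
    return []

def acl_covers_static(acl_line, static_line, outside_ip=OUTSIDE_IP):
    """On pre-8.3 code the inbound ACL is matched against the translated (public)
    address, so its destination and port must match the static's mapped side."""
    a, s = ACL_RE.match(acl_line.strip()), STATIC_RE.match(static_line.strip())
    if not a or not s:
        return False
    if s["mapped"].lower() == "interface":
        targets = {f"interface {s['mapped_if'].lower()}", f"host {outside_ip}"}
    else:
        targets = {f"host {s['mapped']}"}
    dst, port = a["dst"].lower(), PORT_NAMES.get(a["port"].lower(), a["port"])
    port_ok = s["mport"] is None or s["mport"] == port
    return port_ok and (dst == "any" or dst in targets)
```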