DMZ web server; traffic gets in, can't get out.

Unanswered Question
Dec 14th, 2007


I have a webserver in the DMZ which is accessible from the outside. However, I am unable to access the internet from the web server. Help!

acomiskey Fri, 12/14/2007 - 11:41

You shouldn't need that as it should go out as 12.xx.xx.88. Check that it is using the correct dns server as defined in object-group ISP_DNS.

shortnathan Fri, 12/14/2007 - 11:49

I've verified the 12.xx.xx.71 address for DNS. The webserver is pointing to it for its DNS. I see the connection in the log:

6 Dec 14 2007 12:42:10 302015 12.xx.xx.71 Built outbound UDP connection 140732 for outside:12.xx.xx.71/53 (12.xx.xx.71/53) to dmz: (12.xx.xx.88/1044)

But it isn't working. It's definitely a DNS problem, things are working by IP.

husycisco Fri, 12/14/2007 - 12:07

Correct, I directly looked at NAT statements, missed the static.

Natan, what happens when you run nslookup on the webserver and query a web site, for example, and can you ping?

Please post the output of nslookup

shortnathan Fri, 12/14/2007 - 12:12

nslookup returns invalid domain server. It looks like the traffic is going out to the domain server but maybe it's not getting NATed correctly coming back?

I can resolve web sites directly by IP but I don't let ICMP through.

husycisco Fri, 12/14/2007 - 12:20

Do you have DNS max length inspection in your config? Can you post the nslookup output when you query a web site? Assuming that your inside LAN can correctly resolve DNS, try assigning the DNS server of LAN clients to DMZ.

shortnathan Fri, 12/14/2007 - 12:57

No max length inspection.

nslookup > nslookup.txt

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 12.xx.xx.71
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Try assigning dns server of lan clients to dmz, the interface address?

jiangu Fri, 12/14/2007 - 12:26

Your "outside_access_in" ACL does not allow your ISP DNS in.

acomiskey Fri, 12/14/2007 - 12:39

It wouldn't have to as this is being initiated from the dmz.

husycisco Sat, 12/15/2007 - 05:55

"Try assigning dns server of lan clients to dmz, the interface address?"

Do your clients have the IP address of the ASA interface as preferred DNS server? The ASA cannot be a DNS server and shouldn't be assigned as preferred DNS server.

Call your ISP and ask for DNS server addresses. Then assign these public DNS server addresses as preferred DNS server to your web server.

shortnathan Mon, 12/17/2007 - 10:12

I'm using the ISP-provided public DNS servers on the webserver. There's an ACL set to allow this, but nothing seems to be hitting it.

jfbeam Mon, 12/17/2007 - 17:58

Interesting. Even if it's not showing up in the log, try adding a rule to allow dns replies to outside_access_in. Other than that, all I can think of is an oddball NAT issue. Try removing the static (dmz,inside) map.

Beyond that... grab a tap and a sniffer.

husycisco Tue, 12/18/2007 - 02:44

Please post the output of the following command

packet-tracer input DMZ udp domain 12.xx.xx.71 domain detailed

husycisco Wed, 12/19/2007 - 01:00

ASA allows the traffic, nothing is wrong.

Actually, I doubt that 12.xx.xx.71 is a valid DNS server.

12.xx.xx.90 is your interface IP and 12.xx.xx.71 is an IP that is in your range with mask

I recommend you using another public DNS. For example

In TCP/IP properties of your server, set as preferred DNS server. And in ASA, do the following modification

object-group network ISP_DNS

network-object host


shortnathan Wed, 12/19/2007 - 10:11

It's confusing because of the scrubbed config, the second and third octets of the DNS server are different from those of my /27. The DNS server has been verified working, our domain controllers are all using it from the inside interface.
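husycisco's doubt above (that the resolver address sits inside the ASA's own interface range) and shortnathan's reply about the differing octets are the kind of check that can be scripted against the 302015 log line quoted earlier. The following is an added example, not code from the thread; it uses constructed documentation-range addresses in place of the scrubbed 12.xx.xx.* values and assumes the outside interface is 203.0.113.90/27.

```python
import ipaddress
import re

# Constructed sample line in the ASA %ASA-6-302015 format (documentation-range
# addresses stand in for the thread's scrubbed 12.xx.xx.* values).
SAMPLE_LOG = ("Dec 14 2007 12:42:10 302015 Built outbound UDP connection 140732 "
              "for outside:203.0.113.71/53 (203.0.113.71/53) "
              "to dmz:203.0.113.88/1044 (203.0.113.88/1044)")

# First endpoint is the far side (here the resolver), second is the DMZ host;
# the parenthesised pairs are the mapped (post-NAT) addresses.
_CONN_RE = re.compile(
    r"302015.*?Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<conn_id>\d+) for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"\([\d.]+/\d+\) to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \([\d.]+/\d+\)")


def parse_302015(line):
    """Return the endpoints of an ASA 302015 'Built ... connection' message."""
    m = _CONN_RE.search(line)
    if not m:
        raise ValueError("not a 302015 connection-built message")
    return m.groupdict()


def resolver_findings(conn, outside_cidr):
    """Flag the conditions raised in the thread for a DMZ-to-resolver flow.

    outside_cidr is the ASA outside interface address with its mask (assumed,
    e.g. "203.0.113.90/27"). Returns a list of human-readable findings; an
    empty list means none of the checked conditions apply.
    """
    findings = []
    if not (conn["proto"] == "UDP" and conn["a_port"] == "53"):
        findings.append("flow is not a UDP/53 DNS query")
    outside = ipaddress.ip_interface(outside_cidr)
    resolver = ipaddress.ip_address(conn["a_ip"])
    if resolver == outside.ip:
        findings.append("resolver is the ASA interface itself; the ASA is not a DNS server")
    elif resolver in outside.network:
        # A destination inside a directly connected subnet is ARPed for on that
        # segment rather than forwarded to the ISP gateway, so if no such host
        # exists the query is built in the log but never answered.
        findings.append(
            f"resolver {resolver} lies inside the outside interface subnet "
            f"{outside.network}; the ASA will ARP for it locally, not route it")
    return findings
```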
