DMZ web server; traffic gets in, can't get out.

shortnathan
Level 1

Hi,

I have a webserver in the DMZ which is accessible from the outside. However, I am unable to access the internet from the web server. Help!

17 Replies

husycisco
Level 7

Hi Nathan

Add the following

nat (dmz) 101 0 0

Regards

You shouldn't need that as it should go out as 12.xx.xx.88. Check that it is using the correct dns server as defined in object-group ISP_DNS.

I've verified the 12.xx.xx.71 address for DNS. The webserver is pointing to it for its DNS. I see the connection in the log:

6 Dec 14 2007 12:42:10 302015 12.xx.xx.71 172.16.0.176 Built outbound UDP connection 140732 for outside:12.xx.xx.71/53 (12.xx.xx.71/53) to dmz:172.16.0.176/1044 (12.xx.xx.88/1044)

But it isn't working. It's definitely a DNS problem; things are working by IP.

Correct, I directly looked at NAT statements, missed the static.

Nathan, what happens when you run nslookup on the webserver and query a web site, for example www.experts-exchange.com, and can you ping 64.156.132.140?

Please post the output of nslookup

nslookup returns invalid domain server. It looks like the traffic is going out to the domain server but maybe it's not getting NATed correctly coming back?

I can resolve web sites directly by IP but I don't let ICMP through.

Do you have DNS max length inspection in your config? Can you post the nslookup output when you query a web site? Assuming that your inside LAN can correctly resolve DNS, try assigning the DNS server of the LAN clients to the DMZ.

No max length inspection.

nslookup www.google.com > nslookup.txt

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 12.xx.xx.71

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Try assigning the DNS server of the LAN clients to the DMZ, the interface address?

Your "outside_access_in" ACL does not allow your ISP DNS in.

It wouldn't have to as this is being initiated from the dmz.

I don't show it hitting the ACL in the log.

"Try assigning dns server of lan clients to dmz, the interface address?"

Do your clients have the IP address of the ASA interface as preferred DNS server? The ASA cannot be a DNS server and shouldn't be assigned as preferred DNS server.

Call your ISP and ask for DNS server addresses. Then assign these public DNS server addresses as preferred DNS server to your web server.

I'm using the ISP-provided public DNS servers on the webserver. There's an ACL set to allow this, but nothing seems to be hitting it.

jfbeam
Level 1

Interesting. Even if it's not showing up in the log, try adding a rule to allow dns replies to outside_access_in. Other than that, all I can think of is an oddball NAT issue. Try removing the static (dmz,inside) map.

Beyond that... grab a tap and a sniffer.

Nathan,

Please post the output of the following command:

packet-tracer input DMZ udp 172.16.0.176 domain 12.xx.xx.71 domain detailed
