12-14-2007 11:20 AM - edited 03-12-2019 05:51 PM
Hi,
I have a webserver in the DMZ which is accessible from the outside. However, I am unable to access the internet from the web server. Help!
12-14-2007 11:33 AM
Hi Nathan
Add the following
nat (dmz) 101 0 0
Regards
12-14-2007 11:41 AM
You shouldn't need that as it should go out as 12.xx.xx.88. Check that it is using the correct dns server as defined in object-group ISP_DNS.
12-14-2007 11:49 AM
I've verified the 12.xx.xx.71 address for DNS. The webserver is pointing to it for its DNS. I see the connection in the log:
6 Dec 14 2007 12:42:10 302015 12.xx.xx.71 172.16.0.176 Built outbound UDP connection 140732 for outside:12.xx.xx.71/53 (12.xx.xx.71/53) to dmz:172.16.0.176/1044 (12.xx.xx.88/1044)
But it isn't working. It's definitely a DNS problem; things are working by IP.
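The 302015 line above is the one piece of hard evidence in this thread, and reading it correctly is the whole question: the ASA always prints the lower-security interface after "for" and the higher-security interface after "to", so for an outbound connection the initiator is the "to" side. The following is an added example, not code from the thread or from Cisco: a small parser for ASA "Built ... connection" messages (302013 for TCP, 302015 for UDP) plus a check that the DMZ host's query leaves with the expected public address and that the destination is not being silently translated. The expected address 12.xx.xx.88 and the first log line are taken from the thread as posted (masked octets included); the second log line is constructed to show what an untranslated query would look like.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ASA "Built {inbound|outbound} <proto> connection" messages.
# Assumption (ASA syslog convention): the side after "for" is always the
# lower-security interface and the side after "to" the higher-security one,
# so the direction keyword is needed to work out who initiated.
BUILT_RE = re.compile(
    r"(?P<msgid>30201[35])\s.*?\bBuilt\s+(?P<direction>inbound|outbound)\s+"
    r"(?P<proto>\w+)\s+connection\s+(?P<conn_id>\d+)\s+for\s+"
    r"(?P<for_if>\w+):(?P<for_real>[^/\s]+)/(?P<for_rport>\d+)\s+"
    r"\((?P<for_map>[^/\s]+)/(?P<for_mport>\d+)\)\s+to\s+"
    r"(?P<to_if>\w+):(?P<to_real>[^/\s]+)/(?P<to_rport>\d+)\s+"
    r"\((?P<to_map>[^/\s]+)/(?P<to_mport>\d+)\)"
)


@dataclass
class Endpoint:
    iface: str
    real_ip: str      # address as seen on its own interface
    real_port: int
    mapped_ip: str    # address after NAT, as seen by the other side
    mapped_port: int


@dataclass
class BuiltConn:
    conn_id: int
    proto: str
    direction: str
    initiator: Endpoint
    responder: Endpoint


def parse_built(line: str) -> Optional[BuiltConn]:
    """Parse a 302013/302015 line; return None for anything else (e.g. Teardown)."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    for_side = Endpoint(m["for_if"], m["for_real"], int(m["for_rport"]),
                        m["for_map"], int(m["for_mport"]))
    to_side = Endpoint(m["to_if"], m["to_real"], int(m["to_rport"]),
                       m["to_map"], int(m["to_mport"]))
    # Outbound: the higher-security ("to") host opened the connection.
    if m["direction"] == "outbound":
        initiator, responder = to_side, for_side
    else:
        initiator, responder = for_side, to_side
    return BuiltConn(int(m["conn_id"]), m["proto"].upper(), m["direction"],
                     initiator, responder)


def check_dmz_dns(line: str, dmz_if: str = "dmz",
                  expected_public: str = "12.xx.xx.88",
                  dns_port: int = 53) -> List[str]:
    """Return a list of problems with an outbound DNS query from the DMZ.

    An empty list means the outbound leg is translated as expected, which
    points the investigation at the return path (ACL, reverse NAT) instead.
    """
    conn = parse_built(line)
    if conn is None:
        return ["not a Built-connection message"]
    findings = []
    if conn.initiator.iface != dmz_if:
        findings.append(f"initiator is on {conn.initiator.iface}, not {dmz_if}")
    if conn.proto != "UDP" or conn.responder.real_port != dns_port:
        findings.append(f"not a UDP/{dns_port} query "
                        f"({conn.proto}/{conn.responder.real_port})")
    if conn.initiator.mapped_ip != expected_public:
        findings.append(f"query leaves as {conn.initiator.mapped_ip}, "
                        f"expected {expected_public}")
    if conn.responder.mapped_ip != conn.responder.real_ip:
        findings.append(f"destination {conn.responder.real_ip} is being "
                        f"translated to {conn.responder.mapped_ip}")
    return findings


# Log line as posted in the thread (octets masked by the poster).
THREAD_LINE = ("6 Dec 14 2007 12:42:10 302015 12.xx.xx.71 172.16.0.176 Built "
               "outbound UDP connection 140732 for outside:12.xx.xx.71/53 "
               "(12.xx.xx.71/53) to dmz:172.16.0.176/1044 (12.xx.xx.88/1044)")

# Constructed line: same query, but the DMZ host leaves with its private address.
UNTRANSLATED_LINE = ("6 Dec 14 2007 12:42:10 302015 12.xx.xx.71 172.16.0.176 Built "
                     "outbound UDP connection 140733 for outside:12.xx.xx.71/53 "
                     "(12.xx.xx.71/53) to dmz:172.16.0.176/1044 (172.16.0.176/1044)")

if __name__ == "__main__":
    for sample in (THREAD_LINE, UNTRANSLATED_LINE):
        print(check_dmz_dns(sample) or ["outbound translation looks correct"])
```

For the line from the thread the checker returns no findings: the query really does go out as 12.xx.xx.88 to 12.xx.xx.71/53, and the destination is untouched by any static. That is consistent with the later advice in the thread to look at the reply direction and at packet-tracer rather than at the outbound NAT.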
12-14-2007 12:07 PM
Correct, I directly looked at NAT statements, missed the static.
Nathan, what happens when you run nslookup on the webserver and query a web site, for example www.experts-exchange.com, and can you ping 64.156.132.140?
Please post the output of nslookup
12-14-2007 12:12 PM
nslookup returns "invalid domain server". It looks like the traffic is going out to the domain server, but maybe it's not getting NATed correctly coming back?
I can resolve web sites directly by IP but I don't let ICMP through.
12-14-2007 12:20 PM
Do you have DNS max-length inspection in your config? Can you post the nslookup output when you query a web site? Assuming that your inside LAN can correctly resolve DNS, try assigning the DNS server of the LAN clients to the DMZ.
12-14-2007 12:57 PM
No max length inspection.
nslookup www.google.com > nslookup.txt
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 12.xx.xx.71
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
"Try assigning the DNS server of the LAN clients to the DMZ" - the interface address?
12-14-2007 12:26 PM
Your "outside_access_in" ACL does not allow your ISP DNS in.
12-14-2007 12:39 PM
It wouldn't have to as this is being initiated from the dmz.
12-14-2007 12:58 PM
I don't show it hitting the ACL in the log.
12-15-2007 05:55 AM
"Try assigning dns server of lan clients to dmz, the interface address?"
Do your clients have the IP address of the ASA interface as preferred DNS server? The ASA cannot be a DNS server and shouldn't be assigned as preferred DNS server.
Call your ISP and ask for DNS server addresses. Then assign these public DNS server addresses as preferred DNS server to your web server.
12-17-2007 10:12 AM
I'm using the ISP-provided public DNS servers on the webserver. There's an ACL set to allow this, but nothing seems to be hitting it.
12-17-2007 05:58 PM
Interesting. Even if it's not showing up in the log, try adding a rule to allow DNS replies to outside_access_in. Other than that, all I can think of is an oddball NAT issue. Try removing the static (dmz,inside) map.
Beyond that... grab a tap and a sniffer.
12-18-2007 02:44 AM
Nathan,
Please post the output of following command
packet-tracer input DMZ udp 172.16.0.176 domain 12.xx.xx.71 domain detailed