DMZ access

dinesh.das (Level 1)

Hi,

I am not able to access DMZ from outside. Attached the running config of firewall.

I think it might be some routing issue; any suggestions?


Hi,

Some questions:

- Did you try to ping your host in the DMZ from outside?

- When you try to access the host in the DMZ, do you see log messages on the firewall?

- Did you set up the default gateway on the host in the DMZ?

Best regards.

Massimiliano.

1. I am not able to ping the DMZ NAT IP from outside.

2. no

3. Yes

Hi,

- From outside, did you ping the IP address of the firewall's outside interface?

- From the host in the DMZ, do you have access to hosts on the Internet?

First of all, your access-list is wrong:

access-list DMZ1_access_in extended permit ip host 1.1.27.113 any

access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any

The 1.1.27.113 will never be seen on the DMZ side; it will only see the pre-NAT local IP.

Secondly, one of your statics is incorrect:

static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255

This should be 192.168.1.101, OR

static (DMZ1,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255

Thirdly, why have you put in two default routes?

Regards
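
The two checks Farrukh describes, turned into a small config linter. This is an added example, not the poster's running config or any Cisco tool: the sample configuration embedded in it is constructed to reproduce the thread's symptoms, and the interface subnets, the access-group binding, and the assumption that 1.1.27.113 is the static for 192.168.5.111 are mine.

```python
"""Lint a Cisco ASA config (pre-8.3 `static` NAT syntax, as in this thread) for
two mistakes: an ACL applied inbound on an interface that matches on a post-NAT
global address (that interface only ever sees the real, pre-NAT IP), and a
`static (local_if,global_if)` whose real address is not on local_if.
Added example, not the poster's config.  SAMPLE_CONFIG is constructed; the
subnets, the access-group binding and the 1.1.27.113 static are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 1.1.27.100 255.255.255.0
interface Vlan3
 nameif DMZ1
 ip address 192.168.5.1 255.255.255.0
access-list DMZ1_access_in extended permit ip host 1.1.27.113 any
access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any
access-group DMZ1_access_in in interface DMZ1
static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
static (DMZ1,outside) 1.1.27.113 192.168.5.111 netmask 255.255.255.255
"""

NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(host \S+|any|\S+ \S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


class Static(NamedTuple):
    local_if: str
    global_if: str
    global_ip: ipaddress.IPv4Address   # mapped address seen on global_if
    local_ip: ipaddress.IPv4Address    # real address seen on local_if
    mask: str
    line: str


@dataclass
class AsaConfig:
    ifaces: Dict[str, ipaddress.IPv4Network] = field(default_factory=dict)  # nameif -> connected subnet
    acls: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)   # acl name -> [(source, line)]
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)     # acl name -> (direction, nameif)
    statics: List[Static] = field(default_factory=list)


def parse_asa(text: str) -> AsaConfig:
    cfg = AsaConfig()
    current = None  # nameif of the interface block being read
    for line in text.splitlines():
        if line.startswith("interface "):
            current = None
        elif m := NAMEIF_RE.match(line):
            current = m[1]
        elif (m := IPADDR_RE.match(line)) and current:
            cfg.ifaces[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := ACL_RE.match(line):
            cfg.acls.setdefault(m[1], []).append((m[4], line))
        elif m := GROUP_RE.match(line):
            cfg.bindings[m[1]] = (m[2], m[3])
        elif m := STATIC_RE.match(line):
            cfg.statics.append(Static(m[1], m[2], ipaddress.ip_address(m[3]),
                                      ipaddress.ip_address(m[4]), m[5], line))
    return cfg


def check_acl_sources(cfg: AsaConfig) -> List[Tuple[str, str]]:
    """(bad_line, suggested_line) for inbound ACL entries whose source host is the
    global side of a static that NAT only exposes on a different interface."""
    by_global = {s.global_ip: s for s in cfg.statics}
    findings = []
    for acl, (direction, nameif) in cfg.bindings.items():
        if direction != "in":
            continue
        for src, line in cfg.acls.get(acl, []):
            if not src.startswith("host "):
                continue
            st = by_global.get(ipaddress.ip_address(src.split()[1]))
            if st is None or st.global_if == nameif:
                continue  # not a translated address, or it really is visible on this interface
            findings.append((line, line.replace(f"host {st.global_ip}", f"host {st.local_ip}")))
    return findings


def check_statics(cfg: AsaConfig) -> List[Tuple[str, str]]:
    """(bad_line, suggested_line) for statics whose real address is not on the
    connected subnet of local_if.  Only connected subnets are known here, so a
    real address routed behind the interface would be a false positive."""
    findings = []
    for s in cfg.statics:
        local_net = cfg.ifaces.get(s.local_if)
        if local_net is None or s.local_ip in local_net:
            continue
        homes = [name for name, net in cfg.ifaces.items() if s.local_ip in net]
        fixed = (f"static ({homes[0]},{s.global_if}) {s.global_ip} {s.local_ip} netmask {s.mask}"
                 if homes else f"! no interface owns {s.local_ip}; check the real address")
        findings.append((s.line, fixed))
    return findings


if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    for bad, good in check_acl_sources(cfg) + check_statics(cfg):
        print(f"- {bad}\n+ {good}")
```

On the sample, the ACL check rewrites both DMZ1_access_in entries against 192.168.5.111 (the form of the rule that resolved the thread) and the static check re-homes the 1.1.27.101 entry to (DMZ1,outside). Two caveats: the static check only knows directly connected subnets, so a real address routed behind an interface would be reported although it is fine; and the rewritten `permit ip host ... any` is a reachability-test rule, to be tightened to the required protocols and ports once the DMZ host answers.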

Hi,

Thanks a lot, I will implement the config as you said and try to ping from outside.

Regards.

All global IPs are responding from outside, except the DMZ NAT IP.

You mean this IP? 1.1.27.113

Try to add this in your DMZ ACL:

access-list DMZ1_access_in extended permit ip host 192.168.5.111 any

You can make it more secure after doing the initial testing.

Secondly fix your static as per my last post.

Regards

Farrukh

Thank you Farrukh, it is working now. I think the only problem was ACL_DMZ, and that is why it was not coming out of the FW.

Hi,

Just do some logging and ICMP debugging on the ASA, then post it here.

Did you try a telnet to a server?

Regards

Omair, the issue is with the ACL and the static.

Regards

Farrukh

Agreed but I hope that he changed the config.
