DMZ access

Answered Question
Jun 16th, 2008

Hi,

I am not able to access the DMZ from outside. Attached is the running config of the firewall.

I think it might be some routing issue. Any suggestions?


massimiliano.se... Tue, 06/17/2008 - 01:34

Hi,

Some questions:

- Did you try to ping your host in the DMZ from outside?

- When you try to access the host in the DMZ, do you see log messages on the firewall?

- Did you set up the default gateway on the host in the DMZ?

Best regards.

Massimiliano.

dinesh.das Tue, 06/17/2008 - 01:49

1. I am not able to ping from outside to the DMZ NAT IP.

2. no

3. Yes

massimiliano.se... Tue, 06/17/2008 - 01:58

Hi,

- From outside, did you ping the IP address of the firewall's outside interface?

- From the host in the DMZ, did you have access to hosts on the Internet?

Farrukh Haroon Tue, 06/17/2008 - 02:06

First of all your access-list is wrong:

access-list DMZ1_access_in extended permit ip host 1.1.27.113 any

access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any

The 1.1.27.113 will never be seen on the DMZ side; it will only see the pre-NAT local IP.

Secondly, one of your statics is incorrect:

static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255

This should be 192.168.1.101 OR

static (DMZ1,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255

Thirdly, why have you put two default routes?

Regards
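The two mistakes pointed out in the reply above (an ACL on the DMZ interface matching the translated address, and a static whose real IP is not on the named interface) can be checked mechanically. The following is an added example, not part of the original thread; the sample config is constructed in pre-8.3 ASA syntax, and the interface subnets and the 1.1.27.113 static line are assumptions.

```python
import ipaddress
import re

# Constructed sample config; subnets per interface are assumed, not from the thread.
SAMPLE_CONFIG = """\
access-list DMZ1_access_in extended permit ip host 1.1.27.113 any
access-list DMZ1_access_in extended permit ip host 192.168.5.111 any
access-group DMZ1_access_in in interface DMZ1
static (DMZ1,outside) 1.1.27.113 192.168.5.111 netmask 255.255.255.255
static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
"""
SUBNETS = {"inside": "192.168.1.0/24", "DMZ1": "192.168.5.0/24"}

STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ host (\S+)")


def lint(config, subnets):
    """Return a list of findings for the static and ACL lines in config."""
    lines = config.splitlines()
    # Each static is (real_if, mapped_if, mapped_ip, real_ip).
    statics = [m.groups() for m in map(STATIC_RE.match, lines) if m]
    # ACL name -> interface it is applied inbound on.
    bound = {m.group(1): m.group(2) for m in map(GROUP_RE.match, lines) if m}
    findings = []
    # Check 1: the real IP of a static must live on the real interface's subnet.
    for real_if, _mapped_if, _mapped_ip, real_ip in statics:
        if real_if not in subnets:
            continue  # unknown interface, nothing to compare against
        net = ipaddress.ip_network(subnets[real_if])
        if ipaddress.ip_address(real_ip) not in net:
            findings.append(f"static: real IP {real_ip} is not on {real_if} ({net})")
    # Check 2: an inbound ACL sees the pre-NAT source, never the mapped address.
    for m in filter(None, map(ACL_RE.match, lines)):
        acl, src = m.groups()
        iface = bound.get(acl)
        for real_if, _mapped_if, mapped_ip, real_ip in statics:
            if real_if == iface and src == mapped_ip:
                findings.append(f"acl {acl}: source {src} is the mapped address; "
                                f"{iface} sees the real address {real_ip}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, SUBNETS):
        print(finding)
```
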

dinesh.das Tue, 06/17/2008 - 02:19

Hi,

Thanks a lot, I will implement the config as you said and try to ping from outside.

Regards.

Correct Answer
Farrukh Haroon Tue, 06/17/2008 - 02:16

You mean this IP? 1.1.27.113

Try to add this in your DMZ ACL:

access-list DMZ1_access_in extended permit ip host 192.168.5.111 any

You can make it more secure after doing the initial testing.

Secondly, fix your static as per my last post.

Regards

Farrukh

dinesh.das Tue, 06/17/2008 - 20:16

Thank you Farrukh, it is working now. I think the only problem was ACL_DMZ and that is what it was not coming out of the FW.

nomair_83 Tue, 06/17/2008 - 02:25

Hi,

Just do some logging and ICMP debugging in the ASA, then post it here.

Did you try a telnet to a server?

Regards
