DMZ access

Answered Question
Jun 16th, 2008

Hi,


I am not able to access DMZ from outside. Attached the running config of firewall.

I think it might be some routing issue, any suggestions.

massimiliano.se... Tue, 06/17/2008 - 01:34

Hi,

Some questions:


- Did you try to ping your host in DMZ from outside?

- When you try to access the host in DMZ, do you see log messages on the firewall?

- Did you set up the default gateway on the host in DMZ?


Best regards.

Massimiliano.

dinesh.das Tue, 06/17/2008 - 01:49

1. I am not able to ping the DMZ NAT IP from outside.

2. no

3. Yes

massimiliano.se... Tue, 06/17/2008 - 01:58

Hi,

- From outside, did you ping the IP address of the firewall's outside interface?

- From the host in DMZ, did you have access to hosts on the Internet?



Farrukh Haroon Tue, 06/17/2008 - 02:06

First of all, your access-list is wrong:


access-list DMZ1_access_in extended permit ip host 1.1.27.113 any

access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any


The 1.1.27.113 will never be seen on the DMZ side; it will only see the pre-NAT local IP.


Secondly, one of your statics is incorrect:


static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255


This should be 192.168.1.101 OR


static (DMZ1,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255


Thirdly, why have you put two default routes?


Regards


dinesh.das Tue, 06/17/2008 - 02:19

Hi,


Thanks a lot, I will implement the config as you said and try to ping from outside.


Regards.

dinesh.das Tue, 06/17/2008 - 02:09

All global IPs are responding from outside, except the DMZ NAT IP.

Correct Answer
Farrukh Haroon Tue, 06/17/2008 - 02:16

You mean this IP? 1.1.27.113


Try to add this in your DMZ ACL:


access-list DMZ1_access_in extended permit ip host 192.168.5.111 any


You can make it more secure after doing the initial testing.


Secondly fix your static as per my last post.


Regards


Farrukh
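
The ACL and static points from Farrukh's posts, as an added before/after illustration that is not the poster's attached config. It assumes the DMZ host 192.168.5.111 on DMZ1 is published as 1.1.27.113, that the inside network is 192.168.1.0/24, that the host only serves HTTP, and that an outside ACL already permits inbound traffic to the global address; pre-8.3 syntax as used in the thread.

```text
! Added example; not the poster's running config. Assumptions: DMZ host
! 192.168.5.111 on DMZ1 is published as 1.1.27.113, inside is 192.168.1.0/24,
! the host serves HTTP only, and an outside ACL permits inbound traffic to
! 1.1.27.113 (outside ACLs match the global address, DMZ ACLs the real one).

! --- As posted (does not work) ---
! Packets arriving on DMZ1 carry the real address 192.168.5.111, so an ACL
! entry on the global address 1.1.27.113 never matches, and ping replies from
! the DMZ host are dropped at the DMZ1 interface.
access-list DMZ1_access_in extended permit ip host 1.1.27.113 any
access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any
! Wrong interface pair: 192.168.5.x lives on DMZ1, not inside.
static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255

! --- Corrected, step 1: get it working (as in the accepted answer) ---
static (DMZ1,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
static (DMZ1,outside) 1.1.27.113 192.168.5.111 netmask 255.255.255.255
access-list DMZ1_access_in extended permit ip host 192.168.5.111 any
access-group DMZ1_access_in in interface DMZ1

! --- Corrected, step 2: tighten after testing ---
! Inbound TCP sessions to the web server need no DMZ1 permit; the stateful
! engine allows the return traffic. Only traffic the DMZ host initiates (and
! ICMP replies, unless "inspect icmp" is enabled) needs explicit permits.
no access-list DMZ1_access_in extended permit ip host 192.168.5.111 any
! Keep a compromised DMZ host away from the inside network (listed first,
! since entries are matched top-down).
access-list DMZ1_access_in extended deny ip host 192.168.5.111 192.168.1.0 255.255.255.0
access-list DMZ1_access_in extended permit icmp host 192.168.5.111 any echo-reply
access-list DMZ1_access_in extended permit udp host 192.168.5.111 any eq domain
access-list DMZ1_access_in extended permit udp host 192.168.5.111 any eq ntp
! Any other outbound traffic from DMZ1 hits the implicit deny at the end.
```

Check the result with "show access-list DMZ1_access_in" (hit counts) and "show xlate" (the static mapping) while pinging the global address from outside.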

dinesh.das Tue, 06/17/2008 - 20:16

Thank you Farrukh, it is working now. I think the only problem was the ACL_DMZ, and that is why it was not coming out of the FW.

nomair_83 Tue, 06/17/2008 - 02:25

Hi,

Just do some logging and ICMP debugging on the ASA, then post it here.

Did you try a telnet to a server?


Regards


Farrukh Haroon Tue, 06/17/2008 - 02:30

Omair the issue is with the ACL and the static.


Regards


Farrukh

nomair_83 Tue, 06/17/2008 - 02:51

Agreed but I hope that he changed the config.