06-16-2008 11:52 PM - edited 03-11-2019 06:00 AM
Hi,
I am not able to access DMZ from outside. Attached the running config of firewall.
I think it might be some routing issue. Any suggestions?
06-17-2008 01:34 AM
Hi,
Some questions:
- Did you try to ping your host in the DMZ from outside?
- When you try to access the host in the DMZ, do you see log messages on the firewall?
- Did you set up the default gateway on the host in the DMZ?
Best regards.
Massimiliano.
06-17-2008 01:49 AM
1. I am not able to ping from outside to the DMZ NAT IP.
2. No
3. Yes
06-17-2008 01:58 AM
Hi,
- From outside, did you ping the IP address of the firewall's outside interface?
- From the host in the DMZ, did you have access to hosts on the Internet?
06-17-2008 02:06 AM
First of all your access-list is wrong:
access-list DMZ1_access_in extended permit ip host 1.1.27.113 any
access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any
The 1.1.27.113 will never be seen on the DMZ side, it will only see the pre-NAT local IP.
Secondly one of your statics is incorrect:
static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
This should be 192.168.1.101 OR
static (DMZ1,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
Thirdly, why have you put two default routes?
Regards
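The two mistakes described in the post above can be checked mechanically. This is an added example, not part of the thread or any Cisco tool: the /24 interface subnets, the ACL-to-interface binding and the last static line are assumptions constructed from the addresses quoted in the thread.

```python
import ipaddress
import re

# Assumed /24 interface subnets, inferred from the addresses in the thread.
NETS = {"inside": ipaddress.ip_network("192.168.1.0/24"),
        "DMZ1": ipaddress.ip_network("192.168.5.0/24")}
# Assumed binding: access-group DMZ1_access_in in interface DMZ1
BINDINGS = {"DMZ1_access_in": "DMZ1"}
# Constructed sample: the first three lines are quoted in the thread; the last
# static is a constructed mapping for the 1.1.27.113 / 192.168.5.111 pair.
CONFIG = """\
access-list DMZ1_access_in extended permit ip host 1.1.27.113 any
access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any
static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
static (DMZ1,outside) 1.1.27.113 192.168.5.111 netmask 255.255.255.255
"""
STATIC_RE = re.compile(r"static \(([^,\s]+),([^)\s]+)\) (\S+) (\S+) netmask \S+")
ACL_RE = re.compile(r"access-list (\S+) extended permit \S+ host (\S+) ")


def lint(config, nets=NETS, bindings=BINDINGS):
    """Return (kind, line, detail) findings for pre-8.3 style ASA config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics = []  # (real_if, mapped_ip, real_ip)
    findings = []
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        real_if, _mapped_if, mapped_ip, real_ip = m.groups()
        statics.append((real_if, mapped_ip, real_ip))
        # The real (pre-NAT) address must sit behind the first interface named.
        if real_if in nets and ipaddress.ip_address(real_ip) not in nets[real_if]:
            findings.append(("static-interface-mismatch", line,
                             f"{real_ip} is not in {real_if} {nets[real_if]}"))
    for line in lines:
        m = ACL_RE.match(line)
        if not m or m.group(1) not in bindings:
            continue
        iface, src = bindings[m.group(1)], m.group(2)
        # The interface only sees the local address, so a source equal to the
        # mapped (global) address of a host on this interface never matches.
        for real_if, mapped_ip, real_ip in statics:
            if real_if == iface and src == mapped_ip:
                findings.append(("acl-uses-translated-ip", line,
                                 f"use real address {real_ip}"))
    return findings


if __name__ == "__main__":
    for kind, line, detail in lint(CONFIG):
        print(f"{kind}: {line}\n    -> {detail}")
```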
06-17-2008 02:19 AM
Hi,
Thanks a lot, I will implement the config as you said and try to ping from outside.
Regards.
06-17-2008 02:09 AM
All global IPs are responding from outside, except the DMZ NAT IP.
06-17-2008 02:16 AM
You mean this IP? 1.1.27.113
Try to add this in your DMZ ACL:
access-list DMZ1_access_in extended permit ip host 192.168.5.111 any
You can make it more secure after doing the initial testing.
Secondly fix your static as per my last post.
Regards
Farrukh
06-17-2008 08:16 PM
Thank you Farrukh, it is working now. I think the only problem was ACL_DMZ and that is why it was not coming out of the FW.
06-17-2008 02:25 AM
Hi,
Just do some logging and ICMP debugging on the ASA, then post it here.
Did you try a telnet to a server?
Regards
06-17-2008 02:30 AM
Omair the issue is with the ACL and the static.
Regards
Farrukh
06-17-2008 02:51 AM
Agreed but I hope that he changed the config.