06-16-2008 11:52 PM - edited 03-11-2019 06:00 AM
Hi,
I am not able to access DMZ from outside. Attached the running config of firewall.
I think it might be some routing issue. Any suggestions?
06-17-2008 01:34 AM
Hi,
Some questions:
- Did you try to ping from outside your host in DMZ?
- When you try to access to host in DMZ do you see log messages on firewall?
- Did you set up the default gateway on host in DMZ?
Best regards.
Massimiliano.
06-17-2008 01:49 AM
1. I am not able to ping from outside to the DMZ NAT IP.
2. no
3. Yes
06-17-2008 01:58 AM
Hi,
- From outside did you ping the ip address of the firewall's interface outside?
- From host in DMZ did you have access to hosts in Internet?
06-17-2008 02:06 AM
First of all your access-list is wrong:
access-list DMZ1_access_in extended permit ip host 1.1.27.113 any
access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any
The 1.1.27.113 will never be seen on the DMZ side; it will only see the pre-NAT local IP.
Secondly, one of your statics is incorrect:
static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
This should be 192.168.1.101 OR
static (DMZ1,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
Thirdly, why have you put two default routes?
Regards
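The two checks described in the post above, written as a small config lint. This is an added example, not part of the original thread: the `access-group` binding, the static for 1.1.27.113 and the interface subnets are assumptions, since the attached running config is not shown on the page.

```python
import ipaddress
import re

# Constructed sample: ACL and static lines quoted in the thread, plus an assumed
# access-group binding, an assumed static for 1.1.27.113 and assumed subnets.
SAMPLE = """\
access-list DMZ1_access_in extended permit ip host 1.1.27.113 any
access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any
access-group DMZ1_access_in in interface DMZ1
static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
static (DMZ1,outside) 1.1.27.113 192.168.5.111 netmask 255.255.255.255
"""
SUBNETS = {"inside": "192.168.1.0/24", "DMZ1": "192.168.5.0/24"}  # assumed

STATIC = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask \S+")
ACE = re.compile(r"^access-list (\S+) extended permit \S+ host (\S+) ")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def lint(config, subnets):
    """Return findings for mapped-IP ACL sources and misplaced statics."""
    lines = config.splitlines()
    statics = [m.groups() for m in map(STATIC.match, lines) if m]
    bound = dict(m.groups() for m in map(GROUP.match, lines) if m)
    findings = []
    for real_if, _mapped_if, mapped, real in statics:
        # The real address must live on the real (first-named) interface.
        if ipaddress.ip_address(real) not in ipaddress.ip_network(subnets[real_if]):
            findings.append(("static-wrong-interface", real_if, real))
    for line in lines:
        m = ACE.match(line)
        if not m or m.group(1) not in bound:
            continue
        acl_if, src = bound[m.group(1)], m.group(2)
        # An inbound ACL sees packets before translation, so a source equal
        # to a mapped address can never match traffic from the real host.
        for real_if, _mapped_if, mapped, real in statics:
            if src == mapped and real_if == acl_if:
                findings.append(("acl-uses-mapped-ip", src, real))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE, SUBNETS):
        print(finding)
```

Each `acl-uses-mapped-ip` finding carries the real address that the ACL entry should reference instead.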
06-17-2008 02:19 AM
Hi,
Thanks a lot, I will implement the config as you said and try to ping from outside.
Regards.
06-17-2008 02:09 AM
All global IPs are responding from outside, except the DMZ NAT IP.
06-17-2008 02:16 AM
You mean this IP? 1.1.27.113
Try to add this in your DMZ ACL:
access-list DMZ1_access_in extended permit ip host 192.168.5.111 any
You can make it more secure after doing the initial testing.
Secondly fix your static as per my last post.
Regards
Farrukh
06-17-2008 08:16 PM
Thank you Farrukh, it is working now. I think the only problem was ACL_DMZ and that is what it was not coming out of the FW.
06-17-2008 02:25 AM
Hi,
Just do some logging and ICMP debugging in ASA, then post it here.
Did you try a telnet to a server?
Regards
06-17-2008 02:30 AM
Omair the issue is with the ACL and the static.
Regards
Farrukh
06-17-2008 02:51 AM
Agreed but I hope that he changed the config.