ASA 5505 DMZ configuration

Answered Question
Jul 11th, 2008

Having trouble configuring web server in DMZ on ASA 5505 w/ security plus. Can access internal server from web server ok and can vnc to web server but web server can't access internet and internet users can't access web server.

a.alekseev Fri, 07/11/2008 - 08:45

show the configuration...

a.alekseev Fri, 07/11/2008 - 09:47

access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq www
access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq 5900
access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq 5349
access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq 5001
access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq domain
access-list dmztoinside extended permit udp host 10.0.10.3 host 10.0.20.3 eq domain
access-list dmztoinside extended deny ip any 10.0.0.0 255.0.0.0
access-list dmztoinside extended permit ip 10.0.10.0 255.255.255.0 any

no nat (inside) 1 10.0.10.0 255.255.255.0
nat (dmz) 1 10.0.10.0 255.255.255.0

no static (dmz,outside) 10.0.10.3 yyy.yyy.yyy.yyy netmask 255.255.255.255
static (dmz,outside) yyy.yyy.yyy.yyy 10.0.10.3 netmask 255.255.255.255

access-list outsidedmz extended permit tcp any host yyy.yyy.yyy.yyy eq www
access-list outsidedmz extended permit tcp any host yyy.yyy.yyy.yyy eq https
access-list outsidedmz extended permit tcp any host yyy.yyy.yyy.yyy eq ftp

czone51334 Fri, 07/11/2008 - 10:09

Thanks, that has part of the problem resolved: the web server in the DMZ can now access the internet. However, the internet still cannot access the web server; I still get "page cannot be displayed".

kwillacey Fri, 07/11/2008 - 10:20

The configuration looks fine. Have you tried FTP? Maybe it's just an issue with browsing to the server. Try allowing Remote Desktop (on both the server and the ASA) and see if that works as well.

czone51334 Fri, 07/11/2008 - 10:36

If I go to my internal server (10.0.20.3) I can open the web page on the DMZ web server 10.0.10.3 OK. I can surf the internet using IE from the DMZ web server OK. If I attempt to access the web page http://12.214.95.51/Winnebago/index.asp I get "page can't be displayed". That tells me the web server is OK, but requests still aren't making it to the web server. Is there any ACL to direct all web ports to port 80? I noticed my request originated on a dynamic port when viewed with netstat -an.

Could it be that PAT needs to be configured in some way to direct HTTP traffic to the web server 10.0.10.3?

a.alekseev Fri, 07/11/2008 - 11:02

12.214.95.51: is it a DHCP-assigned IP address on the outside interface?

czone51334 Fri, 07/11/2008 - 11:09

Yes, it is supposed to be a "sticky" IP address. Media Comm uses them instead of assigning a static IP; supposedly the 5505 should always get the same IP reassigned. I have tried using the IP address assigned statically to the interface, but that makes no difference: the internet works but I can't access the web server from the internet.

kwillacey Fri, 07/11/2008 - 11:11

Can you verify the IP address on the interface with show int ip bri?

czone51334 Fri, 07/11/2008 - 11:34

Yes, the IP 12.214.95.51 is correct when checked with the sh int ip bri command.

Correct Answer
a.alekseev Fri, 07/11/2008 - 11:19

so in this case

no static (dmz,outside) yyy.yyy.yyy.yyy 10.0.10.3 netmask 255.255.255.255
global (outside) 1 interface
static (dmz,outside) tcp interface 80 10.0.10.3 80
static (dmz,outside) tcp interface 5900 10.0.10.3 5900
static (dmz,outside) tcp interface 5349 10.0.10.3 5349
static (dmz,outside) tcp interface 5001 10.0.10.3 5001
static (dmz,outside) tcp interface 53 10.0.10.3 53
static (dmz,outside) udp interface 53 10.0.10.3 53

[Pls RATE if HELPS]
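
A point the accepted answer leaves implicit: on ASA releases before 8.3 (the 5505 in 2008 runs one of these), an ACL applied inbound on the outside interface is matched against the mapped (public) destination address. Once the statics are rewritten to use "interface", the earlier outsidedmz entries that permit traffic to yyy.yyy.yyy.yyy no longer match anything, and a static by itself opens no port; only the statics that the interface ACL permits are reachable. The script below is an added example, not code from the thread or from Cisco: it parses pre-8.3 "static (dmz,outside)" and "access-list ... extended" lines, resolves the "interface" keyword to the outside address, and reports which translations the ACL actually publishes and which permits are dead because their destination is no longer translated. The sample configs are constructed for the example; 12.214.95.51 is the outside address quoted in the thread, and 203.0.113.10 is a documentation-range stand-in for the masked yyy.yyy.yyy.yyy.

```python
"""Audit a pre-8.3 ASA DMZ publication: do the inbound outside ACL entries
line up with the static NAT/PAT translations?

Before 8.3 the ACL on 'outside' matches the MAPPED (public) destination, so a
permit whose destination has no static translation permits nothing, and a
static with no matching permit is not reachable from the Internet.
Added example for this thread; parser and sample data are constructed here.
"""
from collections import namedtuple

Static = namedtuple("Static", "proto mapped_ip mapped_port real_ip real_port")
Ace = namedtuple("Ace", "name action proto dst_ip dst_port text")

# Service keywords ASA accepts after 'eq' (the subset used in this thread).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21, "domain": 53}


def _port(tok):
    """Translate an ASA port token ('80', 'www', ...) to an int."""
    return SERVICE_PORTS.get(tok) or int(tok)


def parse_static(line, outside_ip):
    """Parse 'static (real,mapped) [tcp|udp] MAPPED [MPORT] REAL [RPORT] ...'.
    The mapped keyword 'interface' resolves to the outside interface address."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    rest = tok[2:]
    if rest[0] in ("tcp", "udp"):          # static PAT: proto mapped mport real rport
        proto, mapped, mport, real, rport = rest[:5]
        return Static(proto, outside_ip if mapped == "interface" else mapped,
                      _port(mport), real, _port(rport))
    mapped, real = rest[:2]                 # one-to-one static: every proto and port
    return Static(None, mapped, None, real, None)


def _addr(tok, i, outside_ip):
    """Consume an address spec at tok[i]: any | host A | interface NAME | A MASK."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    if tok[i] == "interface":               # 'interface outside' = the ASA's own address
        return outside_ip, i + 2
    return tok[i] + "/" + tok[i + 1], i + 2


def parse_ace(line, outside_ip):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    name, action, proto = tok[1], tok[3], tok[4]
    _, i = _addr(tok, 5, outside_ip)        # source is parsed but not needed here
    dst, i = _addr(tok, i, outside_ip)
    port = _port(tok[i + 1]) if len(tok) > i + 1 and tok[i] == "eq" else None
    return Ace(name, action, proto, dst, port, line)


def translates(static, ace):
    """True if this static supplies the mapped destination the ACE permits."""
    if ace.dst_ip != static.mapped_ip:
        return False
    if static.proto is None:                # one-to-one static covers every proto/port
        return True
    if ace.proto not in ("ip", static.proto):
        return False
    return ace.dst_port is None or ace.dst_port == static.mapped_port


def audit(config, outside_ip, acl_name):
    """Return (reachable, dead_permits). reachable lists
    (proto, mapped_port, real_ip, real_port) the Internet can actually hit;
    dead_permits lists ACE text whose destination has no translation."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    statics = [s for s in (parse_static(l, outside_ip) for l in lines) if s]
    aces = [a for a in (parse_ace(l, outside_ip) for l in lines)
            if a and a.name == acl_name]
    reachable, dead = [], []
    for ace in aces:
        if ace.action != "permit":
            continue
        hits = [s for s in statics if translates(s, ace)]
        if not hits:
            dead.append(ace.text)
        for s in hits:
            reachable.append((s.proto or ace.proto, ace.dst_port or s.mapped_port,
                              s.real_ip, s.real_port or ace.dst_port))
    return reachable, dead


OUTSIDE_IP = "12.214.95.51"   # DHCP-assigned outside address quoted in the thread

# Constructed sample: the accepted answer's statics with the OLD ACL left in place.
# 203.0.113.10 stands in for the masked yyy.yyy.yyy.yyy address.
STALE_ACL = """
static (dmz,outside) tcp interface 80 10.0.10.3 80
static (dmz,outside) tcp interface 5900 10.0.10.3 5900
static (dmz,outside) tcp interface 53 10.0.10.3 53
static (dmz,outside) udp interface 53 10.0.10.3 53
access-list outsidedmz extended permit tcp any host 203.0.113.10 eq www
access-list outsidedmz extended permit tcp any host 203.0.113.10 eq https
access-list outsidedmz extended permit tcp any host 203.0.113.10 eq ftp
access-group outsidedmz in interface outside
"""

# Same statics, ACL rewritten for the interface address.
FIXED_ACL = STALE_ACL.replace("host 203.0.113.10", "interface outside")

if __name__ == "__main__":
    for label, cfg in (("stale ACL", STALE_ACL), ("fixed ACL", FIXED_ACL)):
        reach, dead = audit(cfg, OUTSIDE_IP, "outsidedmz")
        print(label, "reachable:", reach)
        print(label, "dead permits:", dead)
```

With the stale ACL nothing is reachable and all three permits are dead, which is exactly the "page cannot be displayed" symptom after the statics were changed. With the ACL pointed at the interface, only tcp/80 is published; the https and ftp permits stay dead because no static translates those ports, and the 5900, 53 and other statics are not reachable because no permit covers them, so the PATs for VNC and DNS do not by themselves expose the DMZ host.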

kwillacey Fri, 07/11/2008 - 12:25

For that you would need to change

static (inside,dmz) 10.0.20.3 10.0.0.3 netmask 255.255.255.255

to

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
