07-11-2008 08:22 AM - edited 03-11-2019 06:12 AM
Having trouble configuring web server in DMZ on ASA 5505 w/ security plus. Can access internal server from web server ok and can vnc to web server but web server can't access internet and internet users can't access web server.
07-11-2008 08:45 AM
show the configuration...
07-11-2008 09:27 AM
07-11-2008 09:47 AM
access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq www
access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq 5900
access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq 5349
access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq 5001
access-list dmztoinside extended permit tcp host 10.0.10.3 host 10.0.20.3 eq domain
access-list dmztoinside extended permit udp host 10.0.10.3 host 10.0.20.3 eq domain
access-list dmztoinside extended deny ip any 10.0.0.0 255.0.0.0
access-list dmztoinside extended permit ip 10.0.10.0 255.255.255.0 any
no nat (inside) 1 10.0.10.0 255.255.255.0
nat (dmz) 1 10.0.10.0 255.255.255.0
no static (dmz,outside) 10.0.10.3 yyy.yyy.yyy.yyy netmask 255.255.255.255
static (dmz,outside) yyy.yyy.yyy.yyy 10.0.10.3 netmask 255.255.255.255
access-list outsidedmz extended permit tcp any host yyy.yyy.yyy.yyy eq www
access-list outsidedmz extended permit tcp any host yyy.yyy.yyy.yyy eq https
access-list outsidedmz extended permit tcp any host yyy.yyy.yyy.yyy eq ftp
07-11-2008 10:09 AM
Thanks, that has part of the problem resolved: the web server in the DMZ can now access the internet. However, the internet still cannot access the web server; I still get "page cannot be displayed".
07-11-2008 10:20 AM
The configuration looks fine. Have you tried FTP? Maybe it's just an issue with browsing to the server. Try allowing remote desktop (both server and ASA) and see if that works also.
07-11-2008 10:36 AM
If I go to my internal server (10.0.20.3) I can open the web page on the DMZ web server 10.0.10.3 OK. I can surf the internet using IE from the DMZ web server OK. If I attempt to access the webpage http://12.214.95.51/Winnebago/index.asp I get a "page can't be displayed". That tells me the web server is OK, but requests still aren't making it to the web server. Is there any ACL to direct all web ports to port 80, as I noticed my request originated on a dynamic port when viewed with netstat -an?
Could it be that PAT needs to be configured in some way to direct HTTP traffic to web server 10.0.10.3?
07-11-2008 10:54 AM
what is yyy.yyy.yyy.yyy?
07-11-2008 10:56 AM
12.214.95.51
07-11-2008 11:02 AM
12.214.95.51
Is it a DHCP-assigned IP address on the outside interface?
07-11-2008 11:09 AM
Yes, it is supposed to be a "sticky" IP address. Media Comm uses them instead of assigning a static IP; supposedly the 5505 should always get the same IP reassigned. I have tried using the IP address assigned statically to the interface but that makes no difference: internet works but can't access web server from internet.
07-11-2008 11:11 AM
Can you verify the IP address on the interface with a show int ip bri?
07-11-2008 11:34 AM
Yes the IP 12.214.95.51 is correct when checked with the sh int ip bri command
07-11-2008 11:19 AM
so in this case
no static (dmz,outside) yyy.yyy.yyy.yyy 10.0.10.3 netmask 255.255.255.255
global (outside) 1 interface
static (dmz,outside) tcp interface 80 10.0.10.3 80
static (dmz,outside) tcp interface 5900 10.0.10.3 5900
static (dmz,outside) tcp interface 5349 10.0.10.3 5349
static (dmz,outside) tcp interface 5001 10.0.10.3 5001
static (dmz,outside) tcp interface 53 10.0.10.3 53
static (dmz,outside) udp interface 53 10.0.10.3 53
[Pls RATE if HELPS]
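An added example, not part of the thread and not Cisco tooling: a small Python check that cross-references the static PAT entries from the answer above with the `outsidedmz` ACL posted earlier, to show which ports are actually exposed to the internet. It assumes `outsidedmz` is applied inbound on the outside interface (the thread does not show the `access-group` line) and that `yyy.yyy.yyy.yyy` is the outside interface address; the sample config is assembled from lines in the thread.

```python
import re

# ASA keyword -> port number, for the names used in this thread's ACLs.
NAMED = {"www": 80, "https": 443, "ftp": 21, "domain": 53}

# Constructed sample: the static PAT lines from the accepted answer plus the
# outsidedmz ACL posted earlier. Assumption: outsidedmz is bound inbound to
# the outside interface, and yyy.yyy.yyy.yyy is that interface's address.
CONFIG = """\
static (dmz,outside) tcp interface 80 10.0.10.3 80
static (dmz,outside) tcp interface 5900 10.0.10.3 5900
static (dmz,outside) tcp interface 5349 10.0.10.3 5349
static (dmz,outside) tcp interface 5001 10.0.10.3 5001
static (dmz,outside) tcp interface 53 10.0.10.3 53
static (dmz,outside) udp interface 53 10.0.10.3 53
access-list outsidedmz extended permit tcp any host yyy.yyy.yyy.yyy eq www
access-list outsidedmz extended permit tcp any host yyy.yyy.yyy.yyy eq https
access-list outsidedmz extended permit tcp any host yyy.yyy.yyy.yyy eq ftp
"""

PAT = re.compile(r"^static \(dmz,outside\) (tcp|udp) interface (\S+) (\S+) (\S+)")
ACE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\S+)")

def port(tok):
    """Accept either a number or one of the ASA port keywords above."""
    return NAMED[tok] if tok in NAMED else int(tok)

def audit(config, acl_name, outside_ip):
    """Cross-check static PAT entries against the inbound outside ACL."""
    forwarded, permitted = {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := PAT.match(line):
            forwarded[(m[1], port(m[2]))] = (m[3], port(m[4]))
        elif (m := ACE.match(line)) and m[1] == acl_name and m[3] == outside_ip:
            permitted.add((m[2], port(m[4])))
    return {
        "reachable": {k: forwarded[k] for k in forwarded if k in permitted},
        "translated_not_permitted": sorted(set(forwarded) - permitted),
        "permitted_not_translated": sorted(permitted - set(forwarded)),
    }

if __name__ == "__main__":
    for name, value in audit(CONFIG, "outsidedmz", "yyy.yyy.yyy.yyy").items():
        print(name, value)
```

Under those assumptions only TCP 80 is both forwarded and permitted; the VNC and DNS forwards are blocked by the ACL, and the `https` and `ftp` permits have no forwarding entry behind them.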
07-11-2008 11:32 AM
That looks as if it has done it. I can't access the site from the inside but I had our store pull up the site http://12.214.95.51/winnebago/index.asp ok. Thanks for your help