DMZ Deployment problems

Answered Question
Dec 20th, 2008

I have to configure a Cisco ASA 5510 for my web server. I did all the config by the manual, but when typing my outside IP I get "page could not be found".

I enabled and configured a DMZ interface where I connected my web server (interface IP 10.0.10.1).

1. I added a NAT rule between the DMZ and inside interfaces, e.g. (10.0.10.30 -> 78.52.39.51) with PAT enabled on port 80.

2. A NAT rule between the inside and DMZ interfaces (10.0.10.0 -> 10.0.10.0).

3. An address translation rule between the outside and DMZ interfaces that translates the public IP of the DMZ to its private IP, e.g. (75.52.39.51 -> 10.10.10.30).

DMZ interface IP: 10.0.10.1

Web server IP: 10.0.10.5

Local network IP: 198.162.0.1 ->

Static outside IP, e.g.: 75.52.39.51

Help please

JORGE RODRIGUEZ Sat, 12/20/2008 - 14:14

Adem,

Review the DMZ implementation; visit this link:

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/dmz.html

It could be something simple to correct. Make sure your web server is indeed listening on port 80. Also look at the ASDM real-time log while trying to access the web server from outside; the log can provide information useful for troubleshooting the problem.

If there are still issues, please post the firewall configuration.

Regards

adem.zuberi Sun, 12/21/2008 - 04:13

I configured the ASA according to:

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/dmz.html

but no success.

Running config:

ASA Version 8.0(3)6
!
hostname ciscoasa
names
name 10.1.1.0 adrespul
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
 shutdown
 nameif DMZ
 security-level 10
 ip address 10.30.30.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif outside
 security-level 100
 ip address 212.xxx.xxx.xxx 255.255.255.248
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nadvor_access_in extended permit icmp any any
access-list nadvor_access_in extended permit tcp any eq www host 212.xxx.xxx.xxx
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
global (outside) 1 10.1.1.15-10.1.1.253 netmask 255.0.0.0
global (outside) 101 interface
global (DMZ) 200 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp interface www 10.30.30.30 www netmask 255.255.255.255
static (DMZ,inside) 10.30.30.30 xxx.xxx.xxx.xxx netmask 255.255.255.255
static (inside,DMZ) interface 10.30.30.1 netmask 255.255.255.255
access-group nadvor_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

Syslog messages:

Conn from inside:

3 Feb 24 2008 23:38:50 710003 192.168.0.8 212.xxx.xxx.xxx TCP access denied by ACL from 192.168.0.8/3764 to inside:212.xxx.xxx.xxx/80

Conn from outside:

4 Feb 24 2008 23:41:12 106023 Deny tcp src outside:77.xxx.xxx.xxx/64589 dst DMZ:212.xxx.xxx.xxx/80 by access-group "nadvor_access_in" [0x0, 0x0]

JORGE RODRIGUEZ Sun, 12/21/2008 - 07:43

Conn from outside:

4 Feb 24 2008 23:41:12 106023 Deny tcp src outside:77.xxx.xxx.xxx/64589 dst DMZ:212.xxx.xxx.xxx/80 by access-group "nadvor_access_in" [0x0, 0x0]

Remove:

no access-list nadvor_access_in extended permit tcp any eq www host 212.xxx.xxx.xxx

Add:

access-list nadvor_access_in extended permit tcp any interface outside eq www log

conn from inside:

3 Feb 24 2008 23:38:50 710003 192.168.0.8 212.xxx.xxx.xxx TCP access denied by ACL from 192.168.0.8/3764 to inside:212.xxx.xxx.xxx/80

This one is tricky, as you are trying a U-turn, or better said hairpinning, using the outside interface IP address, not a spare public IP per se.

You can try this if your web server is 10.30.30.30 in the DMZ:

static (DMZ,DMZ) 212.xxx.xxx.xxx 10.30.30.30 netmask 255.255.255.255

Please try it and post the results.

Regards
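To illustrate why the ACL fix above matters, here is a small added example (written for this thread, not Cisco's code or anything the posters wrote): a toy parser for the ASA 8.0 extended-ACE syntax that shows the posted entry's `eq www` qualifies the source port, so the inbound request logged in the 106023 message (ephemeral source port, destination port 80) never matches it. The addresses 203.0.113.1 (standing in for the masked outside interface IP) and 198.51.100.9 (standing in for the masked client) are constructed placeholders.

```python
"""Toy model of ASA 8.0 extended-ACL matching (example code for this thread,
not Cisco's implementation). Grammar modelled:
access-list NAME extended ACTION PROTO SRC [eq PORT] DST [eq PORT] [log]"""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
OUTSIDE_IF_IP = "203.0.113.1"   # constructed stand-in for 212.xxx.xxx.xxx

def _operand(toks, i):
    """Consume one address operand (plus optional 'eq PORT') at toks[i]."""
    if toks[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif toks[i] == "host":
        net, i = ipaddress.ip_network(toks[i + 1]), i + 2
    elif toks[i] == "interface":      # 'interface NAME' = that interface's IP
        net, i = ipaddress.ip_network(OUTSIDE_IF_IP), i + 2
    else:                             # 'ADDR MASK'
        net, i = ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2
    port = None
    if i < len(toks) and toks[i] == "eq":   # 'eq' binds to the operand before it
        port, i = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1]), i + 2
    return net, port, i

def parse_ace(line):
    toks = line.split()
    action, proto = toks[3], toks[4]
    src, sport, i = _operand(toks, 5)
    dst, dport, _ = _operand(toks, i)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def ace_matches(ace, proto, src_ip, src_port, dst_ip, dst_port):
    return (ace["proto"] == proto
            and ipaddress.ip_address(src_ip) in ace["src"]
            and (ace["sport"] is None or ace["sport"] == src_port)
            and ipaddress.ip_address(dst_ip) in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == dst_port))

POSTED = f"access-list nadvor_access_in extended permit tcp any eq www host {OUTSIDE_IF_IP}"
FIXED = "access-list nadvor_access_in extended permit tcp any interface outside eq www log"
# Flow from the 106023 syslog line: client ephemeral port 64589 -> outside IP port 80.
FLOW = ("tcp", "198.51.100.9", 64589, OUTSIDE_IF_IP, 80)

def posted_ace_permits():
    return ace_matches(parse_ace(POSTED), *FLOW)   # False: requires SOURCE port 80

def fixed_ace_permits():
    return ace_matches(parse_ace(FIXED), *FLOW)    # True: DESTINATION port 80
```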

adem.zuberi Sun, 12/21/2008 - 09:10

Thanks for your reply. It works from outside after I did as you suggested, but not from inside.

Thanks again

JORGE RODRIGUEZ Sun, 12/21/2008 - 10:44

Can you post the logs from when you try connecting from inside to 212.xxx.xxx.xxx? Is the log the same as before?

JORGE RODRIGUEZ Sun, 12/21/2008 - 13:08

I have tested your configuration.

Please remove this static (but you can leave it as is if any host in the DMZ needs to reach 10.30.30.30 through the public IP):

static (DMZ,DMZ) 212.xxx.xxx.xxx 10.30.30.30 netmask 255.255.255.255

For inside hosts to reach 10.30.30.30 in the DMZ via the public IP, you need this NAT entry:

static (DMZ,inside) 212.xxx.xxx.xxx 10.30.30.30 netmask 255.255.255.255

Regards

Please rate the post if it helps.

Correct Answer
JORGE RODRIGUEZ Sun, 12/21/2008 - 15:44

Adem, could you specify whether the solution worked or not, so I can assist you further? If it worked, please rate the post as resolved.

Regards
