01-24-2009 06:55 AM - edited 03-04-2019 12:57 AM
Hello All,
When trying to access my web server inside the DMZ, I'm getting the following message in the syslog and the connection fails:
Routing failed to locate next hop for TCP from outside:174.39.117.157/1341 to dmz:97.166.121.101/80
Appreciate any help with this.....
01-24-2009 08:37 AM
could you please post relevant config?
01-24-2009 08:16 AM
What is your IOS Software version and release?
I am not exactly sure prior to which version, but in some software releases you should add static routes for the hosted web server in the DMZ pointed to the DMZ interface, besides of course having your NAT correctly configured with the appropriate interface access-list to permit the traffic from outside to the DMZ.
HTH
Mohamed
01-24-2009 02:19 PM
I was able to fix that prior problem, but maybe you can help with this one.
If I use Outlook to send or receive email from the inside VLAN through the outside VLAN, I get the following syslog message:
6 Jan 24 2009 16:32:36 106015 75.180.132.77 98.122.121.101 Deny TCP (no connection) from 75.180.132.77/110 to xx.yyy.121.101/1502 flags RST ACK on interface outside
xx.yyy.121.101 is my outside IP address
75.180.132.77 is the roadrunner mail provider which I send mail through.
If I send mail from outside, it is received by my mail server in the DMZ VLAN.
My Config:
ciscoasa> ena
Password:
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name my.domain.com
enable password :*** Removed by me ***encrypted
passwd :*** Removed by me ***.:*** Removed by me ***encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name my.domain.com
access-list outside_access_in extended permit tcp any host xx.yyy.121.101
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www 192.168.8.2 www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.8.2 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 192.168.8.2 pop3 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 192.168.8.2 98.122.121.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.yyy.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*** Removed by me ***
: end
Thanks in advance.....
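The two log messages quoted in this thread, parsed and triaged in Python as an added example (this is not code from the original posts or from Cisco). It pulls the endpoints out of the "Routing failed to locate next hop" line and the 106015 "Deny TCP (no connection)" line, attaches a short verdict to each, and counts sources that repeatedly trigger no-connection denies. The sample lines other than the two from the thread, the repeat threshold, and the verdict wording are constructed assumptions.

```python
"""Parse and triage the two ASA syslog messages quoted in this thread (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Routing failed to locate next hop for TCP from outside:A/p to dmz:B/q"
_EP = r"(?P<{n}_if>\w+):(?P<{n}_ip>[\w.]+)/(?P<{n}_port>\d+)"
ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from "
    + _EP.format(n="src") + r" to " + _EP.format(n="dst")
)

# "Deny TCP (no connection) from A/p to B/q flags RST ACK on interface outside"
# The ASDM-style prefix (severity, date, time, 106015, src, dst) is skipped by search().
NO_CONN_RE = re.compile(
    r"Deny (?P<proto>\w+) \(no connection\) from (?P<src_ip>[\w.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ip>[\w.]+)/(?P<dst_port>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)


@dataclass
class Event:
    kind: str        # "route-fail" or "no-conn"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    iface: str       # egress interface (route-fail) or ingress interface (no-conn)
    flags: str = ""
    verdict: str = ""


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for the two message types, or None for any other line."""
    m = ROUTE_FAIL_RE.search(line)
    if m:
        ev = Event("route-fail", m["proto"], m["src_ip"], int(m["src_port"]),
                   m["dst_ip"], int(m["dst_port"]), m["dst_if"])
        # The packet got past ACL and NAT, but no route covers the destination on
        # the named interface: check the routing table and the static for that host.
        ev.verdict = (f"no route to {ev.dst_ip} via interface {ev.iface}; "
                      f"verify the route and the static translation for that host")
        return ev
    m = NO_CONN_RE.search(line)
    if m:
        ev = Event("no-conn", m["proto"], m["src_ip"], int(m["src_port"]),
                   m["dst_ip"], int(m["dst_port"]), m["iface"], m["flags"].strip())
        flags = set(ev.flags.split())
        # 106015 is logged for non-SYN segments that match no connection entry.
        if "RST" in flags:
            ev.verdict = "late RST after the connection was torn down; benign"
        elif flags & {"FIN", "ACK"}:
            ev.verdict = "stray segment for an expired connection; check idle timeouts if frequent"
        else:
            ev.verdict = "non-SYN packet with no connection entry; review if repeated"
        return ev
    return None


def triage(lines: List[str], threshold: int = 3) -> Dict[str, object]:
    """Parse a batch of lines and list no-conn sources seen at least `threshold` times."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    per_src = Counter(ev.src_ip for ev in events if ev.kind == "no-conn")
    noisy = sorted(ip for ip, n in per_src.items() if n >= threshold)
    return {"events": events, "noisy_sources": noisy}


# Constructed sample: the two lines quoted in the thread plus three made-up
# no-connection lines from one source (TEST-NET address) to exercise the repeat counter.
SAMPLE_LINES = [
    "Routing failed to locate next hop for TCP from outside:174.39.117.157/1341 to dmz:97.166.121.101/80",
    "6 Jan 24 2009 16:32:36 106015 75.180.132.77 98.122.121.101 Deny TCP (no connection) "
    "from 75.180.132.77/110 to xx.yyy.121.101/1502 flags RST ACK on interface outside",
    "Deny TCP (no connection) from 198.51.100.9/40000 to xx.yyy.121.101/80 flags ACK on interface outside",
    "Deny TCP (no connection) from 198.51.100.9/40001 to xx.yyy.121.101/80 flags ACK on interface outside",
    "Deny TCP (no connection) from 198.51.100.9/40002 to xx.yyy.121.101/80 flags FIN ACK on interface outside",
    "some unrelated syslog line",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for ev in result["events"]:
        print(f"{ev.kind:10} {ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port} "
              f"[{ev.iface}] {ev.verdict}")
    print("noisy sources:", result["noisy_sources"])
```

Run as a script, the thread's 106015 line comes out as a late RST ACK from the POP3 server's port 110, which is what the verdict marks as benign; the routing line is tagged with the DMZ interface and destination so the route and static for that host can be checked, which is the fix the replies point at.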
01-24-2009 05:27 PM
Is 98.122.121.101 your outside address? If so, I was able to access www, smtp and pop3.
regards,