02-23-2009 07:10 AM - edited 03-11-2019 07:55 AM
I'm in the testing phase of setting up an ASA 5520 and I'm having some issues getting the Outside network to talk to the DMZ. I set up a test using a web server on 172.20.175.110 (SCADADEV01) and I thought I had it NATed correctly and had the right ACL, but I cannot seem to get to it from the test computer 10.80.1.16. Can you give me a little help? Attached is the config file.
02-23-2009 07:18 AM
Your NAT is incorrect, and your outside acl is incorrect.
I would configure something like - for testing:-
static (DMZ,outside) tcp interface www 172.20.175.110 www netmask 255.255.255.255
Then write the acl
access-list outside_access_in permit tcp any interface outside eq 80
HTH>
02-23-2009 08:02 AM
02-23-2009 08:09 AM
OK - when you say it did not work, how did you test it?
What debugging did you have enabled?
02-23-2009 08:39 AM
I simply opened up a browser on the outside client computer (10.80.1.16) and typed in the url 172.20.175.110 and it timed out. Doing this same test from a computer on the inside network works fine. How do you suggest I debug this?
02-23-2009 08:44 AM
OK - firstly,
You are typing the wrong IP address. You are NATting on the firewall, so you will not be able to connect to the DMZ IP address, as this is not known on the outside.
Test again using the IP address "10.80.1.15"
Secondly - enable logging, then check the logs. You can also check to see if your access list is being hit - show access-list. Then you should check connectivity locally from a device in the DMZ.
HTH>
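As an added illustration of the two answers above (the static PAT plus outside ACL suggested at 07:18, and the explanation at 08:44 of why the DMZ address is not reachable from the outside), here is a small Python model of how an ASA of that era handles an inbound packet on the outside interface: the outside ACL is checked against the mapped (outside) address, then the static translation is applied. This is example code written for this thread, not ASA code or anything from Cisco; the addresses and ports are the ones quoted in the thread, and the evaluation order assumes pre-8.3 ASA behaviour. The hit counter mimics what `show access-list` would reveal.

```python
# Added example, not part of the original thread: a model of ASA static PAT
# plus an outside-interface ACL. Assumptions: pre-8.3 ASA semantics (ACL is
# evaluated against the mapped address before translation), and the addresses
# quoted in the thread.
from dataclasses import dataclass
import ipaddress

OUTSIDE_IF_IP = "10.80.1.15"     # ASA outside interface address (the "interface" keyword)
DMZ_SERVER = "172.20.175.110"    # SCADADEV01, the real address in the DMZ
OUTSIDE_CLIENT = "10.80.1.16"    # the test computer on the outside


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Ace:
    """One access-control entry, with a hit counter like 'show access-list'."""
    proto: str
    src_net: str
    dst_ip: str
    dport: int
    action: str
    hits: int = 0

    def matches(self, pkt):
        return (pkt.proto == self.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and pkt.dst == self.dst_ip
                and pkt.dport == self.dport)


# static (DMZ,outside) tcp interface www 172.20.175.110 www netmask 255.255.255.255
# -> mapped socket (outside IP, 80) translates to real socket (DMZ server, 80)
STATIC_PAT = {("tcp", OUTSIDE_IF_IP, 80): (DMZ_SERVER, 80)}

# access-list outside_access_in permit tcp any interface outside eq 80
OUTSIDE_ACL = [Ace("tcp", "0.0.0.0/0", OUTSIDE_IF_IP, 80, "permit")]


def acl_lookup(acl, pkt):
    """First-match ACL evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            ace.hits += 1
            return ace.action
    return "deny"


def inbound_from_outside(pkt):
    """Return (verdict, translated packet or None, reason) for a packet
    arriving on the outside interface."""
    if acl_lookup(OUTSIDE_ACL, pkt) != "permit":
        return ("drop", None, f"outside_access_in has no permit for {pkt.dst}:{pkt.dport}")
    key = (pkt.proto, pkt.dst, pkt.dport)
    if key not in STATIC_PAT:
        return ("drop", None, f"no static translation for {pkt.dst}:{pkt.dport}")
    real_ip, real_port = STATIC_PAT[key]
    return ("forward", Packet(pkt.src, real_ip, real_port, pkt.proto), "static PAT applied")


def show_access_list():
    """Rows of (ACE text, hit count), in the spirit of 'show access-list'."""
    return [(f"{a.action} {a.proto} {a.src_net} -> {a.dst_ip} eq {a.dport}", a.hits)
            for a in OUTSIDE_ACL]


if __name__ == "__main__":
    # Browsing to the DMZ address from the outside is dropped; the mapped
    # address on the outside interface is permitted and translated.
    for dst in (DMZ_SERVER, OUTSIDE_IF_IP):
        verdict, translated, why = inbound_from_outside(Packet(OUTSIDE_CLIENT, dst, 80))
        tail = f"  real dest {translated.dst}:{translated.dport}" if translated else ""
        print(f"{OUTSIDE_CLIENT} -> {dst}:80  {verdict}  ({why}){tail}")
    for line, hits in show_access_list():
        print(f"access-list outside_access_in {line} (hitcnt={hits})")
```

Running it shows the request to 172.20.175.110 being dropped with no ACE hit, and the request to 10.80.1.15:80 being permitted and forwarded to the DMZ server, which is the same picture the hit counters from `show access-list` give on the real box.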
02-23-2009 08:57 AM
Yes, typing in 10.80.1.15 was successful from the outside client computer. I apologize for how green I am in doing this. Thanks for your patience. I will also follow your other suggestions. I think I can use the web example to fix the other connectivity problems I'm having. I appreciate the help.
02-23-2009 08:59 AM
I simply opened up a browser on the outside client computer (10.80.1.16) and typed in the url 172.20.175.110 and it timed out. Doing this same test from a computer on the inside network works fine. How do you suggest I debug this?
02-23-2009 09:09 AM
Should I ignore this post? As I think I have already answered it?
02-23-2009 09:28 AM
Yes. Ignore it. Not sure how it got sent.
02-23-2009 11:56 AM
np - glad to help