Need Help getting Outside network to talk to DMZ

tharris
Level 1

I'm in the testing phase of setting up an ASA 5520 and I'm having some issues getting the Outside network to talk to the DMZ. I set up a test using a web server on 172.20.175.110 (SCADADEV01) and I thought I had it NATed correctly and had the right ACL but I cannot seemed to get to from the test computer 10.80.1.16. Can you give me a little help. Attached is the config file.

10 Replies

andrew.prince
Level 10

Your NAT is incorrect, and your outside acl is incorrect.

I would configure something like this, for testing:

static (DMZ,outside) tcp interface www 172.20.175.110 www netmask 255.255.255.255

Then write the acl

access-list outside_access_in permit tcp any interface outside eq 80

HTH

I simplified the config and tried your suggestion. But no joy. Attached is the modified config.

OK - when you say it did not work, how did you test it?

What debugging did you have enabled?

I simply opened up a browser on the outside client computer (10.80.1.16) and typed in the url 172.20.175.110 and it timed out. Doing this same test from a computer on the inside network works fine. How do you suggest I debug this?

OK - firstly,

You are typing the wrong IP address. You are NATing on the firewall, so you will not be able to connect to the DMZ IP address, as this is not known on the outside.

Test again using the IP address "10.80.1.15"

Secondly, enable logging, then check the logs. You can also check to see if your access-list is being hit with "show access-list". Then you should check connectivity locally from a device in the DMZ.

HTH
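Added example, not part of the thread: a small Python model of how the ASA handles an inbound outside-to-DMZ connection under the two lines suggested above, in the pre-8.3 syntax the thread uses, where the outside interface ACL is matched against the mapped (public) destination and the static PAT entry then supplies the real DMZ address. It assumes the outside interface address is 10.80.1.15 (the address that worked in the thread); the config text is constructed from the two lines posted.

```python
# Assumption: outside interface address from the thread; config constructed
# from the two lines andrew.prince posted (ASA pre-8.3 syntax).
OUTSIDE_IF_IP = "10.80.1.15"
CONFIG = """
static (DMZ,outside) tcp interface www 172.20.175.110 www netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 80
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def port(tok):
    """Resolve an ASA port keyword or number to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse(config, outside_ip=OUTSIDE_IF_IP):
    """Return ({(mapped_ip, mapped_port): (real_ip, real_port)}, [(dst_ip, dst_port)])."""
    statics, acl = {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "static" and t[2] == "tcp":
            # static (real_if,mapped_if) tcp {mapped_ip|interface} <mport> <real_ip> <rport> ...
            mapped_ip = outside_ip if t[3] == "interface" else t[3]
            statics[(mapped_ip, port(t[4]))] = (t[5], port(t[6]))
        elif t[0] == "access-list" and t[2:5] == ["permit", "tcp", "any"]:
            # access-list <name> permit tcp any {interface outside | host <ip>} eq <port>
            dst_ip = outside_ip if t[5] == "interface" else t[6]
            acl.append((dst_ip, port(t[8])))
    return statics, acl


def reach(statics, acl, dst_ip, dst_port):
    """Classify an inbound TCP connection attempt from the outside client."""
    # The inbound ACL is checked on the mapped address, before un-translation.
    if (dst_ip, dst_port) not in acl:
        return "denied by outside_access_in"
    real = statics.get((dst_ip, dst_port))
    if real is None:
        return "no static translation for %s:%d, dropped" % (dst_ip, dst_port)
    return "forwarded to %s:%d" % real


if __name__ == "__main__":
    statics, acl = parse(CONFIG)
    for dst in ("172.20.175.110", OUTSIDE_IF_IP):  # what tharris typed, then the fix
        print(dst, "->", reach(statics, acl, dst, 80))
```

Running it shows the DMZ address typed from outside is never matched by either line, while the outside interface address on port 80 is permitted and translated to 172.20.175.110.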

Yes, typing in 10.80.1.15 was successful from the outside client computer. I apologize for how green I am in doing this. Thanks for your patience. I will also follow your other suggestions. I think I can use the web example to fix the other connectivity problems I'm having. I appreciate the help.

I simply opened up a browser on the outside client computer (10.80.1.16) and typed in the url 172.20.175.110 and it timed out. Doing this same test from a computer on the inside network works fine. How do you suggest I debug this?

Should I ignore this post? As I think I have already answered it?

Yes. Ignore it. Not sure how it got sent.

np - glad to help
