We have a new ASA5505 with the Security Plus Unlimited License. We are trying to set up two web servers in our DMZ with PUBLIC IP addresses (as required by our application). These machines CANNOT be NAT'ed in the DMZ.
Network Space (IPs have been sanitized from their production values):
Inside -- 192.168.2.1/24
VPN Pool -- 192.168.1.1/24
Outside -- 22.214.171.124/30 (ISP Router is 126.96.36.199)
Assigned IP Block from ISP (DMZ Addresses): 188.8.131.52/29
* As you'll see in the config, the inside addresses NAT outbound, which works perfectly.
* The DMZ hosts are configured with rules to allow inbound ICMP and HTTP traffic.
* Each server in the DMZ is using 184.108.40.206 as its gateway (which is the address bound to the DMZ interface on the ASA). The servers can ping each other as well as the gateway IP successfully.
* If you attempt to browse (HTTP) to a DMZ webserver from an outside computer, the ASA logs the traffic request (i.e.: Built inbound TCP connection 2140 for outside:220.127.116.11/37768 (18.104.22.168/37768) to dmz:22.214.171.124/80 (126.96.36.199/80)), but nothing is ever served up
* There are also quite a few deny messages in the logs for people trying to connect to SSH and FTP, which makes me believe that the firewall portion is set up properly.
The strange thing is that we cannot connect to the internet FROM either of the webservers, nor can we ping the webservers by IP from outside, nor does it appear that any traffic is making it to the servers.
Pings from the ASA to the DMZ IPs work properly if sent over the DMZ interface. If you do a ping using the outside interface, the ASA logs an error: (Routing failed to locate next hop for icmp from NP Identity Ifc:188.8.131.52/0 to outside:184.108.40.206/0)
I'm apparently missing something on the routing between the DMZ Public IP's and the outside Interface. Any assistance would be appreciated!