Routing Problem with Public IP's in DMZ on ASA5505 Sec+ Unlimited

Unanswered Question
Oct 29th, 2009

We have a new ASA5505 with the Security Plus Unlimited License. We are trying to set up two web servers in our DMZ with PUBLIC IP addresses (as required by our application). These machines CANNOT be NAT'ed in the DMZ.

Network Space (IP's have been sanitized from their production values):

Inside --

VPN Pool --

Outside -- (ISP Router is

Assigned IP Block from ISP (DMZ Addresses):

* As you'll see in the config, the inside addresses NAT outbound which works perfectly

* The DMZ hosts are configured with rules to allow inbound ICMP and HTTP traffic.

* Each server in the DMZ is using as its gateway (which is the address bound to the DMZ interface on the ASA). Each server can ping each other as well as the gateway IP successfully.

* If you attempt to browse (HTTP) to a DMZ webserver from an outside computer, the ASA logs the traffic request (i.e.: Built inbound TCP connection 2140 for outside: ( to dmz: (, but nothing is ever served up

* There's also quite a few deny messages in the logs for people trying to connect to SSH and FTP, which makes me believe that the firewall portion is setup properly.

The strange thing is that we cannot connect to the internet FROM either of the webservers, nor can we ping the webservers by IP from outside, nor does it appear that any traffic is making it to the servers.

Pings from the ASA to the DMZ IP's work properly if over the DMZ interface. If you do a ping using the outside interface, the ASA logs an error: (Routing failed to locate next hop for icmp from NP Identity Ifc: to outside:

I'm apparently missing something on the routing between the DMZ Public IP's and the outside Interface. Any assistance would be appreciated!


acomiskey Thu, 10/29/2009 - 13:15

1. Your webserver cannot browse the internet because of this...

access-list dmz_access_in extended permit icmp any object-group web_servers

access-group dmz_access_in in interface dmz

Since this acl is applied into the dmz interface, the acl is not written properly. The source address on any access list entry here would be the webservers themselves, not 'any'. Also, since the last line always is deny ip any any, your webservers won't get anywhere.

To get the pings working you need something like this instead....

access-list dmz_access_in extended permit icmp object-group web_servers any

access-group dmz_access_in in interface dmz
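The direction point in the answer above is easy to get wrong, so here is an added illustration (not from the thread or from Cisco): a small evaluator that walks an interface ACL the way the ASA does for the first packet of a new connection, top to bottom with an implicit deny at the end. The web server addresses and the destination hosts are constructed sample values, not the sanitized production addresses from the question. It shows why the original `dmz_access_in` never matches a packet that enters the dmz interface from a web server, and why the rewritten ACL does.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses for the object-group web_servers (not the thread's values).
OBJECT_GROUPS = {"web_servers": {"203.0.113.10", "203.0.113.11"}}


@dataclass
class Ace:
    """One access-list entry: action, protocol, source, destination, optional dest port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "icmp" or "tcp"
    src: str               # "any", an object-group name, or a host address
    dst: str
    dst_port: Optional[int] = None


def addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; an object-group name matches its members; else exact host."""
    if spec == "any":
        return True
    if spec in OBJECT_GROUPS:
        return addr in OBJECT_GROUPS[spec]
    return spec == addr


def ace_matches(ace: Ace, pkt: dict) -> bool:
    """Protocol 'ip' covers any protocol; a port in the ACE must equal the packet's dport."""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.dst_port is not None and pkt.get("dport") != ace.dst_port:
        return False
    return addr_matches(ace.src, pkt["src"]) and addr_matches(ace.dst, pkt["dst"])


def evaluate(acl: list, pkt: dict) -> str:
    """First matching ACE wins; an ACL applied 'in' on an interface ends with implicit deny ip any any."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The ACL as originally written in the question: source 'any', destination the web servers.
ORIGINAL_DMZ_ACL = [Ace("permit", "icmp", "any", "web_servers")]

# The corrected ACL from the answer: the web servers are the source on the dmz 'in' direction.
CORRECTED_DMZ_ACL = [
    Ace("permit", "icmp", "web_servers", "any"),
    Ace("permit", "tcp", "web_servers", "any", 80),
]

# Packets entering the dmz interface are sourced by the web servers (constructed samples).
PING_FROM_WEB = {"proto": "icmp", "src": "203.0.113.10", "dst": "198.51.100.1"}
HTTP_FROM_WEB = {"proto": "tcp", "src": "203.0.113.11", "dst": "198.51.100.1", "dport": 80}
SSH_FROM_WEB = {"proto": "tcp", "src": "203.0.113.11", "dst": "198.51.100.1", "dport": 22}


def compare() -> dict:
    """Return the verdict of both ACLs for each sample packet, keyed by packet name."""
    return {
        "ping": (evaluate(ORIGINAL_DMZ_ACL, PING_FROM_WEB), evaluate(CORRECTED_DMZ_ACL, PING_FROM_WEB)),
        "http": (evaluate(ORIGINAL_DMZ_ACL, HTTP_FROM_WEB), evaluate(CORRECTED_DMZ_ACL, HTTP_FROM_WEB)),
        "ssh": (evaluate(ORIGINAL_DMZ_ACL, SSH_FROM_WEB), evaluate(CORRECTED_DMZ_ACL, SSH_FROM_WEB)),
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:5s} original={before:6s} corrected={after}")
```

With the original ACL every packet leaving the web servers falls through to the implicit deny, which is exactly the "cannot connect to the internet FROM the webservers" symptom. The corrected list permits outbound ping and HTTP and still drops outbound SSH, which is what a least-privilege DMZ egress policy should look like. Note the evaluator models only the first packet of a connection; on the real ASA the reply traffic is admitted by the stateful connection table, not by a second ACL lookup.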

ckinsler Thu, 10/29/2009 - 14:16

Modified my config as you suggested and it still is not working properly. I still can't ping from outside, nor is inbound traffic working. Pings using the ASA on the outside interface still result in the routing failed message.

access-list inside_nat0_outbound extended permit ip

access-list outside_access_in extended permit tcp any object-group web_servers eq www

access-list outside_access_in extended permit icmp any any

access-list dmz_access_in_1 extended permit icmp object-group web_servers any

access-list dmz_access_in_1 extended permit tcp object-group web_servers any eq www

ckinsler Fri, 10/30/2009 - 15:02

Found the issue - something was wrong with the gateway configuration on the web servers. They were both set to the proper IP, but apparently were not actually using them as configured. We redid the network config, verified the default gateway, and everything works now. Very strange indeed!
