10-29-2009 12:45 PM - edited 03-11-2019 09:34 AM
We have a new ASA5505 with the Security Plus Unlimited License. We are trying to setup two web servers in our DMZ with PUBLIC IP addresses (as required by our application). These machines CANNOT be NAT'ed in the DMZ.
Network Space (IP's have been sanitized from their production values):
Inside -- 192.168.2.1/24
VPN Pool -- 192.168.1.1/24
Outside -- 71.1.2.246/30 (ISP Router is 71.1.2.245)
Assigned IP Block from ISP (DMZ Addresses): 71.1.6.160/29
* As you'll see in the config, the inside addresses NAT outbound which works perfectly
* The DMZ hosts are configured with rules to allow inbound ICMP and HTTP traffic.
* Each server in the DMZ is using 71.1.6.161 as its gateway (which is the address bound to the DMZ interface on the ASA). Each server can ping each other as well as the gateway IP successfully.
* If you attempt to browse (HTTP) to a DMZ webserver from an outside computer, the ASA logs the traffic request (i.e.: Built inbound TCP connection 2140 for outside:152.71.13.29/37768 (152.71.13.29/37768) to dmz:71.1.6.163/80 (71.1.6.163/80)), but nothing is ever served up
* There's also quite a few deny messages in the logs for people trying to connect to SSH and FTP, which makes me believe that the firewall portion is setup properly.
The strange thing is that we cannot connect to the internet FROM either of the webservers, nor can we ping the webservers by IP from outside, nor does it appear that any traffic is making it to the servers.
Pings from the ASA to the DMZ IP's work properly if over the DMZ interface. If you do a ping using the outside interface, the ASA logs an error: (Routing failed to locate next hop for icmp from NP Identity Ifc:71.1.2.246/0 to outside:71.1.6.163/0)
I'm apparently missing something on the routing between the DMZ Public IP's and the outside Interface. Any assistance would be appreciated!
Thanks!
10-29-2009 01:15 PM
1. Your webserver cannot browse the internet because of this...
access-list dmz_access_in extended permit icmp any object-group web_servers
access-group dmz_access_in in interface dmz
Since this acl is applied into the dmz interface, the acl is not written properly. The source address on any access list entry here would be the webservers themselves, not 'any'. Also, since the last line always is deny ip any any, your webservers won't get anywhere.
To get the pings working you need something like this instead....
access-list dmz_access_in extended permit icmp object-group web_servers any
access-group dmz_access_in in interface dmz
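The direction mistake pointed out above (source "any", destination the local hosts, on an ACL applied inbound to the interface those hosts live on) is easy to catch mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the ASA access-list and access-group lines quoted here and flags inbound entries whose traffic could never originate on, or never leave, the bound interface. The DMZ and inside subnets come from the original post; the membership of the web_servers object-group (71.1.6.162 and 71.1.6.163) is assumed, since only .163 appears in the log line.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interface subnets as given in the thread. The outside interface is "everything
# not local", so it is deliberately left out of this map and its ACL is skipped.
INTERFACE_NETS = {
    "dmz": ipaddress.ip_network("71.1.6.160/29"),
    "inside": ipaddress.ip_network("192.168.2.0/24"),
}

# Assumed object-group membership: .163 is the web server in the log line,
# .162 is a constructed second host.
OBJECT_GROUPS = {
    "web_servers": [ipaddress.ip_network("71.1.6.162/32"),
                    ipaddress.ip_network("71.1.6.163/32")],
}


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: Optional[List[ipaddress.IPv4Network]]  # None means "any"
    dst: Optional[List[ipaddress.IPv4Network]]
    text: str


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host A | object-group G | A MASK)
    starting at tokens[i]; return (networks or None for any, next index)."""
    tok = tokens[i]
    if tok == "any":
        return None, i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        return list(OBJECT_GROUPS[tokens[i + 1]]), i + 2
    # "A.B.C.D MASK" form; ipaddress accepts a dotted netmask after the slash.
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_config(lines):
    """Return (list of Ace, {acl name: interface it is applied inbound on})."""
    aces, bindings = [], {}
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            src, i = _parse_addr(t, 5)
            dst, _ = _parse_addr(t, i)      # trailing "eq www" etc. is ignored
            aces.append(Ace(t[1], t[3], t[4], src, dst, line.strip()))
        elif t[0] == "access-group" and t[2] == "in" and t[3] == "interface":
            bindings[t[1]] = t[4]
    return aces, bindings


def check_inbound_acls(lines) -> List[Tuple[str, str]]:
    """Flag inbound ACEs that cannot match traffic entering their interface
    from local hosts headed elsewhere. Returns (ace text, reason) pairs."""
    aces, bindings = parse_config(lines)
    findings = []
    for ace in aces:
        iface = bindings.get(ace.acl)
        local = INTERFACE_NETS.get(iface)
        if local is None:
            continue  # not bound inbound on an interface with a known subnet
        if ace.src is not None and not any(n.subnet_of(local) for n in ace.src):
            findings.append((ace.text,
                             f"source is not on {iface} ({local}); it can never "
                             f"arrive inbound there"))
        elif ace.src is None and ace.dst is not None \
                and all(n.subnet_of(local) for n in ace.dst):
            findings.append((ace.text,
                             f"only matches traffic staying inside {iface}; hosts "
                             f"on {iface} get no path out (direction reversed?)"))
    return findings


# Constructed input: the DMZ ACL as first posted, and as corrected in the reply.
ORIGINAL_DMZ_ACL = [
    "access-list dmz_access_in extended permit icmp any object-group web_servers",
    "access-group dmz_access_in in interface dmz",
]
CORRECTED_DMZ_ACL = [
    "access-list dmz_access_in extended permit icmp object-group web_servers any",
    "access-list dmz_access_in extended permit tcp object-group web_servers any eq www",
    "access-group dmz_access_in in interface dmz",
    "access-list outside_access_in extended permit tcp any object-group web_servers eq www",
    "access-group outside_access_in in interface outside",
]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_DMZ_ACL), ("corrected", CORRECTED_DMZ_ACL)):
        print(label, check_inbound_acls(cfg) or "no findings")
```

The outside ACL is left alone on purpose: inbound on outside, "any" is the right source. The check only fires for interfaces whose address space is known, which is where a reversed source/destination pair silently blackholes the local hosts' outbound traffic while still looking "permitted" in the config.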
10-29-2009 02:16 PM
Modified my config as you suggested and it still is not working properly. I still can't ping from outside, nor is inbound traffic working. Pings using the ASA on the outside interface still result in the routing failed message.
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.224
access-list outside_access_in extended permit tcp any object-group web_servers eq www
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in_1 extended permit icmp object-group web_servers any
access-list dmz_access_in_1 extended permit tcp object-group web_servers any eq www
10-30-2009 03:02 PM
Found the issue - something was wrong with the gateway configuration on the web servers. They were both set to the proper IP, but apparently were not actually using them as configured. We redid the network config, verified the default gateway, and everything works now. Very strange indeed!
10-29-2009 01:20 PM
double post for some reason...