ASA Firewall Problem DMZ access and NAT

Unanswered Question
Feb 19th, 2010


Clients in INSIDE can't access the private IPs in the DMZ zone.

Clients in INSIDE can't access the NAT IPs of servers in the DMZ and inside zones.

Can't SSH from the Internet to the outside interface.

I have the command

ssh 0.0.0.0 0.0.0.0 outside

Thanks for the great support.

Federico Coto F... Sat, 02/20/2010 - 12:44

Hi,

For clients in INSIDE to access a DMZ host, you just need dynamic NAT (if using NAT) and to verify there's no ACL on the INSIDE blocking the traffic.

To allow SSH to the outside, you also have to have the crypto RSA keys, which are derived from the name/domain of the ASA.

Could you attach the sh run?

Federico.

samart_sri Sun, 02/21/2010 - 11:24

Thank you very much, Federico.

For the SSH issue I used "crypto key generate rsa" again and it's OK.

But now clients from inside can't access the DMZ network, and client devices can't use the NAT IP to access the server [but I can use the private IP for access].

Sample:

server IP: 192.168.3.31 => NAT 110.21.12.131

Clients from inside can access 192.168.3.31 but can't access 110.21.12.131.

Clients must use the public IP because they open the website from the public web, and it uses the public IP.

I attach the show run for your analysis.

Thank you very much for the great support.

Samart

Kureli Sankar Sun, 02/21/2010 - 13:46

Samart,

The inside hosts should address the DMZ hosts NOT using the public address.

Please fix this problem and have DNS resolve to the private address and not the public one.

If this is not possible, then you can add the following.

static (dmz,inside)  110.21.12.131 192.168.3.31 net 255.255.255.255

This should work.

-KS

samart_sri Sun, 02/21/2010 - 18:08

Thanks Kusankar,

I can't have a DNS server, and I tried to use static (dmz,inside) 110.21.12.131 192.168.3.31 net 255.255.255.255, but inside clients can't access the DMZ network. Please help me. Also, the server in the inside network is NATed already; inside clients can't access it via the NAT IP [public IP] but can access it via the private IP, which is OK.

Thank you for the great support.

samart.

Federico Coto F... Sun, 02/21/2010 - 21:08

If the inside network wants to reach server 192.168.3.31 on DMZ via its public IP 110.21.12.131, then all you need is the static that KS suggested:

static (dmz,inside)  110.21.12.131 192.168.3.31

I assume from your post that the inside clients resolve the IP 110.21.12.131 for your DMZ server, and that's why you want to reach the server from the inside using the public IP...


The above static statement should do it....

Could you verify that the DNS response that you're getting for your server is the public IP?
Can you PING 110.21.12.131 from the inside network?

From the configuration it should work; if it still does not work, please use the Packet Tracer utility from the CLI or ASDM, and that will show you which process in the ASA is denying the traffic (or check the logs).

Federico.
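The two fixes discussed in this thread (the RSA key pair for SSH in Federico's first reply, and the static (dmz,inside) translation suggested by KS and confirmed by Federico above) fit together in one configuration. The following is an added example, not the poster's show run and not a configuration from the thread. It assumes the pre-8.3 ASA NAT syntax used in the thread, interfaces named inside, dmz and outside, the server 192.168.3.31 on the DMZ mapped to 110.21.12.131, an assumed inside subnet of 192.168.1.0/24, an assumed management network of 203.0.113.0/24 and a hypothetical domain name. The packet-tracer line at the end is the check Federico asks for.

```cisco
! Added example (not from the original thread). Assumptions: ASA software before 8.3,
! interfaces inside/dmz/outside, inside subnet 192.168.1.0/24, management subnet
! 203.0.113.0/24, hostname and domain name chosen here for illustration.

! --- SSH to the outside interface ---
! The RSA key pair is tied to hostname/domain-name, so set both before generating it.
! Re-running "crypto key generate rsa" is what resolved the SSH problem in the thread.
hostname ASA-EDGE
domain-name example.com
crypto key generate rsa modulus 2048
ssh version 2
ssh timeout 10
! "ssh 0.0.0.0 0.0.0.0 outside" exposes management to every Internet host; restrict it
! to the network the administrators actually come from.
ssh 203.0.113.0 255.255.255.0 outside
aaa authentication ssh console LOCAL
username admin password <set-a-strong-password> privilege 15

! --- NAT ---
! Inside hosts going to the Internet: dynamic PAT on the outside interface address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! Inside hosts going to the DMZ: identity translation, so the DMZ server sees the real
! client addresses and nat-control (if enabled) does not drop the flow.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! Server published to the Internet. The "dns" keyword rewrites A records for
! 110.21.12.131 in DNS replies crossing the ASA to 192.168.3.31 (DNS doctoring);
! it only helps when clients resolve a name, which the poster's links do not.
static (dmz,outside) 110.21.12.131 192.168.3.31 netmask 255.255.255.255 dns
! The fix from the thread: present the same public address on the inside interface,
! so inside clients can reach the DMZ server by 110.21.12.131 as well.
static (dmz,inside) 110.21.12.131 192.168.3.31 netmask 255.255.255.255

! --- Access control ---
! Before 8.3, an ACL on an interface matches the address as seen on that interface,
! i.e. the mapped (public) address, not the real DMZ address.
access-list OUTSIDE_IN extended permit tcp any host 110.21.12.131 eq www
access-list OUTSIDE_IN extended permit tcp any host 110.21.12.131 eq https
access-group OUTSIDE_IN in interface outside
! If an ACL is applied inbound on the inside interface, it must likewise permit
! host 110.21.12.131, not only 192.168.3.31.

! --- Verification (exec mode, not configuration) ---
! Trace a TCP SYN from an assumed inside client to the public address; the output
! names the phase (ACL, NAT, etc.) that drops the packet if anything is still wrong.
! packet-tracer input inside tcp 192.168.1.10 12345 110.21.12.131 80
! show xlate | include 110.21.12.131
```

Inside-to-DMZ traffic is permitted by default because inside is the higher-security interface; the usual reasons it still fails are an inside ACL written against the real address, or a missing translation for the inside source when nat-control is on, which the identity static above covers.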

samart_sri Sun, 02/21/2010 - 22:10

Thank Federico,

Because users access the website and then click a link to access the service [the link in the URL uses the public IP and does not link to the DNS name of the server]. When users are at the office they always access the website and click the link in the web page for access, rather than entering the private IP.

Thank you for the great support.

Samart.

Federico Coto F... Mon, 02/22/2010 - 13:28

Let's make sure that it is not a problem with the server itself...

With the STATIC in place, you should be able to PING the public IP from the INSIDE network. Is this working?

If not, could you post the results from the packet tracer utility?

Federico.
