ASA Firewall Problem DMZ access and NAT

Feb 19th, 2010
Clients in INSIDE can't access the private IP in the DMZ zone.

Clients in INSIDE can't access the NAT IP from the DMZ and inside zones.

Can't SSH from the internet to the outside interface.

I have the command:

ssh 0.0.0.0 0.0.0.0 outside

Thanks for the best support.

Federico Coto F... Sat, 02/20/2010 - 12:44

Hi,


For clients in INSIDE to access a DMZ host, you just need dynamic NAT (if using NAT) and to verify there's no ACL on the INSIDE blocking the traffic.


To allow SSH to the outside, you also have to have the crypto RSA keys, which are derived from the name/domain of the ASA.


Could you attach the sh run?


Federico.

samart_sri Sun, 02/21/2010 - 11:24

Thank you very much, Federico.

For the SSH issue I used "crypto key generate rsa" again and it's OK.


But now clients from inside can't access the DMZ network, and client devices can't use the NAT IP to access the server [but I can use the private IP for access].


Sample:

server ip : 192.168.3.31 => nat 110.21.12.131


Clients from inside can access 192.168.3.31 but can't access 110.21.12.131.


Clients must use the public IP because clients call the website from the public web and it uses the public IP.


I attach show run for your analysis.


Thank you very much for the best support.

Samart

Kureli Sankar Sun, 02/21/2010 - 13:46

Samart,

The inside hosts should address the DMZ hosts NOT using the public address.


Pls. fix this problem and have DNS resolve to the private address and not the public one.

If this is not possible then you can add the following.


static (dmz,inside)  110.21.12.131 192.168.3.31 net 255.255.255.255


This should work.


-KS

samart_sri Sun, 02/21/2010 - 18:08

Thank you Kusankar,


I can't have a DNS server, and I tried to use static (dmz,inside) 110.21.12.131 192.168.3.31 net 255.255.255.255, but inside's clients don't access the DMZ network. Please help me. And the server in the inside network is NATed already; inside's clients don't access them via the NAT IP [public IP] but can access via the private IP, that's OK.


Thank you for the best support.

samart.

Federico Coto F... Sun, 02/21/2010 - 21:08

If the inside network wants to reach server 192.168.3.31 on DMZ via its public IP 110.21.12.131, then all you need is the static that KS suggested:

static (dmz,inside)  110.21.12.131 192.168.3.31


I assume from your post that the inside clients resolve the IP 110.21.12.131 for your DMZ server, and that's why you want to reach the server from the inside using the public IP...


The above static statement should do it....

Could you verify that the DNS response that you're getting for your server is the public IP?
Can you PING 110.21.12.131 from the inside network?


From the configuration, it should work, if still does not work, please use the Packet Tracer utility from CLI or ASDM and that will show you which process in the ASA is denying the traffic (or check the logs)


Federico.
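To make the behaviour discussed in this thread concrete, here is an added example (not part of the thread and not Cisco's code) that models how an ASA applies a `static (real_ifc,mapped_ifc) mapped real` rule to a packet's destination before routing. It reproduces the two states described above: with only the existing `static (dmz,outside)` for the server, an inside client sending to 110.21.12.131 matches no static on the inside interface and is simply routed out the default route, so the DMZ server is never reached; once the `static (dmz,inside)` line that KS suggested is added, the destination is untranslated to 192.168.3.31 and the packet is sent towards the dmz interface. The interface names, the inside subnet 192.168.1.0/24 and the routing table are assumptions, and the whole model ignores ACLs.

```python
"""Added example (not from the thread): a small model of ASA static NAT
destination untranslation followed by routing. Interface names, the inside
subnet and the routing table are assumptions; ACLs are not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticNat:
    """One 'static (real_ifc,mapped_ifc) mapped real netmask 255.255.255.255' line."""
    real_ifc: str    # interface where the real host lives
    mapped_ifc: str  # interface whose hosts address the mapped (translated) IP
    mapped: str
    real: str


@dataclass(frozen=True)
class Route:
    prefix: str  # e.g. "0.0.0.0/0"
    egress: str  # interface the prefix is reached through


@dataclass(frozen=True)
class Decision:
    egress: Optional[str]
    dst: str      # destination after any untranslation
    reason: str


def untranslate_dst(in_ifc: str, dst: str, statics: List[StaticNat]):
    """Destination side of static NAT: a packet entering on the mapped interface
    and addressed to the mapped IP is rewritten to the real IP and sent towards
    the real interface. Statics for other interface pairs are not consulted."""
    for s in statics:
        if s.mapped_ifc == in_ifc and s.mapped == dst:
            return s.real_ifc, s.real
    return None, dst


def lookup_route(dst: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match over the routing table."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best.egress if best else None


def forward(in_ifc: str, dst: str, statics: List[StaticNat], routes: List[Route]) -> Decision:
    """Decide where a packet goes: static untranslation first, then routing."""
    egress, real_dst = untranslate_dst(in_ifc, dst, statics)
    if egress is not None:
        return Decision(egress, real_dst, f"static untranslated {dst} -> {real_dst}")
    egress = lookup_route(dst, routes)
    if egress is None:
        return Decision(None, dst, "no route")
    return Decision(egress, dst, f"no matching static on {in_ifc}; routed to {egress}")


# Constructed sample: the server from the thread, published on the outside.
ROUTES = [
    Route("0.0.0.0/0", "outside"),      # assumed default route
    Route("192.168.3.0/24", "dmz"),     # assumed DMZ subnet (connected)
    Route("192.168.1.0/24", "inside"),  # assumed inside subnet (connected)
]
BEFORE = [StaticNat("dmz", "outside", "110.21.12.131", "192.168.3.31")]
AFTER = BEFORE + [StaticNat("dmz", "inside", "110.21.12.131", "192.168.3.31")]


def check_inside_client(statics: List[StaticNat]) -> Decision:
    """What happens to an inside client sending to the server's public IP."""
    return forward("inside", "110.21.12.131", statics, ROUTES)


if __name__ == "__main__":
    for label, statics in (("before", BEFORE), ("after", AFTER)):
        d = check_inside_client(statics)
        print(f"{label}: egress={d.egress} dst={d.dst} ({d.reason})")
    # An internet client hitting the public IP uses the (dmz,outside) static either way.
    d = forward("outside", "110.21.12.131", BEFORE, ROUTES)
    print(f"outside: egress={d.egress} dst={d.dst} ({d.reason})")
```

On the real firewall the equivalent check is the packet tracer that Federico mentions; with an assumed inside client of 192.168.1.10, `packet-tracer input inside tcp 192.168.1.10 12345 110.21.12.131 80` prints each phase (including the NAT and routing lookups) and names the one that drops the packet, which is more telling than a ping alone.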

samart_sri Sun, 02/21/2010 - 22:10

Thank Federico,


Because users access the website and then click a link to access the service [the link in the URL points to the public IP, not to the DNS name of the server]; when a user is at the office they always access the website and click the link in the web page for access, they don't input the private IP to access it.


Thank you for best support.

Samart.

Federico Coto F... Mon, 02/22/2010 - 13:28

Let's make sure that it is not a problem with the server itself...


With the STATIC in place, you should be able to PING the public IP from the INSIDE network. Is this working?


If not, could you post the results from the packet tracer utility?


Federico.
