DMZ access from inside vlans

Jul 13th, 2010

Dear All,


After searching through the forum I could not find a solution and am obliged to ask for help.


I have a Cisco ASA 5510 connected to a Cisco 3560 switch which has VLANs (see configs).

I want to access the servers in the DMZ from each of the VLANs. Actually, a ping to 172.100.0.200 from the switch succeeds, but when trying the ping from a PC in the VLANs it does not succeed. A ping sourced from an SVI also does not succeed. Int Gi0/22 is connected to the inside interface of the ASA. I have tried static NAT (with IP address and access-list) without success.


Please help.

Nagaraja Thanthry (Cisco Employee) Tue, 07/13/2010 - 15:35

Hello,


You do not have NAT rules for the rest of the VLAN segments. Please try the following:


access-list nat0_outbound permit ip any 172.100.0.0 255.255.255.0


Hope this helps.


Regards,


NT

kolawole1 Wed, 07/14/2010 - 10:20

Thanks a lot. I can now access the servers in the DMZ by address only. When accessing by name, it does not work. The server URL name is mtp:8081/helpdesk. Is there any way to configure this on the ASA? Thanks.

Nagaraja Thanthry (Cisco Employee) Wed, 07/14/2010 - 10:36

Hello,


What is the location of your WINS server? If it is on the inside of the firewall, then you need to configure a static NAT rule so that the hosts can communicate with the WINS server.


static (inside,dmz) netmask 255.255.255.255


Hope this helps.


Regards,


NT
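Putting the two suggestions above together (the nat0 exemption from the first reply and the static (inside,dmz) from the second), here is an added example; it is not from the thread or from Cisco. It assumes ASA 8.2-style NAT syntax, matching the commands in the replies, interfaces named inside (192.168.104.1) and dmz (172.100.0.1/24) as in the poster's setup, and the object-group and ACL names are assumptions; WINS_SERVER_IP is a placeholder because the thread never gives the server's address. Compared with the reply's "permit ip any", it scopes the exemption to the inside subnets and restricts what the DMZ may initiate towards the inside.

```cisco
! Added example, not from the thread. ASA 8.2-style NAT syntax (pre-8.3).
! WINS_SERVER_IP is a placeholder; the thread never states the address.
!
! Inside networks allowed to reach the DMZ with their real addresses.
object-group network INSIDE_VLANS
 network-object 192.168.104.0 255.255.255.0
 network-object 172.31.0.0 255.255.255.0
!
! NAT exemption (nat 0) for inside -> DMZ. Scoped to the inside subnets
! instead of "any", so the exemption only covers address space you own.
access-list nat0_outbound extended permit ip object-group INSIDE_VLANS 172.100.0.0 255.255.255.0
nat (inside) 0 access-list nat0_outbound
!
! The ASA only knows the directly connected 192.168.104.0/24; the server
! VLAN behind the 3560 needs a route via the switch SVI.
route inside 172.31.0.0 255.255.255.0 192.168.104.2 1
!
! Identity static so DMZ hosts can reach the inside WINS/DNS server
! under its real address (the "static (inside,dmz)" from the reply).
static (inside,dmz) WINS_SERVER_IP WINS_SERVER_IP netmask 255.255.255.255
!
! The static only creates the translation. Traffic from the lower-security
! dmz to inside still needs an explicit ACL; limit it to name resolution
! towards that one host, then deny everything else aimed at the inside.
! Order matters: the deny must come after the permits for the server.
access-list dmz_in extended permit udp 172.100.0.0 255.255.255.0 host WINS_SERVER_IP eq domain
access-list dmz_in extended permit tcp 172.100.0.0 255.255.255.0 host WINS_SERVER_IP eq domain
access-list dmz_in extended permit udp 172.100.0.0 255.255.255.0 host WINS_SERVER_IP eq netbios-ns
access-list dmz_in extended deny ip any object-group INSIDE_VLANS
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
!
! Let the echo replies for the test pings back in statefully instead of
! adding "permit icmp any any" to the interface ACLs.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying it, "show xlate" should list the identity translation for the server, and "packet-tracer input inside icmp 172.31.0.10 8 0 172.100.0.200" (172.31.0.10 being any inside host) walks the NAT and ACL phases so a drop shows which rule is responsible.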

kolawole1 Wed, 07/14/2010 - 12:11

The WINS/DNS server is on the inside interface (in the server VLAN behind the 192.168.104.0 network).
For AD replication to work with other partners, the servers in the server VLAN have the IP address of the ISA server
as their default gateway, not the server VLAN SVI on the switch.


A ping from the ASA to the WINS server does not succeed even though a route was created on the ISA server for networks 192.168.104.0/24
and 172.100.0.0 that points to the server SVI on the 3560 switch.


What should I do to be able to ping from the ASA to the WINS server?

Thanks


Here is the setup:

server VLAN 172.31.0.0/24 (default gateway = ISA server IP address 172.31.0.16) ----- switch int Gi0/22 (switch IP 192.168.104.2) ----- ASA eth0/2 (IP 192.168.104.1) ----- ASA DMZ interface 172.100.0.1/24

Nagaraja Thanthry (Cisco Employee) Wed, 07/14/2010 - 14:52

Hello,


I think the first step would be to make sure that your ISA server has a route to the rest of the network. Once it has the route, I think adding that static statement I had mentioned earlier would do the trick. Please check the ISA device (or you can do a tracert from the WINS server as well) and see where the packets are getting dropped.


Regards,


NT
