ASA 5510 - outside and inside can not access web server in DMZ

cole xu
Level 1

Hello, there may be some problems with the ASA's config, but I can't find where the problems are.

Below is the basic config for this ASA:

Inside ip address : 192.168.10.1/24

Outside ip address:  120.195.153.151/26

DMZ ip address:       192.168.30.1/24

Web server ip address:  192.168.30.5/24

I want to complete the following tasks; their current status is shown below:

1. Inside ping web server: successful

2. Inside ping www.cisco.com: successful

3. DMZ ping www.cisco.com: successful

4. Inside access web sites on the web server through http://192.168.30.5: failed

5. Outside access web sites on the web server through http://120.195.153.151: failed

The detailed config is in the attached file; please help check it to find where the problems are. Thanks!


17 Replies

Jennifer Halim
Cisco Employee

You would need to remove the following line as follows:

no static (inside,DMZ) 192.168.30.0 192.168.10.0 netmask 255.255.255.0

Replace with the following:

static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

Then you would need to "clear xlate" to clear existing translation.

The above will fix issue# 4.

The following will fix issue# 5:

static (DMZ,outside) tcp interface 80 192.168.30.5 80 netmask 255.255.255.255

Then you would need to "clear xlate" to clear existing translation.

Hope that helps.

Hi, Jennifer

Thanks for your help; issue #4 is now fixed, but issue #5 still exists. I need your kind help to check again. Thanks!

1. Inside ping web server: successful

2. Inside ping www.cisco.com: successful

3. DMZ ping www.cisco.com: successful

4. Inside access web sites on the web server through http://192.168.30.5: successful

5. Outside access web sites on the web server through http://120.195.153.151: failed

Can you try using a different public ip address (public ip address that has not been used elsewhere) instead?

Remove the existing translation first:

no static (dmz,outside) tcp interface www 192.168.30.5 www netmask 255.255.255.255

Then add the following line with the spare public ip address:

static (dmz,outside) 120.195.153.x 192.168.30.5 netmask 255.255.255.255

Then "clear xlate". You might also want to "clear arp" on both the ASA and the upstream router.

I'm sorry to say that ISP only assigned one public ip address for me, I can not use any other address.

Really? Your outside subnet is /26; doesn't that mean you have the whole /26 subnet to use?

Anyway, in that case, let's continue to use the ASA interface ip address.

To troubleshoot further, please configure the following ACL line:

access-list 102 line 1 extended permit tcp any host 120.195.153.151 eq www

Then try to access it from the outside again, issue "show access-list 102", and check whether you have any hit count on the first line.

Sorry for the late reply. I've tried adding the command as you advised, but still no luck.

Below is the output of 'sh access-list 102'; the hit count is not zero.

ciscoasa# sh access-list 102
access-list 102; 4 elements
access-list 102 line 1 extended permit tcp any host 120.195.153.151 eq www (hitcnt=4)
access-list 102 line 2 extended permit icmp any any (hitcnt=682)
access-list 102 line 3 extended permit ip any any (hitcnt=145)
access-list 102 line 4 extended permit tcp any any eq www (hitcnt=0)

Can you share the output of "sh conn | i 192.168.30.5" as soon as you have tried to access it from the outside?

Ok, please refer to the following output:

ciscoasa# sh conn | i 192.168.30.5
UDP out 117.85.147.201:1316 in 192.168.30.5:2792 idle 0:00:00 bytes 1014585 flags -
TCP out 114.243.120.255:5938 in 192.168.30.5:2790 idle 0:00:40 bytes 458 flags UIO
TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB

OK, looking at this line:

TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB

Flags aB mean that the ASA is receiving the SYN packet from the outside host towards the DMZ server; however, it never receives the SYN-ACK back.

Can you check what the default gateway on the DMZ server is (please make sure that it's the ASA DMZ interface IP address)?
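As an added triage helper (not code from the thread or from Cisco), the following Python re-joins the terminal-wrapped `show conn` lines quoted above and applies the reading of the flags given in this reply; the sample input is constructed from the lines posted in the thread.

```python
import re

# Constructed sample: the `sh conn | i 192.168.30.5` output quoted in the thread, wrapped at 80 cols.
SAMPLE_SHOW_CONN = """\
ciscoasa# sh conn | i 192.168.30.5
UDP out 117.85.147.201:1316 in 192.168.30.5:2792 idle 0:00:00 bytes 1014585 flag
s -
TCP out 114.243.120.255:5938 in 192.168.30.5:2790 idle 0:00:40 bytes 458 flags U
IO
TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB
"""

# One `show conn` record. Flags per the ASA legend: B = initial SYN from outside,
# U = up (handshake done), I/O = inbound/outbound data, a = awaiting outside ACK to SYN.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out>[\d.]+:\d+) in (?P<in>[\d.]+:\d+) "
    r"idle [\d:]+ bytes (?P<bytes>\d+) flags (?P<flags>\S+)$"
)

def unwrap(output):
    """Re-join terminal-wrapped lines: TCP/UDP starts a record, the prompt echo
    is dropped, and any other line is the continuation of the previous record."""
    lines = []
    for raw in output.splitlines():
        if raw.startswith(("TCP ", "UDP ")):
            lines.append(raw)
        elif "# " not in raw and lines:
            lines[-1] += raw
    return lines

def parse_show_conn(output):
    conns = []
    for line in unwrap(output):
        m = CONN_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            conns.append(rec)
    return conns

def triage(conn):
    """The thread's reading: SYN from outside (B), never 'up' (U), zero bytes => no SYN-ACK came back."""
    if conn["proto"] != "TCP":
        return "non-TCP, no handshake state"
    if "U" in conn["flags"]:
        return "established"
    if "B" in conn["flags"] and conn["bytes"] == 0:
        return "embryonic: SYN from outside seen, no SYN-ACK from server"
    return "embryonic: flags " + conn["flags"]
```

Run `triage()` over `parse_show_conn(SAMPLE_SHOW_CONN)` to list which outside peers reached the ASA but never got an answer from the DMZ server.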

The default gateway of DMZ server is 192.168.30.1 , which is the ip address of DMZ interface.

Can you please run a packet capture on the outside and DMZ interfaces of the ASA to see where the traffic breaks?

Also, could you run packet tracer on the ASA from the outside towards the DMZ server's public IP address and make sure that it passes through OK?

Hi Jennifer,

Sorry for butting in, but I'm curious. Is the configuration mentioned above also applicable to an ASA5510 with IOS version 8.0 or 8.2?

Thanks.

I've run the following commands:

1. capture outside inter outside

2. capture dmz inter dmz

and got the output below; it seems there are no traffic breaks.

capture outside type raw-data interface outside [Capturing - 330602 bytes]
capture dmz type raw-data interface dmz [Capturing - 465476 bytes]

Please remove the existing capture first:

no capture outside type raw-data interface outside
no capture dmz type raw-data interface dmz

Please make it more specific so we can capture only the specific information:

(NB: assuming that you are testing from ip address: 117.85.147.201)

access-list cap-out permit tcp host 117.85.147.201 host 120.195.153.151

access-list cap-out permit tcp host 120.195.153.151 host 117.85.147.201


access-list cap-dmz permit tcp host 117.85.147.201 host 192.168.30.5

access-list cap-dmz permit tcp host 192.168.30.5 host 117.85.147.201

capture cap-out access-list cap-out interface outside

capture cap-dmz access-list cap-dmz interface dmz

Then test accessing the website from 117.85.147.201.

Then gather the output:

show cap cap-out

show cap cap-dmz
