New Member

ASA 5510 - outside and inside can not access web server in DMZ

Hello, there may be some problems with the ASA's config, but I can't find where the problems are.

Below is the basic config for this ASA:

Inside ip address : 192.168.10.1/24

Outside ip address:  120.195.153.151/26

DMZ ip address:       192.168.30.1/24

Web server ip address:  192.168.30.5/24

I want to complete the following tasks; their current status is as below:

1.  Inside ping Web server        successfully

2.  Inside ping www.cisco.com  successfully

3.  DMZ   ping  www.cisco.com  successfully

4.  Inside access web sites in web server through http://192.168.30.5    failed

5.  Outside access web sites in web server through http://120.195.153.151 failed

Please see the detailed config in the attached file, and kindly help check it to find where the problems are. Thanks!

17 REPLIES
Cisco Employee

Re: ASA 5510 - outside and inside can not access web server in D

You would need to remove the following line as follows:

no static (inside,DMZ) 192.168.30.0 192.168.10.0 netmask 255.255.255.0

Replace with the following:

static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

Then you would need to "clear xlate" to clear existing translation.

The above will fix issue# 4.

The following will fix issue# 5:

static (DMZ,outside) tcp interface 80 192.168.30.5 80 netmask 255.255.255.255

Then you would need to "clear xlate" to clear existing translation.

Hope that helps.
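
The two static lines above, pulled together into one 8.2-style (pre-8.3 NAT) configuration for the scenario in the question, as an added example that is not the poster's config or the answer's own text. Addresses are the ones given in the thread; the interface names, security levels, the ACL name outside_in and the use of 117.85.147.201 (the test client that appears later in the thread) for verification are assumptions. One point worth keeping in mind: the ACL 102 the poster later shows carries "permit ip any any" and "permit icmp any any"; if that ACL is the one applied inbound on the outside interface, the tcp/80 line is irrelevant, and the example below permits only what the DMZ web server needs.

```cisco
! Added example, not the poster's configuration. ASA 8.2 syntax (pre-8.3 NAT).
! Addresses from the thread: inside 192.168.10.0/24, DMZ 192.168.30.0/24,
! web server 192.168.30.5, outside interface 120.195.153.151/26.
! Interface names, security levels and the ACL name are assumptions.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 120.195.153.151 255.255.255.192
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.30.1 255.255.255.0
!
! Outbound PAT for inside and DMZ hosts to the outside interface address
! (tasks 2 and 3 in the question already worked, so this is what was in place).
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (DMZ) 1 192.168.30.0 255.255.255.0
!
! Identity NAT inside->DMZ: inside hosts reach 192.168.30.5 untranslated.
! The broken line mapped 192.168.10.0 onto 192.168.30.0, i.e. onto the DMZ
! subnet itself, which is why task 4 failed.
static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
!
! Forward only tcp/80 on the outside interface address to the web server.
! With a single public address this port-forward form is the only option;
! a full "static (DMZ,outside) <spare_ip> 192.168.30.5" would expose every
! port of the server that the outside ACL lets through.
static (DMZ,outside) tcp interface 80 192.168.30.5 80 netmask 255.255.255.255
!
! In 8.2 the inbound ACL matches the public (pre-translation) address.
! Permit tcp/80 only; no "permit ip any any" and no "permit icmp any any".
access-list outside_in extended permit tcp any host 120.195.153.151 eq www
access-group outside_in in interface outside
!
! Apply and verify: drop existing translations, then simulate the inbound
! SYN through NAT and ACL and look for the resulting connection.
clear xlate
packet-tracer input outside tcp 117.85.147.201 1378 120.195.153.151 80
show conn | include 192.168.30.5
```

The identity static between inside and DMZ only creates the translation; DMZ-initiated traffic towards inside (lower to higher security level) is still blocked unless an ACL on the DMZ interface permits it, which is the behaviour you want for a DMZ host.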

New Member

Re: ASA 5510 - outside and inside can not access web server in D

Hi, Jennifer

Thanks for your help. Now issue #4 is fixed, but issue #5 still exists. I need your kind help to check again. Thanks!

1.  Inside ping Web server        successfully

2.  Inside ping www.cisco.com  successfully

3.  DMZ   ping  www.cisco.com  successfully

4.  Inside access web sites in web server through http://192.168.30.5    successfully

5.  Outside access web sites in web server through http://120.195.153.151 failed

Cisco Employee

Re: ASA 5510 - outside and inside can not access web server in D

Can you try using a different public ip address (public ip address that has not been used elsewhere) instead?

Remove the existing translation first:

no static (dmz,outside) tcp interface www 192.168.30.5 www netmask 255.255.255.255

Then add the following line with the spare public ip address:

static (dmz,outside) 120.195.153.x 192.168.30.5 netmask 255.255.255.255

Then "clear xlate". You might also want to "clear arp" on both the ASA, and the upstream router.

New Member

Re: ASA 5510 - outside and inside can not access web server in D

I'm sorry to say that the ISP only assigned one public IP address to me; I cannot use any other address.

Cisco Employee

Re: ASA 5510 - outside and inside can not access web server in D

Really? Your outside subnet is a /26; doesn't that mean you have the whole /26 subnet to use?

Anyway, in that case, let's continue to use the ASA interface ip address.

To troubleshoot further, please configure the following ACL line:

access-list 102 line 1 extended permit tcp any host 120.195.153.151 eq www

Then try to access it from the outside again, and then issue "show access-list 102", and check if you have any hitcount on the first line.

New Member

Re: ASA 5510 - outside and inside can not access web server in D

Sorry for the late reply, I've tried to add the command as you advised, but still no luck.

Below is the output of 'sh access-list 102'; the hit count is not zero.

ciscoasa# sh access-list 102
access-list 102; 4 elements
access-list 102 line 1 extended permit tcp any host 120.195.153.151 eq www (hitcnt=4)
access-list 102 line 2 extended permit icmp any any (hitcnt=682)
access-list 102 line 3 extended permit ip any any (hitcnt=145)
access-list 102 line 4 extended permit tcp any any eq www (hitcnt=0)

Cisco Employee

Re: ASA 5510 - outside and inside can not access web server in D

Can you share the output of "sh conn | i 192.168.30.5" as soon as you tried to access it from the outside.

New Member

Re: ASA 5510 - outside and inside can not access web server in D

Ok, please refer to the following output:

ciscoasa# sh conn | i 192.168.30.5
UDP out 117.85.147.201:1316 in 192.168.30.5:2792 idle 0:00:00 bytes 1014585 flags -
TCP out 114.243.120.255:5938 in 192.168.30.5:2790 idle 0:00:40 bytes 458 flags UIO
TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB

Cisco Employee

Re: ASA 5510 - outside and inside can not access web server in D

OK, looking at this line:

TCP out 117.85.147.201:1378 in 192.168.30.5:80 idle 0:00:11 bytes 0 flags aB

Flags of aB means that ASA is receiving SYN packet from outside host towards the DMZ server, however, it never receives the SYN-ACK back.

Can you check what is the default gateway on the DMZ server (pls make sure that it's the ASA DMZ interface ip address).

New Member

Re: ASA 5510 - outside and inside can not access web server in D

The default gateway of DMZ server is 192.168.30.1 , which is the ip address of DMZ interface.

Cisco Employee

Re: ASA 5510 - outside and inside can not access web server in D

Can you please run a packet capture on the outside and dmz interface of the ASA to see where the traffic breaks.

Also, if you can run the packet tracer on the ASA from the outside towards the dmz server public ip address and make sure that it passes through OK.

New Member

Re: ASA 5510 - outside and inside can not access web server in D

Hi Jennifer,

Sorry for butting in, but I'm curious. Is the configuration mentioned above also applicable to an ASA 5510 with IOS version 8.0 or 8.2?

Thanks.

New Member

Re: ASA 5510 - outside and inside can not access web server in D

I've run the following commands:

1. capture outside inter outside

2. capture dmz inter dmz

and got the output below; it seems there are no traffic breaks.

capture outside type raw-data interface outside [Capturing - 330602 bytes]
capture dmz type raw-data interface dmz [Capturing - 465476 bytes]

Cisco Employee

Re: ASA 5510 - outside and inside can not access web server in D

Please remove the existing capture first:

no capture outside type raw-data interface outside
no capture dmz type raw-data interface dmz

Please make it more specific so we can capture only the specific information:

(NB: assuming that you are testing from ip address: 117.85.147.201)

access-list cap-out permit tcp host 117.85.147.201 host 120.195.153.151

access-list cap-out permit tcp host 120.195.153.151 host 117.85.147.201


access-list cap-dmz permit tcp host 117.85.147.201 host 192.168.30.5

access-list cap-dmz permit tcp host 192.168.30.5 host 117.85.147.201

capture cap-out access-list cap-out interface outside

capture cap-dmz access-list cap-dmz interface dmz

Then test accessing the website from 117.85.147.201.

Then gather the output:

show cap cap-out

show cap cap-dmz
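
The capture procedure above, plus the packet-tracer step from the earlier reply, as an added example that is not part of the thread. It narrows the capture ACLs to tcp/80 so the handshake is all you see, and the comments give the reading of each possible outcome. 117.85.147.201 is the thread's test client; the capture names are the ones the reply used.

```cisco
! Added example, not from the thread. Captures restricted to the tcp/80
! handshake between the test client and the web server, on both sides of
! the ASA. 117.85.147.201 is the thread's test client.
access-list cap-out permit tcp host 117.85.147.201 host 120.195.153.151 eq www
access-list cap-out permit tcp host 120.195.153.151 eq www host 117.85.147.201
access-list cap-dmz permit tcp host 117.85.147.201 host 192.168.30.5 eq www
access-list cap-dmz permit tcp host 192.168.30.5 eq www host 117.85.147.201
capture cap-out access-list cap-out interface outside
capture cap-dmz access-list cap-dmz interface dmz
!
! Browse to http://120.195.153.151 from 117.85.147.201, then:
show capture cap-out
show capture cap-dmz
!
! Each line is one packet in tcpdump style (src.port > dst.port: flags).
! Reading the two captures together:
!   nothing in cap-out at all            -> the SYN never reached the ASA:
!                                           upstream (ISP filtering tcp/80,
!                                           routing, ARP for the public address)
!   SYN in cap-out, nothing in cap-dmz   -> the ASA dropped it: NAT or ACL;
!                                           confirm with packet-tracer and
!                                           "show asp drop"
!   SYN in cap-dmz, no SYN-ACK in cap-dmz -> server side: host firewall, nothing
!                                           listening on 80, or wrong gateway
!   SYN-ACK in cap-dmz but not in cap-out -> the ASA dropped the reply; check
!                                           "show asp drop" again
packet-tracer input outside tcp 117.85.147.201 1378 120.195.153.151 80
show asp drop
!
! Remove the captures when finished; they hold buffer memory until deleted.
no capture cap-out
no capture cap-dmz
```

The first outcome (an empty outside capture while the client is trying) is the one that points away from the ASA altogether, which matches the poster's eventual finding that the ISP was filtering port 80.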

New Member

Re: ASA 5510 - outside and inside can not access web server in D

Hi, jennifer

Thanks a lot for your help. I think I have found where the problem is: I just got a reply from the telecom company, and port 80 is blocked by them.

Cisco Employee

Re: ASA 5510 - outside and inside can not access web server in D

Great, and thanks for the update.

Pls kindly mark the post as answered.

Cisco Employee

Re: ASA 5510 - outside and inside can not access web server in D

Thank you..
