Cisco Support Community

New Member

asa5510: dmz cannot access the internet

I have set up a DMZ on the ASA5510 with a web server in it. When I try to connect to the server from outside, I see the SYN packet hit the server, but the client never receives the SYN/ACK even though the server definitely sends it. That made me try to access the internet from the web server, and that didn't work either. Here is what I have:

access-list outside_in extended permit tcp any host <my public IP> eq www

access-group outside_in in interface outside

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface www 10.10.5.13 www netmask 255.255.255.255

The default route is set with:

ip address dhcp setroute

on the outside interface.

Can anyone see what might be wrong here? Thanks in advance.

P.S. The inside interface (LAN) can access the internet with no problem.

3 REPLIES
Gold

Re: asa5510: dmz cannot access the internet

At first glance, the config looks fine. What is the security level of the dmz interface? 0?

New Member

Re: asa5510: dmz cannot access the internet

Thanks for the response. Security levels are:

outside: 0

dmz: 10

inside: 100

New Member

Re: asa5510: dmz cannot access the internet

Here is an update:

I configured the web server to listen on port 5000 and added:

static (dmz,outside) tcp interface 5000 10.10.5.13 5000 netmask 255.255.255.255

access-list outside_in extended permit tcp any host <my public IP> eq 5000

And now I can access the web server from outside. I still cannot access the internet from that web server, but what confuses me is that SYN/ACK packets hit the client when using port 5000 on the server and not when using port 80. Any suggestions?
