Community Member

DMZ access

Hi,

I am not able to access the DMZ from outside. Attached is the running config of the firewall.

I think it might be some routing issue; any suggestions?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: DMZ access

You mean this IP? 1.1.27.113

Try to add this in your DMZ ACL:

access-list DMZ1_access_in extended permit ip host 192.168.5.111 any

You can make it more secure after doing the initial testing.

Secondly fix your static as per my last post.

Regards

Farrukh

11 REPLIES

Re: DMZ access

Hi,

Some questions:

- Did you try to ping your host in the DMZ from outside?

- When you try to access the host in the DMZ, do you see log messages on the firewall?

- Did you set up the default gateway on the host in the DMZ?

Best regards.

Massimiliano.

Community Member

Re: DMZ access

1. I am not able to ping from outside to the DMZ NAT IP.

2. No

3. Yes

Re: DMZ access

Hi,

- From outside, did you ping the IP address of the firewall's outside interface?

- From the host in the DMZ, do you have access to hosts on the Internet?

Re: DMZ access

First of all your access-list is wrong:

access-list DMZ1_access_in extended permit ip host 1.1.27.113 any

access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any

The 1.1.27.113 will never be seen on the DMZ side, it will only see the pre-nat local IP.

Secondly, one of your statics is incorrect:

static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255

This should be 192.168.1.101 OR

static (DMZ1,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255

Thirdly, why have you put two default routes?

Regards
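
The two mistakes named in this reply (a DMZ ACL that matches the post-NAT global address instead of the pre-NAT local one, and a static whose local address is not on the interface it is written for) and the fix given in the accepted answer (permit the local host 192.168.5.111) can both be caught mechanically. The following is an added example, not code from the thread or from Cisco: a small Python linter for an ASA 8.2-style config. The embedded config is constructed; the interface subnets (inside 192.168.1.0/24, DMZ1 192.168.5.0/24) and the static mapping 1.1.27.113 to 192.168.5.111 are assumptions inferred from the replies, since the poster's attachment is not on the page.

```python
import ipaddress
import re

# Constructed ASA 8.2-style config fragment, not the attachment from the thread.
# Interface subnets and the DMZ1 static are assumptions inferred from the replies.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 1.1.27.100 255.255.255.0
interface Vlan3
 nameif DMZ1
 ip address 192.168.5.1 255.255.255.0
access-list DMZ1_access_in extended permit ip host 1.1.27.113 any
access-list DMZ1_access_in extended permit icmp host 1.1.27.113 any
access-group DMZ1_access_in in interface DMZ1
static (inside,outside) 1.1.27.101 192.168.5.101 netmask 255.255.255.255
static (DMZ1,outside) 1.1.27.113 192.168.5.111 netmask 255.255.255.255
"""

# Only 'host' sources are parsed; 'any' and network sources are skipped.
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) host (\S+) ")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_config(text):
    """Collect interface subnets, host-source ACEs, inbound ACL bindings and statics."""
    ifaces, aces, bindings, statics = {}, {}, {}, []
    cur_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur_name = None
        elif line.startswith("nameif "):
            cur_name = line.split()[1]
        elif line.startswith("ip address ") and cur_name:
            _, _, ip, mask = line.split()[:4]
            ifaces[cur_name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := ACE_RE.match(line):
            aces.setdefault(m.group(1), []).append(
                (m.group(2), m.group(3), ipaddress.ip_address(m.group(4))))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, _ = m.groups()
            statics.append((real_if, mapped_if, ipaddress.ip_address(mapped),
                            ipaddress.ip_address(real)))
    return ifaces, aces, bindings, statics


def lint(text):
    """Return (kind, message) findings for the two mistakes discussed in the thread."""
    ifaces, aces, bindings, statics = parse_config(text)
    findings = []
    mapped_by_ip = {}  # global (post-NAT) address -> (real interface, real address)

    # Check 1: the real address of a static must live on the interface it names.
    for real_if, mapped_if, mapped, real in statics:
        mapped_by_ip[mapped] = (real_if, real)
        net = ifaces.get(real_if)
        if net is not None and real not in net:
            owner = [n for n, sub in ifaces.items() if real in sub]
            hint = (f"; {real} belongs to {owner[0]}, so use "
                    f"static ({owner[0]},{mapped_if})") if owner else ""
            findings.append(("static", f"static ({real_if},{mapped_if}) {mapped} {real}: "
                             f"real address {real} is not in {real_if} subnet {net}{hint}"))

    # Check 2: an inbound ACL on an interface sees pre-NAT (real) addresses, so an
    # ACE matching a static's global address can never match traffic there.
    for iface, acl in bindings.items():
        net = ifaces.get(iface)
        for action, proto, src in aces.get(acl, []):
            ace = f"access-list {acl} extended {action} {proto} host {src}"
            if src in mapped_by_ip:
                real_if, real = mapped_by_ip[src]
                findings.append(("ace-mapped", f"{ace} on {iface}: {src} is the mapped "
                                 f"(post-NAT) address of {real}; hosts on {iface} are seen "
                                 f"with their real address, so use 'host {real}'"))
            elif net is not None and src not in net:
                findings.append(("ace-foreign", f"{ace} on {iface}: source {src} "
                                 f"is not in {iface} subnet {net}"))
    return findings


if __name__ == "__main__":
    for kind, msg in lint(SAMPLE_CONFIG):
        print(f"[{kind}] {msg}")
```

Run against the constructed config, the linter reports the inside static as belonging on DMZ1 and both DMZ1_access_in entries as matching a post-NAT address, which is exactly the pair of changes the thread converges on. The check is deliberately limited to 8.2-style `static` syntax with `host` sources; it is a starting point, not a full ACL analyser.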

Community Member

Re: DMZ access

Hi,

Thanks a lot, I will implement the config as you said and try to ping from outside.

Regards.

Community Member

Re: DMZ access

All global IPs are responding from outside, except the DMZ NAT IP.

Community Member

Re: DMZ access

Thank you Farrukh, it is working now. I think the only problem was ACL_DMZ, and that is why it was not coming out of the FW.

Community Member

Re: DMZ access

Hi,

Just do some logging and ICMP debugging in the ASA, then post it here.

Did you try a telnet to a server?

Regards

Re: DMZ access

Omair, the issue is with the ACL and the static.

Regards

Farrukh

Community Member

Re: DMZ access

Agreed but I hope that he changed the config.
