Community Member

DMZ on ASA 8.2

Hi, 

 

I'm trying to configure a DMZ on the ASA.

Below is the configuration for the DMZ, but access from outside to the web server does not work,

and the web server can't ping the gateway (DMZ) 172.16.80.1.

What is missing in this configuration?

Thanks in Advance

11 REPLIES
Bronze

Hi,

 

enter the following command and see what the output is:

 

packet-tracer input outside tcp 10.0.0.1 1025 172.16.80.30 80

 

(assuming the router is 10.0.0.1)

 

Let me know how you get on

 

Best wishes

 

Mike

 

Bronze

Have a look at this link too:

 

http://ccie-or-null.net/2011/11/15/packet-flow-through-a-cisco-asa/

 

best wishes

 

Mike

Bronze

Ok,

That looks like access from the outside to the DMZ is good, now try the same thing in reverse, whereby you need to enter the following:

 

packet-tracer input dmz tcp 172.16.80.30 80 10.0.0.1 1025

 

and paste that in.

 

cheers

 

Mike

Community Member


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0    255.255.255.248 OUTSIDE

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 1, untranslate_hits = 172
Additional Information:
Static translate 172.16.80.30/0 to 172.16.80.30/0 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 1, untranslate_hits = 172
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44047626, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

Bronze

Hi Zak,

 

So it doesn't look like a firewall problem; just prove this completely by removing the firewall from the topology and seeing if you can ping from the router to the server successfully.

If this is OK - then it may be a NAT issue on the firewall, and you may have to NAT to a different address.

When you are trying to ping - what does the firewall log say?

 

Cheers

 

Mike

 

Community Member

I connected the laptop directly to the GE0/2 port on the ASA. I can't ping the ASA, and from the ASA I can't ping the laptop.

Bronze

Hi Zak,

 

Enter the command 'debug icmp trace' on the ASA CLI, and then try pinging directly from the laptop again - this will tell us whether the pings are even being received by the ASA. I am assuming you have modified your outside-in ACL to permit ICMP traffic to the outside interface from your laptop IP address?

If, after all, the pings are not being received - it may be worth checking the laptop you are using for testing - maybe try another one.

Of course, the main problem initially was that you couldn't browse to the web server located in the DMZ. Have you tried putting your laptop in the DMZ VLAN (80) and ensuring that you can browse to the web server without a firewall in between?

 

 

Very best wishes

 

 

Mike

Community Member

Hi mike,

I can't ping the ASA; the problem is that the laptop can't see the gateway (ASA).

--ASA--

interface GigabitEthernet0/2.80
 vlan 80
 nameif DMZ
 security-level 50
 ip address 172.16.80.1 255.255.255.0

 

--Laptop--

IP 172.16.80.10

GW. 172.16.80.1

mask 255.255.255.0

 

Bronze

Hi Zak,

 

Do you mean there is something wrong with your laptop, something wrong with the network connection between the laptop and the ASA, or that the ASA is not responding to pings?

 

Best wishes

 

Mike

Community Member

Hi Mike,

 

When I connect the laptop to the ASA, the interface on the ASA comes UP.

But I can't ping the laptop from the ASA, and vice versa.

What am I missing?

Community Member

Hi Mike,

 

 

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 0, untranslate_hits = 166
Additional Information:
NAT divert to egress interface DMZ
Untranslate 172.16.80.30/0 to 172.16.80.30/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Out-Inside in interface OUTSIDE
access-list Out-Inside extended permit tcp any host 172.16.80.30 eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 0, untranslate_hits = 166
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,OUTSIDE) 172.16.80.30 172.16.80.30 netmask 255.255.255.255
  match ip DMZ host 172.16.80.30 OUTSIDE any
    static translation to 172.16.80.30
    translate_hits = 0, untranslate_hits = 166
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44036154, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
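As an added example (not code from this thread or from Cisco), here is a small Python parser for the ASA packet-tracer output format pasted above: it splits a run into its phases, keeps each phase's quoted ACL/NAT config, and reports the first phase that drops the packet, so long traces like the two in this thread can be triaged without reading every phase. The sample run is constructed and assumes the same layout as the output above.

```python
# Constructed sample run (not from the thread) in ASA packet-tracer format; its ACL phase drops the packet.
SAMPLE = """Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Out-Inside in interface OUTSIDE
access-list Out-Inside extended deny tcp any host 172.16.80.30 eq www
Additional Information:

Result:
input-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (list of phase dicts, final Result dict) from packet-tracer output."""
    phases, result = [], {}
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if lines[0].startswith("Result:"):  # trailing summary block, not a phase
            result = {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
            continue
        phase, section = {"config": []}, None
        for line in lines:
            key, _, val = line.partition(":")
            if key in ("Phase", "Type", "Subtype", "Result"):
                phase[key.lower()] = val.strip()
            elif key == "Config":
                section = "config"  # following lines quote the matching ACL/NAT config
            elif key == "Additional Information":
                section = None
            elif section == "config":
                phase["config"].append(line.strip())
        phases.append(phase)
    return phases, result

def first_drop(text):
    """First DROP phase as (phase number, type, config lines), or None if the packet was allowed."""
    drops = [p for p in parse_packet_tracer(text)[0] if p.get("result") == "DROP"]
    return (drops[0]["phase"], drops[0]["type"], drops[0]["config"]) if drops else None
```

Paste a real run from the ASA in place of SAMPLE; the final Result block's Drop-reason line, when present, is exposed in the returned result dict.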
