New Member

DMZ's don't cooperate

Hi all, I, like many others, am having trouble with a web server in a DMZ. I can't hit it from the public side and I can't hit the public side from the DMZ web server machine. My SMTP and HTTPS to a different machine work flawlessly. Could someone please provide some suggestions?

Thanks in advance for your help:

ASA Version 7.2(3)
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.2.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 111.222.333.444 255.255.255.252
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
! Inbound policy on the outside interface: the three published ports, plus ICMP
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit icmp any any
! Policy applied inbound on the DMZ: all TCP and ICMP from the DMZ, to any destination
access-list DMZToOutside extended permit tcp any any
access-list DMZToOutside extended permit icmp any any
access-group inbound in interface outside
access-group DMZToOutside in interface DMZ
! Dynamic PAT for the inside network behind the outside interface address
global (outside) 1 interface
nat (inside) 1 10.2.10.0 255.255.255.0
! Port forwards from the outside interface address: SMTP and HTTPS to 10.2.10.11 (inside), HTTP to 10.1.1.10 (DMZ)
static (inside,outside) tcp interface smtp 10.2.10.11 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.2.10.11 https netmask 255.255.255.255
static (DMZ,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
! Default route towards the ISP
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1

Cisco Employee

The configuration looks OK to me.

Are you getting any hit counts on the inbound access-list when you try to access it from the internet?

Can you telnet on port 80 to the public IP?

Does the web server happen to have 2 NICs?

New Member

Thanks for the speedy reply.

I am seeing the hit count increment when trying to access from the internet.

Telnet to the public ip on port 80 does not connect, but does increment the hit count.

The web server has just one NIC.

I can access the web server via HTTP from the DMZ.

Cisco Employee

Assuming that your web server has ip address of 10.1.1.10, what is its subnet mask, and what is its default gateway?

New Member

IP: 10.1.1.10
Subnet mask: 255.255.255.255
Default gateway: 10.1.1.1

Cisco Employee

The subnet mask is incorrect; it should be 255.255.255.0.

New Member

Thanks, I made that change. It didn't resolve the issues. I added "nat (DMZ) 0.0.0.0 0.0.0.0" and can now browse the internet from the web server. I still can't access the web server from the public side.

Cisco Employee

You mean you added "nat (DMZ) 1 0 0" and it can browse the internet?

If you add "nat (DMZ) 0 0 0" it won't NAT it to a public IP, and the internet won't work from that host.

Please "clear xlate" and see if you can browse from the internet.
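The checks this thread walks through by hand (does every port opened by the inbound ACL have a static that maps it to a real host, does the DMZ have a nat/global pair for the connections it opens itself, and why "nat (DMZ) 0 0 0" differs from "nat (DMZ) 1 0 0") can be run mechanically over the posted configuration. The script below is an added example, not Cisco's code and not anything posted in this thread; it parses only the keywords that occur in the original post, embeds that config as its sample input, and also flags one thing nobody here raised: the DMZToOutside ACL permits TCP to any destination, which on an ASA includes the higher-security inside network.

```python
# Added example, not from the thread or from Cisco: lint an ASA 7.x config for the
# DMZ publishing mistakes discussed above. Only the keywords used in the posted config
# are parsed (interface/nameif/security-level/ip address, access-list extended,
# access-group, global, nat, and tcp/udp port-forward statics); everything else is ignored.
from collections import defaultdict

# Copied from the original post; 111.222.333.444 is the poster's placeholder address.
POSTED_CONFIG = """
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.2.10.1 255.255.255.0
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 111.222.333.444 255.255.255.252
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit icmp any any
access-list DMZToOutside extended permit tcp any any
access-list DMZToOutside extended permit icmp any any
access-group inbound in interface outside
access-group DMZToOutside in interface DMZ
global (outside) 1 interface
nat (inside) 1 10.2.10.0 255.255.255.0
static (inside,outside) tcp interface smtp 10.2.10.11 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.2.10.11 https netmask 255.255.255.255
static (DMZ,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}

def port_num(tok):
    """ASA port keyword or number -> int."""
    return PORT_NAMES.get(tok) or (int(tok) if tok.isdigit() else tok)

def take_addr(tok, i):
    """Consume one address spec (any | host A | interface IF | NET MASK) at tok[i]."""
    return ("any", i + 1) if tok[i] == "any" else ((tok[i], tok[i + 1]), i + 2)

def parse_config(text):
    cfg = {"ifaces": {}, "acls": defaultdict(list), "groups": {},
           "globals": defaultdict(set), "nats": defaultdict(list), "statics": []}
    cur = {}
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0] == "!":
            continue
        kw = tok[0]
        if kw == "interface":                              # start of an interface block
            cur = {}
        elif kw == "nameif":
            cfg["ifaces"][tok[1]] = cur                    # later lines fill the same dict
        elif kw == "security-level":
            cur["security"] = int(tok[1])
        elif kw == "ip" and tok[1] == "address":
            cur["ip"], cur["mask"] = tok[2], tok[3]
        elif kw == "access-list" and tok[2] == "extended":  # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            src, i = take_addr(tok, 5)
            dst, i = take_addr(tok, i)
            port = port_num(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            cfg["acls"][tok[1]].append({"action": tok[3], "proto": tok[4], "dst": dst, "port": port})
        elif kw == "access-group":                         # access-group NAME in interface IF
            cfg["groups"][tok[4]] = tok[1]
        elif kw == "global":                               # global (IF) ID ...
            cfg["globals"][tok[1].strip("()")].add(int(tok[2]))
        elif kw == "nat":                                  # nat (IF) ID NET MASK
            cfg["nats"][tok[1].strip("()")].append(int(tok[2]))
        elif kw == "static" and tok[2] in ("tcp", "udp"):  # static (REAL_IF,MAPPED_IF) PROTO MAPPED PORT REAL PORT ...
            real_if, mapped_if = tok[1].strip("()").split(",")
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if, "proto": tok[2],
                                   "mapped": tok[3], "mport": port_num(tok[4]), "real": tok[5]})
    return cfg

def lint(cfg, outside="outside"):
    out = []
    # 1. Each tcp/udp port the inbound ACL opens on `outside` needs a static that maps it to a
    #    real host; otherwise the ACL hit counter climbs but nothing ever answers.
    for ace in cfg["acls"].get(cfg["groups"].get(outside), []):
        if ace["action"] != "permit" or ace["proto"] not in ("tcp", "udp"):
            continue
        covered = any(s["mapped_if"] == outside and s["proto"] == ace["proto"] and s["mport"] == ace["port"]
                      and ace["dst"] in ("any", ("interface", outside) if s["mapped"] == "interface"
                                         else ("host", s["mapped"]))
                      for s in cfg["statics"])
        if not covered:
            out.append(f"inbound on {outside}: {ace['proto']}/{ace['port']} is permitted but no static maps it to a real host")
    # 2. Every other interface needs a nat/global pair for connections it opens itself. Without one,
    #    packets leave untranslated with a private source (nat-control off, the 7.x default) or are
    #    dropped (nat-control on); 'nat (IF) 0 ...' is identity NAT and keeps the private source too.
    for name in cfg["ifaces"]:
        if name == outside:
            continue
        ids = cfg["nats"].get(name, [])
        if not ids:
            out.append(f"{name}: no 'nat ({name}) <id>' rule, so hosts on {name} cannot open connections towards {outside}")
        elif all(i == 0 for i in ids):
            out.append(f"{name}: only 'nat ({name}) 0' (identity NAT); hosts reach {outside} with private source addresses")
        elif not any(i in cfg["globals"].get(outside, ()) for i in ids):
            out.append(f"{name}: nat id(s) {ids} have no matching 'global ({outside}) <id>'")
    # 3. An ACL bound to an interface replaces the security-level default, so 'permit ... any any' on a
    #    lower-security interface also admits it into every higher-security network (outside is check 1's job).
    for acl_if, acl in cfg["groups"].items():
        sec = cfg["ifaces"][acl_if]["security"]
        higher = [n for n, i in cfg["ifaces"].items() if i["security"] > sec]
        if acl_if != outside and higher and any(a["action"] == "permit" and a["dst"] == "any" for a in cfg["acls"][acl]):
            nets = ", ".join(f"{n} {cfg['ifaces'][n]['ip']}/{cfg['ifaces'][n]['mask']}" for n in higher)
            out.append(f"{acl} on {acl_if}: permit to 'any' also reaches higher-security {nets}")
    return out

if __name__ == "__main__":
    for finding in lint(parse_config(POSTED_CONFIG)):
        print("-", finding)
```

Run as-is it reports two findings for the posted config: the DMZ has no nat rule (the problem the thread eventually fixes with "nat (DMZ) 1 0 0"), and DMZToOutside lets the DMZ initiate TCP to the inside network. Appending "nat (DMZ) 0 0 0" swaps the first finding for an identity-NAT warning, appending "nat (DMZ) 1 0 0" clears it, and removing the www static produces a check-1 finding for tcp/80, which is the "hit count climbs but telnet never connects" symptom from the thread.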

New Member

My apologies, I did add "nat (DMZ) 1 0 0" and can browse the net. I've done a "clear xlate" and can still browse.

Still no luck hitting the web server from the public side, though. Is it the weekend yet?

Cisco Employee

What's the website? Maybe I'll have better luck.

Yeah... weekend already.
