Cisco Support Community

New Member

DMZ web server; traffic gets in, can't get out.

Hi,

I have a webserver in the DMZ which is accessible from the outside. However, I am unable to access the internet from the web server. Help!

17 REPLIES

Re: DMZ web server; traffic gets in, can't get out.

Hi Nathan

Add the following

nat (dmz) 101 0 0

Regards

Green

Re: DMZ web server; traffic gets in, can't get out.

You shouldn't need that as it should go out as 12.xx.xx.88. Check that it is using the correct dns server as defined in object-group ISP_DNS.

New Member

Re: DMZ web server; traffic gets in, can't get out.

I've verified the 12.xx.xx.71 address for DNS. The webserver is pointing to it for its DNS. I see the connection in the log:

6 Dec 14 2007 12:42:10 302015 12.xx.xx.71 172.16.0.176 Built outbound UDP connection 140732 for outside:12.xx.xx.71/53 (12.xx.xx.71/53) to dmz:172.16.0.176/1044 (12.xx.xx.88/1044)

But it isn't working. It's definitely a DNS problem; things are working by IP.
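Added example, not code from the thread: a small Python parser for the ASA 302015 "Built ... UDP connection" line quoted above. It pulls out both endpoints with their real and mapped addresses and checks that the DMZ host's DNS query left with the expected translated source (the static, 12.xx.xx.88). The 302016 Teardown line is a constructed sample in the assumed ASA syslog format; its byte total is what tells you whether an answer ever came back, which a Built line alone cannot.

```python
import re
from collections import namedtuple

# Octets are often scrubbed to "xx" in logs posted to forums; accept both forms.
_IP = r"(?:\d{1,3}|x{1,3})(?:\.(?:\d{1,3}|x{1,3})){3}"

def _end(n):
    # One "iface:real/port (mapped/port)" endpoint of a 302015 message.
    return (rf"(?P<{n}_if>\w+):(?P<{n}_real>{_IP})/(?P<{n}_rport>\d+)"
            rf" \((?P<{n}_map>{_IP})/(?P<{n}_mport>\d+)\)")

_BUILT_RE = re.compile(r"302015 .*?Built (?:in|out)bound UDP connection (?P<conn>\d+) for "
                       + _end("a") + " to " + _end("b"))
# A 302016 Teardown line carries the byte total for both directions of the flow.
_TEARDOWN_RE = re.compile(r"302016 .*?Teardown UDP connection \d+ for .*?"
                          r" duration [\d:]+ bytes (?P<bytes>\d+)")
Endpoint = namedtuple("Endpoint", "iface real_ip real_port mapped_ip mapped_port")

def parse_built(line):
    """Return (conn_id, endpoint_a, endpoint_b) for a 302015 line, else None."""
    if not (m := _BUILT_RE.search(line)):
        return None
    ep = lambda n: Endpoint(m[f"{n}_if"], m[f"{n}_real"], int(m[f"{n}_rport"]),
                            m[f"{n}_map"], int(m[f"{n}_mport"]))
    return int(m["conn"]), ep("a"), ep("b")

def check_dns_egress(line, dmz_host, expected_mapped):
    """Confirm the DMZ host's DNS query was built with the expected translated source."""
    if (parsed := parse_built(line)) is None:
        return False, "not a 302015 UDP Built line"
    conn_id, a, b = parsed
    dmz, peer = (a, b) if a.iface.lower() == "dmz" else (b, a)
    if dmz.iface.lower() != "dmz" or dmz.real_ip != dmz_host:
        return False, f"no dmz endpoint for {dmz_host}"
    if peer.real_port != 53:
        return False, f"peer port {peer.real_port} is not DNS"
    if dmz.mapped_ip != expected_mapped:
        return False, f"{dmz.real_ip} translated to {dmz.mapped_ip}, expected {expected_mapped}"
    return True, f"conn {conn_id}: {dmz.real_ip} -> {dmz.mapped_ip} to {peer.iface}:{peer.real_ip}/53"

def reply_seen(teardown_line, query_bytes):
    """True if the teardown byte total exceeds the query alone, i.e. an answer came back."""
    m = _TEARDOWN_RE.search(teardown_line)
    return None if m is None else int(m["bytes"]) > query_bytes

# The Built line posted in the thread, plus a constructed Teardown line for the same connection
# (302016 format assumed; a byte total equal to the query size means nothing was returned).
BUILT_LINE = ("6 Dec 14 2007 12:42:10 302015 12.xx.xx.71 172.16.0.176 Built outbound UDP connection "
              "140732 for outside:12.xx.xx.71/53 (12.xx.xx.71/53) to dmz:172.16.0.176/1044 (12.xx.xx.88/1044)")
TEARDOWN_LINE = ("6 Dec 14 2007 12:42:12 302016 12.xx.xx.71 172.16.0.176 Teardown UDP connection 140732 "
                 "for outside:12.xx.xx.71/53 to dmz:172.16.0.176/1044 duration 0:00:02 bytes 32")
```

A passing check_dns_egress only proves the query was accepted and translated on the way out; pair it with reply_seen on the matching Teardown to see whether the DNS server's answer actually made it back through the firewall.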

Re: DMZ web server; traffic gets in, can't get out.

Correct, I directly looked at NAT statements, missed the static.

Nathan, what happens when you run nslookup on the webserver and query a web site, for example www.experts-exchange.com, and can you ping 64.156.132.140?

Please post the output of nslookup

New Member

Re: DMZ web server; traffic gets in, can't get out.

nslookup returns invalid domain server. It looks like the traffic is going out to the domain server but maybe it's not getting NATed correctly coming back?

I can resolve web sites directly by IP but I don't let ICMP through.

Re: DMZ web server; traffic gets in, can't get out.

Do you have DNS max length inspection in your config? Can you post the nslookup output when you query a web site? Assuming that your inside LAN can correctly resolve DNS, try assigning the DNS server of the LAN clients to the DMZ.

New Member

Re: DMZ web server; traffic gets in, can't get out.

No max length inspection.

nslookup www.google.com > nslookup.txt

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 12.xx.xx.71

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Try assigning dns server of lan clients to dmz, the interface address?

New Member

Re: DMZ web server; traffic gets in, can't get out.

Your "outside_access_in" ACL does not allow your ISP DNS in.

Green

Re: DMZ web server; traffic gets in, can't get out.

It wouldn't have to as this is being initiated from the dmz.

New Member

Re: DMZ web server; traffic gets in, can't get out.

I don't show it hitting the ACL in the log.

Re: DMZ web server; traffic gets in, can't get out.

"Try assigning dns server of lan clients to dmz, the interface address?"

Do your clients have the IP address of the ASA interface as preferred DNS server? The ASA cannot be a DNS server and shouldn't be assigned as preferred DNS server.

Call your ISP and ask for DNS server addresses. Then assign these public DNS server addresses as preferred DNS server to your web server.

New Member

Re: DMZ web server; traffic gets in, can't get out.

I'm using the ISP-provided public DNS servers on the webserver. There's an ACL set to allow this, but nothing seems to be hitting it.

New Member

Re: DMZ web server; traffic gets in, can't get out.

Interesting. Even if it's not showing up in the log, try adding a rule to allow dns replies to outside_access_in. Other than that, all I can think of is an oddball NAT issue. Try removing the static (dmz,inside) map.

Beyond that... grab a tap and a sniffer.

Re: DMZ web server; traffic gets in, can't get out.

Nathan,

Please post the output of following command

packet-tracer input DMZ udp 172.16.0.176 domain 12.xx.xx.71 domain detailed

New Member

Re: DMZ web server; traffic gets in, can't get out.

See attached.

Re: DMZ web server; traffic gets in, can't get out.

ASA allows the traffic, nothing is wrong.

Actually I doubt that 12.xx.xx.71 is a valid DNS server

12.xx.xx.90 is your interface IP and 12.xx.xx.71 is an IP that is in your range with 255.255.255.224 mask

I recommend using another public DNS. For example

67.138.54.100

In the TCP/IP properties of your server, set 67.138.54.100 as preferred DNS server. And in the ASA, make the following modification

object-group network ISP_DNS

network-object host 67.138.54.100

Regards

New Member

Re: DMZ web server; traffic gets in, can't get out.

It's confusing because of the scrubbed config: the second and third octets of the DNS server are different from those of my /27. The DNS server has been verified working; our domain controllers are all using it from the inside interface.
