Cisco Support Community

New Member

Need Help getting Outside network to talk to DMZ

I'm in the testing phase of setting up an ASA 5520 and I'm having some issues getting the Outside network to talk to the DMZ. I set up a test using a web server on 172.20.175.110 (SCADADEV01) and I thought I had it NATed correctly and had the right ACL, but I cannot seem to get to it from the test computer 10.80.1.16. Can you give me a little help? Attached is the config file.

10 REPLIES

Re: Need Help getting Outside network to talk to DMZ

Your NAT is incorrect, and your outside acl is incorrect.

I would configure something like - for testing:-

static (DMZ,outside) tcp interface www 172.20.175.110 www netmask 255.255.255.255

Then write the acl

access-list outside_access_in permit tcp any interface outside eq 80

HTH>

New Member

Re: Need Help getting Outside network to talk to DMZ

I simplified the config and tried your suggestion. But no joy. Attached is the modified config.

Re: Need Help getting Outside network to talk to DMZ

OK - when you say it did not work, how did you test it?

What debugging did you have enabled?

New Member

Re: Need Help getting Outside network to talk to DMZ

I simply opened up a browser on the outside client computer (10.80.1.16) and typed in the url 172.20.175.110 and it timed out. Doing this same test from a computer on the inside network works fine. How do you suggest I debug this?

Re: Need Help getting Outside network to talk to DMZ

OK - firstly,

You are typing the wrong IP address. You are natting on the firewall - so you will not be able to connect to the DMZ IP address, as this is not known on the outside.

Test again using the IP address "10.80.1.15"

Secondly - enable logging, then check the logs. You can also check to see if your access is being hit - show access-list. Then you should check connectivity locally from a device in the DMZ.

HTH>
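
The checks suggested in the reply above, written out as an ASA CLI session. This is an added example, not part of the original thread: it assumes 10.80.1.15 is the outside interface address (as the reply implies), that the ACL is named outside_access_in as in the thread, and that the ASA software has packet-tracer (7.2 or later); the source port 1025 is a constructed value.

```cisco
! --- Assumption: run from privileged EXEC on the ASA under test.

! 1. Turn on logging to the local buffer so denies and connection
!    builds/teardowns are visible.
configure terminal
 logging enable
 logging buffered informational
 end

! 2. Confirm the static PAT entry exists. The entry should map
!    172.20.175.110 port 80 on the DMZ to the outside interface port 80.
show running-config static
show xlate

! 3. Confirm the ACL is actually bound to the outside interface.
!    An ACL that is defined but not applied with access-group
!    never sees traffic.
show running-config access-group

! 4. Simulate the test client's packet. The destination is the
!    translated (outside) address, not the real DMZ address, because
!    172.20.175.110 is not known on the outside.
packet-tracer input outside tcp 10.80.1.16 1025 10.80.1.15 80

! 5. Browse to http://10.80.1.15 from 10.80.1.16, then check that the
!    hit counter (hitcnt) on the permit line has increased.
show access-list outside_access_in

! 6. Read the buffered log for the matching connection or a deny entry.
show logging
```

If the packet-tracer result shows a drop, the phase it stops at (ACL or NAT) indicates which of the two statements from the first reply needs attention.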

New Member

Re: Need Help getting Outside network to talk to DMZ

Yes, typing in 10.80.1.15 was successful from the outside client computer. I apologize for how green I am in doing this. Thanks for your patience. I will also follow your other suggestions. I think I can use the web example to fix the other connectivity problems I'm having. I appreciate the help.

New Member

Re: Need Help getting Outside network to talk to DMZ

I simply opened up a browser on the outside client computer (10.80.1.16) and typed in the url 172.20.175.110 and it timed out. Doing this same test from a computer on the inside network works fine. How do you suggest I debug this?

Re: Need Help getting Outside network to talk to DMZ

Should I ignore this post? As I think I have already answered it?

New Member

Re: Need Help getting Outside network to talk to DMZ

Yes. Ignore it. Not sure how it got sent.

Re: Need Help getting Outside network to talk to DMZ

np - glad to help
