Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
0
Helpful
3
Replies

Problems with dmz-outside (nat)..on context

robert.rosa
Level 1
Level 1

‎02-28-2009 11:57 AM - edited ‎03-11-2019 07:58 AM

Hi:

Having problems trying to publish a webpage, the webserver 10.10.0.2 (on dmz), has the 1.1.1.170 (internet address).

can anyone help me?

[b]

please see the configuration:[/b]

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 131.15.3.10 RRC-PC

name 1.1.1.173 FTPSERVER-INTERNETADDRESS

name 1.1.1.170 WEBSERVER1-INTERNETADDRESS

name 1.1.1.171 WEBSERVER2-INTERNETADDRESS

name 10.10.0.2 WEBSERVER-IP-DMZ

!

interface Ethernet0

nameif OUTSIDE

security-level 0

ip address 1.1.1.172 255.255.255.248

!

interface Ethernet4

nameif DMZ

security-level 0

ip address 10.10.0.1 255.255.255.0

!

interface Ethernet5

nameif INSIDE

security-level 100

ip address 131.15.254.254 255.255.0.0

!

object-group service DM_INLINE_TCP_2 tcp

port-object eq ftp

port-object eq www

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq www

access-list DMZ_access_in extended permit tcp 10.10.0.0 255.255.255.0 131.15.0.0 255.255.0.0

access-list INSIDE_access_in extended permit ip host RRC-PC any

access-list INSIDE_access_in extended permit tcp 131.15.0.0 255.255.0.0 10.10.0.0 255.255.255.0

access-list OUTSIDE_access_in extended permit tcp any any

access-list OUTSIDE_access_in extended permit tcp any host WEBSERVER1-INTERNETADDRESS object-group DM_INLINE_TCP_1

access-list OUTSIDE_access_in extended permit tcp any host WEBSERVER2-INTERNETADDRESS object-group DM_INLINE_TCP_2

access-list OUTSIDE_access_in extended permit tcp any host FTPSERVER-INTERNETADDRESS eq ftp

pager lines 24

logging enable

logging asdm informational

mtu OUTSIDE 1500

mtu DMZ 1500

mtu INSIDE 1500

icmp unreachable rate-limit 1 burst-size 1

asdm location RRC-PC 255.255.255.255 INSIDE

asdm location WEBSERVER1-INTERNETADDRESS 255.255.255.255 INSIDE

asdm location WEBSERVER2-INTERNETADDRESS 255.255.255.255 INSIDE

asdm location FTPSERVER-INTERNETADDRESS 255.255.255.255 INSIDE

asdm location WEBSERVER-IP-DMZ 255.255.255.255 INSIDE

no asdm history enable

arp timeout 14400

global (OUTSIDE) 1 WEBSERVER1-INTERNETADDRESS netmask 255.255.255.0

global (OUTSIDE) 101 interface

static (DMZ,OUTSIDE) tcp WEBSERVER1-INTERNETADDRESS www WEBSERVER-IP-DMZ www netmask 255.255.255.255

static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0

static (INSIDE,DMZ) 131.15.0.0 131.15.0.0 netmask 255.255.0.0

access-group OUTSIDE_access_in in interface OUTSIDE

access-group DMZ_access_in in interface DMZ

access-group INSIDE_access_in in interface INSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.169 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http RRC-PC 255.255.255.255 INSIDE

no snmp-server location

no snmp-server contact

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet RRC-PC 255.255.255.255 INSIDE

telnet timeout 5

ssh timeout 5

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

Labels:
0 Helpful
3 Replies 3

adamclarkuk_2
Level 4
Level 4

‎02-28-2009 02:16 PM

When you try to connect to IP 1.1.1.170 do you get an entry in the xlate table for it (show xlate).

One other thing to check is that the server is listening on port 80 and that the default gateway has been set correctly on the server.

0 Helpful

robert.rosa
Level 1
Level 1
In response to adamclarkuk_2

‎02-28-2009 02:59 PM

XLATE command:

Global 10.10.0.0 Local 10.10.0.0

Global 131.15.0.0 Local 131.15.0.0

PAT Global WEBSERVER1-INTERNETADDRESS(80) Local WEBSERVER-IP-DMZ(80)

I'm getting error: 1258 WEBSERVER1-INTERNETADDRESS 80 Inbound TCP connection denied from 1.4.47.235/1258 to WEBSERVER1-INTERNETADDRESS/80 flags SYN on interface OUTSIDE

0 Helpful

vikram_anumukonda
Level 3
Level 3
In response to robert.rosa

‎02-28-2009 08:51 PM

you have got same security-levels on OUTSIDE and DMZ , is this something you did deliberately. If yes, you will have to issue

"same-security-traffic permit inter-interface"

if no, you might want to change the security-level on DMZ to a higher value than what is there now.

either of the above will help you connect to the webserver from outside

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card