02-28-2009 11:57 AM - edited 03-11-2019 07:58 AM
Hi:
Having problems trying to publish a webpage, the webserver 10.10.0.2 (on dmz), has the 1.1.1.170 (internet address).
can anyone help me?
[b]
please see the configuration:[/b]
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 131.15.3.10 RRC-PC
name 1.1.1.173 FTPSERVER-INTERNETADDRESS
name 1.1.1.170 WEBSERVER1-INTERNETADDRESS
name 1.1.1.171 WEBSERVER2-INTERNETADDRESS
name 10.10.0.2 WEBSERVER-IP-DMZ
!
interface Ethernet0
nameif OUTSIDE
security-level 0
ip address 1.1.1.172 255.255.255.248
!
interface Ethernet4
nameif DMZ
security-level 0
ip address 10.10.0.1 255.255.255.0
!
interface Ethernet5
nameif INSIDE
security-level 100
ip address 131.15.254.254 255.255.0.0
!
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
access-list DMZ_access_in extended permit tcp 10.10.0.0 255.255.255.0 131.15.0.0 255.255.0.0
access-list INSIDE_access_in extended permit ip host RRC-PC any
access-list INSIDE_access_in extended permit tcp 131.15.0.0 255.255.0.0 10.10.0.0 255.255.255.0
access-list OUTSIDE_access_in extended permit tcp any any
access-list OUTSIDE_access_in extended permit tcp any host WEBSERVER1-INTERNETADDRESS object-group DM_INLINE_TCP_1
access-list OUTSIDE_access_in extended permit tcp any host WEBSERVER2-INTERNETADDRESS object-group DM_INLINE_TCP_2
access-list OUTSIDE_access_in extended permit tcp any host FTPSERVER-INTERNETADDRESS eq ftp
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location RRC-PC 255.255.255.255 INSIDE
asdm location WEBSERVER1-INTERNETADDRESS 255.255.255.255 INSIDE
asdm location WEBSERVER2-INTERNETADDRESS 255.255.255.255 INSIDE
asdm location FTPSERVER-INTERNETADDRESS 255.255.255.255 INSIDE
asdm location WEBSERVER-IP-DMZ 255.255.255.255 INSIDE
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 WEBSERVER1-INTERNETADDRESS netmask 255.255.255.0
global (OUTSIDE) 101 interface
static (DMZ,OUTSIDE) tcp WEBSERVER1-INTERNETADDRESS www WEBSERVER-IP-DMZ www netmask 255.255.255.255
static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static (INSIDE,DMZ) 131.15.0.0 131.15.0.0 netmask 255.255.0.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http RRC-PC 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet RRC-PC 255.255.255.255 INSIDE
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
02-28-2009 02:16 PM
When you try to connect to IP 1.1.1.170 do you get an entry in the xlate table for it (show xlate).
One other thing to check is that the server is listening on port 80 and that the default gateway has been set correctly on the server.
02-28-2009 02:59 PM
XLATE command:
Global 10.10.0.0 Local 10.10.0.0
Global 131.15.0.0 Local 131.15.0.0
PAT Global WEBSERVER1-INTERNETADDRESS(80) Local WEBSERVER-IP-DMZ(80)
I'm getting error: 1258 WEBSERVER1-INTERNETADDRESS 80 Inbound TCP connection denied from 1.4.47.235/1258 to WEBSERVER1-INTERNETADDRESS/80 flags SYN on interface OUTSIDE
02-28-2009 08:51 PM
you have got same security-levels on OUTSIDE and DMZ , is this something you did deliberately. If yes, you will have to issue
"same-security-traffic permit inter-interface"
if no, you might want to change the security-level on DMZ to a higher value than what is there now.
either of the above will help you connect to the webserver from outside
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide