Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
481
Views
0
Helpful
1
Replies

ASA 5515X DMZ reachability issue

michaelgbenga
Level 1
Level 1

‎08-27-2014 02:29 PM - edited ‎02-21-2020 05:16 AM

Hello everyone,
I want to migrate a client network from ASA 8.2 to 9.1. Presently, the 8.2 box takes LAN users to the internet, and to a webserver in the DMZ. The DMZ server is assessed both from the LAN with a private IP address and from the internet using its public IP address. 
After translating the current 8.2 config, LAN users can assess the internet, but cannot browse the webserver in the DMZ; but 'weirdly' can ping it; so icmp is going to the webserver from the LAN, but can't be reached by http. Kindly share a sample config, if you have conquered this before. Bear in mind that NAT is different in 9.1 compared to 8.2. Here is a part of the config.

interface GigabitEthernet0/0
 nameif outsideif
 security-level 0
 ip address outside-if 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif insideif
 security-level 100
 ip address inside-if 255.255.255.248 
!
interface GigabitEthernet0/2
 nameif dmzif
 security-level 50
 ip address dmz-if 255.255.255.0 
!
object network DMZ-webserver
 host 192.168.0.4
!
object network DMZ-webserver_public_IP
 host 1XX.2X.4.13
!
access-list outsideacl extended permit tcp any object DMZ-webserver eq www
access-list dmzacl extended permit ip any any
!
nat (dmzif,outsideif) source static DMZ-webserver DMZ-webserver_public_IP
object network inside-lan_outside
 nat (insideif,outsideif) dynamic interface
route outsideif 0.0.0.0 0.0.0.0 outside-router 1
route insideif 10.0.0.0 255.0.0.0 inside-router 1

 

 

 

 

There are no other access-lists in the running config.
Many thanks in advance.

0 Helpful
1 Reply 1

Tushar Bangia
Level 1
Level 1

‎09-05-2014 04:47 AM

I understand you are new to 9.x NAT, there are couple interesting link for NAT conversion

http://www.tunnelsup.com/nat-converter/

http://www.tunnelsup.com/nat-creator/

 

Hope the above link helps!!

 

Regards,

 

Tushar Bangia

 

Please rate the post if you find it helpful!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card