Solved

Can't access DMZ from LAN using ASA 5505 with ASDM 6.2

Posted on 2009-07-10
Last Modified: 2012-05-07
Hi,

I'm new to ASA and ASDM. I have some knowledge about firewall rules and stuff. We have a split DNS setup, where an external DNS server sits in the DMZ. We have no problem accessing external sites like Google or Yahoo, but we can't seem to access the DMZ addresses. I've tried to add rules to Internet (outside) and LAN (inside), but still can't access the DMZ from the LAN.

Thanks




6	Jul 10 2009	14:12:13	106015	10.X.X.228	52966	www.mycompany.com	80	Deny TCP (no connection) from 10.X.X.228/52966 to www.mycompany.com/80 flags RST  on interface LAN

Question by:winstein2005
18 Comments
 
LVL 33

Expert Comment

by:MikeKane
Could you post your current ASA code?

It sounds like you are missing a nat command to allow the inside network to communicate with the DMZ network.

What do you have as the global command? Do you have something like:
global (dmz-interface) interface


 
LVL 1

Author Comment

by:winstein2005
I'm sorry, how do you do that using the GUI? We had a contractor set it up for us and I'm using the ASDM Java interface to change the access rules.

 
LVL 1

Author Comment

by:winstein2005
I don't know if this helps, but I managed to export the access rules in CSV format:

"Interface","#","Enabled","Source","Destination","Service","Action","Hits","Logging","Time","Description"
"DMZ (12 incoming rules)","1","True","10.x.x.208/28","any","ip","Permit","0","Default","",""
"DMZ (12 incoming rules)","2","True","secure.mycompany.com","domain_controllers","active_directory_tcp","Permit","0","Default","",""
"DMZ (12 incoming rules)","3","True","secure.mycompany.com","domain_controllers","active_directory_udp","Permit","0","Default","",""
"DMZ (12 incoming rules)","4","True","secure.mycompany.com","domain_controllers","udp/bootpc","Permit","0","Default","",""
"DMZ (12 incoming rules)","5","True","secure.mycompany.com","lan_servers_vpn","tcp/21955","Permit","0","Default","","TCP/21955 is for SharePoint"
"DMZ (12 incoming rules)","6","True","secure.mycompany.com","lan_servers_vpn","tcp/http","Permit","0","Default","",""
"DMZ (12 incoming rules)","7","True","secure.mycompany.com","lan_servers_vpn","tcp/https","Permit","0","Default","",""
"DMZ (12 incoming rules)","8","True","secure.mycompany.com","LAN_subnet/24","tcp/1433","Permit","0","Default","",""
"DMZ (12 incoming rules)","9","True","secure.mycompany.com","LAN_subnet/24","tcp/3389","Permit","0","Default","",""
"DMZ (12 incoming rules)","10","True","DMZ_subnet/25","LAN_subnet/24","ip","Deny","68","Default","",""
"DMZ (12 incoming rules)","11","True","DMZ_subnet/25","any","ip","Permit","10923","Default","",""
"DMZ (12 incoming rules)","12","","any","any","ip","Deny","","Default","","Implicit rule"
"Internet (14 incoming rules)","1","True","any","any","icmp","Permit","4558","Default","",""
"Internet (14 incoming rules)","2","True","any","ns1.mycompany.com","tcp/domain,udp/domain","Permit","13957","Default","",""
"Internet (14 incoming rules)","3","True","any","ns2.mycompany.com","tcp/domain,udp/domain","Permit","15049","Default","",""
"Internet (14 incoming rules)","4","True","any","www.mycompany.com","tcp/http,tcp/https","Permit","2159","Default","",""
"Internet (14 incoming rules)","5","False","any","www.mycompany.com","tcp/ftp,tcp/ftp-data","Permit","0","Default","",""
"Internet (14 incoming rules)","6","True","any","fg.mycompany.com","tcp/http,tcp/https","Permit","89414","Default","",""
"Internet (14 incoming rules)","7","True","any","nems.mycompany.com","tcp/http,tcp/https","Permit","29","Default","",""
"Internet (14 incoming rules)","8","True","any","www.mycompanymedia.com","tcp/http,tcp/https","Permit","134","Default","",""
"Internet (14 incoming rules)","9","True","any","secure.mycompany.com","tcp/http","Permit","1","Default","",""
"Internet (14 incoming rules)","10","True","any","secure.mycompany.com","tcp/https","Permit","0","Default","",""
"Internet (14 incoming rules)","11","True","any","hpsi.mycompany.com","tcp/http,tcp/https","Permit","341","Default","",""
"Internet (14 incoming rules)","12","True","LAN_subnet/24,LAN_legacy","hpsi.mycompany.com","tcp/ftp,tcp/ftp-data,tcp/http,tcp/https,tcp/netbios-ssn,tcp/ssh,udp/netbios-dgm,udp/netbios-ns","Permit","108","Default","","ssh and ports for samba"
"Internet (14 incoming rules)","13","True","LAN_subnet/24,LAN_legacy","nems.mycompany.com","tcp/ftp,tcp/ftp-data","Permit","0","Default","",""
"Internet (14 incoming rules)","14","","any","any","ip","Deny","","Default","","Implicit rule"
"LAN (6 incoming rules)","1","False","any","DMZ_subnet/25","ip","Permit","0","Default","",""
"LAN (6 incoming rules)","2","True","any","any","tcp-udp/domain","Permit","0","Default","",""
"LAN (6 incoming rules)","3","True","any","any","tcp/http,tcp/https","Permit","45","Default","",""
"LAN (6 incoming rules)","4","True","any","any","tcp/ftp,tcp/ftp-data","Permit","0","Default","",""
"LAN (6 incoming rules)","5","True","any","any","ip","Permit","2974","Default","",""
"LAN (6 incoming rules)","6","","any","any","ip","Deny","","Default","","Implicit rule"

 
LVL 33

Expert Comment

by:MikeKane
From ASDM, click FILE - SHOW RUNNING CONFIG IN NEW WINDOW. Take out your public IP and any passwords and post it here for review.

Thanks.
 
 
LVL 34

Expert Comment

by:Istvan Kalmar
Hi,

If you don't buy the Security Plus feature, you are not able to use the DMZ both ways; you can only reach it from outside or from inside, but not at the same time!
 
 
 
LVL 1

Author Comment

by:winstein2005
Ok, here it is.
: Saved
:
ASA Version 8.0(4)
!
hostname mycompanyfw
domain-name mycompany.com
enable password dCMzgJplARCis encrypted
passwd dCMzXJlAVRCis encrypted
names
name 38.x.x.165 fg.mycompany.com
name 38.x.x.175 nems.mycompany.com
name 38.x.x.231 secure.mycompany.com
name 38.x.x.251 ns1.mycompany.com
name 38.x.x.252 ns2.mycompany.com
name 10.x.x.7 mycompany-prime
name 10.x.x.11 mycompany-project
name 10.x.x.8 mycompany-exchange
name 10.x.x.9 mycompany-ezp
name 10.x.x.4 mycompany-www2
name 38.x.x.128 DMZ_subnet
name 10.x.x.0 LAN_subnet
name 38.x.x.139 ftp.mycompany.com
name 38.x.x.137 mail.mycompany.com
name 38.x.x.138 stg.mycompany.com
name 38.x.x.136 www.mycompany.com
name 65.x.x.56 LAN_legacy
name 38.x.x.241 LAN_out
name 38.x.x.141 www.mycompanymedia.com
name 38.x.x.217 hpsi.mycompany.com
!
interface Vlan1
 nameif LAN
 security-level 100
 ip address 10.x.x.3 255.255.255.0
!
interface Vlan2
 description Cogent L3
 nameif Internet
 security-level 0
 ip address 38.x.x.42 255.255.255.252
!
interface Vlan3
 description Cogent delegated subnet
 nameif DMZ
 security-level 25
 ip address 38.x.x.129 255.255.255.128
!
interface Ethernet0/0
 description Cogent
 switchport access vlan 2
!
interface Ethernet0/1
 description DMZ port
 switchport access vlan 3
!
interface Ethernet0/2
 description DMZ port
 switchport access vlan 3
!
interface Ethernet0/3
 description DMZ port
 switchport access vlan 3
!
interface Ethernet0/4
 description DMZ port
 switchport access vlan 3
!
interface Ethernet0/5
 description LAN port
!
interface Ethernet0/6
 description LAN port
!
interface Ethernet0/7
 description LAN port
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Internet
dns server-group DefaultDNS
 name-server 66.x.x.45
 name-server 66.x.x.61
 name-server 4.2.2.2
 name-server 4.2.2.1
 domain-name mycompany.com
object-group network domain_controllers
 network-object host mycompany-prime
 network-object host mycompany-project
object-group service active_directory_tcp tcp
 port-object eq ldap
 port-object eq netbios-ssn
 port-object eq 445
 port-object eq domain
object-group service active_directory_udp udp
 port-object eq netbios-ns
 port-object eq domain
object-group network lan_servers_vpn
 network-object host mycompany-exchange
 network-object host mycompany-ezp
 network-object host mycompany-prime
 network-object host mycompany-project
 network-object host mycompany-www2
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq domain
 service-object udp eq domain
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq domain
 service-object udp eq domain
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object LAN_subnet 255.255.255.0
 network-object host LAN_legacy
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service rdp tcp
 description Remote Desktop Protocol
 port-object eq 3389
object-group service DM_INLINE_TCP_7 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_3
 service-object tcp eq netbios-ssn
 service-object tcp eq ssh
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq ftp
 service-object tcp eq ftp-data
object-group network DM_INLINE_NETWORK_3
 network-object LAN_subnet 255.255.255.0
 network-object host LAN_legacy
object-group service DM_INLINE_TCP_8 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_10 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_9 tcp
 port-object eq www
 port-object eq https
access-list outside_in extended permit icmp any any
access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host ns1.mycompany.com
access-list outside_in extended permit object-group DM_INLINE_SERVICE_2 any host ns2.mycompany.com
access-list outside_in extended permit tcp any host www.mycompany.com object-group DM_INLINE_TCP_5
access-list outside_in extended permit tcp any host www.mycompany.com object-group DM_INLINE_TCP_8 inactive
access-list outside_in extended permit tcp any host fg.mycompany.com object-group DM_INLINE_TCP_1
access-list outside_in extended permit tcp any host nems.mycompany.com object-group DM_INLINE_TCP_2
access-list outside_in extended permit tcp any host www.mycompanymedia.com object-group DM_INLINE_TCP_4
access-list outside_in extended permit tcp any host secure.mycompany.com eq www
access-list outside_in extended permit tcp any host secure.mycompany.com eq https
access-list outside_in extended permit tcp any host hpsi.mycompany.com object-group DM_INLINE_TCP_7
access-list outside_in remark ssh and ports for samba
access-list outside_in extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_3 host hpsi.mycompany.com
access-list outside_in extended permit tcp object-group DM_INLINE_NETWORK_1 host nems.mycompany.com object-group DM_INLINE_TCP_3
access-list dmz_in extended permit ip 10.x.x.208 255.255.255.240 any
access-list dmz_in extended permit tcp host secure.mycompany.com object-group domain_controllers object-group active_directory_tcp
access-list dmz_in extended permit udp host secure.mycompany.com object-group domain_controllers object-group active_directory_udp
access-list dmz_in extended permit udp host secure.mycompany.com eq bootps object-group domain_controllers eq bootpc
access-list dmz_in remark TCP/21955 is for SharePoint
access-list dmz_in extended permit tcp host secure.mycompany.com object-group lan_servers_vpn eq 21955
access-list dmz_in extended permit tcp host secure.mycompany.com object-group lan_servers_vpn eq www
access-list dmz_in extended permit tcp host secure.mycompany.com object-group lan_servers_vpn eq https
access-list dmz_in extended permit tcp host secure.mycompany.com LAN_subnet 255.255.255.0 eq 1433
access-list dmz_in extended permit tcp host secure.mycompany.com LAN_subnet 255.255.255.0 eq 3389
access-list dmz_in extended deny ip DMZ_subnet 255.255.255.128 LAN_subnet 255.255.255.0
access-list dmz_in extended permit ip DMZ_subnet 255.255.255.128 any
access-list lan_no_nat extended permit ip LAN_subnet 255.255.255.0 DMZ_subnet 255.255.255.128
access-list lan_no_nat extended permit ip LAN_subnet 255.255.255.0 10.x.x.208 255.255.255.240
access-list Admin_Users_splitTunnelACL standard permit LAN_subnet 255.255.255.0
access-list LAN_access_in extended permit ip any DMZ_subnet 255.255.255.128 inactive
access-list LAN_access_in extended permit object-group TCPUDP any any eq domain
access-list LAN_access_in extended permit tcp any any object-group DM_INLINE_TCP_9
access-list LAN_access_in extended permit tcp any any object-group DM_INLINE_TCP_10
access-list LAN_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu LAN 1500
mtu Internet 1500
mtu DMZ 1500
ip local pool vpnpool 10.x.x.1-10.x.x.63 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo LAN
icmp permit any echo Internet
icmp permit any echo-reply Internet
icmp permit any time-exceeded Internet
icmp permit any echo DMZ
icmp permit any echo-reply DMZ
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
global (Internet) 2 LAN_out netmask 255.255.255.255
nat (LAN) 0 access-list lan_no_nat
nat (LAN) 2 0.0.0.0 0.0.0.0
access-group LAN_access_in in interface LAN
access-group outside_in in interface Internet
access-group dmz_in in interface DMZ
route Internet 0.0.0.0 0.0.0.0 38.x.x.41 1
route DMZ 10.x.x.208 255.255.255.240 secure.mycompany.com 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication secure-http-client
http server enable
http 0.0.0.0 0.0.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Internet
crypto ca trustpoint self
 enrollment self
 crl configure
crypto ca certificate chain self
 certificate 5caf4b4a
  quit
crypto isakmp identity address
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 LAN
ssh timeout 5
console timeout 0
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.41
ntp server 130.126.24.53
ntp server 129.6.15.29
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
ssl trust-point self Internet
webvpn
 enable Internet
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy Admin_Users internal
group-policy Admin_Users attributes
 dns-server value 10.x.x.7 10.x.x.11
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admin_Users_splitTunnelACL
 default-domain value intranet.mycompany.com
username asaadm password 25kYBePmBfwdcy encrypted privilege 15
username wtsa password j8V7eu1M40eBD encrypted
username wtsa attributes
 vpn-group-policy Admin_Users
 service-type remote-access
tunnel-group Admin_Users type remote-access
tunnel-group Admin_Users general-attributes
 address-pool vpnpool
 default-group-policy Admin_Users
tunnel-group Admin_Users webvpn-attributes
 group-alias Admin_Users enable
tunnel-group Admin_Users ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:083dac2b9c72151c6e7e6a069cd21
: end
asdm image disk0:/asdm-621.bin
asdm location nems.mycompany.com 255.255.255.255 LAN
asdm location LAN_legacy 255.255.255.255 LAN
asdm location www.mycompany.com 255.255.255.255 LAN
asdm location mail.mycompany.com 255.255.255.255 LAN
asdm location stg.mycompany.com 255.255.255.255 LAN
asdm location ftp.mycompany.com 255.255.255.255 LAN
asdm location LAN_out 255.255.255.255 LAN
asdm location www.mycompanymedia.com 255.255.255.255 LAN
asdm location hpsi.mycompany.com 255.255.255.255 LAN
no asdm history enable

 
LVL 1

Author Comment

by:winstein2005
We do have Security Plus. I tried to add static routing in the NAT rules, but it did not work. Maybe the contractor has left out more than a couple of things?
 
LVL 33

Expert Comment

by:MikeKane
To access the DMZ you'll need to allow the LAN to NAT into the DMZ.

Try this:

  global (DMZ) 2 interface

That will use the same nat 2 from inside and should get you an xlate into the DMZ.



 
LVL 1

Author Comment

by:winstein2005
Mike, that makes sense, but where do I set it in ASDM?
 
LVL 33

Expert Comment

by:MikeKane
IIRC, it's in CONFIGURATION - FIREWALL - NAT Rules.

You should be able to add a new one there.
 
LVL 1

Author Comment

by:winstein2005
Mike, could you be more specific on the source, destination and interface?

I've tried both a static rule and a static policy, but it did not work. It says the source and translated IP must have the same subnet mask.

Thanks
 
LVL 33

Expert Comment

by:MikeKane
It's not a static you are adding, it's a global pool entry. If you don't see the globals listed, go to that area in ASDM and click VIEW - GLOBAL POOLS. You want to add a global pool "1", interface "DMZ", addresses "DMZ interface".
 
LVL 1

Author Comment

by:winstein2005
Ok, I was able to generate the address pool and the configuration now has this line:

global (DMZ) 2 LAN_out netmask 255.255.255.255

But still no go. Still getting Deny TCP in the log viewer.
 
LVL 33

Expert Comment

by:MikeKane
Change the global to 1 so it's part of the same global pool.
 
LVL 1

Author Comment

by:winstein2005
The NAT rules did not help. I've consulted with several people, and they all thought the same thing. But here is the weird part: I can PING the addresses and URLs in the DMZ, but not browse them using a browser!
 
LVL 33

Accepted Solution

by:MikeKane (earned 500 total points)
I had to take a closer look at your code. You are no-natting into the DMZ using
access-list lan_no_nat extended permit ip LAN_subnet 255.255.255.0 DMZ_subnet 255.255.255.128
and
nat (LAN) 0 access-list lan_no_nat

There are no translations happening here.

On the ACL side I see
access-list LAN_access_in extended permit ip any any

which should allow all traffic from the inside to the DMZ, and it would flow without translation.

If pings are working but port 80 is failing, then the first thing we do is eliminate the ACLs and firewall. If you have the ASDM open, the console, or want to set up a syslog server, you can set the logging to informational and the firewall will log any dropped packets and give the reason. If the firewall is preventing communication, this will alert you to it. If the log is clean, then the firewall isn't the cause of the issue.
 
LVL 1

Author Comment

by:winstein2005
We finally figured it out! The problem is not Cisco, the problem is the Windows servers. The servers had two NIC cards and they were both enabled. One is configured on the DMZ and one is configured on the LAN. Because the DMZ address was not NATed, the requests from the LAN were replied to using the LAN interface.

Once we disabled the LAN interface, everything works.
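The accepted answer's advice was to read the informational log for the drop reason; the row in the question is ASA message 106015 ("Deny TCP (no connection)"), and the root cause turned out to be a dual-homed server answering over its LAN NIC so the ASA never saw the reply half of the handshake. As an added example (not code from the thread, the poster, or Cisco), here is a small Python triage of ASDM Log Viewer rows in that tab-separated format: it groups rows by message ID and flags flows that show 106015 drops without a matching 302013 "Built connection", which is the asymmetric-path pattern this thread ended on. The first sample row is the one from the question; the others are constructed for contrast.

```python
"""Triage ASDM Log Viewer rows for the "Deny TCP (no connection)" symptom.
Constructed example for this thread, not the poster's or Cisco's code.
Row format is the tab-separated one pasted in the question:
  severity, date, time, msg_id, src, src_port, dst, dst_port, text
"""
from collections import Counter, defaultdict
import re

# Standard ASA syslog IDs; the one-line meanings are the editor's summaries.
MEANING = {
    "106015": "no connection: mid-stream TCP packet with no ASA state; "
              "the reply path may be bypassing the firewall",
    "106023": "denied by interface ACL: fix the access-list, not routing",
    "302013": "connection built: the handshake passed through the ASA",
}

FLAGS_RE = re.compile(r"flags\s+([A-Z ]+?)\s+on interface\s+(\S+)")

def parse_row(row):
    """Split one ASDM row into a dict; return None for rows that do not fit."""
    cols = row.rstrip("\n").split("\t")
    if len(cols) < 9 or not cols[3].isdigit():
        return None
    keys = ["sev", "date", "time", "msg_id", "src", "sport", "dst", "dport", "text"]
    rec = dict(zip(keys, cols[:9]))
    m = FLAGS_RE.search(rec["text"])          # only deny messages carry flags
    rec["flags"] = m.group(1).split() if m else []
    rec["iface"] = m.group(2) if m else None
    return rec

def triage(rows):
    """Group rows of interest by (msg_id, src, dst, dport), most frequent first."""
    hits, flags = Counter(), defaultdict(set)
    for row in rows:
        rec = parse_row(row)
        if rec is None or rec["msg_id"] not in MEANING:
            continue
        key = (rec["msg_id"], rec["src"], rec["dst"], rec["dport"])   # ignore sport
        hits[key] += 1
        flags[key].update(rec["flags"])
    return [{"msg_id": k[0], "src": k[1], "dst": k[2], "dport": k[3], "count": n,
             "flags": sorted(flags[k]), "meaning": MEANING[k[0]]}
            for k, n in hits.most_common()]

def asymmetric_suspects(rows):
    """Flows with 106015 drops but no 302013 build for the same src/dst/dport.
    Stray ACK/RST packets for a handshake the ASA never saw complete is what a
    dual-homed server produces when it answers over its second NIC instead of
    back through the firewall, which is what this thread found.
    """
    groups = triage(rows)
    built = {(g["src"], g["dst"], g["dport"]) for g in groups if g["msg_id"] == "302013"}
    return [g for g in groups
            if g["msg_id"] == "106015" and (g["src"], g["dst"], g["dport"]) not in built]

# Constructed sample: the first row is the one posted in the question,
# the rest are made up for contrast (hostnames are the thread's placeholders).
SAMPLE = [
    "6\tJul 10 2009\t14:12:13\t106015\t10.X.X.228\t52966\twww.mycompany.com\t80\t"
    "Deny TCP (no connection) from 10.X.X.228/52966 to www.mycompany.com/80 flags RST  on interface LAN",
    "6\tJul 10 2009\t14:12:14\t106015\t10.X.X.228\t52967\twww.mycompany.com\t80\t"
    "Deny TCP (no connection) from 10.X.X.228/52967 to www.mycompany.com/80 flags ACK  on interface LAN",
    "4\tJul 10 2009\t14:12:20\t106023\t10.X.X.50\t40001\tns1.mycompany.com\t22\t"
    'Deny tcp src LAN:10.X.X.50/40001 dst DMZ:ns1.mycompany.com/22 by access-group "LAN_access_in"',
    "6\tJul 10 2009\t14:12:25\t302013\t10.X.X.228\t52970\tns1.mycompany.com\t53\t"
    "Built outbound TCP connection 1234 for DMZ:ns1.mycompany.com/53 to LAN:10.X.X.228/52970",
]

if __name__ == "__main__":
    for g in asymmetric_suspects(SAMPLE):
        print(f"{g['src']} -> {g['dst']}:{g['dport']}  {g['count']}x 106015 "
              f"flags={g['flags']}: {g['meaning']}")
```

Feed it the rows copied from the ASDM Log Viewer (or a syslog export reshaped to the same columns); a flow that only ever shows 106015 with ACK/RST flags and never a 302013 build is the one to check for a second path around the firewall.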
