Solved

can't access DMZ from LAN using ASA 5505 using ASDM 6.2

Posted on 2009-07-10
2,084 Views
Last Modified: 2012-05-07
Hi,

I'm new to ASA and ASDM.  I have some knowledge about firewall rules and stuff.  We have a split DNS setup, where an external DNS sits in the DMZ.  We have no problem accessing external sites like Google or Yahoo, but we can't seem to access the DMZ addresses.  I've tried to add rules to Internet (outside) and LAN (inside) but still can't access the DMZ from the LAN.

Thanks



6	Jul 10 2009	14:12:13	106015	10.X.X.228	52966	www.mycompany.com	80	Deny TCP (no connection) from 10.X.X.228/52966 to www.mycompany.com/80 flags RST  on interface LAN

Question by:winstein2005
18 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24827017
Could you post your current ASA code?  

It sounds like you are missing a nat command to allow the inside network to communicate to the DMZ network.  

What do you have as the global command?   do you have something like:
global (dmz-interface) interface


0
 
LVL 1

Author Comment

by:winstein2005
ID: 24827335
I'm sorry, how do you do that using the GUI?  We have a contractor set it up for us and I'm using the ASDM Java interface to change the access rules.

0
 
LVL 1

Author Comment

by:winstein2005
ID: 24827413
I don't know if this helps, but I managed to export the access rules in the csv format
"Interface","#","Enabled","Source","Destination","Service","Action","Hits","Logging","Time","Description"
"DMZ (12 incoming rules)","1","True","10.x.x.208/28","any","ip","Permit","0","Default","",""
"DMZ (12 incoming rules)","2","True","secure.mycompany.com","domain_controllers","active_directory_tcp","Permit","0","Default","",""
"DMZ (12 incoming rules)","3","True","secure.mycompany.com","domain_controllers","active_directory_udp","Permit","0","Default","",""
"DMZ (12 incoming rules)","4","True","secure.mycompany.com","domain_controllers","udp/bootpc","Permit","0","Default","",""
"DMZ (12 incoming rules)","5","True","secure.mycompany.com","lan_servers_vpn","tcp/21955","Permit","0","Default","","TCP/21955 is for SharePoint"
"DMZ (12 incoming rules)","6","True","secure.mycompany.com","lan_servers_vpn","tcp/http","Permit","0","Default","",""
"DMZ (12 incoming rules)","7","True","secure.mycompany.com","lan_servers_vpn","tcp/https","Permit","0","Default","",""
"DMZ (12 incoming rules)","8","True","secure.mycompany.com","LAN_subnet/24","tcp/1433","Permit","0","Default","",""
"DMZ (12 incoming rules)","9","True","secure.mycompany.com","LAN_subnet/24","tcp/3389","Permit","0","Default","",""
"DMZ (12 incoming rules)","10","True","DMZ_subnet/25","LAN_subnet/24","ip","Deny","68","Default","",""
"DMZ (12 incoming rules)","11","True","DMZ_subnet/25","any","ip","Permit","10923","Default","",""
"DMZ (12 incoming rules)","12","","any","any","ip","Deny","","Default","","Implicit rule"
"Internet (14 incoming rules)","1","True","any","any","icmp","Permit","4558","Default","",""
"Internet (14 incoming rules)","2","True","any","ns1.mycompany.com","tcp/domain,udp/domain","Permit","13957","Default","",""
"Internet (14 incoming rules)","3","True","any","ns2.mycompany.com","tcp/domain,udp/domain","Permit","15049","Default","",""
"Internet (14 incoming rules)","4","True","any","www.mycompany.com","tcp/http,tcp/https","Permit","2159","Default","",""
"Internet (14 incoming rules)","5","False","any","www.mycompany.com","tcp/ftp,tcp/ftp-data","Permit","0","Default","",""
"Internet (14 incoming rules)","6","True","any","fg.mycompany.com","tcp/http,tcp/https","Permit","89414","Default","",""
"Internet (14 incoming rules)","7","True","any","nems.mycompany.com","tcp/http,tcp/https","Permit","29","Default","",""
"Internet (14 incoming rules)","8","True","any","www.mycompanymedia.com","tcp/http,tcp/https","Permit","134","Default","",""
"Internet (14 incoming rules)","9","True","any","secure.mycompany.com","tcp/http","Permit","1","Default","",""
"Internet (14 incoming rules)","10","True","any","secure.mycompany.com","tcp/https","Permit","0","Default","",""
"Internet (14 incoming rules)","11","True","any","hpsi.mycompany.com","tcp/http,tcp/https","Permit","341","Default","",""
"Internet (14 incoming rules)","12","True","LAN_subnet/24,LAN_legacy","hpsi.mycompany.com","tcp/ftp,tcp/ftp-data,tcp/http,tcp/https,tcp/netbios-ssn,tcp/ssh,udp/netbios-dgm,udp/netbios-ns","Permit","108","Default","","ssh and ports for samba"
"Internet (14 incoming rules)","13","True","LAN_subnet/24,LAN_legacy","nems.mycompany.com","tcp/ftp,tcp/ftp-data","Permit","0","Default","",""
"Internet (14 incoming rules)","14","","any","any","ip","Deny","","Default","","Implicit rule"
"LAN (6 incoming rules)","1","False","any","DMZ_subnet/25","ip","Permit","0","Default","",""
"LAN (6 incoming rules)","2","True","any","any","tcp-udp/domain","Permit","0","Default","",""
"LAN (6 incoming rules)","3","True","any","any","tcp/http,tcp/https","Permit","45","Default","",""
"LAN (6 incoming rules)","4","True","any","any","tcp/ftp,tcp/ftp-data","Permit","0","Default","",""
"LAN (6 incoming rules)","5","True","any","any","ip","Permit","2974","Default","",""
"LAN (6 incoming rules)","6","","any","any","ip","Deny","","Default","","Implicit rule"


0

 
LVL 33

Expert Comment

by:MikeKane
ID: 24827553
From the ASDM click FILE - SHOW RUNNING CONFIG IN NEW WINDOW.    Take out your public ip and any passwords and post it here for review.  

Thanks.
 
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24827581
Hi,

If you don't buy the Security Plus feature, you are not able to use the DMZ two-way; you can only reach it from outside or from inside, but not at the same time!
 
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24827604
0
 
LVL 1

Author Comment

by:winstein2005
ID: 24827772
Ok, here it is.
: Saved
:
ASA Version 8.0(4) 
!
hostname mycompanyfw
domain-name mycompany.com
enable password dCMzgJplARCis encrypted
passwd dCMzXJlAVRCis encrypted
names
name 38.x.x.165 fg.mycompany.com
name 38.x.x.175 nems.mycompany.com
name 38.x.x.231 secure.mycompany.com
name 38.x.x.251 ns1.mycompany.com
name 38.x.x.252 ns2.mycompany.com
name 10.x.x.7 mycompany-prime
name 10.x.x.11 mycompany-project
name 10.x.x.8 mycompany-exchange
name 10.x.x.9 mycompany-ezp
name 10.x.x.4 mycompany-www2
name 38.x.x.128 DMZ_subnet
name 10.x.x.0 LAN_subnet
name 38.x.x.139 ftp.mycompany.com
name 38.x.x.137 mail.mycompany.com
name 38.x.x.138 stg.mycompany.com
name 38.x.x.136 www.mycompany.com
name 65.x.x.56 LAN_legacy
name 38.x.x.241 LAN_out
name 38.x.x.141 www.mycompanymedia.com
name 38.x.x.217 hpsi.mycompany.com
!
interface Vlan1
 nameif LAN
 security-level 100
 ip address 10.x.x.3 255.255.255.0 
!
interface Vlan2
 description Cogent L3
 nameif Internet
 security-level 0
 ip address 38.x.x.42 255.255.255.252 
!
interface Vlan3
 description Cogent delegated subnet
 nameif DMZ
 security-level 25
 ip address 38.x.x.129 255.255.255.128 
!
interface Ethernet0/0
 description Cogent
 switchport access vlan 2
!
interface Ethernet0/1
 description DMZ port
 switchport access vlan 3
!
interface Ethernet0/2
 description DMZ port
 switchport access vlan 3
!
interface Ethernet0/3
 description DMZ port
 switchport access vlan 3
!
interface Ethernet0/4
 description DMZ port
 switchport access vlan 3
!
interface Ethernet0/5
 description LAN port
!
interface Ethernet0/6
 description LAN port
!
interface Ethernet0/7
 description LAN port
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Internet
dns server-group DefaultDNS
 name-server 66.x.x.45
 name-server 66.x.x.61
 name-server 4.2.2.2
 name-server 4.2.2.1
 domain-name mycompany.com
object-group network domain_controllers
 network-object host mycompany-prime
 network-object host mycompany-project
object-group service active_directory_tcp tcp
 port-object eq ldap
 port-object eq netbios-ssn
 port-object eq 445
 port-object eq domain
object-group service active_directory_udp udp
 port-object eq netbios-ns
 port-object eq domain
object-group network lan_servers_vpn
 network-object host mycompany-exchange
 network-object host mycompany-ezp
 network-object host mycompany-prime
 network-object host mycompany-project
 network-object host mycompany-www2
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq domain 
 service-object udp eq domain 
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq domain 
 service-object udp eq domain 
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object LAN_subnet 255.255.255.0
 network-object host LAN_legacy
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service rdp tcp
 description Remote Desktop Protocol
 port-object eq 3389
object-group service DM_INLINE_TCP_7 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_3
 service-object tcp eq netbios-ssn 
 service-object tcp eq ssh 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
 service-object tcp eq www 
 service-object tcp eq https 
 service-object tcp eq ftp 
 service-object tcp eq ftp-data 
object-group network DM_INLINE_NETWORK_3
 network-object LAN_subnet 255.255.255.0
 network-object host LAN_legacy
object-group service DM_INLINE_TCP_8 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_10 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_9 tcp
 port-object eq www
 port-object eq https
access-list outside_in extended permit icmp any any 
access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host ns1.mycompany.com 
access-list outside_in extended permit object-group DM_INLINE_SERVICE_2 any host ns2.mycompany.com 
access-list outside_in extended permit tcp any host www.mycompany.com object-group DM_INLINE_TCP_5 
access-list outside_in extended permit tcp any host www.mycompany.com object-group DM_INLINE_TCP_8 inactive 
access-list outside_in extended permit tcp any host fg.mycompany.com object-group DM_INLINE_TCP_1 
access-list outside_in extended permit tcp any host nems.mycompany.com object-group DM_INLINE_TCP_2 
access-list outside_in extended permit tcp any host www.mycompanymedia.com object-group DM_INLINE_TCP_4 
access-list outside_in extended permit tcp any host secure.mycompany.com eq www 
access-list outside_in extended permit tcp any host secure.mycompany.com eq https 
access-list outside_in extended permit tcp any host hpsi.mycompany.com object-group DM_INLINE_TCP_7 
access-list outside_in remark ssh and ports for samba
access-list outside_in extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_3 host hpsi.mycompany.com 
access-list outside_in extended permit tcp object-group DM_INLINE_NETWORK_1 host nems.mycompany.com object-group DM_INLINE_TCP_3 
access-list dmz_in extended permit ip 10.x.x.208 255.255.255.240 any 
access-list dmz_in extended permit tcp host secure.mycompany.com object-group domain_controllers object-group active_directory_tcp 
access-list dmz_in extended permit udp host secure.mycompany.com object-group domain_controllers object-group active_directory_udp 
access-list dmz_in extended permit udp host secure.mycompany.com eq bootps object-group domain_controllers eq bootpc 
access-list dmz_in remark TCP/21955 is for SharePoint
access-list dmz_in extended permit tcp host secure.mycompany.com object-group lan_servers_vpn eq 21955 
access-list dmz_in extended permit tcp host secure.mycompany.com object-group lan_servers_vpn eq www 
access-list dmz_in extended permit tcp host secure.mycompany.com object-group lan_servers_vpn eq https 
access-list dmz_in extended permit tcp host secure.mycompany.com LAN_subnet 255.255.255.0 eq 1433 
access-list dmz_in extended permit tcp host secure.mycompany.com LAN_subnet 255.255.255.0 eq 3389 
access-list dmz_in extended deny ip DMZ_subnet 255.255.255.128 LAN_subnet 255.255.255.0 
access-list dmz_in extended permit ip DMZ_subnet 255.255.255.128 any 
access-list lan_no_nat extended permit ip LAN_subnet 255.255.255.0 DMZ_subnet 255.255.255.128 
access-list lan_no_nat extended permit ip LAN_subnet 255.255.255.0 10.x.x.208 255.255.255.240 
access-list Admin_Users_splitTunnelACL standard permit LAN_subnet 255.255.255.0 
access-list LAN_access_in extended permit ip any DMZ_subnet 255.255.255.128 inactive 
access-list LAN_access_in extended permit object-group TCPUDP any any eq domain 
access-list LAN_access_in extended permit tcp any any object-group DM_INLINE_TCP_9 
access-list LAN_access_in extended permit tcp any any object-group DM_INLINE_TCP_10 
access-list LAN_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu LAN 1500
mtu Internet 1500
mtu DMZ 1500
ip local pool vpnpool 10.x.x.1-10.x.x.63 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo LAN
icmp permit any echo Internet
icmp permit any echo-reply Internet
icmp permit any time-exceeded Internet
icmp permit any echo DMZ
icmp permit any echo-reply DMZ
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
global (Internet) 2 LAN_out netmask 255.255.255.255
nat (LAN) 0 access-list lan_no_nat
nat (LAN) 2 0.0.0.0 0.0.0.0
access-group LAN_access_in in interface LAN
access-group outside_in in interface Internet
access-group dmz_in in interface DMZ
route Internet 0.0.0.0 0.0.0.0 38.x.x.41 1
route DMZ 10.x.x.208 255.255.255.240 secure.mycompany.com 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication secure-http-client
http server enable
http 0.0.0.0 0.0.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES256-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Internet
crypto ca trustpoint self
 enrollment self
 crl configure
crypto ca certificate chain self
 certificate 5caf4b4a
    308202c2 308201aa a0030201 0202045c af4b4a30 0d06092a 864886f7 0d010104 
    05003023 3121301f 06092a86 4886f70d 01090216 12736563 7572652e 63656e74 
    7261782e 636f6d30 1e170d30 39303730 31313834 3735365a 170d3139 30363239 
    31383437 35365a30 23312130 1f06092a 864886f7 0d010902 16127365 63757265 
    2e63656e 74726178 2e636f6d 30820122 300d0609 2a864886 f70d0101 01050003 
    82010f00 3082010a 02820101 00af1b98 ca5a6ccf 55c61fa7 7d30d871 ba326bf9 
    9c8b00a3 36db613a b075b232 ef2b6576 4b3d8900 e6202aca 5e48c91b de841b3d 
    a0b6fc2c 77d2f463 a6936b45 23789b00 60eddbd1 12e1870f ab345e99 8b42c7bd 
    460b8b54 d85b93e7 3dd6ebff 5e689e56 b0d42844 59e2b282 131ecbe6 f3c9adb5 
    ece6c3fe 1decbbcf f35acd2c a54a2095 a70f021c a06f72be c3ed0106 28ef69f3 
    656cc355 cc718d78 2f396879 6ce1cc1e d6546c36 9c3cb69b 40967f95 e78ebf68 
    b4286e94 f3a2b3fd 4c1a6d01 95a41347 90365693 1baf198a 7392b5e2 813cdbd5 
    f2168fa1 86a7b2bd 9009d8dc 3adf542a b71207bd 1ff5c0ec 739664d8 8ce20aae 
    b00d7072 9e8b361f 51df706c f3020301 0001300d 06092a86 4886f70d 01010405 
    00038201 01009e08 9e033a7f 67d23acf 79b34699 9ce6f526 03cc64d3 92d14a78 
    805521ac 2574e051 4ae1aa39 bf91215f b92a012f fae568de 3b52c66a e8027642 
    7540ef53 af25a996 20fcfbc9 43315122 406eeb00 8755c08b d17ac124 aea2ee29 
    d45cad8f 56292f1b f662d400 8e5723d8 c1d3dff5 1ee10c8d e12b350e aa0a475e 
    a93d5334 1d4226ec 6db2aa67 6fa50aac 44798c60 31035a48 108f347b 3122f9b4 
    0fe1a983 fe5747ab e6186786 8d66f1ca 0c0e78ff e2cc812c c4fd25b8 2664e14a 
    b5c2c2d7 5fa713fe c14b1a68 b958e534 3c78bdda 733c3090 62a377d9 eb3197f7 
    f30d5ff3 917a8a02 5fde4a14 64c96968 59ddab31 7c89780f f9db6889 4ebfc1ca 
    22f42ba8 1e11
  quit
crypto isakmp identity address 
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 LAN
ssh timeout 5
console timeout 0
 
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.41
ntp server 130.126.24.53
ntp server 129.6.15.29
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
ssl trust-point self Internet
webvpn
 enable Internet
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy Admin_Users internal
group-policy Admin_Users attributes
 dns-server value 10.x.x.7 10.x.x.11
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Admin_Users_splitTunnelACL
 default-domain value intranet.mycompany.com
username asaadm password 25kYBePmBfwdcy encrypted privilege 15
username wtsa password j8V7eu1M40eBD encrypted
username wtsa attributes
 vpn-group-policy Admin_Users
 service-type remote-access
tunnel-group Admin_Users type remote-access
tunnel-group Admin_Users general-attributes
 address-pool vpnpool
 default-group-policy Admin_Users
tunnel-group Admin_Users webvpn-attributes
 group-alias Admin_Users enable
tunnel-group Admin_Users ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:083dac2b9c72151c6e7e6a069cd21
: end
asdm image disk0:/asdm-621.bin
asdm location nems.mycompany.com 255.255.255.255 LAN
asdm location LAN_legacy 255.255.255.255 LAN
asdm location www.mycompany.com 255.255.255.255 LAN
asdm location mail.mycompany.com 255.255.255.255 LAN
asdm location stg.mycompany.com 255.255.255.255 LAN
asdm location ftp.mycompany.com 255.255.255.255 LAN
asdm location LAN_out 255.255.255.255 LAN
asdm location www.mycompanymedia.com 255.255.255.255 LAN
asdm location hpsi.mycompany.com 255.255.255.255 LAN
no asdm history enable


0
 
LVL 1

Author Comment

by:winstein2005
ID: 24830741
We do have Security Plus.  I tried to add static routing in the NAT rules, but it did not work.  Maybe the contractor has left out more than a couple of things?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24831084
To access the DMZ you'll need to allow the LAN to nat into the DMZ.

Try this

  global (DMZ) 2 interface


That will use the same nat2 from inside and should get you an xlate into the DMZ.  


0
 
LVL 1

Author Comment

by:winstein2005
ID: 24840653
Mike, that makes sense.  But where do I set it in the ASDM?
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24840943
IIRC, it's in CONFIGURATION - FIREWALL - NAT Rules.

You should be able to add a new one there.
0
 
LVL 1

Author Comment

by:winstein2005
ID: 24841424
Mike, could you be more specific on the source, destination and interface?

I've tried both static rule and static policy, but did not work.  It says the source and translated IP must have same subnet mask.

Thanks
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24841475
It's not a static you are adding, it's a global pool entry.    If you don't see the globals listed, go to that area in ASDM and click VIEW - GLOBAL POOLS.    You want to add a global pool "1", Interface "DMZ", addresses "DMZ interface".
0
 
LVL 1

Author Comment

by:winstein2005
ID: 24842607
Ok, I was able to generate the address pool and the configuration now has this line:

global (DMZ) 2 LAN_out netmask 255.255.255.255

But still no go.  Still getting Deny TCP in the log viewer.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24842682
Change the global to 1 so it's part of the same global pool.



0
 
LVL 1

Author Comment

by:winstein2005
ID: 24852784
The NAT rules did not help.  I've consulted with several people, and they all thought the same thing.  But here is the weird part:  I can PING the addresses and URLs in the DMZ, but not browse them using a browser!
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24852882
I had to take a closer look at your code.   You are no-natting into the DMZ using
access-list lan_no_nat extended permit ip LAN_subnet 255.255.255.0 DMZ_subnet 255.255.255.128
and
nat (LAN) 0 access-list lan_no_nat

There are no translations happening here.

On the ACL side I see
access-list LAN_access_in extended permit ip any any

which should allow all traffic from the inside to the DMZ, and it would flow without translation.

If pings are working but port 80 is failing, then the first thing we do is eliminate the ACLs and firewall.    If you have the ASDM open, the console, or want to set up a syslog server, you can set the logging to informational and the firewall will log any dropped packets and give the reason.   If the firewall is preventing communication, this will alert you to it.    If the log is clean then the firewall isn't the cause of the issue.




0
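To make the NAT ordering in this answer concrete, here is an added Python model (not code from the thread, from Cisco or from the poster's firewall) of how a pre-8.3 ASA such as this 8.0(4) unit picks a translation for a packet entering the LAN interface: NAT exemption (`nat (LAN) 0 access-list lan_no_nat`) is consulted before any `nat <id>` / `global <id>` pairing, which is why the `global (DMZ) 2 ...` pool added earlier in the thread changed nothing for LAN-to-DMZ traffic. All addresses are constructed stand-ins for the page's masked 10.x.x.x and 38.x.x.x values, and the interface addresses in `IFACE_ADDR` are assumptions; the posted config has no statics or policy NAT, so those lookup steps are left out.

```python
"""Model of ASA 8.0 (pre-8.3) NAT selection for traffic entering the LAN
interface, built from the nat/global lines in the posted config.

Added illustration only; not the firewall's own code. Lookup order modelled:
  1. NAT exemption   - nat (LAN) 0 access-list lan_no_nat
  2. Dynamic NAT/PAT - nat (LAN) 2 0.0.0.0 0.0.0.0, paired with the
                       global <id> on the egress interface
Statics and policy NAT are absent from the posted config and omitted here.
All addresses are constructed stand-ins for the page's masked values.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the 'name' entries in the config
LAN_SUBNET = ip_network("10.0.0.0/24")          # name 10.x.x.0 LAN_subnet
DMZ_SUBNET = ip_network("203.0.113.128/25")     # name 38.x.x.128 DMZ_subnet
DMZ_ROUTED = ip_network("10.0.1.208/28")        # 10.x.x.208/28 routed via secure.mycompany.com
LAN_OUT = "203.0.113.241"                       # name 38.x.x.241 LAN_out
IFACE_ADDR = {"Internet": "203.0.113.42", "DMZ": "203.0.113.129"}  # assumed values

# access-list lan_no_nat (nat 0): source/destination pairs exempt from translation
LAN_NO_NAT = [(LAN_SUBNET, DMZ_SUBNET), (LAN_SUBNET, DMZ_ROUTED)]

# nat (LAN) 2 0.0.0.0 0.0.0.0 : dynamic rule id 2 covers every LAN source
NAT_LAN = [(2, ip_network("0.0.0.0/0"))]

# global (<interface>) <id> <pool> lines as posted
GLOBALS = {("Internet", 1): "interface", ("Internet", 2): LAN_OUT}


def egress_interface(dst):
    """Routing decision from the posted routes: connected DMZ /25, the /28
    via secure.mycompany.com, everything else via the Internet default."""
    if dst in DMZ_SUBNET or dst in DMZ_ROUTED:
        return "DMZ"
    return "Internet"


def translate(src, dst, no_nat=LAN_NO_NAT, globals_=GLOBALS):
    """Return (decision, egress interface, address the source appears as)."""
    src, dst = ip_address(src), ip_address(dst)
    egress = egress_interface(dst)

    # 1. NAT exemption is checked first; a match ends the lookup with the
    #    real address untouched, whatever globals exist on the egress side.
    for s_net, d_net in no_nat:
        if src in s_net and dst in d_net:
            return ("no-nat", egress, str(src))

    # 2. Dynamic NAT: the first nat id matching the source must find a
    #    global with the same id on the egress interface.
    for nat_id, net in NAT_LAN:
        if src in net:
            pool = globals_.get((egress, nat_id))
            if pool is None:
                # nat id matched but no global for it on this interface:
                # the ASA has no translation group for the flow (msg 305005)
                return ("no-translation-group", egress, str(src))
            mapped = IFACE_ADDR[egress] if pool == "interface" else pool
            return (f"pat id {nat_id}", egress, mapped)

    return ("no-nat-rule", egress, str(src))


if __name__ == "__main__":
    # LAN -> DMZ web server: exempt, so the DMZ sees the real LAN address
    print(translate("10.0.0.228", "203.0.113.136"))
    # LAN -> Internet: nat id 2 + global (Internet) 2 -> PAT behind LAN_out
    print(translate("10.0.0.228", "8.8.8.8"))
    # Only without the exemption would 'global (DMZ) 2 interface' matter
    with_dmz_global = {**GLOBALS, ("DMZ", 2): "interface"}
    print(translate("10.0.0.228", "203.0.113.136", no_nat=[]))
    print(translate("10.0.0.228", "203.0.113.136", no_nat=[], globals_=with_dmz_global))
```

The last two calls show the case the earlier NAT advice was aimed at: if the exemption ACL were absent, `nat (LAN) 2` would match and, with no `global (DMZ) 2`, the ASA would have no translation group for the flow; adding the DMZ global then PATs the LAN host behind the DMZ interface address. With the exemption present, as in the posted config, neither global is ever consulted for LAN-to-DMZ traffic.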
 
LVL 1

Author Comment

by:winstein2005
ID: 24860300
We finally figured it out!  The problem is not Cisco, the problem is the Windows servers.  The servers had two NIC cards and they were both enabled.  One is configured on the DMZ and one is configured on the LAN.  Because the DMZ address was not NATed, the requests from the LAN were replied to using the LAN interface.

Once we disabled the LAN interface, everything works.
0
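The accepted answer's advice (turn logging up to informational and read the drop reasons) and the root cause found above both come down to the `106015 Deny TCP (no connection)` message in the question. Here is an added Python parser for that message, not code from the thread or from Cisco, that handles both the ASDM log viewer's tab-separated rows and the syslog form, counts denies per interface, destination, port and TCP flags, and flags the pattern seen here: mid-stream segments (RST/ACK/FIN) from an inside host repeatedly denied because the firewall has no connection for them, which is how a reply path that bypasses the firewall (the dual-homed server) shows up in the log. The sample lines are constructed and use 10.0.0.x / 198.51.100.x in place of the masked addresses.

```python
"""Parser and summary for ASA message 106015 ('Deny TCP (no connection)').

Added illustration; not code from the thread or from Cisco. Works on the
ASDM log-viewer export format (tab-separated columns) and on syslog lines,
because the message text after the ID is the same in both.
"""
import re
from collections import Counter

# Constructed sample: two ASDM log-viewer rows, two syslog-format lines, and
# one unrelated message (302013) that must be ignored.
SAMPLE_LOG = [
    "6\tJul 10 2009\t14:12:13\t106015\t10.0.0.228\t52966\twww.mycompany.com\t80\t"
    "Deny TCP (no connection) from 10.0.0.228/52966 to www.mycompany.com/80 flags RST  on interface LAN",
    "6\tJul 10 2009\t14:12:14\t106015\t10.0.0.228\t52967\twww.mycompany.com\t80\t"
    "Deny TCP (no connection) from 10.0.0.228/52967 to www.mycompany.com/80 flags RST  on interface LAN",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.0.231/41000 to www.mycompany.com/80 flags ACK  on interface LAN",
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/4433 to ns1.mycompany.com/53 flags SYN ACK  on interface Internet",
    "6\tJul 10 2009\t14:13:01\t302013\t10.0.0.228\t52970\t8.8.8.8\t443\t"
    "Built outbound TCP connection 1234 for Internet:8.8.8.8/443 (8.8.8.8/443) to LAN:10.0.0.228/52970 (203.0.113.241/1024)",
]

# Destination may be an IP or a 'name' alias, as in the poster's log viewer.
DENY_NO_CONN = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\w.\-]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.\-]+)/(?P<dport>\d+)"
    r"(?: flags (?P<flags>[A-Z ]+?))?\s+on interface (?P<iface>\S+)"
)


def parse_106015(line):
    """Return a dict for a 106015 line, or None for any other message."""
    m = DENY_NO_CONN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = (rec["flags"] or "").split()
    return rec


def summarize(lines):
    """Count denies per (interface, destination, port, flags)."""
    counts = Counter()
    for line in lines:
        rec = parse_106015(line)
        if rec:
            counts[(rec["iface"], rec["dst"], rec["dport"], " ".join(rec["flags"]))] += 1
    return counts


def suspect_asymmetric(counts, inside_ifaces=("LAN",), min_count=2):
    """Keys where an inside host's RST/ACK/FIN toward a server is repeatedly
    denied for lack of a connection. The firewall is seeing the middle of a
    conversation whose other half never crossed it, which is what a
    dual-homed server answering on its other NIC looks like from the ASA."""
    hits = []
    for (iface, dst, dport, flags), n in counts.items():
        if iface in inside_ifaces and n >= min_count and set(flags.split()) & {"RST", "ACK", "FIN"}:
            hits.append((iface, dst, dport, flags))
    return hits


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(n, key)
    print("possible reply path bypassing the firewall:", suspect_asymmetric(counts))
```

Run against a log-viewer export, the summary separates this kind of entry from ordinary ACL denies (106023) and from the outside-facing noise: a SYN/ACK denied on the Internet interface is just unsolicited traffic, while repeated RSTs on the LAN interface toward a DMZ server with an otherwise clean ACL log point at the server's routing rather than at the firewall rules.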
