
Having trouble configuring outside access to DMZ web server.

15 years 5 months ago #30408 by jibon
Hello everyone

I'm new to Cisco ASAs. So far what I've configured I've done by going through forums and Cisco docs. But now I'm stuck, and I have no clue where to go from here. I don't even know what to troubleshoot for. I'd really appreciate some help.

Here are the details:



So far I have:
    - Internet connectivity from inside and dmz
    - Connectivity to web server from inside hosts

I've configured some static NAT statements that are supposed to give outside access to the DMZ server, but it doesn't work. I don't know what I'm doing wrong. My running config is below:

[code:1]
ASA Version 8.0(3)
!
hostname xxx
enable password xxxxx encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxxxxxxx encrypted
ftp mode passive
access-list dmz_server_allow extended permit tcp any host 192.168.3.254 eq www
access-list dmz_server_allow extended permit tcp any host 192.168.3.254 eq https
access-list dmz_server_allow extended permit tcp any host 192.168.3.254 eq ftp
access-list dmz_server_allow extended permit tcp any host 192.168.3.254 eq ftp-data
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.3.10-192.168.3.100 netmask 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 192.168.3.0 255.255.255.0
static (dmz,outside) tcp interface www 192.168.3.254 www netmask 255.255.255.255 tcp 500 0
static (dmz,outside) tcp interface https 192.168.3.254 https netmask 255.255.255.255 tcp 500 0
static (dmz,outside) tcp interface ftp 192.168.3.254 ftp netmask 255.255.255.255 tcp 500 0
static (dmz,outside) tcp interface ftp-data 192.168.3.254 ftp-data netmask 255.255.255.255 tcp 500 0
access-group dmz_server_allow in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal

telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.1.1.1
!
dhcpd address 192.168.2.11-192.168.2.200 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map

inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1a29d5a1d3920dbbfa07ce6acc9ad69a
: end
[/code:1]

I'd appreciate any help I can get. Thanks
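Added example, not from the thread: a small consistency check over the pre-8.3 NAT syntax posted above. On 8.0(3) an access-list bound inbound on the outside interface is evaluated against the mapped (global) address, so each `static` port forward needs a permit for the mapped address and port, not for the DMZ host's real address. The config excerpt and the `IFACE_IPS` lookup (outside IP taken from the posted interface stanza) are constructed from the post.

```python
import re

# Constructed excerpt of the 8.0(3) config posted above (only the lines the
# check reads); the mapped address "interface" resolves via IFACE_IPS below.
CONFIG = """\
access-list dmz_server_allow extended permit tcp any host 192.168.3.254 eq www
access-list dmz_server_allow extended permit tcp any host 192.168.3.254 eq https
static (dmz,outside) tcp interface www 192.168.3.254 www netmask 255.255.255.255 tcp 500 0
static (dmz,outside) tcp interface https 192.168.3.254 https netmask 255.255.255.255 tcp 500 0
access-group dmz_server_allow in interface outside
"""
IFACE_IPS = {"outside": "10.1.1.2"}  # assumption: from the posted interface stanza

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\w+) (?:any|host \S+) "
                    r"(?:host (\S+)|interface (\w+)) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def check_port_forwards(config, iface_ips):
    """For each static PAT return (real_ip, port, status). Pre-8.3 rule: the ACL
    bound inbound on the mapped interface must permit the MAPPED address/port,
    so a permit written for the real (DMZ) address is reported as a miss."""
    statics, permits, bound = [], [], {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            real_if, mapped_if, proto, m_ip, m_port, r_ip, r_port = m.groups()
            if m_ip == "interface":  # PAT on the mapped interface's own address
                m_ip = iface_ips[mapped_if]
            statics.append((mapped_if, proto, m_ip, m_port, r_ip, r_port))
        elif m := ACL_RE.match(line):
            name, proto, dst, dst_if, port = m.groups()
            # "interface outside" in an ACL also resolves to that interface's IP
            permits.append((name, proto, iface_ips.get(dst_if, dst), port))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL name
    results = []
    for mapped_if, proto, m_ip, m_port, r_ip, r_port in statics:
        acl = bound.get(mapped_if)
        if acl is None:
            results.append((r_ip, r_port, f"no ACL bound on {mapped_if}"))
        elif (acl, proto, m_ip, m_port) in permits:
            results.append((r_ip, r_port, "ok"))
        else:
            results.append((r_ip, r_port, f"{acl} does not permit {m_ip}/{m_port}"))
    return results

if __name__ == "__main__":
    for row in check_port_forwards(CONFIG, IFACE_IPS):
        print(row)
```

Run against the posted lines it reports every forward as not permitted; rewriting the ACL destination as `interface outside` (or `host 10.1.1.2`) makes the same check pass.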
15 years 5 months ago #30409 by jibon
I forgot to mention... I have one static public IP address from my ISP.
15 years 5 months ago #30412 by Blake
Not sure if this will fix your problem or not, but I would have approached the NAT a little differently; your static statements look good. You have the following:

global (outside) 1 interface
global (dmz) 1 192.168.3.10-192.168.3.100 netmask 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 192.168.3.0 255.255.255.0

I would have done:

global (outside) 1 interface
nat (inside) 1 0 0
nat (dmz) 1 0 0

and just written a static for the inside to DMZ, since you are going from higher to lower there is no need to NAT:

static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Not sure if this will help or not.

Can you post your logs when you try to access the web server?
15 years 5 months ago #30415 by jibon
Thanks, I applied those changes.

As for logs... I'm not using a real Windows server. I have Uniform Server running on my desktop PC, which only gives me error reports. Since there are no connections getting across the DSL modem and on to the ASA, the error log is empty.

I was not provided with a real server because the current ASA I'm working on is going to be a failover device. The primary device is a SonicWall firewall at the moment. I'm not sure if it's even going to stay either. The company is planning a network upgrade, and I have not been informed yet as to what is going and what is staying. The "real" web server is on that network at the moment.

I'm leaning toward the DSL modem/router thing being the problem. There's no way I can turn it into just a bridge. It would be so much easier.

My traffic doesn't get past 10.1.1.1 (modem) at the moment.
15 years 5 months ago #30418 by Blake
Does the DSL modem have a built-in firewall? I definitely agree with you: making the modem a transparent bridge would be the best solution. :D
15 years 5 months ago #30422 by jibon
Yeah, it does. I just had a thought... maybe if I enable the DMZ in the modem/router itself to point to my ASA, it might work. I'll have to try it on Monday.