0

Hi Everyone,

Recently my organization (where m working) has decided to host web locally rather then hosting in ISP. We have purchased a new server which will be used only for web. My Company has got new public IP for web from ISP i.e. 119.2.116.190.

I am trying to configure web server using Windows 2003 Server for hosting ASP.NET website for our branch office. I have been trying to find a best tutorial for googles but could not find a proper tutorials.

My web server is directly connected to DMZ port of the ASA Firewall which has an IP 30.30.30.10 255.255.255.255. In the firewall the IP 30.30.30.60 (my server IP) is mapped with my public IP.

Now i want to configure using the above configuration. CAN ANYONE HELP ME HOW TO CONFIGURE. It would be very gratefull if anyone can help me out.\

TashiDuks

2
Contributors
5
Replies
6
Views
7 Years
Discussion Span
Last Post by CimmerianX
0

In the ASA, you have the static NAT created. You will also need to create an inbound access list to allow the traffic...

access-list outside_in extended permit tcp any host <public ip mapped to .60> eq 80
access-list outside_in extended permit tcp any host <public ip mapped to .60> eq 443

You will need to point your DNS A record for the website to the new IP address.
You may need to add/reissue a cert for use in the site if you use https.

0

Oops - forgot to mention that you need to apply the acl to the interface and direction of traffic with :

access-group outside_in in interface outside

0

Thanks for your help but the solution which you have given to me is already been configured. Check below:

!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 75
 ip address 30.30.30.10 255.255.255.0
!
access-list acl_outside_in extended permit tcp any host 119.2.116.190
access-list acl_outside_in extended permit icmp any host 119.2.116.190
access-list acl_dmz_in extended permit tcp host 30.30.30.60 any
access-list acl_dmz_in extended permit icmp host 30.30.30.60 any
!
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) 119.2.116.190 30.30.30.60 netmask 255.255.255.255
static (DMZ,inside) 30.30.30.0 30.30.30.0 netmask 255.255.255.0
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
!
access-group acl_outside_in in interface outside
access-group acl_dmz_in in interface DMZ
!

Still then i cannot ping.
Problems:

1. I cannot ping DMZ port from the webserver.
2. I cannot ping the public IP from outside and from inside.

Please help me out.

thanks,

TashiDuks

0

Continuation...

I have checked my host A configuration in DNS, its been already mapped with the public IP. Still i doesnt work.

TashiDuks

0

These lines will help support ICMP echos going in and out.... add them to the ACLs.

for example:
access-list dmz_access_in extended permit icmp any any source-quench
access-list dmz_access_in extended permit icmp any any unreachable
access-list dmz_access_in extended permit icmp any any time-exceeded


Check the ASA log "show logging" or the ASDM home screen. If the ASA is blocking any packets, a drop error will be displayed and/or recorded.

You can also hop on the DMZ web server, open a browser, and check 'canyourseeme.org' It will list your current IP, then you can test back to port 80/443 to see if they are open from the outside.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.