How to configure DMZ access for ftp/https without NAT

I have a closed network that is not connected to the internet, just other sites that we want to communicate with. We have a Cisco router connected to the outside interface on an ASA5505 and a Cisco router connected to the inside interface on the same ASA5505. I have an inside interface that connects our management LAN, five separate DMZ interfaces with a separate LAN (VLAN) on each DMZ interface, and the outside interface that connects to the other sites. Data is not allowed to mingle between the five DMZs.
All connections to the other separate nodes are handled with the router on the external interface. IPsec GRE tunnels have been established between all sites and BGP routing has been verified. Pings are good between inside, DMZ and external interfaces and between the DMZs and the other sites, including hosts on our local networks and hosts at the remote sites. Inter and intra traffic is enabled.
When a remote site attempts an HTTPS connection, the initial ACK handshake makes it through the ASA5505, but the return SYN/ACK is being knocked down and I don't understand why (it is not because of ACLs; they are any any at this point).
Looking for some ideas on why the return SYN/ACK to the remote site isn't getting through the ASA5505 outbound. Will probably have the same issue with FTP, but right now I'm just trying to solve one problem at a time.
ASA5505 is in routed mode; not looking to NAT, since the IP addresses in the DMZ need to be reached by their real IP address.
Thanks,

When I use packet-tracer in both directions with the endpoint IPs, it works; all phases show allowed. I see the hits against the ACLs that show the packet entering the outside interface of the ASA and the build-up of the connection, so the initial step of the external host ACK is reaching the web server in the DMZ. I see the hits against the incoming DMZ interface from the web server, and then the log shows that the SYN/ACK is not in the state table and drops the outgoing packet. Since there is no outgoing SYN/ACK, there is no three-way handshake, no login prompt, no web page to the endpoint.
I even changed the security settings on the outside interface to match the DMZ, enabled the inter and intra connections, and that didn't work. ACLs on the incoming and outgoing outside and DMZ interfaces have any any tcp and any any ip, but still the same result.
DMZ hosts point to the ASA. ASA points to the external router on the outside interface. Pings all work fine. Tried ACLs at the top with port 443, but no hits on that. Even tried bypass with the same result. The initial packet from the external host doesn't seem to enter the state table, so when the host sends the reply (SYN/ACK) the ASA knocks it down.
Also tried twice NAT with static source/destination/port so that what comes in should be what is sent to the DMZ.
If I understand this device, I should have a rule that lets traffic in the outside interface from the external networks, a rule that allows DMZ traffic out the outside interface, a rule that allows external traffic in the DMZ and a rule that allows DMZ internal traffic back out to the external interface.
Still fuzzy on exactly how the data goes between the outside and the DMZ interfaces. 
Is there something else I need to do or define to use HTTPS?  I see that HTTP is defined and also has inspection rules.
I can try the captures tomorrow at work.
Thanks, for any pointers you can provide me.
Peyton
This is my first, painful experience with the ASA. 
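A capture and conn-table check for the failing flow, added here as an example; it is not part of the original post or of Cisco's documentation. The interface name dmz1, the remote client 192.0.2.50 (source port 51234) and the DMZ web server 10.10.1.20 are assumed placeholders; substitute the real endpoints. One caveat before reading packet-tracer output: packet-tracer simulates the first packet of a brand-new connection, so it can report "allowed" in both directions while a real SYN/ACK, which is matched against the existing conn entry rather than evaluated as a new flow, is still dropped. The captures below, especially the asp-drop capture, show what actually happened to that packet and why.

```cisco
! Added example, not from the original post. Assumed placeholders:
! remote client 192.0.2.50:51234, DMZ web server 10.10.1.20 on interface dmz1.

! 1. Capture the same conversation on both interfaces so the two views can be compared.
capture CAP_OUT interface outside match tcp host 192.0.2.50 host 10.10.1.20 eq 443
capture CAP_DMZ interface dmz1 match tcp host 192.0.2.50 host 10.10.1.20 eq 443

! 2. Capture every packet the accelerated security path drops, together with the drop reason.
capture CAP_DROP type asp-drop all

! 3. Reproduce the HTTPS attempt from the remote site, then inspect.
! Does the SYN create a conn entry, and on which interface pair?
show conn address 192.0.2.50
! SYN arriving from the remote site; is the SYN/ACK ever seen leaving?
show capture CAP_OUT
! SYN forwarded to the server and the SYN/ACK coming back from it
show capture CAP_DMZ
! The dropped SYN/ACK with its drop reason
show capture CAP_DROP | include 10.10.1.20
! Drop counters by reason (for example tcp-not-syn or acl-drop)
show asp drop

! 4. packet-tracer builds a fresh simulated connection from a SYN; it cannot replay a
!    mid-flow SYN/ACK against the conn table, so "allowed" here does not contradict
!    a drop recorded in CAP_DROP.
packet-tracer input outside tcp 192.0.2.50 51234 10.10.1.20 443 detailed

! 5. Remove the captures when done; they consume memory on the 5505.
no capture CAP_OUT
no capture CAP_DMZ
no capture CAP_DROP
```

Compare the interface recorded in the conn entry with the interface on which the SYN/ACK is actually received: a reply that comes back through an interface other than the one the connection was built toward is an asymmetric-path symptom, while a reply on the expected interface whose addresses or ports differ from the conn entry points at a translation or routing mismatch for the return direction.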

Similar Messages

  • How to configure simultaneous access for 11i application

    Hi All
    We have one existing 11i application instance on node grid1, in which we start the services from the apps user.
    Likewise, we want another node for the same application in which we will start the services from another user (merge).
    For that we perform the following steps:
    1. Copy the APPL_TOP, COMMON_TOP, ORA_TOP (8.0.6, iAS) from node "GRID1" to a different node "GRID2"
    2. Configure the GRID2 node using the adcfgclone.pl utility (we have configured the new node for Web and Forms Server)
    3. We perform the modifications in the following files on GRID2:
    i. Identify the 'FNDNAM=apps' statement in $FND_TOP/secure/<context>.dbc
    and replace it with 'FNDNAM=merge' to connect to the MERGE schema instead of APPS.
    ii. Go to the last line of the $APACHE_TOP/jserv/etc/zone.properties file
    and identify the 'schema=APPS' statement and change it to 'schema=MERGE'
    iii. Identify the lines below in the $APACHE_TOP/modplsql/cfg/wdbsvr.app file
         password = apps
         username = apps
         document_table = APPS.fnd_lobs_document
    and replace them with the modified lines below
         password = merge
         username = merge
         document_table = MERGE.fnd_lobs_document
    6. For redirecting users' requests to the new Application Server, we
    changed the following 4 system profile options with the proper URL and port
    at responsibility level, only for the responsibilities
    which we use for Merge views.
    Profile Options
         Application Framework Agent
         Applications JSP Agent
         Applications Web Agent
         Apps Servlet Agent
    We are able to start the services on the GRID2 node, but at the time of login we get an invalid user name/password error.
    Please let us know if there is any way to access the application other than as the apps user.
    Regards
    Sohail

    Well, thank you very much. I know how to define a DataSource inside WebLogic Server.
    But I am confused over one issue.
    When we are going to use a Container Managed EntityManager inside the SessionBean, the persistence.xml file looks like this:
    <persistence>
         <persistence-unit name="RamsEJBPU" transaction-type="JTA">
              <jta-data-source>myJtaDataSource</jta-data-source>
         </persistence-unit>
    </persistence>
    But in some cases it looks like as shown below:
    <persistence>
         <persistence-unit name="RamsEJBPU" transaction-type="resource-local">
              <provider>org.hibernate.ejb.HibernatePersistence</provider>
              <properties>
                   <property name="hibernate.connection.driver_class" value="oracle.jdbc.driver.OracleDriver"/>
                   <property name="hibernate.connection.url" value="jdbc:oracle:thin:@localhost:1521:orcl"/>
                   <property name="hibernate.connection.username" value="CHENNAISPAT"/>
                   <property name="hibernate.connection.password" value="CHENNAISPAT"/>
              </properties>
         </persistence-unit>
    </persistence>
    Can you please tell me why it is so?

  • How to configure firewall access for ASA 5510

    Hi,
    This is my first time using the Cisco ASA 5500 family. I have a request from a user to create an access rule to allow all LAN traffic to destination IP addresses 165.241.29.17 and 165.241.31.254 with destination TCP ports 5060, 5061, 5070 and UDP ports 50000-52399.
    I want to do this using ASDM, How do I accomplish this?
    Thanks,
    Jojo

    Hey Jojo, I use ASDM to manage my ASA, so the steps below should get you a general access rule to allow what you need.
    1. Log into your ASA using ASDM. On the top tabs look for "Configuration".
    2. Once you click "Configuration", on the left side panel down at the bottom you should see "Firewall". Make sure you're in the "Firewall" menu, and at the top you should be viewing "Access Rules". You should see a list of access rules applied to your ASA.
    3. At the top you should see a green "+Add" to add a new access rule to your ASA. Once clicked, you should identify:
         a. Interface - INSIDE or OUTSIDE
         b. Action - PERMIT or DENY
         c. Source - the subnet that needs to talk to the destination address
         d. Destination - use the [...] box to create a Network Object for 165.241.29.17 and 165.241.31.254; use a /32 mask for a specific IP address and not a range
         e. Service - again use the [...] box to create TCP and UDP Service Groups for the specific ports
    4. You can then enter a description of the specific access rule and enable logging.
    This should be it... let me know how this works out for you!!
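The same rule expressed on the ASA command line, added here as an example rather than taken from the reply above. The object-group and ACL names (REMOTE_SERVERS, REMOTE_TCP_PORTS, REMOTE_UDP_PORTS, INSIDE_IN), the interface name "inside" and the LAN subnet 192.168.10.0/24 are assumptions; only the two destination addresses and the port list come from the request. Scoping the source to the LAN subnet rather than "any" is deliberate: the rule should cover the hosts that were asked for, not every address that can reach the interface.

```cisco
! Added example: CLI equivalent of the ASDM steps. Names, the "inside" interface and
! the 192.168.10.0/24 source subnet are assumed placeholders.

object-group network REMOTE_SERVERS
 network-object host 165.241.29.17
 network-object host 165.241.31.254

object-group service REMOTE_TCP_PORTS tcp
 port-object eq 5060
 port-object eq 5061
 port-object eq 5070

object-group service REMOTE_UDP_PORTS udp
 port-object range 50000 52399

! One line per protocol; "log" gives you a 106100 syslog per matching flow for troubleshooting.
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 object-group REMOTE_SERVERS object-group REMOTE_TCP_PORTS log
access-list INSIDE_IN extended permit udp 192.168.10.0 255.255.255.0 object-group REMOTE_SERVERS object-group REMOTE_UDP_PORTS log

! Caveat: once an access-group is bound to the inside interface, the implicit permit for
! traffic from a higher- to a lower-security interface no longer applies. Everything the LAN
! needs that is not listed in INSIDE_IN is then dropped by the implicit deny at the end of
! the list, so add the remaining permitted traffic before applying the ACL.
access-group INSIDE_IN in interface inside

! Verify the entries and their hit counts after testing.
show access-list INSIDE_IN
```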

  • How to configure MS-Access 2010 DB details on WebLogic using DBAdapter

    Hi Experts,
    Can anyone help me with how to configure MS-Access 2010 DB details on WebLogic 11g using DBAdapters?
    If you provide step-by-step instructions, it will be very useful to me.
    If you have any screenshots, can anyone please send a file to my mail ID: [email protected]
    My Requirement:
    I need to fetch 3 columns of data (product code, serial number and serial status) from MS-Access 2010 and store it in Oracle 11g. For that I have written web service code, and I need to automate it. I don't have any idea how to automate this web service (automation means that whenever a new record is stored in MS-Access, I need to fetch the newly created record from MS-Access 2010 and send it to Oracle 11g).
    Note: MS-Access 2010 is present on the vision system and Oracle 11g is installed on a Linux server.
    Thanks,
    Phani

    Hi,
    I am also facing the same issue, not sure what URL to use. Also, the login web service doesn't work while I am testing using http://localhost:81/RTC/RTCService.asmx. It always throws the following error:
    "Unable to cast COM object of type 'RTCLib.RTCClientClass' to interface type 'RTCLib.IRTCClient'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{07829E45-9A34-408E-A011-BDDF13487CD1}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE))."
    Does the current owc_lcs.zip support MS Office Communications Server 2007?
    Please share the configuration steps if anyone has already integrated OCS 2007.
    Thanks,
    -Mukesh.
    Edited by: user9127933 on Feb 19, 2010 4:05 AM

  • How to configure release procedure for rate contracts release

    Dear all,
    How to configure the release procedure for rate contracts? Following are the requirements:
    There are two release codes, c1 & c2 (<=100000, >=100000); if c1 is not there, c2 has to be approved.
         Change in the value of the rate contract
         Change in the validity of the rate contract
         Addition or deletion of line items
    While using a non-released rate contract in the PO, an error message should shoot out.
    Also the logic should be changed while using the rate contract in the PO.
    The usage of the rate contract should be till the validity of the rate contract, i.e. the measurement should be the end date of the rate contract against the PO creation date and not the delivery date of the PO; and
    it should be possible to refer to existing valid rate contracts in purchase orders.
    Regards,
    bhaskar

    Hi,
    In SAP a rate contract is known as a value contract, denoted with WK. The release procedure for rate contracts is the same as that for other contracts and scheduling agreements. The tables for contracts will vary from those for an SA (scheduling agreement). You may try to maintain condition records based on the customer combination and maintain the validity date of the condition records as per your requirement. Contracts and POs have the same header/item tables, EKKO/EKPO, and the release class in the standard is the same, FRG_EKKO; you can use the same for contracts.
    To distinguish whether it's a contract or a PO, EKKO-BSART can be used.
    For a contract EKKO-BSART will be MK or WK, while a PO will have NB/UB etc.
    You can restrict the document type to set up the release strategy only for contracts.
    Of course, you can also create your own release class Z* for contracts by copying the standard
    one, FRG_EKKO, via CL01 / class type 032, and then assign the class Z* in customizing:
    OLME:
    -> Contract
    -> Release Procedure for Contracts
    -> Define Release Procedure for Contracts
    -> Release Groups
    If you have already created the PO release class,
    assign a new characteristic of Document Category - BSTYP.
    Please check the link below for the detailed release procedure. I hope this will help you out. Thanking you.
    http://wiki.sdn.sap.com/wiki/display/ERPSCM/RELEASE+PROCEDURE#RELEASEPROCEDURE-TABLESUSEDFORRELEASEPROCEDURES

  • How to configure Broadcast messaging for IC Webclient profile

    Dear all,
    How to configure Broadcast messaging for the IC Webclient profile? What are the prerequisites for it?
    We are not using the EP interface for the IC Webclient, so where can I find the broadcast messaging URL in the SAP CRM system?
    I have checked for the relevant BSP application, but could not find it.
    Please help me to configure the scenario successfully, your help will be highly appreciated.
    Best regards,
    Raghu ram

    Hi raghu
    In CRM the broadcast messaging application is CRM_BM.
    Go to Easy Access, go to Favourites, select Add other objects, select BSP Applications, then select the CRM_BM application.
    Select that BSP application and test it...
    Regards,
    Narsimha

  • How to configure to access internet on Solaris 10 SPARC

    Dear All,
    How do I configure internet access on Solaris 10 SPARC?
    Thanks and regards,
    Heng

    What you need is just an IP address on your network interface, and to configure DNS in /etc/nsswitch.conf and /etc/resolv.conf.
    More details here : http://docs.oracle.com/cd/E23823_01/html/816-4554/index.html

  • How to configure Email notification for User login's in Exchange Infrastructure?

    How to configure email notification for user logins on client machines?

    Hi ,
    Based on the description, you need to assign logon scripts to the end users via Group Policy, and also use your Exchange server as the SMTP server in that logon script to relay emails to the internal recipients.
    Thanks & Regards S.Nithyanandham

  • How to configure SMTP server for osb 10.3.1

    Hi All,
    Can anyone share information on how to configure SMTP server for osb 10.3.1
    and then how to send an email from osb 10.3.1
    Thanks in Advance!!

    Thanks a lot!!
    I configured it the same way. When I send email to an account on the same domain as my SMTP server, the sending of email is successful. But it gives an error when I try to send an email to an account which is on a different domain. It gives the error "Operation has been cancelled".
    Please suggest something.

  • If I own Adobe Photoshop Elements 12 and have it installed on my computer, how can I get access to Adobe Bridge without a monthly subscription?  Is there a way to use Adobe Photoshop and Bridge without paying a monthly fee?

    Hi Jaclyn2,
    Please follow the steps mentioned in the kb: http://helpx.adobe.com/creative-suite/kb/error-update-server-repsonding-cs4.html .
    Regards,
    Romit Sinha

  • How do I get audio for my apps without headphones?

    How do I get audio for my apps without headphones?  For some reason I can only hear the audio for many of my apps through my headphones. I've got the latest version of the OS so I'm not sure what else to do.  Volume works fine for all apps that use video like Netflix and YouTube. Help!

    Instead of turning it off, try a reset. Press & hold the Power and Home buttons together for 10+ seconds, ignoring the red power-off slider, until you see the Apple logo.
    If the reset is not enough to knock a little sense into it, make sure that everything is backed up and restore the iPad to the factory settings.

  • HT5534 How do i purchase keynote for multiple users without a MAC computer?

    Guy, you see, I understand you need to be on the Mac on which you want to download Keynote.
    And yeah, Keynote only works with Mac OS X and iOS.

  • OBIEE 11g - How to configure Virtual IP for servers hosting OBIEE 11g

    Hi,
    I have 2 Linux servers.
    I have installed OBIEE 11.1.1.6 on the first server and did a scale-out on the second server.
    I don't have a Load Balancer.
    I want to configure Virtual IP for these hosts.
    Please advise how to do it.
    Thanks
    Nitin Aggarwal

    Refer to the links below.
    http://www.rittmanmead.com/2008/12/obiee-high-availability-the-bi-server/
    http://www.rittmanmead.com/2009/02/obiee-high-availability-presentation-services-and-scheduler/
    Thanks
    Jay.

  • How easy to sniff a public FTP/HTTP username and password?

    Hi IT Colleagues,
    I understand that using plain FTP/HTTP, it is possible to sniff the username and password using a sniffer like Wireshark.
    However, I just want to know how easy it is to do.
    I know that in order to sniff, you should be in the same network or subnet as the website or FTP site.
    Regards,
    Jhun

    It is trivially easy to sniff credentials out of FTP and HTTP due to the fact that there is no encryption at play. One should also not simply consider the risks of someone running a sniffer on your local area network, or on the local area network of the remote server, website or FTP site, but should consider the possibility for traffic to be sniffed along the way. The NSA is doing a rather good job of sniffing all of our traffic, credentials and all! Don't just worry about someone like the NSA though; a malicious user on an ISP network, or an administrator of a proxy server, could just as easily sniff the plain text traffic.
    Kieran Jacobsen @kjacobsen http://aperturescience.su

  • How to configure internet proxy for portlet builder

    Hi All,
    We have downloaded the portlet builder from developer.bea.com. But while trying
    to access xmethods for adding a web service, it can't access it as the internet connection
    is through a proxy.
    Can anybody please tell me how to configure the internet proxy with this portlet
    builder?
    TIA,
    Sudarson

    Hi, I got the same problem... I tried to configure a web service with Portal Builder
    7.0 in BEA E-Business Control Center... But I cannot proceed because there is no
    hint for a proxy... Have you found a solution?
    "sudarson" <[email protected]> wrote:
    > Hi All,
    > We have downloaded the portlet builder from developer.bea.com. But while trying
    > to access xmethods for adding a web service, it can't access it as the internet connection
    > is through a proxy.
    > Can anybody please tell me how to configure the internet proxy with this portlet
    > builder?
    > TIA,
    > Sudarson
