DMZ Servers can not browse the web

[Alcone]

Not sure if anyone has run into this or not. We are using 6.2(1) in a failover config.

The issue is that randomly our internal web servers located on our DMZ stop being able to access public web sites. The only thing we have found at this point to correct the issue is to run the following commands

nat (DMZ1) 1 0 0
no static (DMZ1,outside) XXX.XXX.XXX.0 XXX.XXX.XXX.0 netmask 255.255.255.0 0 1
clear xlate

static (DMZ1,outside) XXX.XXX.XXX.53 XXX.XXX.XXX.53
clear xlate

no static (DMZ1,outside) XXX.XXX.XXX.53 XXX.XXX.XXX.53
static (DMZ1,outside) XXX.XXX.XXX.0 XXX.XXX.XXX.0
clear xlate

no nat (DMZ1) 1 0 0

nat (DMZ2) 1 0 0
no static (DMZ2,outside) XXX.XXX.XX2.0 XXX.XXX.XX2.0 netmask 255.255.255.0 0 1
clear xlate

static (DMZ2,outside) XXX.XXX.XX2.130 XXX.XXX.XX2.130
clear xlate

no static (DMZ2,outside) XXX.XXX.XX2.130 XXX.XXX.XX2.130
static (DMZ2,outside) XXX.XXX.XX2.0 XXX.XXX.XX2.0
clear xlate

no nat (DMZ2) 1 0 0


This seams to work for about a day to 2 days or an hour to 2 hours sometimes.

Has anyone seen this. TAC is not sure what could cause this.

Thanks in advance for your assitance.

straitj@alconemarketing.com

 

[gbiello]

What do your global commands look like? Make sure you only specify a single address and not a range. Can you post your config?

-gbiello

 

[Alcone]

Here are the global and nat statements from the config.




global (outside) 1 interface
global (DMZ1) 1 interface
global (DMZ2) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

 

[yizhar]

HI.

Please provide more details about your network.

Does the perimeter router perform NAT ?

What about syslog messages?

When you have the problem, try to telnet from DMZ to the perimeter router ip address - can you?

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar