configuring dmz on asa 5500

Unanswered Question
Feb 6th, 2008
User Badges:

am trying to get a DMZ configured . I have allowed the interesting traffic to go from the Inside inteface to the DMZ and vice versa but its still being dropped.

When I do a packet trace it tells me the Implicit deny ACL rule is the cause of my problems but there are rules above it that match my traffic. So I am confused I dont know if there something I am missing.

I have permitted any any for troublehooting purposes but still no dice.

Thanks for your help

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (3 ratings)
acomiskey Wed, 02/06/2008 - 12:23
User Badges:
  • Green, 3000 points or more

I would suggest starting over again with those acl's.

To get traffic from inside to dmz you do not need an acl at all.

To get traffic from the dmz to the inside, write an acl and apply it with "access-group dmz_access_in in interface dmz". For ex, to allow a host on dmz to hit a host on the inside on port 80, it would look like this...

access-list dmz_access_in extended permit tcp host 192.168.10.x host 192.168.3.x eq www

access-group dmz_access_in in interface dmz

keith.k.quaye Fri, 02/08/2008 - 04:49
User Badges:

Thanks I did that but still couldnt get my ping to work from to the dmz server

I made changes and now I can ping from the above IP to the servers real IP but I cant ping to its External ip.

Also I have allowed remote desktop traffic to go to the dmz server but I keep getting reset -0 in the syslog .

I am attaching current config

acomiskey Fri, 02/08/2008 - 08:59
User Badges:
  • Green, 3000 points or more

To communicate with the dmz server on it's external ip from the inside you have to do something like this...

static (DMZ,inside) netmask

husycisco Fri, 02/08/2008 - 09:20
User Badges:
  • Gold, 750 points or more

Hi Keith

For getting PING to work, you should permit the icmp traffic either by ACL or by policy inspections.

Here is the icmp inspection

policy-map global_policy

class inspection_default

inspect icmp


access-list youracl permit icmp source destination (you can type any to source and any to destinatin temporarily during troubleshooting and it will allow all icmp traffic. You should do it in bot dmz and inside acls)


keith.k.quaye Fri, 02/08/2008 - 09:37
User Badges:

Thanks for your help guys you were very helpful I finally got it right and apparently the server guy forgot to enable RDP so I was pulling my hair out wondering what was wrong. It doesn't help that I am doing this remotely.


This Discussion