DMZ Config for Internet access.

ddevecka
Level 1

I am setting up ASA 5505s for some telecommuters and I have a question. I broke the ASA into 3 VLANs: one for the outside internet connection from cable, DSL, or whatever; one for the VPN back to our Corp Network; and one for the DMZ to allow full access to the net for home computers. My VPN to the corp network works great, but the DMZ doesn't allow traffic to flow to the internet. Here is how I have the DMZ configured.

interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.240.1 255.255.255.0
interface Ethernet0/1
 switchport access vlan 5
interface Ethernet0/2
 switchport access vlan 5
interface Ethernet0/3
 switchport access vlan 5
dhcpd address 192.168.240.100-192.168.240.150 dmz
dhcpd enable dmz

There is no ACL, and the no forward statement is there so the DMZ can't get to the inside (Corp VPN) interface; DHCP is for any PCs or other wireless routers plugged into the DMZ ports.

Any help would be appreciated.

Dan


JORGE RODRIGUEZ
Level 10

Hi Dan,

In your description: "but the DMZ doesn't allow traffic to flow to the internet"

You need to NAT your DMZ interface with your global in order to get outbound internet access, including an access list to permit DMZ outbound internet.

nat (dmz) 1 192.168.240.0 255.255.255.0
global (outside) 1 interface
access-list dmz_access extended permit ip any any
access-group dmz_access in interface dmz

The above will provide outbound internet access for the dmz segment.

"No ACL and the no forward statement so the DMZ can't get to the inside (Corp VPN) interface and DHCP for any PC's or other wireless routers plugged into the DMZ ports."

Now... I'm not too sure about your above statement; do you mean the DMZ segment is unable to access the CorpVPN interface segment? PLS let me know if I am not understanding correctly.

You will need a couple of statements, assuming the interface in the ASA is (corpVPN) and its subnet is 20.20.20.0/24.

You can do a nonat access list, or add to your existing nonat ACL:

access-list inside_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (dmz) 0 access-list inside_nat0_outbound

Or you can also do this instead of the above:

static (inside,dmz) 20.20.20.0 20.20.20.0 netmask 255.255.255.0

and allow traffic from dmz to inside via an ACL.

Regards

Jorge Rodriguez

I thought I had the following in the config but didn't.

nat (dmz) 1 192.168.240.0 255.255.255.0
global (outside) 1 interface
access-list dmz_access extended permit ip any any
access-group dmz_access in interface dmz

As for the "No ACL and the no forward statement so the DMZ can't get to the inside (Corp VPN) interface and DHCP for any PC's or other wireless routers plugged into the DMZ ports." I just want to keep the DMZ and the inside interface (VPN) separate (no connection between the DMZ and the inside interface).

Thanks

Ok, then you do not need my suggestion pertaining to DMZ access to inside.

PLS let me know if your problem is resolved so I can further assist you, PLS rate post if it helped.

Regards

Jorge Rodriguez

I will test this tonight and let you know.

Thanks.

I had to change "access-list dmz_access extended permit ip any any" to "access-list dmz_access extended permit ip 192.168.240.0 255.255.255.0 any" because this was causing my Internet traffic not to run through the VPN connection and then allowing them to surf whatever, unfiltered.
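As an added example (not code from the thread or from Cisco), the script below applies the two checks this thread turns on to an ASA 8.2-style configuration text: Jorge's point that a non-outside interface gets no Internet access without a nat/global pair toward the outside interface, and Dan's final adjustment that an inbound "permit ip any any" on the dmz interface is wider than the interface's own subnet (and, because an applied ACL replaces the security-level default, also permits traffic toward higher-security interfaces unless something like "no forward interface" blocks it). The sample configuration is constructed from the lines posted in the thread; the inside and outside VLAN lines, and all function names, are assumptions.

```python
"""Audit an ASA 8.2-style config for the DMZ Internet-access conditions discussed in the thread."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the dmz, NAT and ACL lines come from the thread (ACL in its
# original "any any" form); the inside and outside VLAN lines are assumed.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.240.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.240.0 255.255.255.0
access-list dmz_access extended permit ip any any
access-group dmz_access in interface dmz
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map each nameif to its VLAN, security level, subnet and 'no forward' targets."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = {"vlan": m.group(1), "security_level": None,
                       "subnet": None, "no_forward": []}
            continue
        if current is None or not raw.startswith(" "):
            current = None  # an unindented line ends the interface block
            continue
        if line.startswith("nameif "):
            interfaces[line.split()[1]] = current
        elif line.startswith("security-level "):
            current["security_level"] = int(line.split()[1])
        elif line.startswith("no forward interface "):
            current["no_forward"].append(line.split()[3])
        else:
            m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line)
            if m:  # store the network, not the interface address
                current["subnet"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return interfaces


def parse_nat(config: str) -> Tuple[Dict[str, set], Dict[str, set]]:
    """Collect dynamic nat ids per interface and global ids per interface."""
    nat: Dict[str, set] = {}
    glob: Dict[str, set] = {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"nat \((\S+)\) (\d+) ", line)
        if m and m.group(2) != "0":
            nat.setdefault(m.group(1), set()).add(int(m.group(2)))
        m = re.match(r"global \((\S+)\)\s*(\d+) ", line)
        if m:
            glob.setdefault(m.group(1), set()).add(int(m.group(2)))
    return nat, glob


def parse_acls(config: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return ACEs per ACL name and the inbound ACL applied to each interface."""
    acls: Dict[str, List[str]] = {}
    groups: Dict[str, str] = {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"access-list (\S+) extended (.*)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            groups[m.group(2)] = m.group(1)
    return acls, groups


def audit(config: str, outside: str = "outside") -> List[str]:
    """Return findings for every non-outside interface."""
    findings: List[str] = []
    ifaces = parse_interfaces(config)
    nat, glob = parse_nat(config)
    acls, groups = parse_acls(config)
    for name, info in ifaces.items():
        if name == outside:
            continue
        # Outbound Internet needs nat (ifname) <id> paired with global (outside) <id>.
        if not (nat.get(name, set()) & glob.get(outside, set())):
            findings.append(f"{name}: no nat/global pair toward {outside}; "
                            f"outbound Internet traffic will not be translated")
        acl = groups.get(name)
        for ace in acls.get(acl, []) if acl else []:
            if ace.startswith("permit ip any any"):
                # An applied ACL overrides the security-level default, so 'any any'
                # also reaches higher-security interfaces unless 'no forward' blocks them.
                higher = [o for o, i in ifaces.items()
                          if i["security_level"] is not None and info["security_level"] is not None
                          and i["security_level"] > info["security_level"]]
                blocked = [o for o in higher if ifaces[o]["vlan"] in info["no_forward"]]
                exposed = [o for o in higher if o not in blocked]
                findings.append(f"{name}: {acl} 'permit ip any any' is wider than the interface "
                                f"subnet; reachable higher-security interfaces: "
                                f"{', '.join(exposed) or 'none'} (blocked by no forward: "
                                f"{', '.join(blocked) or 'none'})")
    return findings


def recommended_ace(config: str, ifname: str) -> str:
    """The source-restricted ACE from Dan's last post: only the interface's own subnet may exit."""
    net = parse_interfaces(config)[ifname]["subnet"]
    acl = parse_acls(config)[1].get(ifname, f"{ifname}_access")
    return f"access-list {acl} extended permit ip {net.network_address} {net.netmask} any"


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print(recommended_ace(SAMPLE_CONFIG, "dmz"))
```

Run it against the sample and it reports the over-wide dmz ACL (with inside listed as blocked only by "no forward interface Vlan1") and prints the narrowed ACE; remove the "nat (dmz) 1" line and it reports the missing translation that Dan started the thread with.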
