DMZ Setup

Answered Question

I am getting this error when hosts on the DMZ try to access the internet.

It seems no matter what I try, the implicit rule keeps blocking access.

Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 by access-group "dmz-entry" [0x0, 0x0]

Thank you in advance for any assistance.

eddie.mitchell@... Sun, 02/15/2009 - 11:48

If you just need Internet access (port 80/443), then you just need something to the effect of:

access-list dmz-entry permit tcp host any eq 80

access-list dmz-entry permit tcp host any eq 443

It looks like you already have some rules configured for DNS.

eddie.mitchell@... Sun, 02/15/2009 - 14:35

I think I'm a bit confused. The example ACEs I provided above were to allow outbound Internet access from your DMZ host(s).

If you would like to allow outbound Internet access for your entire DMZ subnet, I would add something like this:

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 443

I have tried that...

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80

ERROR: IP address,mask <192.168.140.251,255.255.255.0> doesn't pair.

And you are correct what I need is outbound from the DMZ to the internet.

And that is the correct SM I have listed in the interfaces. This whole thing is making me crazy :)

Thanks for your patience with me.

Correct Answer
eddie.mitchell@... Sun, 02/15/2009 - 14:59

Ah. I'm sorry. The ACEs were meant to be:

access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80

access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443
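A small model of what the firewall does with these lines, added here as an illustration and not taken from the thread or from Cisco: it reproduces the "doesn't pair" check that rejected 192.168.140.251 with a /24 mask, parses the corrected ACEs, and evaluates the denied flow from the question against them. Assumed: first-match ACL semantics with an implicit deny at the end, and the simplified ACE and syslog formats shown in the thread.

```python
import ipaddress
import re

# Constructed sample input: the corrected ACEs from the thread plus the deny line quoted in the question.
ACES = [
    "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80",
    "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443",
]
DENY_LOG = 'Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 by access-group "dmz-entry" [0x0, 0x0]'
LOG_RE = re.compile(r"Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")

def address_mask_pairs(addr: str, mask: str) -> bool:
    """The ASA's 'doesn't pair' check: every host bit (bits clear in the mask) must be zero."""
    host_bits = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & host_bits == 0

def _parse_addr(tokens):
    """Consume one ACE address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":  # 'host any' is rejected here, as the ASA rejects it
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if not address_mask_pairs(addr, mask):
        raise ValueError(f"IP address,mask <{addr},{mask}> doesn't pair.")
    return ipaddress.IPv4Network(f"{addr}/{mask}"), tokens[2:]

def parse_ace(line: str) -> tuple:
    """Return (action, proto, src_net, dst_net, dst_port_or_None) for one extended ACE."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line}")
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return t[2], t[3], src, dst, dport

def parse_deny_log(line: str) -> tuple:
    """Pull (proto, src_ip, dst_ip, dst_port) out of an ASA 'Deny ... by access-group' line."""
    m = LOG_RE.search(line)
    return m.group(1), m.group(2), m.group(3), int(m.group(4))

def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation; no matching ACE means the implicit deny at the end of the ACL."""
    for action, p, src_net, dst_net, port in map(parse_ace, acl):
        if p in (proto, "ip") and ipaddress.IPv4Address(src) in src_net \
                and ipaddress.IPv4Address(dst) in dst_net and port in (None, dport):
            return action
    return "deny (implicit)"
```

Evaluated against the logged flow, the corrected ACEs still end in the implicit deny, because that connection was to destination port 25261, not 80 or 443; only web traffic from the DMZ subnet is permitted by these two lines.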

eddie.mitchell@... Fri, 02/20/2009 - 11:04

I just looked again at the config you posted and I don't see an ACL applied to the inside interface.

eddie.mitchell@... Fri, 02/20/2009 - 12:19

Did you apply the ACL to your inside interface?

access-group inside_access_in in interface inside

For the FTP connection, you need to add an entry to your DMZ ACL.
