DMZ Setup

Answered Question

I am getting this error when hosts on the DMZ try to access the internet.

It seems no matter what I try, the implicit rule keeps blocking access.

Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 by access-group "dmz-entry" [0x0, 0x0]

Thank you in advance for any assistance.


eddie.mitchell@... Sat, 02/14/2009 - 13:24

Port 25261? Can you post a sanitized copy of your config?

eddie.mitchell@... Sat, 02/14/2009 - 18:56

I don't see a rule for Internet access on the 'dmz-entry' ACL? I only see MS-SQL and DNS.

eddie.mitchell@... Sun, 02/15/2009 - 11:48

If you just need Internet access (port 80/443), then you just need something to the effect of:


access-list dmz-entry permit tcp host any eq 80

access-list dmz-entry permit tcp host any eq 443


It looks like you already have some rules configured for DNS.

eddie.mitchell@... Sun, 02/15/2009 - 14:35

I think I'm a bit confused. The example ACEs I provided above were to allow outbound Internet access from your DMZ host(s).


If you would like to allow outbound Internet access for your entire DMZ subnet, I would add something like this:


access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 443

I have tried that...

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80

ERROR: IP address,mask <192.168.140.251,255.255.255.0> doesn't pair.


And you are correct what I need is outbound from the DMZ to the internet.

And that is the correct SM I have listed in the interfaces. This whole thing is making me crazy :)


Thanks for your patience with me.


Correct Answer
eddie.mitchell@... Sun, 02/15/2009 - 14:59

Ah. I'm sorry. The ACEs were meant to be:


access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80


access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443

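As an added illustration (editor's example, not part of the thread and not Cisco code), the following Python models the two things that went wrong above: the "doesn't pair" error from the ACE whose network address (192.168.140.251) has host bits set under a 255.255.255.0 mask, and the ASA's first-match evaluation with the implicit deny at the end of the ACL. It assumes a small subset of ASA ACE syntax (permit/deny, tcp/udp/ip, `any`, `host A.B.C.D`, `A.B.C.D MASK`, optional numeric `eq PORT`), and uses the deny message and the ACEs quoted in this thread as constructed input. Replaying the logged flow against the corrected ACL also shows that the connection in the original log went to destination port 25261, which neither the port 80 nor the port 443 ACE covers, so that particular flow stays denied even after the ACL is fixed; only flows to 80 or 443 get through.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def parse_endpoint(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    # strict=True rejects an address with host bits set under the mask;
    # that is the condition the ASA reports as "doesn't pair".
    try:
        return ipaddress.IPv4Network(f"{tok}/{mask}", strict=True)
    except ValueError:
        raise ValueError(f"ERROR: IP address,mask <{tok},{mask}> doesn't pair")


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' (ASA syntax subset)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 7:
        raise ValueError(f"not an access-list line: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]
    src = parse_endpoint(rest)
    dst = parse_endpoint(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None   # numeric ports only
    return name, Ace(action, proto, src, dst, dport)


def validate_ace(line: str) -> Optional[str]:
    """Return the error text the ACE provokes, or None if it parses cleanly."""
    try:
        parse_ace(line)
        return None
    except ValueError as exc:
        return str(exc)


# Matches the access-group deny message quoted in the question.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_deny_log(line: str) -> dict:
    m = DENY_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised deny message: {line!r}")
    return m.groupdict()


def evaluate(acl: List[Ace], proto: str, sip: str, dip: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation; no match falls through to the implicit deny (index None)."""
    for idx, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if ipaddress.IPv4Address(sip) not in ace.src or ipaddress.IPv4Address(dip) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


def check_flow(acl_lines: List[str], log_line: str) -> Tuple[str, Optional[int]]:
    """Replay the flow from a deny message against a candidate ACL."""
    acl = [parse_ace(l)[1] for l in acl_lines]
    f = parse_deny_log(log_line)
    return evaluate(acl, f["proto"], f["sip"], f["dip"], int(f["dport"]))


# Constructed inputs, copied from the thread above.
DENY_LOG = ('Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 '
            'by access-group "dmz-entry" [0x0, 0x0]')
BAD_ACE = "access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80"
DMZ_ENTRY = [
    "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80",
    "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443",
]

if __name__ == "__main__":
    print(validate_ace(BAD_ACE))                # the "doesn't pair" message
    print(check_flow(DMZ_ENTRY, DENY_LOG))      # ('deny', None): port 25261 is not 80/443
    acl = [parse_ace(l)[1] for l in DMZ_ENTRY]
    print(evaluate(acl, "tcp", "192.168.140.10", "68.15.170.162", 443))   # ('permit', 2)
```

The `eq` port in these ACEs is the destination port of the outbound flow, which is why the logged connection to port 25261 falls through to the implicit deny. The parser deliberately ignores object-groups, port ranges, named ports and source-port matches, all of which a real ASA accepts; extend `parse_ace` before using it on a production ACL.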
eddie.mitchell@... Fri, 02/20/2009 - 11:04

I just looked again at the config you posted and I don't see an ACL applied to the inside interface.

eddie.mitchell@... Fri, 02/20/2009 - 12:19

Did you apply the ACL to your inside interface?


access-group inside_access_in in interface inside


For the FTP connection, you need to add an entry to your DMZ ACL.
