
DMZ Setup

mhoffman
Level 1

I am getting this error when hosts on the DMZ try to access the internet.

It seems that no matter what I try, the implicit rule keeps blocking access.

Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 by access-group "dmz-entry" [0x0, 0x0]

Thank you in advance for any assistance.

Accepted Solution

Ah. I'm sorry. The ACEs were meant to be:

access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80

access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443


14 Replies

eddie.mitchell
Level 3

Port 25261? Can you post a sanitized copy of your config?

Here it is, thanks.

I don't see a rule for Internet access on the 'dmz-entry' ACL? I only see MS-SQL and DNS.

I have tried adding rules but I may be adding them to wrong place.

What type of rule do I need to add to dmz_entry?

Thank you.

If you just need Internet access (port 80/443), then you just need something to the effect of:

access-list dmz-entry permit tcp host any eq 80

access-list dmz-entry permit tcp host any eq 443

It looks like you already have some rules configured for DNS.

1) My inbound rules for 80 and 443 work fine.

2) No hosts on the DMZ can pull web pages.

3) Is there a way to add a global rule so the hosts on the DMZ can get outbound Internet access?

Again thank you.

I think I'm a bit confused. The example ACEs I provided above were to allow outbound Internet access from your DMZ host(s).

If you would like to allow outbound Internet access for your entire DMZ subnet, I would add something like this:

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 443

I have tried that...

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80

ERROR: IP address,mask <192.168.140.251,255.255.255.0> doesn't pair.

And you are correct what I need is outbound from the DMZ to the internet.

And that is the correct SM I have listed in the interfaces. This whole thing is making me crazy :)

Thanks for your patience with me.

Ah. I'm sorry. The ACEs were meant to be:

access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80

access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443
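As an added illustration (not code from the thread), here is a small Python model of how the ASA walks this ACL: it parses the deny line from the original post, evaluates the ACEs from the accepted solution in order, and reproduces the "doesn't pair" mask check that tripped the earlier attempt. The regex and the supported ACE syntax are my own simplifying assumptions.

```python
import ipaddress
import re

# Constructed sample input: the deny message quoted in the original post.
DENY_LOG = ('Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 '
            'by access-group "dmz-entry" [0x0, 0x0]')

# The two ACEs from the accepted solution.
DMZ_ENTRY = [
    "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80",
    "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443",
]

# Assumed shape of an ASA access-group deny line (interface:addr/port pairs).
LOG_RE = re.compile(r'Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
                    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def parse_deny(line):
    """Extract protocol, addresses, ports and ACL name from a deny log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an access-group deny message")
    d = m.groupdict()
    return {"proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]), "dport": int(d["dport"]), "acl": d["acl"]}


def network_for(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    try:
        # strict=True rejects host bits set under the mask, the same condition the
        # ASA reports as "IP address,mask <addr,mask> doesn't pair".
        return ipaddress.IPv4Network((addr, mask)), tokens[2:]
    except ValueError:
        raise ValueError(f"IP address,mask <{addr},{mask}> doesn't pair") from None


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' (a subset of ASA syntax)."""
    t = line.split()
    src, rest = network_for(t[4:])
    dst, rest = network_for(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None   # destination port, if given
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, pkt):
    """First matching ACE wins; anything unmatched falls through to the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] == pkt["proto"]
                and ipaddress.IPv4Address(pkt["src"]) in ace["src"]
                and ipaddress.IPv4Address(pkt["dst"]) in ace["dst"]
                and ace["dport"] in (None, pkt["dport"])):
            return ace["action"]
    return "implicit-deny"
```

Running `evaluate(DMZ_ENTRY, parse_deny(DENY_LOG))` returns "implicit-deny" because destination port 25261 is neither 80 nor 443, while the same flow to port 443 returns "permit"; feeding `parse_ace` the 192.168.140.251 / 255.255.255.0 line raises the "doesn't pair" error.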

Did the trick. Thank you.

I had also forgotten the:

access-group dmz_entry in interface dmz command.

Problem solved...

Now that I have that working.

I have lost internet from the inside network.

Any idea ?

I just looked again at the config you posted and I don't see an ACL applied to the inside interface.

access-group inside_access_in in interface inside.

When I give the command:

access-list inside_access_in permit tcp 192.168.110.0 255.255.255.0 any eq 80

What I really need to do is be able to FTP files from a host on the dmz to a host on the inside network.

The command succeeds but nothing changes.

Did you apply the ACL to your inside interface?

access-group inside_access_in in interface inside

For the FTP connection, you need to add an entry to your DMZ ACL.
