02-14-2009 09:13 AM - edited 03-11-2019 07:50 AM
I am getting this error when hosts on the DMZ try to access the internet.
It seems no matter what I try, the implicit rule keeps blocking access.
Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 by access-group "dmz-entry" [0x0, 0x0]
Thank you in advance for any assistance.
02-14-2009 01:24 PM
Port 25261? Can you post a sanitized copy of your config?
02-14-2009 02:04 PM
02-14-2009 06:56 PM
I don't see a rule for Internet access on the 'dmz-entry' ACL? I only see MS-SQL and DNS.
02-15-2009 09:31 AM
I have tried adding rules but I may be adding them to wrong place.
What type of rule do I need to add to dmz_entry?
Thank you.
02-15-2009 11:48 AM
If you just need Internet access (port 80/443), then you just need something to the effect of:
access-list dmz-entry permit tcp host
access-list dmz-entry permit tcp host
It looks like you already have some rules configured for DNS.
02-15-2009 12:21 PM
1) My inbound rules for 80 and 443 work fine.
2) No hosts on the DMZ can pull web pages.
3) Is there a way to globally rule the hosts on the DMZ to be able to get outbound Internet access?
Again thank you.
02-15-2009 02:35 PM
I think I'm a bit confused. The example ACEs I provided above were to allow outbound Internet access from your DMZ host(s).
If you would like to allow outbound Internet access for your entire DMZ subnet, I would add something like this:
access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80
access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 443
02-15-2009 02:55 PM
I have tried that...
access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80
ERROR: IP address,mask <192.168.140.251,255.255.255.0> doesn't pair.
And you are correct what I need is outbound from the DMZ to the internet.
And that is the correct SM I have listed in the interfaces. This whole thing is making me crazy :)
Thanks for your patience with me.
02-15-2009 02:59 PM
Ah. I'm sorry. The ACEs were meant to be:
access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80
access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443
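As an added illustration (not from the thread, and not Cisco code), here is a small Python model of how an ASA evaluates a named ACL: it parses ACEs in the forms used above (any / host / address mask, with an optional eq port), rejects an address/mask pair that has host bits set (the "doesn't pair" error seen earlier), and replays the deny message from the first post against a constructed ACL to show which ACE, if any, would have matched. The DNS and MS-SQL ACEs are assumptions standing in for the entries the thread mentions but does not quote.

```python
"""Toy ASA-style ACL evaluator (constructed example, not Cisco code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Log format from the thread: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_LOG_RE = re.compile(
    r'Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def mask_pairs(addr: str, mask: str) -> bool:
    """True when no host bits are set under the mask, the condition the ASA
    enforces when it reports 'IP address,mask <a,m> doesn't pair'."""
    try:
        ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        return True
    except ValueError:  # host bits set (or malformed address/mask)
        return False


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if not mask_pairs(addr, mask):
        raise ValueError(f"IP address,mask <{addr},{mask}> doesn't pair")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq N' operator (other operators are not modelled)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(t[1], t[2], t[3], src, sport, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[Ace]]:
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.src_port not in (None, sport) or ace.dst_port not in (None, dport):
            continue
        return ace.action, ace
    return "deny", None


def replay_deny_log(acl_lines: List[str], log_line: str) -> Tuple[str, Optional[Ace]]:
    """Replay a 'Deny ... by access-group' message against the named ACL."""
    m = DENY_LOG_RE.search(log_line)
    if not m:
        raise ValueError("unrecognised log line")
    acl = [parse_ace(l) for l in acl_lines if l.split()[1] == m["acl"]]
    return evaluate(acl, m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


# Constructed ACL: assumed DNS and MS-SQL entries, then the corrected web ACEs.
SAMPLE_ACL = [
    "access-list dmz-entry permit udp 192.168.140.0 255.255.255.0 any eq 53",
    "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 1433",
    "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80",
    "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443",
]
# The deny message quoted in the first post.
SAMPLE_LOG = ('Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 '
              'by access-group "dmz-entry" [0x0, 0x0]')

if __name__ == "__main__":
    print(mask_pairs("192.168.140.251", "255.255.255.0"))  # False: the error seen above
    print(replay_deny_log(SAMPLE_ACL, SAMPLE_LOG))         # still denied: dst port 25261
```

Replaying the logged flow even against the corrected ACL still returns the implicit deny, because the connection in that message was to destination port 25261, not 80 or 443; that is why port 25261 drew a question earlier in the thread, and why matching the log line against the ACL is the quickest way to tell a missing ACE from a flow the ACL was never meant to permit.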
02-15-2009 03:59 PM
That did the trick. Thank you.
I had also forgotten the:
access-group dmz_entry in interface dmz command.
Problem solved...
02-20-2009 09:57 AM
Now that I have that working, I have lost internet from the inside network.
Any idea?
02-20-2009 11:04 AM
I just looked again at the config you posted and I don't see an ACL applied to the inside interface.
02-20-2009 11:48 AM
access-group inside_access_in in interface inside
When I give the command:
access-list inside_access_in permit tcp 192.168.110.0 255.255.255.0 any eq 80
What I really need to do is be able to FTP files from a host on the dmz to a host on the inside network.
The command succeeds but nothing changes.
02-20-2009 12:19 PM
Did you apply the ACL to your inside interface?
access-group inside_access_in in interface inside
For the FTP connection, you need to add an entry to your DMZ ACL.