DMZ not Allowing Port80 or Port21

Nov 24th, 2009

I set up a DMZ on an ASA 5505 and left the security level at 50. When I tried to test connectivity to the Internet, it wouldn't allow traffic to the Internet. Can someone please tell me how to fix this issue? Does security level 50 disable port 80?

Thanks in advance,


grant.maynard Tue, 11/24/2009 - 09:46

The only significance of the security level is whether it is higher, lower or the same as other interfaces it wishes to talk to. For a DMZ, 50 is fine.

You should look at:

NAT - "show run nat", "show run global" - assuming it's a private IP range on the DMZ.

Access-lists - "show run access-group", "show run access-list"

and default route out the outside interface - "show route".

JORGE RODRIGUEZ Tue, 11/24/2009 - 13:49

SK, in addition to the previous poster: specifically, you need to allow outbound traffic for the DMZ. Also ensure the DMZ hosts have proper DNS.


access-list dmz_access_in extended permit ip any any
access-group dmz_access_in in interface dmz

Or, if just port 80 and FTP only, then:

access-list dmz_access_in permit tcp any any eq 80
access-list dmz_access_in permit tcp any any eq 21

Check NAT for the DMZ network via the outbound outside global interface:

global (outside) 1 interface

nat (dmz ) 1   
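
The three checks suggested in the replies (a nat/global pair for the DMZ, the access-list bound to the DMZ interface, and a default route out the outside interface) can be run against a saved running-config. This is an added example, not part of the original thread; the sample config, its addresses and NAT ID, and the function name audit_dmz_outbound are assumptions, and it expects the pre-8.3 ASA syntax used above.

```python
import re

# Constructed sample in pre-8.3 ASA syntax (the syntax used in this thread).
# Interface names, addresses and the NAT ID are assumptions for illustration.
SAMPLE_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 192.168.50.0 255.255.255.0
access-list dmz_access_in extended permit tcp any any eq 80
access-list dmz_access_in extended permit tcp any any eq 21
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

def audit_dmz_outbound(config, dmz="dmz", outside="outside"):
    """Return a list of findings; an empty list means all three checks pass."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. NAT: a nat (dmz) ID needs a global (outside) with the same ID.
    #    ID 0 is NAT exemption/identity and needs no global, so it is skipped.
    nat_ids = {m.group(1) for ln in lines
               if (m := re.match(rf"nat \({dmz}\) (\d+) ", ln)) and m.group(1) != "0"}
    global_ids = {m.group(1) for ln in lines
                  if (m := re.match(rf"global \({outside}\) (\d+) ", ln))}
    if not nat_ids:
        findings.append(f"no dynamic nat ({dmz}) statement")
    elif not nat_ids & global_ids:
        findings.append(f"nat ({dmz}) id {sorted(nat_ids)} has no matching global ({outside})")

    # 2. ACL: an access-group bound inbound on the DMZ replaces the default
    #    security-level behaviour, so it must contain permit entries.
    bound = [m.group(1) for ln in lines
             if (m := re.match(rf"access-group (\S+) in interface {dmz}$", ln))]
    for acl in bound:
        aces = [ln for ln in lines if ln.startswith(f"access-list {acl} ")]
        if not any(" permit " in a for a in aces):
            findings.append(f"access-list {acl} has no permit entries")
        # Flag the broad rule: it is not limited to Internet-bound traffic.
        if any(re.search(r" permit ip any any$", a) for a in aces):
            findings.append(f"access-list {acl} permits all IP from {dmz} to any destination")

    # 3. Route: the default route must point out the outside interface.
    if not any(re.match(rf"route {outside} 0\.0\.0\.0 0\.0\.0\.0 \S+", ln) for ln in lines):
        findings.append(f"no default route via {outside}")
    return findings

print(audit_dmz_outbound(SAMPLE_CONFIG))
```

The broad-rule finding is informational: "permit ip any any" on the DMZ interface is not restricted to outbound Internet traffic, so the port-specific entries are the tighter choice when only web and FTP are needed.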


