I think that I am on the last part of my Firewall config, and that is allowing traffic out of the DMZ to the Internet. In theory I have it working where Internet traffic coming in is allowed, but I haven't been able to test that yet.
Here is the config for the DMZ:
description TWTelecom Internet
ip address 126.96.36.199 255.255.255.252
description DMZ Interface
ip address 10.2.2.254 255.255.0.0
object-group service WebPorts tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
port-object eq pop3
access-list DMZACL remark Allow all ICMP traffic
access-list DMZACL extended permit icmp any any
access-list DMZACL remark Allow SQL traffic from websites to SQL servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSQL eq 1433
access-list DMZACL remark Allow SMTP traffic from websites to Exchange servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSMTP eq smtp
access-list DMZACL remark Deny all DMZ traffic to Internal Network
access-list DMZACL extended deny ip any host 10.1.0.0
access-list DMZACL remark Allow DMZ access to the Internet
access-list DMZACL extended permit tcp 10.2.0.0 255.255.0.0 any object-group WebPorts
access-list DMZACL remark Deny EVERYTHING
access-list DMZACL extended deny ip any any
global (ExtNet) 1 188.8.131.52 netmask 255.255.255.255
global (ExtNet) 2 184.108.40.206 netmask 255.255.255.255
nat (IntNet) 0 access-list nonat
nat (IntNet) 1 10.1.0.0 255.255.0.0
nat (DMZNet) 2 10.2.0.0 255.255.0.0
static (IntNet,DMZNet) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
access-group IntACL in interface IntNet
access-group ExtACL in interface ExtNet
access-group DMZACL in interface DMZNet
route ExtNet 0.0.0.0 0.0.0.0 220.127.116.11 1
But so far I am unable to ping anything on the Internet, nor am I able to connect to anything using HTTP.
I don't think that the traffic is being blocked as I am able to use
packet-tracer input DMZNet tcp 10.2.1.100 80 18.104.22.168 80 detail
without any errors.
I have also checked the logs and it shows that it is trying to do the connection, but it doesn't appear like the connection ever finishes.
I think that it might be a routing issue. But I am not sure.
Can someone help to shed some light on this issue? I am pretty sure the ACL's are good, but I am still a bit skeptical of the NAT or possibly the routing.