Cannot access outside from dmz, ASA 5505.

Answered Question
May 19th, 2010

Hi guys,


I have looked over my config and gone through several Cisco help sheets, I still cannot access the outside from "inside" the dmz. Here is an overview of what I can and cannot do.


OUTSIDE >>> DMZ = OK

INSIDE >>>>> DMZ = OK

DMZ >>>>>>> INSIDE = OK

DMZ >>>>>>> OUTSIDE = FAIL.


What I need to do is to be able to access an external SMTP server from the DMZ. If I telnet to port 25 on an "OUTSIDE" server it fails. If I do it to my "INSIDE" server it works.

Here are the relevant sections of the config. I assume I have missed something stupid and have looked over it too many times and need some fresh eyes.

Many thanks for your help.

Dan.


interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.20 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 99.99.99.99 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.30.30.1 255.255.255.0
!

ftp mode passive
dns server-group DefaultDNS
domain-name cheese
access-list services extended permit tcp any host 99.99.99.98 eq www
access-list inside extended permit tcp host 10.30.30.30 any eq smtp
access-list inside extended permit ip any any
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq domain
access-list dmz-in extended permit tcp host 10.30.30.30 host 192.168.0.10 eq 88
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq 389
access-list dmz-in extended permit ip any any
access-list dmz-in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 99.99.99.98 www 10.30.30.30 www netmask 255.255.255.255
static (inside,dmz) 10.30.30.30 192.168.0.111 netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group inside in interface inside
access-group services in interface outside
access-group dmz-in in interface dmz
route inside 10.1.0.0 255.255.0.0 192.168.0.250 1
route outside 0.0.0.0 0.0.0.0 99.99.99.99 1

Correct Answer
Jennifer Halim Wed, 05/19/2010 - 02:24
User Badges: Cisco Employee

Add the following statement and you should have access to the outside from dmz:


no nat (inside) 1 10.30.30.0 255.255.255.0

nat (dmz) 1 10.30.30.0 255.255.255.0


"clear xlate" after the above changes, and dmz should have access to the internet.


Hope that helps.
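A small config check for the mistake the answer points out, added here as an example and not part of the original thread: it parses pre-8.3 `nat (ifname) id subnet mask` lines and flags any whose subnet is actually directly connected to a different interface. The config excerpt is constructed from the question's posted config; the regexes and function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the question's config (pre-8.3 NAT syntax).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.20 255.255.255.0
!
interface Vlan3
 nameif dmz
 ip address 10.30.30.1 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s*ip address\s+" + IP + r"\s+" + IP)
NAT_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+\d+\s+" + IP + r"\s+" + IP)  # policy NAT lines don't match

def parse_interfaces(config):
    """Map each nameif to the network directly connected to that interface."""
    nets, current = {}, None
    for line in config.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
        m = IPADDR_RE.match(line)
        if m and current:
            nets[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets

def find_misplaced_nat(config):
    """Return (nat line, interface it is on, interface owning the subnet) for every
    nat statement whose subnet sits behind another interface; 0.0.0.0/0 is never reported."""
    nets, findings = parse_interfaces(config), []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        ifname = m.group(1)
        subnet = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        owner = next((n for n, net in nets.items() if subnet.subnet_of(net)), None)
        if owner is not None and owner != ifname:
            findings.append((line.strip(), ifname, owner))
    return findings
```

Run against the real configuration, the single finding is the `nat (inside) 1 10.30.30.0 255.255.255.0` line, which the answer replaces with `nat (dmz)`.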

danparsons Wed, 05/19/2010 - 02:28

You are awesome.

Thanks very much, works great. Think I need to brush up on DMZ setups.
