Cannot access outside from dmz, ASA 5505.

danparsons
Level 1

Hi guys,

I have looked over my config and gone through several Cisco helpsheets, but I still cannot access the outside from "inside" the DMZ. Here is an overview of what I can and cannot do.

OUTSIDE >>> DMZ = OK

INSIDE >>>>> DMZ = OK

DMZ >>>>>>> INSIDE = OK

DMZ >>>>>>> OUTSIDE = FAIL.

What I need to do is to be able to access an external SMTP server from the DMZ. If I telnet to port 25 on an "OUTSIDE" server it fails. If I do it to my "INSIDE" server it works.

Here are the relevant sections of the config. I assume I have missed something stupid and have looked over it too many times and need some fresh eyes.

Many thanks for your help.

Dan.

interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.20 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 99.99.99.99 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.30.30.1 255.255.255.0
!

ftp mode passive
dns server-group DefaultDNS
domain-name cheese
access-list services extended permit tcp any host 99.99.99.98 eq www
access-list inside extended permit tcp host 10.30.30.30 any eq smtp
access-list inside extended permit ip any any
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq domain
access-list dmz-in extended permit tcp host 10.30.30.30 host 192.168.0.10 eq 88
access-list dmz-in extended permit udp host 10.30.30.30 host 192.168.0.10 eq 389
access-list dmz-in extended permit ip any any
access-list dmz-in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 99.99.99.98 www 10.30.30.30 www netmask 255.255.255.255
static (inside,dmz) 10.30.30.30 192.168.0.111 netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group inside in interface inside
access-group services in interface outside
access-group dmz-in in interface dmz
route inside 10.1.0.0 255.255.0.0 192.168.0.250 1
route outside 0.0.0.0 0.0.0.0 99.99.99.99 1

Accepted Solution

Jennifer Halim
Cisco Employee

Add the following statements and you should have access to the outside from dmz:

no nat (inside) 1 10.30.30.0 255.255.255.0

nat (dmz) 1 10.30.30.0 255.255.255.0

"clear xlate" after the above changes, and dmz should have access to the internet.

Hope that helps.
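The cause behind this fix: in pre-8.3 ASA NAT syntax, "nat (nameif) id network mask" only applies to traffic entering the named interface, so binding the 10.30.30.0/24 rule to inside leaves DMZ-sourced traffic with no dynamic translation to the outside global pool. The following added audit script (not from the thread or from Cisco) parses the interface and nat lines from the posted config, constructed here as a sample, and flags any nat statement bound to an interface that does not own its source subnet, printing the same "no nat ... / nat (dmz) ..." correction given above.

```python
import ipaddress
import re

# Constructed sample: interface and NAT lines from the post's ASA 5505 config (misplaced nat rule included).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.20 255.255.255.0
interface Vlan2
 nameif outside
 ip address 99.99.99.99 255.255.255.248
interface Vlan3
 nameif dmz
 ip address 10.30.30.1 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Pre-8.3 dynamic NAT syntax: nat (<nameif>) <id> <network> <mask>; access-list forms are ignored
NAT_RE = re.compile(r"^nat \((\S+)\) \d+ (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$")

def parse_interfaces(config):
    """Map each nameif to the IPv4 network directly connected to that interface."""
    nets, nameif = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addr, mask = line.split()[2:4]
            nets[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets

def misplaced_nat(config):
    """Return (offending nat line, corrected line) for each nat rule bound to the wrong interface; 0.0.0.0/0 is skipped."""
    nets, findings = parse_interfaces(config), []
    for line in (l.strip() for l in config.splitlines()):
        m = NAT_RE.match(line)
        if not m:
            continue
        iface, addr, mask = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if net.prefixlen == 0:
            continue
        # Interfaces whose directly connected subnet contains (or equals) the NAT source network
        owners = [name for name, inet in nets.items() if net.subnet_of(inet)]
        if owners and iface not in owners:
            findings.append((line, line.replace(f"({iface})", f"({owners[0]})", 1)))
    return findings
```

Each finding pairs the line to remove with "no " in front and the corrected statement to add, followed by a "clear xlate" as the answer notes.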


2 Replies


You are awesome,

Thanks very much, works great. Think I need to brush up on DMZ setups.
