ASA 5520 DMZ Internet Access

jwebber
Level 1

I have a DMZ named DMZ4. The address range is 192.168.31.0/24. The gateway address is 192.168.31.1. I have a host with an IP of 192.168.31.5 that needs access to the internet. I have created a static translation, static (dmz4,outside) xx.xx.xx.136 192.168.31.5 netmask 255.255.255.255, where xx.xx.xx.136 is a public IP.

I have created the following ACL, access-list dmz4-out extended permit ip host 192.168.31.5 any

I have attached a diagram to show what I am trying to do.

However, this host cannot reach the internet.  I know I am missing something simple but cannot figure out what it may be.  Any help would be appreciated.  Thanks.


5 Replies

Jennifer Halim
Cisco Employee

1) Please check if there is any hitcount on ACL dmz4-out: "show access-list dmz4-out"

This is to make sure that traffic is in fact arriving on the ASA.

2) "clear xlate" if you have created the new static translation statement.

3) Check if "no sysopt noproxyarp outside" is configured; if not, please configure it.

4) Lastly, if all the above have been checked and it's still not working, "clear arp" on the internet router (or reload the internet router), because sometimes the public IP address xx.xx.xx.136 might have a different ARP entry from before it was assigned in the ASA static statement.

Hope that helps.

Thank you for  the reply.  Still not working.

1)  No hits on the ACL.

2)  I had already issued "clear xlate" after creating the new static translation.

3)  Configured no sysopt noproxyarp outside.

4)  Cleared ARP on the internet router.

I have attached a sanitized version of my config.

Thanks for your assistance.

Well, if there is no hitcount on the ACL, then the traffic is not even coming into the ASA dmz4 interface.

Please check if your server default gateway is 192.168.31.1, then add "icmp permit any dmz4" on the ASA and see if you can ping 192.168.31.1 from the server. The switch port that is connected to the server should also be in VLAN 31.

If you are trying to ping the internet, then you should also add "inspect icmp" as follows:

policy-map global_policy
 class inspection_default
  inspect icmp

Are you supposed to be natting the DMZ4 traffic out? I'm assuming so, but you don't have a nat translation for your dmz interface.

Try:

       nat (dmz4) 1 0 0

Although, I don't see natting for any of your dmz interfaces, so I'm not sure if you want to.

HTH,

John

HTH, John *** Please rate all useful posts ***

Thanks again for your reply.  This issue is resolved.  The port I was using for 192.168.31.5 in my DMZ switch was configured for VLAN 30 and not VLAN 31.
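Pulling the thread's pieces together, here is an added example (not posted by anyone in this thread) of the pre-8.3 ASA configuration for the DMZ4 host and the checks in the order the replies suggest. The interface names, security level, the IOS switch port name and the 8.8.8.8 trace destination are assumptions; xx.xx.xx.136 stays the thread's placeholder.

```text
! Assumed: GigabitEthernet0/2 is dmz4 with security-level 50.
interface GigabitEthernet0/2
 nameif dmz4
 security-level 50
 ip address 192.168.31.1 255.255.255.0
!
! Inbound ACL on dmz4 as in the thread, bound to the interface.
! Narrowing "any" to the ports the host really needs is the safer long-term shape.
access-list dmz4-out extended permit ip host 192.168.31.5 any
access-group dmz4-out in interface dmz4
!
! One-to-one static translation from the thread; proxy ARP on outside lets the
! internet router resolve xx.xx.xx.136 to the ASA.
static (dmz4,outside) xx.xx.xx.136 192.168.31.5 netmask 255.255.255.255
no sysopt noproxyarp outside
!
! Allow the host to ping the ASA's own dmz4 address while testing, and let
! echo replies from the internet return through the stateful ICMP inspection.
icmp permit any dmz4
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification (exec mode), in the order the thread checks it:
! 1. Any hits on the ACL? Zero hits means frames never reach dmz4 at all.
show access-list dmz4-out
! 2. Does the ASA even see the host on the segment?
show arp | include 192.168.31.5
! 3. Simulate the flow through ACL, NAT and inspection without real traffic
!    (8.8.8.8 is only a constructed destination for the trace).
packet-tracer input dmz4 icmp 192.168.31.5 8 0 8.8.8.8
! 4. After a real attempt the translation and connection should be present.
show xlate | include 192.168.31.5
show conn | include 192.168.31.5
!
! The root cause in this thread was on the DMZ switch, not the ASA (IOS, port assumed):
!   show interfaces FastEthernet0/5 switchport   -> showed "Access Mode VLAN: 30"
!   interface FastEthernet0/5
!    switchport access vlan 31
```

If step 1 shows no hits and step 2 shows no ARP entry, look at the switch side first; steps 3 and 4 only become meaningful once frames are actually arriving on dmz4.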
