Cisco Support Community
Community Member

ASA 5505 DMZ clients can't connect to the Internet

I have been wracking my brain for hours with this. I have tried allowing all ip from this interface but nothing seems to work. Can someone please review the below config and give me an idea of what I could be doing wrong?

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

hostname TT-ASA
domain-name TT.local
enable password 5/kJOuby0Z8 encrypted
passwd 2KFQnb2KYOU encrypted
name TT01 description Old Server
name TT02 description New Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
!
interface Vlan10
 nameif DMZ
 security-level 50
 ip address
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 description Trunk port for Cisco AP
 switchport trunk allowed vlan 1,10
 switchport trunk native vlan 1
 switchport mode trunk
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server TT02
 domain-name TT.local
object-group service RDP tcp-udp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service NATRDP
 service-object tcp range 9998 9999
object-group service DM_INLINE_SERVICE_1
 group-object NATRDP
 service-object tcp eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN_Pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp 9999 TT01 3389 netmask
static (inside,outside) tcp 9998 TT02 3389 netmask
static (inside,outside) tcp www TT02 www netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet outside
telnet timeout 5
ssh inside
ssh outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address inside
dhcpd dns TT02 interface inside
dhcpd lease 604800 interface inside
dhcpd domain TT.local interface inside
dhcpd enable inside
!
dhcpd address DMZ
dhcpd dns interface DMZ
dhcpd enable DMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
svc enable
group-policy VPNClient internal
group-policy VPNClient attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value TT.local
username paul password AgrY5ikDDfOSoxwU encrypted
username paul attributes
 service-type remote-access
username eric password ll/uQBVFb1IqG encrypted
username tommy password U/UxECHbpl0w5Q encrypted privilege 15
username greg password ywuYXikTXKpMM encrypted
username greg attributes
 service-type remote-access
tunnel-group VPNClient type remote-access
tunnel-group VPNClient general-attributes
 address-pool VPN_Pool
 default-group-policy VPNClient
tunnel-group VPNClient ipsec-attributes
 pre-shared-key *





You're missing NAT from the DMZ to the outside. Try adding

nat (dmz) 1
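As an added example (not from the original post or the answer), the complete ASA 8.2 dynamic PAT set the answer points to, written out in the full `nat <ifc> <id> <addr> <mask>` form, followed by the CLI checks used to confirm the fix. The DMZ host 192.168.10.10 and the outside test address 198.51.100.10 are constructed placeholders, since the poster's addresses were stripped from the post.

```cisco
! Added example, not the poster's configuration. Addresses are constructed placeholders.
! In ASA 8.2, every interface whose hosts need Internet access needs a nat statement
! whose id matches the global on the egress interface. The poster has the inside one
! but not the DMZ one; "0.0.0.0 0.0.0.0" means all hosts behind that interface.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
!
! Why "permit ip any any" on the inside ACL changed nothing: it is applied to the
! inside interface, not to DMZ, and DMZ (security-level 50) to outside (0) is already
! permitted by the security-level rules without any ACL. nat-control is off by
! default in 8.2, so a DMZ host with no matching nat/static is forwarded untranslated:
! the packet leaves with its private source address and the reply never comes back.
! DMZ to inside (50 -> 100) stays denied by default; the NAT fix does not change that.
!
! Verify from the CLI. Simulate a DMZ host opening HTTP to an outside address and
! check that the NAT phase references the DMZ rule and the final action is allow:
packet-tracer input DMZ tcp 192.168.10.10 1025 198.51.100.10 80
!
! Once real traffic flows, confirm a translation is built for the DMZ host and that the
! DMZ nat statement is accumulating hits:
show xlate | include 192.168.10.10
show nat
```

Run packet-tracer before and after adding the DMZ nat line; the difference in the NAT phase is the whole diagnosis.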
