Community Member

ASA 5520 DMZ Internet Access

I have a DMZ named DMZ4.  The address range is 192.168.31.0/24.  The gateway address is 192.168.31.1  I have a host with an IP of 192.168.31.5 that needs access to the internet.  I have created a static translation, static (dmz4,outside) xx.xx.xx.136 192.168.31.5 netmask 255.255.255.255, where xx.xx.xx.136 is a public IP.

I have created the following ACL, access-list dmz4-out extended permit ip host 192.168.31.5 any

I have attached a diagram to show what I am trying to do.

However, this host cannot reach the internet.  I know I am missing something simple but cannot figure out what it may be.  Any help would be appreciated.  Thanks.

2 ACCEPTED SOLUTIONS
Cisco Employee

Re: ASA 5520 DMZ Internet Access

Well, if there is no hitcount on the ACL, then the traffic is not even coming in to the ASA dmz4 interface.

Please check if your server default gateway is 192.168.31.1, then add "icmp permit any dmz4" on the ASA and see if you can ping 192.168.31.1 from the server. The switch port that is connected to the server should also be in vlan 31.

If you are trying to ping the internet, then you should also add "inspect icmp" as follows:

policy-map global_policy
 class inspection_default
  inspect icmp

Re: ASA 5520 DMZ Internet Access

Are you supposed to be natting the DMZ4 traffic out? I'm assuming so, but you don't have a nat translation for your dmz interface.

Try:

       nat (dmz4) 1 0 0

Although, I don't see natting for any of your dmz interfaces, so I'm not sure if you want to.

HTH,

John

HTH, John *** Please rate all useful posts ***
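The two accepted answers together describe the complete path a dmz4 host needs on a pre-8.3 ASA: the static (or a dynamic nat/global pair), an outbound ACL actually bound to the interface, ICMP handling for testing, proxy ARP left on for the outside interface, and, as the thread's resolution shows, the switch port in the right VLAN. The following is an added worked configuration, not the poster's own config or anything from Cisco; it assumes dmz4 is GigabitEthernet0/2 at security-level 50, the ISP-facing interface is named outside, the inside network is 10.0.0.0/8, the server's switch port is FastEthernet0/5, and it keeps xx.xx.xx.136 exactly as written in the post. The two deny lines in the ACL are an added hardening step, not something the thread asked for.

```cisco
! Added example (not from the thread). Assumed: dmz4 is GigabitEthernet0/2,
! the ISP-facing interface is named outside, the inside network is 10.0.0.0/8;
! xx.xx.xx.136 is the public IP exactly as given in the original post.
interface GigabitEthernet0/2
 nameif dmz4
 security-level 50
 ip address 192.168.31.1 255.255.255.0
!
! One-to-one static so 192.168.31.5 always leaves as xx.xx.xx.136
static (dmz4,outside) xx.xx.xx.136 192.168.31.5 netmask 255.255.255.255
!
! Dynamic PAT for every other dmz4 host. With nat-control enabled, a host
! without a static or a matching nat/global pair is dropped silently.
nat (dmz4) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Outbound policy for dmz4, bound to the interface with access-group.
! "permit ip host ... any" on its own also reaches the higher-security
! inside network, so the deny line (assumed inside range) goes first.
access-list dmz4-out extended deny ip host 192.168.31.5 10.0.0.0 255.0.0.0
access-list dmz4-out extended permit ip host 192.168.31.5 any
access-group dmz4-out in interface dmz4
!
! Let the server ping its gateway while testing, and track ICMP through NAT
icmp permit any dmz4
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Proxy ARP must stay on for outside, or the upstream router never learns
! that xx.xx.xx.136 answers at the ASA (this is the default setting)
no sysopt noproxyarp outside
!
! --- On the DMZ switch (IOS). Assumed port FastEthernet0/5; the thread's
! actual fault was this port sitting in VLAN 30 instead of VLAN 31.
interface FastEthernet0/5
 description DMZ4 host 192.168.31.5
 switchport mode access
 switchport access vlan 31
 spanning-tree portfast
```

Only the static, the ACL and the access-group are strictly required for 192.168.31.5; the nat/global pair covers any further dmz4 hosts, and the icmp permit and inspect icmp lines exist so that ping is a usable test rather than a false negative.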
5 REPLIES
Cisco Employee

Re: ASA 5520 DMZ Internet Access

1) Pls check if there is any hitcount on ACL dmz4-out: "show access-list dmz4-out"

This is to make sure that traffic is in fact arriving on the ASA.

2) "clear xlate" if you have created the new static translation statement.

3) Check if "no sysopt noproxyarp outside" is configured; if not, please configure it.

4) Lastly, if all the above have been checked, and it's still not working, "clear arp" on the internet router (OR/ reload the internet router) because sometimes the public ip address of xx.xx.xx.136 might have a different arp entry prior to  being assigned on the ASA static statement.

Hope that helps.
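The four checks above map onto a small set of show and clear commands. The block below is an added example of that verification sequence, not part of the original reply; it assumes the server's MAC address is 0011.2233.4455 and that the upstream Internet router and the DMZ switch run IOS, and it uses the interface, ACL and host names from the post (xx.xx.xx.136 left as written).

```cisco
! Added example, not from the thread. Assumed: server MAC 0011.2233.4455,
! upstream router and DMZ switch run IOS; other names as in the post.
!
! 1) Is the traffic reaching dmz4 at all? hitcnt=0 on the permit line means
!    the problem is the server gateway or the switch VLAN, not NAT.
show access-list dmz4-out
show access-group
!
! 2) Translation state: the static should be listed; stale entries from an
!    older translation are removed for this host only
show xlate | include 192.168.31.5
clear xlate local 192.168.31.5
!
! 3) Proxy ARP on outside: this should print nothing (the default is on)
show running-config sysopt | include noproxyarp
!
! Walk the flow through the ASA (ASA 7.2 and later); the output names the
! phase (ACL, NAT, route) that drops the packet, if any
packet-tracer input dmz4 tcp 192.168.31.5 40000 8.8.8.8 80
!
! 4) On the upstream IOS router: the public IP must resolve to the ASA
!    outside MAC; flush a stale entry if it does not
show ip arp xx.xx.xx.136
clear arp-cache
!
! Layer 2 on the DMZ switch: the server port must be in VLAN 31 and the
! server MAC must be learned on it
show interfaces status
show vlan id 31
show mac address-table address 0011.2233.4455
```

Run the ASA commands first; a zero hit count on the ACL rules out everything from the static onward and sends you to the switch checks at the end.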

Community Member

Re: ASA 5520 DMZ Internet Access

Thank you for the reply.  Still not working.

1)  No hits on the ACL.

2)  I had already issued "clear xlate" after creating the new static translation.

3)  Configured no sysopt noproxyarp outside.

4)  Clear ARP on internet router.

I have attached a sanitized version of my config.

Thanks for your assistance.

Community Member

Re: ASA 5520 DMZ Internet Access

Thanks again for your reply.  This issue is resolved.  The port I was using for 192.168.31.5 in my DMZ switch was configured for VLAN 30 and not VLAN 31.
