Community Member

ASA5510 8.2 Cannot access internet from DMZ

Dear Friends, I am implementing a new infrastructure at my customer's company, but I've realized I have no access to the internet from the DMZ. Here's my config. Can someone help, please?


ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name farmaciachavez.com.bo
enable password 6Jfo5anznhoG00fM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xxx.yyy.zzz.122 255.255.255.248
!
interface Ethernet0/1
 nameif Branch_Office
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name farmaciachavez.com.bo
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
access-list Inside extended permit ip any any
access-list Inside extended permit icmp any any
access-list 100 extended permit tcp any host xxx.yyy.zzz.123 eq smtp
access-list 100 extended permit udp any host xxx.yyy.zzz.123 eq domain
access-list 100 extended permit tcp any host xxx.yyy.zzz.123 eq https
access-list 100 extended permit tcp any host xxx.yyy.zzz.123 eq 3000
access-list 100 extended permit tcp any host xxx.yyy.zzz.123 eq 1000
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Branch_Office 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.168.0.43 Outside
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (DMZ) 101 interface
nat (Branch_Office) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (Inside,Branch_Office) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,Branch_Office) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (Branch_Office,Inside) 172.16.3.0 172.16.3.0 netmask 255.255.255.0
static (Branch_Office,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.44.0 192.168.44.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.43.0 192.168.43.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.28.0 192.168.28.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.33.0 192.168.33.0 netmask 255.255.255.0
static (Branch_Office,Inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Branch_Office,Inside) 193.168.1.0 193.168.1.0 netmask 255.255.255.0
static (DMZ,Outside) xxx.yyy.zzz.123 172.16.31.0 netmask 255.255.255.255
access-group dmz_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.121 20
route Branch_Office 172.16.1.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.2.0 255.255.255.0 192.168.2.2 1
route Branch_Office 172.16.3.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.1.0.0 255.255.192.0 192.168.2.2 1
route Branch_Office 192.168.20.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.21.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.28.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.30.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.33.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.35.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.37.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.43.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.44.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.45.0 255.255.255.0 192.168.2.2 1
route Branch_Office 192.168.100.0 255.255.255.0 192.168.2.2 1
route Inside 193.168.1.0 255.255.255.0 192.168.0.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Branch_Office
telnet 172.16.31.0 255.255.255.0 DMZ
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username eguerra password dr6zkC4iOPQHLH5f encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:084e09cf27338f97578b7f9bea920c29
: end
ASAFCHFW#

5 REPLIES
Hall of Fame Super Silver

Your NAT for the DMZ is to the outside interface, so that's fine. However, since your access-list "dmz_in" is applied on the DMZ interface, your Internet connectivity will be limited to the single host and protocols specified there:

access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000

Community Member

Marvin, I tried to use IExplorer on a computer within the DMZ but cannot explore anything. The computer's IP is 31.2, but it cannot do anything.

Any suggestion?

Hall of Fame Super Silver

Please provide output (on ASA) of the following command:

packet-tracer input DMZ tcp 172.16.31.2 1025 8.8.8.8 80 detailed

Is there a reason you have a global nat config for the DMZ interface?

global (DMZ) 101 interface

If there is no real reason that you need it there, then I suggest removing it.

Also please remove the following NAT command as I think this is the reason you are unable to NAT to the outside.

static (DMZ,Outside) xxx.yyy.zzz.123 172.16.31.0 netmask 255.255.255.255

--

Please remember to select a correct answer and rate helpful posts


Hi Edu,

Please correct your ACL line for DMZ DNS.

access-list dmz_in extended permit udp host 172.16.31.2 any eq domain (you have configured it with TCP), since UDP is the preferred protocol for DNS. Also, have you checked whether you have configured the DNS settings on your server (DMZ)?

Regards

Karthik
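The three findings raised in the replies above (the dmz_in ACL bound inbound on DMZ limiting outbound traffic to one host, the DNS rule written for TCP only, and the /32 static whose real address is the DMZ network address rather than a host) can be checked mechanically before touching the box. This is an added example, not code from the thread or from Cisco; it runs over a constructed excerpt of the posted config, assumes ASA 8.2 `static (real_ifc,mapped_ifc) mapped real` ordering, and keeps the public octets masked as in the original.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the config posted in this thread; public octets stay masked as "xxx.yyy.zzz".
CONFIG = """\
interface Ethernet0/2
 nameif DMZ
 ip address 172.16.31.1 255.255.255.0
access-list dmz_in extended permit tcp host 172.16.31.2 any eq domain
access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
access-group dmz_in in interface DMZ
static (DMZ,Inside) 172.16.31.0 172.16.31.0 netmask 255.255.255.0
static (DMZ,Outside) xxx.yyy.zzz.123 172.16.31.0 netmask 255.255.255.255
"""
ACE = re.compile(r"access-list (\S+) extended permit (tcp|udp) host (\S+) any eq (\S+)")
STATIC = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")  # (real_ifc,mapped_ifc) mapped real

def interface_subnet(config, nameif):
    """Subnet of the interface named `nameif`, taken from its 'ip address' line (None if absent)."""
    current = None
    for line in config.splitlines():
        if line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" ip address ") and current == nameif:
            _, _, addr, mask = line.split()
            return ip_network(f"{addr}/{mask}", strict=False)

def inbound_permits(config, nameif):
    """Source host -> {(proto, port)} permitted by the ACL bound inbound on `nameif`."""
    bound = re.search(rf"access-group (\S+) in interface {nameif}\b", config)
    permits = {}
    for acl, proto, host, port in ACE.findall(config):
        if bound and acl == bound.group(1):
            permits.setdefault(host, set()).add((proto, port))
    return permits

def dns_tcp_only(permits):
    """Hosts allowed DNS over TCP but not UDP: ordinary UDP resolver queries are dropped."""
    return sorted(h for h, p in permits.items()
                  if ("tcp", "domain") in p and ("udp", "domain") not in p)

def bad_host_statics(config):
    """Real addresses of /32 statics that are not a usable host on the real interface's subnet."""
    bad = []
    for real_if, _, _, real, mask in STATIC.findall(config):
        subnet = interface_subnet(config, real_if)
        if mask == "255.255.255.255" and subnet and ip_address(real) not in subnet.hosts():
            bad.append(real)  # e.g. 172.16.31.0 is the DMZ network address, not a host
    return bad
```

Run against the full config, `inbound_permits(CONFIG, "DMZ")` shows only 172.16.31.2 can leave the DMZ at all, which is why a browser on any other DMZ host sees nothing.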
