New Member

Cannot access internet from DMZ

ASA 5520 8.0(5)

I want guest AP users in the DMZ to browse through the DMZ controller. The user is receiving an IP address (172.17.0.1) from the WLAN controller and can ping 172.17.1.254 & 192.168.1.225, but cannot ping 4.2.2.1. Even the controller (192.168.1.225) cannot ping 4.2.2.1. Following is the config:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 description DMZ Physical Interface
 nameif dmz
 security-level 10
 ip address 192.168.1.1 255.255.255.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 172.17.0.0 255.255.254.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list outside_acl extended permit ip any host 1.1.1.225
static (dmz,outside) 1.1.1.225 192.168.1.225 netmask 255.255.255.255
access-list outside_acl extended permit ip any 172.17.0.0 255.255.254.0
access-list dmz_in extended permit ip host 192.168.1.225 172.17.0.0 255.255.254.0
policy-map global_policy
 class inspection_default
  inspect icmp

INET-FW(config)# packet-tracer input dmz icmp 172.17.0.255 8 0 4.2.2.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


4 REPLIES
Super Bronze

Re: Cannot access internet from DMZ

Hi,

The configurations you have posted above don't include any route for the network 172.17.0.0/23.

Also, the ACL for the DMZ doesn't allow the traffic from this network or the directly connected network.

- Jouni

New Member

Cannot access internet from DMZ

I added the following & it is not working:

route dmz 172.17.0.0 255.255.254.0 192.168.1.1 1
access-list outside_acl extended permit ip any 172.17.0.0 255.255.254.0
access-list outside_acl extended permit ip 172.17.0.0 255.255.254.0 any
access-list dmz_in extended permit ip host 192.168.1.225 172.17.0.0 255.255.254.0
access-list dmz_in extended permit ip 172.17.0.0 255.255.254.0 any

Super Bronze (Accepted Solution)

Cannot access internet from DMZ

Hi,

Why is the network routed towards the ASA's interface IP address?

Can you provide a "packet-tracer" for a source address in the network 172.17.0.0/23 towards some external IP.

- Jouni

New Member

Cannot access internet from DMZ

It is working after adding route dmz 172.17.0.0 & removing nat (dmz) 2 172.17.0.0

Thanks
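As an added example that is not part of the thread or of any Cisco tooling, the following Python script audits a pre-8.3 (nat/global style) ASA configuration for the four points the replies above turn on: a nat statement whose id has no matching global on another interface, a NAT'd subnet that no route or connected interface covers, an inbound ACL that never permits that subnet as a source, and a static route whose next hop is the ASA's own interface address (the point Jouni questions). The parser handles only the statement forms that appear in this thread; THREAD_CONFIG is a trimmed subset of the posted configuration and FIXED_CONFIG applies the changes the original poster reported. The function names and the wording of the findings are my own.

```python
"""Added example: audit a pre-8.3 (nat/global) ASA config for the issues the thread turns on."""
import ipaddress
import re

# Only the statement forms that appear in the thread are recognised.
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
IFACE_IP_RE = re.compile(r"^ip address (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config_text):
    """Collect only the statements the audit needs; everything else is ignored."""
    cfg = {"if_ip": {}, "connected": {}, "nat": [], "global": set(), "routes": [], "acl": {}, "access_group": {}}
    current_if = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_if = None  # the nameif inside the block names it
        elif m := NAMEIF_RE.match(line):
            current_if = m[1]
        elif (m := IFACE_IP_RE.match(line)) and current_if:
            cfg["if_ip"][current_if] = ipaddress.ip_address(m[1])
            cfg["connected"][current_if] = _net(m[1], m[2])
        elif (m := NAT_RE.match(line)) and m[3] != "access-list":  # nat 0 access-list (exempt) is not audited
            cfg["nat"].append((m[1], int(m[2]), _net(m[3], m[4])))
        elif m := GLOBAL_RE.match(line):
            cfg["global"].add((m[1], int(m[2])))
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append((m[1], _net(m[2], m[3]), ipaddress.ip_address(m[4])))
        elif m := ACL_RE.match(line):
            cfg["acl"].setdefault(m[1], []).append((m[2], m[4].split()))
        elif m := ACCESS_GROUP_RE.match(line):
            cfg["access_group"][m[2]] = m[1]
    return cfg


def _source(tokens):
    # Source field of an ACE body: 'any', 'host A' or 'A MASK'.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    return _net(tokens[0], tokens[1])


def acl_permits_source(cfg, ifc, src_net):
    """True if the inbound ACL bound to ifc has a permit ACE whose source covers src_net."""
    for action, tokens in cfg["acl"].get(cfg["access_group"].get(ifc), []):
        if action == "permit" and src_net.subnet_of(_source(tokens)):
            return True
    return False


def audit(config_text):
    """Return human-readable findings for the config text."""
    cfg = parse(config_text)
    findings = []
    for ifc, net, nexthop in cfg["routes"]:
        if nexthop == cfg["if_ip"].get(ifc):
            findings.append(f"route {ifc} {net}: next hop {nexthop} is the ASA's own {ifc} address")
    reachable = list(cfg["connected"].values()) + [n for _, n, _ in cfg["routes"] if n.prefixlen]
    for ifc, nat_id, net in cfg["nat"]:
        tag = f"nat ({ifc}) {nat_id} {net}"
        if not any(g_if != ifc and g_id == nat_id for g_if, g_id in cfg["global"]):
            findings.append(f"{tag}: no global with id {nat_id} on any other interface")
        if net.prefixlen == 0:
            continue  # a catch-all nat statement names no specific subnet to check
        if not any(net.subnet_of(r) for r in reachable):
            findings.append(f"{tag}: no route or connected subnet covers it")
        if not acl_permits_source(cfg, ifc, net):
            findings.append(f"{tag}: inbound ACL on {ifc} has no permit ACE for this source")
    return findings


# Constructed sample: a trimmed subset of the configuration posted in the thread.
THREAD_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 192.168.1.1 255.255.255.0
access-group outside_acl in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 2 172.17.0.0 255.255.254.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list outside_acl extended permit ip any 172.17.0.0 255.255.254.0
access-list dmz_in extended permit ip host 192.168.1.225 172.17.0.0 255.255.254.0
"""

# The changes the original poster reported: add the route and ACL entry, drop nat (dmz) 2.
FIXED_CONFIG = THREAD_CONFIG.replace("nat (dmz) 2 172.17.0.0 255.255.254.0\n", "") + """\
route dmz 172.17.0.0 255.255.254.0 192.168.1.1 1
access-list dmz_in extended permit ip 172.17.0.0 255.255.254.0 any
"""
```

Run over the two samples, audit(THREAD_CONFIG) reports the three nat (dmz) 2 findings plus the outside default route pointing at the ASA's own address; audit(FIXED_CONFIG) drops the nat findings but still reports both the outside route and the newly added dmz route as pointing at the ASA's own interface address, which is exactly the question the accepted answer leaves open.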
