Cisco Support Community
Community Member

DMZ cannot access the internet, but inside can.

Can someone shed some light on this?  This is the first time that I have ever worked with a Cisco device and it is showing.  From tutorials, I have my inside accessing the internet and a couple of webservers are accessible from the outside.  If you are in Michigan, I'll take you salmon fishing.

My 3 servers on my DMZ VLAN can ping each other, but cannot ping the interface. I have checked that the DMZ VLAN is set up between the servers and the ASA 5515 firewall.

Inside computers also cannot ping the DMZ interface, but they can ping the inside interface.

Here is my config:

interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address
interface GigabitEthernet0/1
description Wireless
nameif Wireless
security-level 75
ip address
interface GigabitEthernet0/2
description Perimeter
nameif DMZ
security-level 50
ip address
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
nameif Outside
security-level 0
ip address
interface Management0/0
nameif management
security-level 100
ip address
boot system disk0:/asa912-smp-k8.bin
boot system disk0:/asa901-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OBJ_GENERIC_ALL
object network WWW_webserver
description Cascade
object network Direct_Access
description WSCC-S-004014
object network Camtasia
description WSCC-S-003050
object-group network PAT-SOURCE
description PAT Source Networks
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list OUTSIDE-IN remark WSCC-S-003056
access-list OUTSIDE-IN extended permit tcp any object WWW_webserver object-group DM_INLINE_TCP_1
access-list OUTSIDE-IN remark WSCC-S-004014
access-list OUTSIDE-IN extended permit ip any object Direct_Access
access-list OUTSIDE-IN remark WSCC-S-003050
access-list OUTSIDE-IN extended permit tcp any object Camtasia eq https
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Wireless 1500
mtu DMZ 1500
mtu Outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DMZ,Outside) source dynamic OBJ_GENERIC_ALL interface
nat (Inside,Outside) source dynamic OBJ_GENERIC_ALL interface
object network WWW_webserver
nat (Inside,Outside) static
object network Direct_Access
nat (any,any) static
object network Camtasia
nat (any,any) static
access-group OUTSIDE-IN in interface Outside
route Outside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http management
http Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet Inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
asdm image disk0:/asdm-713.bin
no asdm history enable


Re: DMZ cannot access the internet, but inside can.

You may have to permit ping on the DMZ interface.

icmp permit any DMZ

Please remember to rate and select a correct answer

Re: DMZ cannot access the internet, but inside can.

Also, please run the packet tracer and post the output here.

packet-tracer input inside tcp host 4444 host 80 detail

Please remember to rate and select a correct answer
Community Member

Re: DMZ cannot access the internet, but inside can.

9 hours of work... the port connected to the firewall needed to be untagged on VLAN 4 instead of tagged.

I might have to sign up for truck driving school.  See the country, decent pay, and great benefits...

Thank you Marius, that command will come in handy.
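Added example (not from this thread, the poster's config, or any Cisco tool): a small Python checker over ASA running-config text of the kind pasted above. For each named interface it answers the questions the replies raise: does the security-level ordering let that segment open flows to Outside (or does an inbound access-group govern instead), is there a dynamic NAT toward Outside, do the icmp rules permit pings to the interface itself (an interface with no icmp rules of its own accepts ICMP by default), and does the interface expect 802.1Q-tagged or untagged frames, which is the switch-side mismatch that turned out to be the real cause. The sample config is constructed with RFC 5737 documentation addresses and includes a hypothetical subinterface GigabitEthernet0/3.4 on VLAN 4 for contrast. Sub-commands are matched by keyword rather than indentation, so a config pasted with the leading spaces stripped still parses, and a bare "ip address" line is reported as missing rather than guessed.

```python
import re
from collections import namedtuple
# Constructed sample (RFC 5737 addresses) shaped like the thread's ASA 5515
# config, plus a hypothetical 802.1Q subinterface Gi0/3.4 on VLAN 4 for contrast.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 198.51.100.1 255.255.255.0
interface GigabitEthernet0/3.4
 vlan 4
 nameif Lab
 security-level 50
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/5
 nameif Outside
 security-level 0
 ip address 203.0.113.254 255.255.255.0
same-security-traffic permit inter-interface
icmp permit any Outside
nat (DMZ,Outside) source dynamic OBJ_GENERIC_ALL interface
nat (Inside,Outside) source dynamic OBJ_GENERIC_ALL interface
access-group OUTSIDE-IN in interface Outside
"""
# Sub-commands match by keyword, not indentation, so a config pasted without the leading space parses.
IFACE_SUBCMDS = ("nameif ", "security-level ", "ip address", "vlan ",
                 "description ", "no nameif", "no security-level",
                 "no ip address", "shutdown")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\)")
AsaConfig = namedtuple("AsaConfig",
                       "ifaces icmp_rules nat_pairs inbound_acl same_sec_inter")

def parse_config(text):
    """ifaces maps nameif -> dict; vlan is set only on subinterfaces, has_ip stays False for a bare 'ip address'."""
    ifaces, icmp_rules, nat_pairs, inbound_acl, same_sec_inter, cur = {}, {}, set(), set(), False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        if line.startswith("interface "):
            cur = {"name": line.split(None, 1)[1], "nameif": None,
                   "security_level": None, "vlan": None, "has_ip": False}
            continue
        words = line.split()
        if cur is not None and line.startswith(IFACE_SUBCMDS):
            if words[0] == "nameif":
                cur["nameif"] = words[1]
                ifaces[words[1]] = cur
            elif words[0] in ("security-level", "vlan"):
                cur[words[0].replace("-", "_")] = int(words[1])
            elif words[0] == "ip" and len(words) > 2:
                cur["has_ip"] = True
            continue
        cur = None                  # any other command closes the interface block
        if line == "same-security-traffic permit inter-interface":
            same_sec_inter = True
        elif words[0] == "icmp" and len(words) > 3 and words[1] in ("permit", "deny"):
            # icmp {permit|deny} {any|host A|A M} [type] IFACE; "icmp unreachable" is skipped
            icmp_rules.setdefault(words[-1], []).append((words[1], words[2]))
        elif (nat := NAT_RE.match(line)):
            nat_pairs.add((nat.group(1), nat.group(2)))
        elif words[0] == "access-group" and len(words) == 5 and words[2] == "in":
            inbound_acl.add(words[4])
    return AsaConfig(ifaces, icmp_rules, nat_pairs, inbound_acl, same_sec_inter)

def can_initiate(cfg, src, dst):
    """Default policy: higher security-level to lower is allowed, equal needs
    same-security-traffic, lower to higher is denied. None: an inbound ACL on src governs."""
    if src in cfg.inbound_acl:
        return None
    a, b = cfg.ifaces[src]["security_level"], cfg.ifaces[dst]["security_level"]
    return a > b or (a == b and cfg.same_sec_inter)

def icmp_to_interface_allowed(cfg, nameif):
    """ICMP terminating on the interface itself: no icmp rules for it means
    accept; otherwise the first matching rule decides ('any' sources only)."""
    rules = cfg.icmp_rules.get(nameif)
    if not rules:
        return True
    return next((act == "permit" for act, src in rules if src == "any"), False)

def checklist(cfg, nameif, outside="Outside"):
    """A nameif on a 'vlan N' subinterface expects tagged frames; one on the
    physical port expects untagged frames, so the switch port must match."""
    i = cfg.ifaces[nameif]
    return {"has_ip": i["has_ip"], "vlan": i["vlan"],
            "expects_tagged": i["vlan"] is not None,
            "can_reach_outside": can_initiate(cfg, nameif, outside),
            "pat_to_outside": (nameif, outside) in cfg.nat_pairs,
            "icmp_to_interface": icmp_to_interface_allowed(cfg, nameif)}

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name in cfg.ifaces:
        print(name, checklist(cfg, name))
```

Run stand-alone it prints one checklist per named interface: the physical DMZ port comes back with expects_tagged False, which is why the switch side had to deliver VLAN 4 untagged toward the ASA, while the hypothetical Lab subinterface comes back with expects_tagged True. The checks are a reading aid for the config text; packet-tracer on the box, as suggested above, remains the authoritative test of what the policy actually does.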
