
New Member

DMZ Setup

I am getting this error when hosts on the DMZ try to access the internet.

It seems no matter what I try, the implicit rule keeps blocking access.

Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 by access-group "dmz-entry" [0x0, 0x0]

Thank you in advance for any assistance.

14 REPLIES

Re: DMZ Setup

Port 25261? Can you post a sanitized copy of your config?

New Member

Re: DMZ Setup

Here it is, thanks.

Re: DMZ Setup

I don't see a rule for Internet access on the 'dmz-entry' ACL? I only see MS-SQL and DNS.

New Member

Re: DMZ Setup

I have tried adding rules but I may be adding them to wrong place.

What type of rule do I need to add to dmz_entry?

Thank you.

Re: DMZ Setup

If you just need Internet access (port 80/443), then you just need something to the effect of:

access-list dmz-entry permit tcp host any eq 80

access-list dmz-entry permit tcp host any eq 443

It looks like you already have some rules configured for DNS.

New Member

Re: DMZ Setup

1) My inbound rules for 80 and 443 work fine.

2) No hosts on the DMZ can pull web pages.

3) Is there a way to create a global rule for the hosts on the DMZ so they can get outbound Internet access?

Again thank you.

Re: DMZ Setup

I think I'm a bit confused. The example ACE's I provided above were to allow outbound Internet access from your DMZ host(s).

If you would like to allow outbound Internet access for your entire DMZ subnet, I would add something like this:

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 443

New Member

Re: DMZ Setup

I have tried that...

access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80

ERROR: IP address,mask <192.168.140.251,255.255.255.0> doesn't pair.

And you are correct what I need is outbound from the DMZ to the internet.

And that is the correct SM I have listed in the interfaces. This whole thing is making me crazy :)

Thanks for your patience with me.

Re: DMZ Setup

Ah. I'm sorry. The ACE's were meant to be:

access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80

access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443
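The "doesn't pair" error above comes from an address whose host bits are set under the given netmask (192.168.140.251 with 255.255.255.0); the ASA wants the network address (192.168.140.0). As an added illustration that is not part of this thread, the following Python checks ASA-style ACEs for exactly that defect before they are pasted into a config; the sample lines are constructed from the shapes used in this thread, and the ASA syntax subset it understands (any, host A.B.C.D, or address plus netmask) is an assumption of the example.

```python
import ipaddress

# Constructed sample ACEs, in the forms used in this thread (not from a live config).
ACE_REJECTED = "access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80"
ACE_FIXED = "access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443"


def _take_address(tokens, i):
    """Consume one address spec starting at tokens[i].
    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' (ASA netmask form).
    Returns (description, next_index); raises ValueError for a bad address/mask pair."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        ipaddress.IPv4Address(tokens[i + 1])  # raises if the host address is malformed
        return f"host {tokens[i + 1]}", i + 2
    addr, mask = tokens[i], tokens[i + 1]
    try:
        # strict=True rejects host bits set under the mask, which is the condition
        # the ASA reports as "IP address,mask <addr,mask> doesn't pair."
        net = ipaddress.IPv4Network((addr, mask), strict=True)
    except ValueError:
        raise ValueError(f"IP address,mask <{addr},{mask}> doesn't pair.")
    return str(net), i + 2


def validate_ace(line):
    """Return None if the ACE parses cleanly, else an ASA-style error string.
    Only the 'access-list <name> permit|deny <proto> <src> <dst> [eq <port>]'
    subset is handled (assumption of this example)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 5 or tokens[2] not in ("permit", "deny"):
        return "ERROR: unsupported ACE form"
    i = 4  # skip: access-list <name> permit|deny <protocol>
    try:
        _src, i = _take_address(tokens, i)
        _dst, i = _take_address(tokens, i)
    except (ValueError, IndexError) as exc:
        return f"ERROR: {exc}"
    return None


if __name__ == "__main__":
    for ace in (ACE_REJECTED, ACE_FIXED):
        print(ace, "->", validate_ace(ace) or "OK")
```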

New Member

Re: DMZ Setup

Did the trick Thank you

I had also forgotten the:

access-group dmz_entry in interface dmz command.

Problem solved...

New Member

Re: DMZ Setup

Now that I have that working.

I have lost internet from the inside network.

Any idea ?

Re: DMZ Setup

I just looked again at the config you posted and I don't see an ACL applied to the inside interface.

New Member

Re: DMZ Setup

access-group inside_access_in in interface inside.

When I give the command:

access-list inside_access_in permit tcp 192.168.110.0 255.255.255.0 any eq 80

What I really need to do is be able to FTP files from a host on the dmz to a host on the inside network.

The command succeeds but nothing changes.

Re: DMZ Setup

Did you apply the ACL to your inside interface?

access-group inside_access_in in interface inside

For the FTP connection, you need to add an entry to your DMZ ACL.
