02-14-2009 09:13 AM - edited 03-11-2019 07:50 AM
I am getting this error when hosts on the DMZ try to access the internet.
It seems no matter what I try, the implicit rule keeps blocking access.
Deny tcp src dmz:192.168.140.10/58499 dst outside:68.15.170.162/25261 by access-group "dmz-entry" [0x0, 0x0]
Thank you in advance for any assistance.
02-14-2009 01:24 PM
Port 25261? Can you post a sanitized copy of your config?
02-14-2009 02:04 PM
02-14-2009 06:56 PM
I don't see a rule for Internet access on the 'dmz-entry' ACL? I only see MS-SQL and DNS.
02-15-2009 09:31 AM
I have tried adding rules but I may be adding them to wrong place.
What type of rule do I need to add to dmz_entry?
Thank you.
02-15-2009 11:48 AM
If you just need Internet access (port 80/443), then you just need something to the effect of:
access-list dmz-entry permit tcp host
access-list dmz-entry permit tcp host
It looks like you already have some rules configured for DNS.
02-15-2009 12:21 PM
1) My inbound rules for 80 and 443 work fine.
2) No hosts on the DMZ can pull web pages.
3) Is there a way to add a global rule so the hosts on the DMZ are able to get outbound Internet access?
Again thank you.
02-15-2009 02:35 PM
I think I'm a bit confused. The example ACEs I provided above were to allow outbound Internet access from your DMZ host(s).
If you would like to allow outbound Internet access for your entire DMZ subnet, I would add something like this:
access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80
access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 443
02-15-2009 02:55 PM
I have tried that...
access-list dmz-entry permit tcp 192.168.140.251 255.255.255.0 any eq 80
ERROR: IP address,mask <192.168.140.251,255.255.255.0> doesn't pair.
And you are correct what I need is outbound from the DMZ to the internet.
And that is the correct subnet mask I have listed in the interfaces. This whole thing is making me crazy :)
Thanks for your patience with me.
02-15-2009 02:59 PM
Ah. I'm sorry. The ACEs were meant to be:
access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 80
access-list dmz-entry permit tcp 192.168.140.0 255.255.255.0 any eq 443
02-15-2009 03:59 PM
Did the trick. Thank you.
I had also forgotten the:
access-group dmz_entry in interface dmz command.
Problem solved...
02-20-2009 09:57 AM
Now that I have that working.
I have lost internet from the inside network.
Any idea ?
02-20-2009 11:04 AM
I just looked again at the config you posted and I don't see an ACL applied to the inside interface.
02-20-2009 11:48 AM
access-group inside_access_in in interface inside.
When I give the command:
access-list inside_access_in permit tcp 192.168.110.0 255.255.255.0 any eq 80
What I really need to do is be able to FTP files from a host on the dmz to a host on the inside network.
The command succeeds but nothing changes.
02-20-2009 12:19 PM
Did you apply the ACL to your inside interface?
access-group inside_access_in in interface inside
For the FTP connection, you need to add an entry to your DMZ ACL.
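The points this thread turns on (an ACL ends in an implicit deny, an address/mask pair is rejected when the address has host bits set under the mask, an ACL does nothing until `access-group` binds it to an interface, and a DMZ-to-inside FTP session needs its own ACE on the DMZ ACL) are shown below in a small Python model of ASA-style extended ACL evaluation. This is an added example, not code from the thread or from Cisco. The config fragment it parses is constructed for the example: the two ACEs from the accepted answer, a DNS entry, an FTP entry from the DMZ host in the log line to the 192.168.110.0/24 inside subnet mentioned later in the thread, and the `access-group` binding the poster had forgotten. It handles only the subset of ACL syntax used in that fragment.

```python
"""Model of ASA-style extended ACL evaluation: first match wins, implicit deny last."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed config fragment (an assumption for this example, not the original
# poster's config). Interface names and networks are the ones named in the thread.
SAMPLE_CONFIG = """
access-list dmz-entry extended permit tcp 192.168.140.0 255.255.255.0 any eq 80
access-list dmz-entry extended permit tcp 192.168.140.0 255.255.255.0 any eq 443
access-list dmz-entry extended permit udp 192.168.140.0 255.255.255.0 any eq 53
access-list dmz-entry extended permit tcp host 192.168.140.10 192.168.110.0 255.255.255.0 eq 21
access-group dmz-entry in interface dmz
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None: any destination port


def masks_pair(addr: str, mask: str) -> bool:
    """True when addr/mask is a valid address-mask pair, i.e. no host bits are set
    under the mask. 192.168.140.251 255.255.255.0 fails, which is the "doesn't pair"
    error in the thread; the network address 192.168.140.0 passes."""
    try:
        ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def _parse_addr(tok: list, i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at tok[i] (ASA ACLs use real
    subnet masks, not IOS wildcard masks). Returns (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(f"{tok[i + 1]}/32"), i + 2
    addr, mask = tok[i], tok[i + 1]
    if not masks_pair(addr, mask):
        raise ValueError(f"IP address,mask <{addr},{mask}> doesn't pair")
    return ipaddress.IPv4Network(f"{addr}/{mask}"), i + 2


def parse_config(text: str):
    """Return ({acl name: [Ace, ...]}, {interface: acl name}) from access-list and
    access-group lines. The 'extended' keyword, omitted in the thread's older
    syntax, is optional."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            i = 3 if tok[2] == "extended" else 2
            action, proto = tok[i], tok[i + 1]
            src, i = _parse_addr(tok, i + 2)
            dst, i = _parse_addr(tok, i)
            dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acls.setdefault(tok[1], []).append(Ace(action, proto, src, dst, dport))
        elif tok[0] == "access-group" and tok[2] == "in":
            bindings[tok[4]] = tok[1]          # access-group NAME in interface IF
    return acls, bindings


def ace_error(line: str) -> Optional[str]:
    """Parse error for a single ACE line, or None if the line is accepted."""
    try:
        parse_config(line)
        return None
    except ValueError as e:
        return str(e)


def acl_permits(aces: list, proto: str, src: str, dst: str, dport: int) -> bool:
    """First matching ACE decides. Falling off the end is the implicit deny that
    produced the 'Deny tcp ... by access-group "dmz-entry"' message in the thread."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s in ace.src and d in ace.dst and ace.dport in (None, dport):
            return ace.action == "permit"
    return False


def flow_allowed(config: str, ingress_if: str, proto: str, src: str,
                 dst: str, dport: int) -> Optional[bool]:
    """Evaluate a flow against the ACL bound inbound on ingress_if. None means no
    access-group is applied there (the command the poster had forgotten), so the
    ASA's interface security-level rules decide instead of this ACL."""
    acls, bindings = parse_config(config)
    name = bindings.get(ingress_if)
    if name is None:
        return None
    if name not in acls:
        # Names must match exactly: dmz-entry and dmz_entry are two different ACLs.
        raise ValueError(f"access-list {name} does not exist")
    return acl_permits(acls[name], proto, src, dst, dport)
```

Running `flow_allowed(SAMPLE_CONFIG, "dmz", "tcp", "192.168.140.10", "68.15.170.162", 25261)` reproduces the deny from the original log line (nothing permits port 25261), while the same flow to port 443 is permitted, and only the one DMZ host listed in the FTP ACE reaches 192.168.110.0/24 on port 21. For the FTP case, keep in mind that the ACE above only covers the control channel; in passive mode the data channel is a second DMZ-to-inside connection on a negotiated port, which the ASA's FTP inspection (`inspect ftp`, enabled in the default global service policy) opens on the fly. If the control connection succeeds but directory listings or transfers hang, check `show service-policy` before adding broader ACEs.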