Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Internet access and a question...

Hello Friends...

I am having issues with PC's in my DMZ to gain access to the internet...

I saw a post about a week ago with a simular issue, I added the rule that was recommended... and no change... so..

I have a PC with an IP address of 10.1.1.50/24 and a gateway address of 10.1.1.1.

From this DMZ... I can ping the gateway and also 10.11.144.3 which is my DNS \ AD server...

below is the config.... any ideas on what is stopping the PC in the DMZ to gain access to the internet?

Also...

I inherited this firewall from a previous admin who was dismissed... but something I noticed that does not make sense... and it has to do with a rule on the inside interface located right about my any - any implicit deny... and that is..

access-list inside_access_in extended permit ip any any

doesn't this negate the implicit deny? is this safe to allow any-any ip?

Thanks in advance....

Result of the command: "show run"

: Saved
:
ASA Version 8.2(4)
!
hostname XXXX
domain-name XXXX.org
enable password wZJefsykk8VmlkFg encrypted
passwd wZJefsykk8VmlkFg encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 66.x.x.70 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.11.144.253 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 10
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3

!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
!
time-range Always
!
boot system disk0:/disk0asa727-k8.bin
boot system disk0:/asa824-k8.bin
boot system disk0:/asa824-k8,bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name xxxx.org
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq 2534
port-object eq 2533
port-object range 2701 2750
port-object eq https
object-group network DM_INLINE_NETWORK_4
network-object host 66.x.x.77
network-object host 66.x.x.78
object-group network DM_INLINE_NETWORK_5
network-object host 60.x.x.77
network-object host 66.x.x.78
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list 120 extended permit ip 10.11.144.0 255.255.255.0 10.11.145.0 255.255.255.0
access-list 130 extended permit ip 10.11.144.0 255.255.255.0 10.11.146.0 255.255.255.0
access-list 140 extended permit ip 10.11.144.0 255.255.255.0 10.11.147.0 255.255.255.0
access-list 150 extended permit ip 10.11.144.0 255.255.255.0 10.11.148.0 255.255.255.0
access-list 160 extended permit ip 10.11.144.0 255.255.255.0 10.11.149.0 255.255.255.0
access-list 170 extended permit ip 10.11.144.0 255.255.255.0 10.11.150.0 255.255.255.0
access-list 180 extended permit ip 10.11.144.0 255.255.255.0 10.11.151.0 255.255.255.0
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip 10.11.144.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip any 10.11.0.0 255.255.0.0
access-list nonat extended permit ip any 172.16.10.0 255.255.255.0
access-list outside_acl extended permit tcp any host 66.x.x.73 object-group DM_INLINE_TCP_0
access-list outside_acl extended permit icmp any any time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.77 eq www time-range Always
access-list outside_acl extended permit tcp any host 66.x.x.78 object-group DM_INLINE_TCP_1 time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_5 eq smtp time-range Always
access-list outside_acl extended permit tcp any object-group DM_INLINE_NETWORK_4 eq pop3 time-range Always
access-list dmz_acl extended permit udp 10.1.1.0 255.255.255.0 host 10.11.144.3 eq domain time-range Always
access-list dmz_acl extended permit ip 10.1.1.0 255.255.255.0 host 10.11.144.3 time-range Always
access-list dmz_acl extended permit tcp any any
access-list XXXVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list XXXVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool XXXVPN_IP_POOL 172.16.10.1-172.16.10.10
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400
global (outside) 1 66.x.x.71 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 10.11.144.0 255.255.255.0
nat (inside) 1 10.11.145.0 255.255.255.0
nat (inside) 1 10.11.146.0 255.255.255.0
nat (inside) 1 10.11.147.0 255.255.255.0
nat (inside) 1 10.11.148.0 255.255.255.0
nat (inside) 1 10.11.149.0 255.255.255.0
nat (inside) 1 10.11.150.0 255.255.255.0
nat (inside) 1 10.11.151.0 255.255.255.0
static (inside,outside) 66.x.x.72 10.11.144.8 netmask 255.255.255.255
static (inside,outside) 66.x.x.78 10.11.144.12 netmask 255.255.255.255
static (inside,outside) 66.x.x.77 10.11.144.2 netmask 255.255.255.255
static (inside,outside) 66.x.x.85 10.11.144.25 netmask 255.255.255.255
static (inside,outside) 66.x.x.73 10.11.144.7 netmask 255.255.255.255
access-group outside_acl in interface outside
access-group inside_access_in in interface inside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 66.x.x.67 1
route inside 10.11.145.0 255.255.255.0 10.11.144.254 1
route inside 10.11.146.0 255.255.255.0 10.11.144.254 1
route inside 10.11.147.0 255.255.255.0 10.11.144.254 1
route inside 10.11.148.0 255.255.255.0 10.11.144.254 1
route inside 10.11.149.0 255.255.255.0 10.11.144.254 1
route inside 10.11.150.0 255.255.255.0 10.11.144.254 1
route inside 10.11.151.0 255.255.255.0 10.11.144.254 1
route inside 192.168.100.0 255.255.255.0 10.11.144.254 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server DOMAIN protocol nt
aaa-server DOMAIN (inside) host 10.11.144.3
nt-auth-domain-controller XXXdc1
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
url-server (inside) vendor websense host 10.11.144.9 timeout 30 protocol TCP version 1 connections 50
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication secure-http-client
filter url except 10.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url except 0.0.0.0 0.0.0.0 10.1.1.3 255.255.255.255
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.144.0 255.255.255.0 inside
http 10.11.0.0 255.255.0.0 inside
http 0.0.0.0 255.255.255.255 outside
snmp-server location Weber
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 20 esp-des esp-md5-hmac
crypto ipsec transform-set 30 esp-des esp-md5-hmac
crypto ipsec transform-set 50 esp-des esp-md5-hmac
crypto ipsec transform-set 60 esp-des esp-md5-hmac
crypto ipsec transform-set 70 esp-des esp-md5-hmac
crypto ipsec transform-set ENCRYPT esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OUTSIDEMAP 10 set transform-set ENCRYPT
crypto dynamic-map OUTSIDEMAP 30 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map VPN 20 match address 120
crypto map VPN 20 set peer 206.166.36.122
crypto map VPN 20 set transform-set 20
crypto map VPN 30 set peer 206.166.36.154
crypto map VPN 30 set transform-set 30
crypto map VPN 50 set peer 206.166.36.146
crypto map VPN 50 set transform-set 50
crypto map VPN 60 set peer 206.166.36.150
crypto map VPN 60 set transform-set 60
crypto map VPN 70 set peer 206.166.36.126
crypto map VPN 70 set transform-set 70
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpnspd.XXX.org
subject-name CN=sslvpnspd
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 50d23f4d
    308201e9 30820152 a0030201 02020450 d23f4d30 0d06092a 864886f7 0d010105
    05003039 31123010 06035504 03130973 736c7670 6e737064 31233021 06092a86
    4886f70d 01090216 1473736c 76706e73 70642e73 6b6f6b69 652e6f72 67301e17
    0d313130 31323631 37323930 355a170d 32313031 32333137 32393035 5a303931
    12301006 03550403 13097373 6c76706e 73706431 23302106 092a8648 86f70d01
    09021614 73736c76 706e7370 642e736b 6f6b6965 2e6f7267 30819f30 0d06092a
    864886f7 0d010101 05000381 8d003081 89028181 00b7ec4e 59cbac48 0887a91f
    6a093ce6 96b98eff 5276cb30 5d7831a3 d1fec4ae a6ecdd56 d64e3140 b3acb7b0
    a6c77aa5 732e5e28 6dae291f f0af8af9 d0b8d245 8351879b e2d7d36a 8890ee3a
    6c873537 98a30ca1 9ec5efae 5866656b 278573f0 be1990d7 0f9dfc67 dbc8d63d
    33bce9af b786a396 d695be7a 12dcecdc 61b54119 31020301 0001300d 06092a86
    4886f70d 01010505 00038181 001de265 7c0d1343 b15718e6 9e7fd220 12f17499
    d72a723b bd5841a8 d4d30ef3 dab4e858 f078089b 0602b3da 76dad4b7 9eb47466
    44914b5a f30f11f9 7ad3f2f5 9cdc027b db32f06a 9f548a68 6a0ca0a6 623833ee
    d4b2f7f2 75602be6 927d3b3e 1def6021 1bd71e18 c9e2a4fe cc7bc65d 6c7b608a
    cfdbd3d7 421a40c6 b7472323 d8
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
telnet 10.11.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.11.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
url-block url-mempool 1500
url-block url-size 4
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2001-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 10.11.144.3 10.11.144.8
dns-server value 10.11.144.3 10.11.144.8
vpn-tunnel-protocol IPSec
backup-servers clear-client-config
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
group-policy SPDVPN internal
group-policy SPDVPN attributes
wins-server value 10.11.144.3 10.11.144.8
dns-server value 10.11.144.3 10.11.144.8
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPDVPN_splitTunnelAcl
default-domain value xxx.org
username xxx password sE2H9HubIXI75SNz encrypted privilege 15
username xxx attributes
vpn-group-policy SPDVPN
username admin password 6YI.p7lD7uzHZBBs encrypted privilege 15
tunnel-group SPDVPN type remote-access
tunnel-group SPDVPN general-attributes
authentication-server-group DOMAIN
default-group-policy SPDVPN
dhcp-server 10.11.144.3
tunnel-group SPDVPN webvpn-attributes
group-alias SPD enable
tunnel-group SPDVPN ipsec-attributes
pre-shared-key *****
tunnel-group 206.x.x.126 type ipsec-l2l
tunnel-group 206.x.x.126 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect mgcp
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:de6cc013b7f352d3ae23801e154d8a3b
: end

  • Firewalling
Everyone's tags (3)
2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: Internet access and a question...

Hello David,

All you are missing is the Nat statement for the DMZ to be able to get to th outside.

Please add the following:

Nat (dmz 1 0 0

Now regarding your ACL question, of course if you add a permit ip any any, the implicit deny is  going to do nothing, but remember you will be allowing all trafffic from the DMZ to any other interface, so it will be just outbound traffic not inbound traffic to that interface.

Regards,

Please rate helpful posts.

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Internet access and a question...

Hello David,

Yes, I saw it, actually I answered to that one on the previous response as well.

Here is the answer just in case,

Now regarding your ACL question, of course if you add a permit ip any  any, the implicit deny is  going to do nothing, but remember you will be  allowing all trafffic from the inside to any other interface, so it will  be just outbound traffic not inbound traffic to that interface.

Regards,

Please rate helpful posts.

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
3 REPLIES

Re: Internet access and a question...

Hello David,

All you are missing is the Nat statement for the DMZ to be able to get to th outside.

Please add the following:

Nat (dmz 1 0 0

Now regarding your ACL question, of course if you add a permit ip any any, the implicit deny is  going to do nothing, but remember you will be allowing all trafffic from the DMZ to any other interface, so it will be just outbound traffic not inbound traffic to that interface.

Regards,

Please rate helpful posts.

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Internet access and a question...

wow... that was quick and it works!!!! thank you Julio...

did you see the other question?

I inherited this firewall from a previous admin who was dismissed... but something I noticed that does not make sense... and it has to do with a rule on the inside interface located right above my any - any implicit deny... and that is..

access-list inside_access_in extended permit ip any any

doesn't this negate the implicit deny? is this safe to allow any-any ip?

Internet access and a question...

Hello David,

Yes, I saw it, actually I answered to that one on the previous response as well.

Here is the answer just in case,

Now regarding your ACL question, of course if you add a permit ip any  any, the implicit deny is  going to do nothing, but remember you will be  allowing all trafffic from the inside to any other interface, so it will  be just outbound traffic not inbound traffic to that interface.

Regards,

Please rate helpful posts.

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
399
Views
0
Helpful
3
Replies
This widget could not be displayed.