Cisco Support Community
Community Member

outbound web access from dmz

I'm having a problem getting web access from my DMZ network. It has a higher security level than the outside interface, so shouldn't I be able to get outside internet access from the DMZ? Inbound access from outside to the DMZ works fine the way I have it with PAT.

Does anyone see anything wrong with what I've got?


5510(config)# sh run
: Saved

ASA Version 7.0(7)

hostname 5510
enable password ABC87h/3Z9f23JKj6 encrypted

name DEV_NET
name DMZ_NET
name AEW_NET
name MY_WAN_IP

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address MY_WAN_IP

interface Ethernet0/1
 nameif dmz
 security-level 20
 ip address

interface Ethernet0/2
 nameif cluster
 security-level 60
 ip address

interface Ethernet0/3
 nameif development
 security-level 80
 ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive

object-group protocol TCP_UDP_ICMP
 protocol-object tcp
 protocol-object udp
 protocol-object icmp
object-group network CLUSTER_GRP
 network-object host
object-group network DEVELOPMENT_GRP
 network-object host
object-group network DMZ_GRP
 network-object host
object-group network INSIDE_GRP
 group-object DMZ_GRP
 group-object CLUSTER_GRP
 group-object DEVELOPMENT_GRP
object-group service DMZ_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
object-group service ALL_SERVICES tcp
 port-object eq www
 port-object eq https
 port-object eq 3690
 port-object eq ssh

access-list ANY_ACCESS extended permit ip any any
access-list SSH_ACCESS extended permit tcp any any eq ssh
access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES
access-list DMZ_ACCESS extended permit tcp any interface dmz object-group DMZ_SERVICES

pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu management 1500
mtu dmz 1500
mtu cluster 1500
mtu outside 1500
mtu development 1500
no failover
icmp permit any dmz
icmp permit any cluster
icmp permit any development
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (dmz) 1 DMZ_NET
nat (cluster) 1 CLUSTER_NET
nat (development) 1 DEV_NET
static (cluster,outside) tcp interface ssh ssh netmask
static (dmz,outside) tcp interface www www netmask
static (dmz,outside) tcp interface https https netmask
static (dmz,outside) tcp interface 3690 3690 netmask
static (management,development) MGMT_NET MGMT_NET netmask
static (management,cluster) MGMT_NET MGMT_NET netmask
static (management,dmz) MGMT_NET MGMT_NET netmask
static (development,cluster) DEV_NET DEV_NET netmask
static (development,dmz) DEV_NET DEV_NET netmask
static (cluster,development) CLUSTER_NET CLUSTER_NET netmask

access-group DMZ_ACCESS in interface dmz
access-group SSH_ACCESS in interface cluster
access-group ALL_ACCESS in interface outside

route outside 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http MGMT_NET management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0



Re: outbound web access from dmz

This acl is blocking it, don't forget about the explicit deny ip any any...

access-list DMZ_ACCESS extended permit tcp any interface dmz object-group DMZ_SERVICES

access-list DMZ_ACCESS extended deny ip any any

What is the reason for the above acl? If you don't need it, get rid of it and you will get to the internet. If you need access from the dmz to the inside, you must write the access in this acl.
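The fix the reply describes, written out as an added example (this is not configuration from the thread). An access-list applied "in" on the dmz interface filters traffic entering the ASA from the DMZ hosts, and every ASA ACL ends with an implicit deny, so the posted DMZ_ACCESS line, which only matches TCP sent to the dmz interface's own address, leaves nothing for outbound web traffic to match. The inbound restriction the poster was actually after belongs on the ACL applied to the outside interface. DMZ_NET, DEV_NET, CLUSTER_NET, MGMT_NET, the ACL names and the DMZ_SERVICES group come from the posted config; the 255.255.255.0 masks, the 203.0.113.10 admin host and the DNS permit are assumptions. Syntax is pre-8.3 ASA (the 7.0 train shown), where an ACL on the outside interface matches the translated address.

```cisco
! Added example, not the poster's config. Masks and 203.0.113.10 are assumptions.

! 1. Rebuild the ACL on the dmz interface. "in" on dmz means traffic FROM the DMZ hosts.
no access-group DMZ_ACCESS in interface dmz
no access-list DMZ_ACCESS extended permit tcp any interface dmz object-group DMZ_SERVICES
! First match wins, so block the DMZ from initiating to the higher-security
! networks before any permit with a destination of "any" ...
access-list DMZ_ACCESS extended deny ip DMZ_NET 255.255.255.0 MGMT_NET 255.255.255.0
access-list DMZ_ACCESS extended deny ip DMZ_NET 255.255.255.0 DEV_NET 255.255.255.0
access-list DMZ_ACCESS extended deny ip DMZ_NET 255.255.255.0 CLUSTER_NET 255.255.255.0
! ... then permit only what the DMZ hosts need outbound. Anything else hits the
! implicit "deny ip any any" at the end of the list.
access-list DMZ_ACCESS extended permit tcp DMZ_NET 255.255.255.0 any eq www
access-list DMZ_ACCESS extended permit tcp DMZ_NET 255.255.255.0 any eq https
access-list DMZ_ACCESS extended permit udp DMZ_NET 255.255.255.0 any eq domain
access-group DMZ_ACCESS in interface dmz

! 2. Restrict inbound on the outside interface instead. The posted ALL_ACCESS permits
! ssh from any source to the cluster static; limit it to the admin host.
no access-group ALL_ACCESS in interface outside
no access-list ALL_ACCESS extended permit tcp any any object-group ALL_SERVICES
access-list ALL_ACCESS extended permit tcp any interface outside object-group DMZ_SERVICES
access-list ALL_ACCESS extended permit tcp host 203.0.113.10 interface outside eq ssh
access-group ALL_ACCESS in interface outside
```

After applying it, browse from a DMZ host and run "show access-list DMZ_ACCESS": the hitcnt on the www/https permit lines should increase, and an attempt from the DMZ to a DEV_NET address should increment one of the deny lines rather than disappearing into the implicit deny. The NAT statements do not need to change; NAT only translates addresses and never grants access that the ACL on the ingress interface denies.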

Community Member

Re: outbound web access from dmz

I thought it was allowing only 3 of the 4 services I care about to get into the DMZ and ssh to the others. However, it did work.

I guess it has something to do with PAT, which I don't quite understand yet. Do access-lists override PAT, or was I using them both wrong together?

My only problem now is that my ssh logins take minutes to 'login' to other machines.
