Setting up DMZ on ASA 5505

cflanders
Level 1

I am trying to set up a DMZ on my Cisco ASA 5505, so that the wireless clients are connected behind the DMZ, the LAN clients are connected behind the inside interface and both groups of clients can get to the Internet.  I have been able to configure the ASA for both wireless and LAN, but the wireless clients still cannot get to the Internet.  The LAN clients can get to the Internet.  I do not want the wireless clients and the LAN clients to be able to be able to communicate with each other.  What commands do I need to run in order to allow the wireless clients to access the Internet?  Thanks for your help.

Chris

11 Replies

cflanders
Level 1

I forgot to mention that I have version 8.4 on the ASA. Thanks!

On the inside interface you can put an ACL which will block inside-to-DMZ communication. If you don't PAT the DMZ subnet on the ASA, the clients will not be able to reach the Internet.

Thanks

Ajay

Thanks for the reply.  How do I PAT the dmz subnet?  I must not have already done this.  Thanks.

Here is a sample example; consider your DMZ network to be 192.168.2.0/24.

Example 1 - If you want to PAT on the outside IP:

hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (dmz,outside) dynamic interface

Example 2 - If you want to use one IP address:

hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (dmz,outside) dynamic 2.2.2.2

Example 3 - If you want to use a NAT pool:

hostname(config)# object network my-range-obj
hostname(config-network-object)# range 2.2.2.1 2.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (dmz,outside) dynamic my-range-obj

For blocking traffic it is a simple rule: inside is level 100 and the DMZ is, say, 50, so traffic from 100 to 50 will be allowed by default and can be blocked with the help of an ACL.
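Pulling the advice in this thread together, here is an added example of a complete ASA 5505 (software 8.4) configuration for the layout Chris describes; it is not configuration from any of the posts. It assumes the LAN on VLAN 1 (192.168.1.0/24), the outside on VLAN 2 with a DHCP-assigned address, and the wireless DMZ on VLAN 3 using 192.168.3.0/24 (the network Julio identifies below); the object names, port assignments and addresses are assumptions. It also covers two points a practitioner would want checked on this platform: a 5505 with the Base license only permits a third VLAN when it is created with no forward interface before nameif (which here doubles as the DMZ-cannot-reach-inside rule), and ICMP is not tracked statefully unless inspected, so a ping test through the ASA can time out even when TCP works.

```cisco
! ASA 5505, software 8.4 -- added example, not the thread's configuration.
! Addressing, VLAN/port assignments and object names are assumptions.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Third VLAN for the wireless clients. On a Base license the 5505 only accepts a
! third VLAN if it is restricted from initiating traffic to one other VLAN, and
! "no forward interface Vlan1" must be entered before nameif. Here that
! restriction also enforces the requirement that DMZ clients never reach the LAN.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/2
 description wireless access point
 switchport access vlan 3
!
! Object NAT (8.3+ syntax): PAT each private subnet to the outside interface
! address. Without the (dmz,outside) rule the DMZ clients have no translation
! and never reach the Internet, which is the point made above.
object network obj-inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network obj-dmz-net
 subnet 192.168.3.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Inside (100) to DMZ (50) is allowed by default, so an inbound ACL on the inside
! interface denies it explicitly and then permits everything else (Internet).
! DMZ (50) to inside (100) is already denied by the security levels because no
! ACL is applied to the dmz interface.
access-list inside_access_in extended deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_access_in in interface inside
!
! ICMP inspection: without it the echo-reply arriving on outside (0) has no
! connection state and is dropped, so "ping 4.2.2.2" from a client shows
! "request timed out" even when web browsing works.
policy-map global_policy
 class inspection_default
  inspect icmp
```

The two isolation mechanisms are deliberately different: the inside ACL is the only thing stopping LAN-to-DMZ traffic, so it has to be reviewed whenever that ACL is edited, while DMZ-to-LAN is blocked by the default lower-to-higher rule and additionally by the forward restriction. Returning traffic for sessions the clients open outbound is allowed by the connection table, which is why no ACL on the outside interface is needed for Internet access.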

Attached is the ASA configuration as it is right now.  I have omitted some IP addresses, etc., but the relevant information is there.  Maybe this will help you.  Thanks.

Chris

Hello Christopher,

So first of all, you have redundant NAT commands, because obj_DMZ is also 192.168.3.0, so you can delete one of the following NAT statements in order to have a more organized configuration:

object network obj_DMZ
 nat (DMZ,outside) dynamic interface

object network obj-192.168.3.0
 nat (DMZ,outside) dynamic interface

Now regarding the issue: the wireless clients belong to the 192.168.3.0 network, so they should be able to go to the outside because:

1. You have the required NAT statement in order to translate their private IP into a routable IP.

2. You do not have an ACL on the DMZ interface blocking this connection.

So my next question would be are you able to go to the internet using an ip address instead of a domain name?

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That is one of the first things I tried.  I am always getting request timed out.  Why do I need an access-list to allow traffic out to the Internet?

I have deleted the duplicate statement from above and added access-list (DMZ, outside) source static obj_DMZ obj_DMZ destination static obj_DMZ obj_DMZ, but the wireless clients still cannot get to the Internet.

Hello Chris,

You do not need an ACL; that's in my last note. Now, what happens if you put this into a browser:

http://198.133.219.25

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It does not go to the website, nor can I ping 4.2.2.2.

Thanks,

Chris

Hello,

Really strange behavior. You have a Plus license, right?

Now let's do some captures to see what's going on:

access-list capdmz permit tcp host 192.168.13.2 any eq 80

access-list capdmz permit tcp any eq 80 host 192.168.13.2

access-list capout permit tcp host xxxxxxx any eq 80

access-list capout permit tcp any eq 80 host xxxxxxxx

capture capdmz access-list capdmz interface dmz

capture capout access-list capout interface outside

Note: the xxxx are going to be the outside interface ip address.

Now I want you to try to browse to a web site from 192.168.13.2

And then do a show capture:

sh capture capdmz

sh capture capout

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
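As an added example that is not part of Julio's post, here is the verification session a practitioner would run on ASA 8.4 alongside those captures. The DMZ client 192.168.3.10 and the interface names are assumptions; 198.133.219.25 is the address suggested earlier in the thread. packet-tracer builds a synthetic packet and reports every phase it passes through (route lookup, ACL, NAT, inspection) together with the phase that drops it, which usually localizes a "request timed out" faster than reading a capture, and the show commands confirm whether the NAT rule is actually being hit.

```cisco
! Added example, not from the thread. Client 192.168.3.10 and the interface
! names are assumptions; 198.133.219.25 is the address suggested above.
!
! 1. Simulate a DMZ client opening a web connection. The output lists each
!    phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) and ends with
!    "Action: allow" or "Action: drop" plus the drop reason.
packet-tracer input dmz tcp 192.168.3.10 1025 198.133.219.25 80 detailed
!
! 2. Confirm an object NAT rule exists for the DMZ subnet and that its
!    translate_hits counter rises after the test above.
show nat detail
!
! 3. Active translations for the client. No entry after a browsing attempt
!    means the packet never got as far as the NAT stage.
show xlate | include 192.168.3.10
!
! 4. Packets the ASA dropped, grouped by reason, since the counters were
!    cleared. Run the browsing test between the two commands.
clear asp drop
show asp drop
!
! 5. After real traffic has been sent, view the captures from the post above
!    and then remove them; captures keep buffering until deleted.
show capture capdmz
show capture capout
no capture capdmz
no capture capout
```

Reading the result: if packet-tracer reports a drop in the ACCESS-LIST phase, an ACL is applied to the dmz interface after all; a drop at NAT means the (dmz,outside) translation is missing or shadowed by another rule; an allow with no xlate entry and nothing in the outside capture points at the client not actually reaching the ASA (wrong VLAN on the switch port, or the access point not bridging to it).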